This version gives us protocol 2 support. With that come some compatibility issues. Please read below for more details.

Note that currently, since the sshd server is in a separate rpm, it isn't packed with both versions of sshd. If you need the old sshd, just install the ssh and ssh-client rpms, leaving out the ssh-server rpm.

Please contact Kevin Hill <kevinh@fnal.gov> if there are any problems with these packages.

What's the Deal with OpenSSH?

With this release of SSH, we will be transitioning from ssh.com's ssh code base to OpenSSH. The advantages of OpenSSH are:

* Supports SSH Protocol 2, which allows:
  * Multiple and easy addition of new encryption systems
  * Multiple and easy addition of new authentication systems
  * Easy creation of new "services" that operate over ssh encrypted channels. "sftp" is an example that ships with OpenSSH and allows ftp-like file browsing and transferring over an ssh connection.

The flexible authentication modules allow us to implement cryptocard access in a protocol-compliant way. The current ssh 1.2.27g is not the most secure way to do cryptocard authentication, as ssh protocol 1 was not designed to allow adding custom authentication modules.

This fermi ssh, based on OpenSSH v3.1p1, which will be called ssh v3.1p1f11, will include kerberos5 authentication and ticket forwarding with both protocol 1 and 2, and cryptocard access via protocol 2 only, using the "keyboard interactive challenge response" authentication method.

Many currently available ssh clients support both kerberos and cryptocard access, but not all do completely or properly.
The chart following shows capability as tested so far:

+-------------------------------------+
|             |        Servers        |
|-------------+-----------------------|
| Clients     | OpenSSH | SSH 1.2.27g |
|-------------+---------+-------------|
| OpenSSH     | KFAPC   | KFAPC       |
|-------------+---------+-------------|
| SSH 1.2.27g | KP      | KFAPC       |
|-------------+---------+-------------|
| Putty       | PC      | PC          |
|-------------+---------+-------------|
| SecureCRT   | PC      | PC          |
|-------------+---------+-------------|
| FSecure SSH | P       | PC          |
+-------------------------------------+

Key:

* K - KerberosV Authentication
* F - KerberosV TGT Forwarding
* A - AFS Token getting
* P - Password Authentication
* C - Cryptocard Access (will get Krb5 TGT and AFS token)

Note that to access a fermi kerberized machine that also uses afs, you will need a combination that supports either K, F, & A or C. If a combination supports K only, you will be able to authenticate to login and get a shell, but you won't be able to get an AFS ticket or have a forwardable kerberos ticket to be able to connect to another machine from that session.

NOTE SECURITY update

The recent openssh security issue has been fixed in this version.