HP-UX Secure Shell A.04.30.014 and A.04.30.015 Release Notes
HP-UX 11.0, 11i v1, and 11i v2
Manufacturing Part Number: T1471-90026
August 2006
© Copyright 2006 Hewlett-Packard Development Company, L.P.

Legal Notices

The information contained herein is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Contents

HP-UX Secure Shell A.04.30.014 and A.04.30.015
  Announcement
  Secure Shell Versions on HP-UX
  New Features in HP-UX Secure Shell A.04.30.014 and A.04.30.015
    Modified chroot Script

HP-UX Secure Shell A.04.30.014 and A.04.30.015

This document discusses the most recent product information for HP-UX Secure Shell versions A.04.30.014 and A.04.30.
HP-UX 11.0, HP-UX 11i v1, and HP-UX 11i v2. This document addresses the following topics:

• “Announcement”
• “Secure Shell Versions on HP-UX”
• “New Features in HP-UX Secure Shell A.04.30.014 and A.04.30.015”
• “Unsupported Features”
• “Defects Fixed in HP-UX Secure Shell Versions A.04.30.014 and A.04.30.

Announcement

HP-UX Secure Shell Versions A.04.30.014 and A.04.30.015 are based on OpenSSH 4.3p2. HP-UX Secure Shell supports the SSH-1 and SSH-2 protocols and provides secured remote login, file transfer, and remote command execution. HP-UX Secure Shell uses hashing to ensure data integrity. HP-UX Secure Shell also provides secure tunneling features, port forwarding, and an SSH agent to maintain private keys on the client.

Secure Shell Versions on HP-UX

Table 1 lists the versions of HP-UX Secure Shell products that are available for HP-UX 11.0, 11i v1, and 11i v2.

Table 1 Availability of Secure Shell Versions on HP-UX

Supported Operating System   Version
HP-UX 11.0                   HP-UX Secure Shell Version A.04.30.014
HP-UX 11i v1                 HP-UX Secure Shell Version A.04.30.014
HP-UX 11i v2                 HP-UX Secure Shell Version A.04.30.

New Features in HP-UX Secure Shell A.04.30.014 and A.04.30.015

Following are the new features in HP-UX Secure Shell Versions A.04.30.014 and A.04.30.015:

Modified chroot Script

The chroot script is modified, and the permissions on the user’s home directory are set to 700 instead of 755.

New Features Introduced in HP-UX Secure Shell A.04.30.006 and A.04.30.007

This version of HP-UX Secure Shell includes the following features introduced in HP-UX Secure Shell A.04.30.006 and A.04.30.007:

Provide an sftponly Solution in a chroot Environment

In a chroot environment, you can allow users to log in using sftp only. The ssh and scp commands are not available.

Unsupported Features

Starting with HP-UX Secure Shell A.03.81, the following features are not supported:

• The KerberosGetAFSToken option for sshd(8)
  This configuration directive specifies whether to accept forwarded Andrew File System (AFS) tokens.
• Host keys in DNS (draft-ietf-secsh-dns-xx.txt)
  HP-UX Secure Shell does not support this configuration option.

Defects Fixed in OpenSSH 4.3p2

HP-UX Secure Shell Versions A.04.30.014 and A.04.30.015 are based on OpenSSH 4.3p2. The defects fixed in OpenSSH 4.3p2 are also available in HP-UX Secure Shell A.04.30.014 and A.04.30.015. Table 2 lists the defects fixed in OpenSSH 4.3p2.

Table 2 Defect Fixes in HP-UX Secure Shell A.04.03.

Table 2 Defect Fixes in HP-UX Secure Shell A.04.03.014/015 (Continued)

Identifier       Description
Bugzilla #1076   Set SO_REUSEADDR on X11 listeners to avoid problems caused by lingering messages on the same port (caused by a previous instance of the same listener daemon).
Bugzilla #1082   The Xauth list invocation has bogus "." argument.

Defects Fixed in HP-UX Secure Shell Versions A.04.30.014 and A.04.30.015

All defect fixes included in previous versions of HP-UX Secure Shell are also included in HP-UX Secure Shell A.04.30.014 and A.04.30.015. Table 3 lists the defects fixed in HP-UX Secure Shell Versions A.04.30.014/015:

Table 3 Defects Fixed in HP-UX Secure Shell A.04.30.
• Every time a chroot user in a trusted environment enters a wrong password, the failed login counter increments. However, the counter is not reset when the user enters the correct password. As a result, the account is disabled.

Defects Fixed in HP-UX Secure Shell A.04.30.006 and A.04.30.007

Table 4 lists the defects that are fixed in HP-UX Secure Shell A.04.30.006 and A.04.30.007.

This version of HP-UX Secure Shell also includes the following defect fixed in HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007:

• Users are unable to log in to a chroot environment using sftp. This issue occurred because the /dev/null file is not present in a chroot environment. From HP-UX Secure Shell Versions A.04.30.006 and A.04.30.

Known Problems and Workarounds

Following are the known problems and workarounds in HP-UX Secure Shell A.04.30.014 and A.04.30.015:

• The following SMSE behavior is seen in this version of HP-UX Secure Shell: Audit log messages show repeated entries for a user. This occurs because bad login attempts are logged in the audit file.
These error messages appear only when the daemon is running in debug mode. They are not relevant to (and do not affect) HP-UX Secure Shell operations. The PAM function pam_setcred() generates this message. These error messages appear during the scenarios listed in Table 5.
• The chroot functionality does not work if the UseLogin configuration directive in sshd_config is set to YES.
• In a chroot-ed environment, users do not see a subset of syslog messages. HP-UX Secure Shell writes syslog messages at the time of authentication and when the session is terminated. The syslogd daemon reads the syslog messages written by all subsystems and reports them to the /dev/log file.

HP-UX Secure Shell and the Strong Random Number Generator

HP-UX Secure Shell requires that a random number generator be located on the system. It searches for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random number generator program.

Related Documents

The following additional documentation is available for HP-UX Secure Shell:

• HP-UX Secure Shell Getting Started Guide on the Internet and Security Solutions page at: http://www.docs.hp.com/en/internet.html#Secure%20Shell
• The README file at /opt/ssh/README.hp. You must install HP-UX Secure Shell to access this file.

Prerequisites

This section discusses the prerequisites for installing HP-UX Secure Shell A.04.30.014/015.

System Requirements

Table 6 lists the minimum system requirements for installing HP-UX Secure Shell Versions A.04.30.014 or A.04.30.015.

Table 6 System Requirements for Installing HP-UX Secure Shell A.04.30.014/015

Component          Requirement
Operating System   • HP-UX 11.
Hardware

Patch Requirements

HP has tested HP-UX Secure Shell Versions A.04.30.014 and A.04.30.015 with the Support Plus patches listed in Table 7. HP recommends that HP-UX 11.0 customers install these Support Plus patches. HP mandates that HP-UX 11i v1 customers must install these Support Plus patches.

Table 7 Quality Packs for HP-UX 11.0 and 11i v1

Operating System   Recommended Support Plus Patch Date / Release # / Part #
HP-UX 11.

HP recommends that you install the libc patches listed in Table 8 with HP-UX Secure Shell Versions A.04.30.014 and A.04.30.015:

Table 8 libc Patches

Operating System Version   Patch
HP-UX 11.0                 PHCO_25976
HP-UX 11i v1               PHCO_27740
HP-UX 11i v2               No libc patch required

HP recommends that you install the PAM patches listed in Table 9 with HP-UX Secure Shell Versions A.04.30.014 and A.04.30.

Table 10 pthreads Patches

Operating System Version   Patch
HP-UX 11.

HP-UX Secure Shell Software Availability

HP-UX Secure Shell is available on the following:

• HP Software Depot at: http://www.software.hp.com
• HP-UX Application Release CDs
• HP-UX 11i v1 Operating Environment (OE)
• HP-UX 11i v2 Operating Environment (OE)

NOTE: HP-UX Secure Shell is available on the HP-UX Application Release CD, HP-UX 11i v1 OE, and HP-UX 11i v2 OE whenever the CD and OEs are available.

Installing HP-UX Secure Shell

You do not need to remove any previous versions of HP-UX Secure Shell before upgrading to HP-UX Secure Shell Versions A.04.30.014 or A.04.30.015. However, if you are reverting to an older version of HP-UX Secure Shell, HP recommends that you remove the new product before reverting to the older version.

To install HP-UX Secure Shell, complete the following steps:

Step 1. Log in as superuser.
Step 2.

HP-UX Secure Shell and chroot Environments

HP-UX Secure Shell Versions A.04.30.014 and A.04.30.015 support chroot functionality for the ssh, sftp, and scp commands. The chroot functionality is mainly used as an added security measure. When you enable chroot, you can start an application in a specified directory and give all its users access to that directory and the directories below it.
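
The following script checks a chroot setup against three chroot items from these release notes: the 700 home-directory mode, the /dev/null file that sftp logins need, and the UseLogin restriction. It is an added example, not HP's chroot script; the function names and the three paths passed as arguments (sshd_config file, chroot root, user home directory) are assumptions.

```shell
#!/bin/sh
# Added example: audit a chroot setup against three items in these release notes.
# The config path, chroot root and home directory are caller-supplied assumptions.

# Print the effective UseLogin value. sshd_config keywords are case-insensitive
# and the first occurrence wins; "no" is printed when the keyword is unset.
# The value is lowercased so that "YES" is flagged as well (conservative choice).
uselogin_value() {
    awk '{ line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
         tolower(f[1]) == "uselogin" { print tolower(f[2]); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# True only when the directory is exactly mode 700 (drwx------).
# ls is parsed because a stat(1) command is not available on every system.
home_is_private() {
    [ -d "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# True when the chroot tree contains /dev/null as a character device.
chroot_has_devnull() {
    [ -c "$1/dev/null" ]
}

# usage: audit_chroot <sshd_config> <chroot_root> <home_dir>
audit_chroot() {
    rc=0
    if [ "$(uselogin_value "$1")" = "yes" ]; then
        echo "FAIL: UseLogin is yes in $1; chroot does not work"; rc=1
    fi
    if ! chroot_has_devnull "$2"; then
        echo "FAIL: $2/dev/null is not a character device; sftp logins fail"; rc=1
    fi
    if ! home_is_private "$3"; then
        echo "FAIL: $3 is not mode 700"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: chroot checks passed"; fi
    return "$rc"
}

# Run the audit when called with the three paths as arguments.
if [ "$#" -eq 3 ]; then audit_chroot "$@"; fi
```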

Frequently Asked Questions (FAQ)

This section discusses questions frequently asked about HP-UX Secure Shell.

What is the difference between HP-UX Secure Shell A.04.30 and OpenSSH 4.3p2?

OpenSSH 4.3p2 is the latest free version of the SSH protocol suite of network connectivity tools. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.

Is HP-UX Secure Shell vulnerable to the reported double free bug in the zlib compression algorithm documented at http://www.cert.org/advisories/CA-2002-07.html?

All versions of HP-UX Secure Shell starting from A.03.10 are built with support for zlib-1.1.4 or later. So, HP-UX Secure Shell is not affected by the bug described above. HP-UX Secure Shell A.04.30.014/015 is built with zlib v1.2.3.