HP-UX Secure Shell A.04.40.005, A.04.40.006 and A.04.40.007 Release Notes

HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3

Manufacturing Part Number: 5991-7494
February 2007

© Copyright 2007 Hewlett-Packard Development Company, L.P.
Legal Notices

Copyright 2007 Hewlett-Packard Company, L.P.

Confidential Computer Software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.11 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

The information contained herein is subject to change without notice.
Contents

HP-UX Secure Shell A.04.40.005, A.04.40.006 and A.04.40.007
  Announcement
  Secure Shell Versions on HP-UX
  Obsolescence of HP-UX Secure Shell on 11.0
  New Features in HP-UX Secure Shell A.04.40.005, A.04.40.006 and A.04.40.007
HP-UX Secure Shell A.04.40.005, A.04.40.006 and A.04.40.007

This document discusses the most recent product information for HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 and A.04.40.
HP-UX Secure Shell A.04.40.005, A.04.40.006 and A.04.40.007 supported on HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3.

This document addresses the following topics:

• “Announcement”
• “Secure Shell Versions on HP-UX”
• “New Features in HP-UX Secure Shell A.04.40.005, A.04.40.006 and A.04.40.007”
• “New Features in OpenSSH 4.4p1”
• “Unsupported Features”
• “Defects Fixed in OpenSSH 4.
Announcement

HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 and A.04.40.007 are based on OpenSSH 4.4p1. HP-UX Secure Shell supports the SSH-1 and SSH-2 protocols and provides secured remote login, file transfer, and remote command execution. HP-UX Secure Shell uses hashing to ensure data integrity. It also provides secure tunneling features, port forwarding, and an SSH agent to maintain private keys on the client.
Secure Shell Versions on HP-UX

Table 1 lists the versions of HP-UX Secure Shell products that are available for HP-UX 11i v1 and HP-UX 11i v2.

Table 1 Availability of Secure Shell Versions on HP-UX

Supported Operating System    Version
HP-UX 11i v1                  HP-UX Secure Shell Version A.04.40.006
HP-UX 11i v2                  HP-UX Secure Shell Version A.04.40.007
HP-UX 11i v3                  HP-UX Secure Shell Version A.04.40.
New Features in HP-UX Secure Shell A.04.40.005, A.04.40.006 and A.04.40.007

This version of HP-UX Secure Shell supports the following new features:

• “The ssh ControlMaster for Connection Sharing Allows 128 Sessions”
• “HPN Enhancement”

This version of HP-UX Secure Shell also includes the following new features available in OpenSSH 4.
On the ssh Client:

open failed: administratively prohibited: open failed

On the ssh Server syslog File:

error: no more sessions

In this version of HP-UX Secure Shell, the MAX_SESSIONS parameter is hard coded as 128. This enables users to share up to 128 connections.
New Features in OpenSSH 4.4p1

Following are the new features introduced in OpenSSH 4.4p1. These features are also available in HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 and A.04.40.007 because these versions are based on OpenSSH 4.4p1.
New Configuration Directives in the sshd_config File

The following new configuration directives are added to the sshd_config file:

• “The ForceCommand Directive”
• “The PermitOpen Directive”

The ForceCommand Directive

The ForceCommand directive forces the execution of the command specified by ForceCommand, ignoring any other command supplied by the client.
SSH does not enable the user to forward traffic to the system. It allows forwardings only to the host specified by the PermitOpen directive.

Optional Logging of Transactions to sftp-server

In earlier releases of OpenSSH, the sftp transactions are logged using LogSftp, SftpLogFacility, and SftpLogLevel configuration directives. Starting with OpenSSH 4.
This enhancement enables clients to connect to multiple sshd servers running on non-standard ports with different hostkeys. Connections using the default port (port 22) and ones that use HostKeyAlias (regardless of the port) are not affected by this enhancement.

Added ExitOnForwardFailure Option

In earlier versions of OpenSSH, ssh does not terminate if port forwarding requests fail. Starting with OpenSSH 4.
Replacement of malloc(3) and realloc(3) Invocations

Starting with OpenSSH 4.4p1, all invocations of malloc() and realloc() that are susceptible to integer overflow are replaced with the failure-checked allocation functions xcalloc() and xasprintf().
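The class of bug this change removes, as an added example that is not OpenSSH or HP code: an unchecked nmemb * size multiplication wraps around to a tiny request, while a checked allocator refuses it. The names unchecked_alloc_size, checked_calloc, hostile_count and struct entry are hypothetical, and the sample count is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed record type; stands in for any fixed-size element. */
struct entry { uint32_t id; uint32_t len; };

/* Byte count an unchecked malloc(nmemb * size) call would request.
 * size_t arithmetic wraps silently, so a huge count can yield a tiny size. */
static size_t unchecked_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Hypothetical checked allocator (not OpenSSH's xcalloc): refuses zero-sized
 * and overflowing requests, and reports failure by returning NULL. */
static void *checked_calloc(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return NULL;
    if (nmemb > SIZE_MAX / size)      /* nmemb * size would exceed SIZE_MAX */
        return NULL;
    return calloc(nmemb, size);
}

/* Constructed hostile count: one past the smallest overflowing count, so the
 * product wraps around to exactly one element's worth of bytes. */
static size_t hostile_count(void)
{
    return SIZE_MAX / sizeof(struct entry) + 2;
}

int main(void)
{
    size_t n = hostile_count();
    void *p = checked_calloc(n, sizeof(struct entry));

    printf("claimed entries:   %zu\n", n);
    printf("unchecked request: %zu bytes\n",
           unchecked_alloc_size(n, sizeof(struct entry)));
    printf("checked_calloc:    %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```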
Defects Fixed in OpenSSH 4.4p1

The following important defect fixes from OpenSSH 4.4p1 are included in this version of HP-UX Secure Shell:

• Fixed a pre-authentication denial of service that causes the sshd daemon to spin until the login grace time expires.
• Fixed an unsafe signal handler that can be exploited to perform a pre-authentication denial of service.
Table 2 Additional Defects Fixed in OpenSSH 4.4p1 (Continued)

Bugzilla #        Defect Description
Bugzilla #1162    Inappropriate sequence of syslog messages.
Bugzilla #1186    The ssh command tries to open unprotected keys multiple times.
Bugzilla #1188    Keyboard interactive authorization does not allow the user to retry login if pam_acct_mgmt() fails.
Known Problems and Workarounds

Following are the known problems and workarounds in HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 and A.04.40.007:

• The following SMSE behavior is seen in this version of HP-UX Secure Shell: Audit log messages show repeated entries for a user. This occurs because bad login attempts are logged in the audit file.
These error messages appear only when the daemon is running in debug mode. These error messages are not relevant to (and do not affect) HP-UX Secure Shell operations. The PAM function pam_setcred() generates this message. These error messages appear during the scenarios listed in Table 3.
• The chroot functionality does not work if the UseLogin configuration directive in sshd_config is set to YES.
• In a chroot-ed environment, users do not see a subset of syslog messages. HP-UX Secure Shell writes syslog messages at the time of authentication and when the session is terminated. The syslogd daemon reads the syslog messages written by all subsystems and reports them to the /dev/log file.
HP-UX Secure Shell and the Strong Random Number Generator

HP-UX Secure Shell requires that a random number generator be located on the system. It searches for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random number generator program.
Related Documents

The following additional documentation is available for HP-UX Secure Shell:

• HP-UX Secure Shell Getting Started Guide on the Internet and Security Solutions page at: http://www.docs.hp.com/en/internet.html#Secure%20Shell
• The README file at /opt/ssh/README.hp. You must install HP-UX Secure Shell to access this file.
Prerequisites

This section discusses the prerequisites for installing HP-UX Secure Shell Versions A.04.40.005, A.04.40.006, and A.04.40.007.

System Requirements

Table 4 lists the minimum system requirements for installing HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 or A.04.40.007.

Table 4 System Requirements for Installing HP-UX Secure Shell A.04.40.005, A.04.40.006 or A.04.40.
Table 5 Quality Pack Requirements for HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 (Continued)

Operating System    Recommended Support Plus Patch Date / Release # / Part #
HP-UX 11i v2        No Quality Packs Required
HP-UX 11i v3        No Quality Packs Required

The HP-UX 11i v1 (B.11.11) Support Plus release media contains the standard HP-UX patch bundles, which are also available on the HP IT Resource Center Web site. The HP-UX 11i v1 (B.
HP recommends that you install the libc, PAM, and pthreads patches listed in Table 6 with HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 and A.04.40.
HP-UX Secure Shell Software Availability

HP-UX Secure Shell is available on the following:

• HP Software Depot at: http://www.software.hp.
Installing HP-UX Secure Shell

You do not need to remove any previous versions of HP-UX Secure Shell before upgrading to HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 or A.04.40.007. However, if you are reverting to an older version of HP-UX Secure Shell, HP recommends that you remove the new product before reverting to the older version.

To install HP-UX Secure Shell, complete the following steps:

Step 1.
HP-UX Secure Shell and chroot Environments

HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 and A.04.40.007 support chroot functionality for the ssh, sftp, and scp commands. The chroot functionality is mainly used as an added security measure. When you enable chroot, you can start an application in a specified directory and give all its users access to that directory and the directories below it.
Frequently Asked Questions (FAQ)

This section discusses questions frequently asked about HP-UX Secure Shell.

What is the difference between HP-UX Secure Shell A.04.40 and OpenSSH 4.4p1?

OpenSSH 4.4p1 is the latest free version of the SSH protocol suite of network connectivity tools. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
Is HP-UX Secure Shell vulnerable to the reported double free bug in the zlib compression algorithm documented at http://www.cert.org/advisories/CA-2002-07.html?

All versions of HP-UX Secure Shell starting from A.03.10 are built with support for zlib-1.1.4 or later. So, HP-UX Secure Shell is not affected by the bug described above. HP-UX Secure Shell Versions A.04.40.005, A.04.40.006 and A.04.40.