HP-UX Secure Shell A.04.40.006 and A.04.40.007 Release Notes

HP-UX 11i v1 and HP-UX 11i v2

Manufacturing Part Number: 5991-7517
November 2006

© Copyright 2006 Hewlett-Packard Development Company, L.P.
Legal Notices

Copyright 2006 Hewlett-Packard Company, L.P.

Confidential Computer Software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.11 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

The information contained herein is subject to change without notice.
Contents

HP-UX Secure Shell A04.40.006 and A.04.40.007
• Announcement
• Secure Shell Versions on HP-UX
• Obsolescence of HP-UX Secure Shell on 11.0
• New Features in HP-UX Secure Shell A.04.40.006 and A.04.40.007
HP-UX Secure Shell A04.40.006 and A.04.40.007

This document discusses the most recent product information for HP-UX Secure Shell Versions A.04.40.006 and A.04.40.
HP-UX 11i v1 and HP-UX 11i v2. This document addresses the following topics:

• “Announcement”
• “Secure Shell Versions on HP-UX”
• “New Features in HP-UX Secure Shell A.04.40.006 and A.04.40.007”
• “New Features in OpenSSH 4.4p1”
• “Unsupported Features”
• “Defects Fixed in OpenSSH 4.
Announcement

HP-UX Secure Shell Versions A.04.40.006 and A.04.40.007 are based on OpenSSH 4.4p1. HP-UX Secure Shell supports the SSH-1 and SSH-2 protocols and provides secured remote login, file transfer, and remote command execution. HP-UX Secure Shell uses hashing to ensure data integrity. It also provides secure tunneling features, port forwarding, and an SSH agent to maintain private keys on the client.
Secure Shell Versions on HP-UX

Table 1 lists the versions of HP-UX Secure Shell products that are available for HP-UX 11i v1 and HP-UX 11i v2.

Table 1 Availability of Secure Shell Versions on HP-UX

Supported Operating System Version    HP-UX Secure Shell Version
HP-UX 11i v1                          A.04.40.006
HP-UX 11i v2                          A.04.40.007

Obsolescence of HP-UX Secure Shell on 11.
New Features in HP-UX Secure Shell A.04.40.006 and A.04.40.007

HP-UX Secure Shell A.04.40.006 and A.04.40.007 support the following new features:

• “The ssh ControlMaster for Connection Sharing Allows 128 Sessions”
• “HPN Enhancement”

HP-UX Secure Shell Versions A.04.40.006 and A.04.40.007 also include the following new features available in OpenSSH 4.
On the ssh Client:

    open failed: administratively prohibited: open failed

On the ssh Server syslog File:

    error: no more sessions

In HP-UX Secure Shell A.04.40.006 and A.04.40.007, the MAX_SESSIONS parameter is hard coded as 128. This enables users to share up to 128 connections.

IMPORTANT: You must ensure that the maxfiles kernel parameter is tuned to the appropriate value on the server.
New Features in OpenSSH 4.4p1

The following new features were introduced in OpenSSH 4.4p1. These features are also available in HP-UX Secure Shell Versions A.04.40.006 and A.04.40.007 because these versions are based on OpenSSH 4.4p1.
• “The ForceCommand Directive”
• “The PermitOpen Directive”

The ForceCommand Directive

The ForceCommand directive forces the execution of the command specified by ForceCommand, ignoring any other command supplied by the client. Previous releases of OpenSSH specified this option in the authorized_keys file.
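A defender's check for the two directives above, as an added example that is not HP or OpenSSH code: it lists each Match block in an sshd_config (Match blocks were also introduced in OpenSSH 4.4p1) with the ForceCommand and PermitOpen values set inside it, and names the blocks that are missing either one. The sample configuration, with its users, hosts and paths, is constructed.

```shell
#!/bin/sh
# Added example: list sshd_config Match blocks and the ForceCommand and
# PermitOpen values set inside each one.

# Constructed sample input (hypothetical users, hosts and paths).
sample_sshd_config() {
    cat <<'EOF'
# global section
Protocol 2
Match User backup
    ForceCommand /usr/local/bin/backup-receive
    PermitOpen localhost:873
Match Group tunnel
    permitopen db.example.internal:5432
Match User deploy
    AllowTcpForwarding no
EOF
}

# Prints "<criteria> TAB <ForceCommand or -> TAB <PermitOpen or ->" for each
# Match block read from the named files or stdin. Assumes whitespace-separated
# "Keyword value" lines; directives set globally, outside any Match block,
# are not reported.
audit_match_blocks() {
    awk '
        function emit() {
            if (in_match) print crit "\t" (fc == "" ? "-" : fc) "\t" (po == "" ? "-" : po)
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            key = tolower($1)                 # keywords are case-insensitive
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)   # drop keyword, keep argument
        }
        key == "match" { emit(); in_match = 1; crit = val; fc = ""; po = ""; next }
        # sshd uses the first value it sees for a keyword, so keep the first.
        in_match && key == "forcecommand" && fc == "" { fc = val }
        in_match && key == "permitopen"   && po == "" { po = val }
        END { emit() }
    ' "$@"
}

# Criteria of Match blocks that leave the command or the forwarding
# destinations unrestricted.
unrestricted_match_blocks() {
    audit_match_blocks "$@" | awk -F'\t' '$2 == "-" || $3 == "-" { print $1 }'
}

sample_sshd_config | unrestricted_match_blocks
```

Run against a real file with `unrestricted_match_blocks /path/to/sshd_config`; a block reported here is only a finding if the account it matches is meant to be restricted.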
Optional Logging of Transactions to sftp-server

In earlier releases of OpenSSH, the sftp transactions are logged using LogSftp, SftpLogFacility, and SftpLogLevel configuration directives. Starting with OpenSSH 4.4p1, the LogLevel and LogFacility command-line options are added to sftp-server.
Added ExitOnForwardFailure Option

In earlier versions of OpenSSH, ssh does not terminate if port forwarding requests fail. Starting with OpenSSH 4.4p1, an ExitOnForwardFailure option is added so that ssh exits with a non-zero value if port forwarding requests fail.
Unsupported Features

Starting with HP-UX Secure Shell Versions A.04.40.006 and A.04.40.
Defects Fixed in OpenSSH 4.4p1

The following important defect fixes in OpenSSH 4.4p1 are included in HP-UX Secure Shell A.04.40.006 and A.04.40.007:

• Fixed a pre-authentication denial of service that causes the sshd daemon to spin until the login grace time expires.
• Fixed an unsafe signal handler that can be exploited to perform a pre-authentication denial of service.
Table 2 Additional Defects Fixed in OpenSSH 4.4p1 (Continued)

Bugzilla #        Defect Description
Bugzilla #1162    Inappropriate sequence of syslog messages.
Bugzilla #1186    The ssh command tries to open unprotected keys multiple times.
Bugzilla #1188    Keyboard interactive authorization does not allow the user to retry login if pam_acct_mgmt() fails.
Known Problems and Workarounds

The following are the known problems and workarounds in HP-UX Secure Shell A.04.40.006 and A.04.40.007:

• The following SMSE behavior is seen in this version of HP-UX Secure Shell: Audit log messages show repeated entries for a user. This occurs because bad login attempts are logged in the audit file.
These error messages appear only when the daemon is running in debug mode. These error messages are not relevant to (and do not affect) HP-UX Secure Shell operations. The PAM function pam_setcred() generates this message. These error messages appear during the scenarios listed in Table 3.
• The chroot functionality does not work if the UseLogin configuration directive in sshd_config is set to YES.
• In a chroot-ed environment, users do not see a subset of syslog messages. HP-UX Secure Shell writes syslog messages at the time of authentication and when the session is terminated. The syslogd daemon reads the syslog messages written by all subsystems and reports them to the /dev/log file.
HP-UX Secure Shell and the Strong Random Number Generator

HP-UX Secure Shell requires that a random number generator be located on the system. It searches for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random number generator program.
Related Documents

The following additional documentation is available for HP-UX Secure Shell:

• HP-UX Secure Shell Getting Started Guide on the Internet and Security Solutions page at: http://www.docs.hp.com/en/internet.html#Secure%20Shell
• The README file at /opt/ssh/README.hp. You must install HP-UX Secure Shell to access this file.
Prerequisites

This section discusses the prerequisites for installing HP-UX Secure Shell Versions A.04.40.006 and A.04.40.007.

System Requirements

Table 4 lists the minimum system requirements for installing HP-UX Secure Shell Versions A.04.40.006 or A.04.40.007.

Table 4 System Requirements for Installing HP-UX Secure Shell A.04.40.006 or A.04.40.
The HP-UX 11i v1 (B.11.11) Support Plus release media contains the standard HP-UX patch bundles, which are also available on the HP IT Resource Center Web site. The HP-UX 11i v1 (B.11.11) Support Plus release media for December 2002 also contains the required patches. If you do not have access to the media, complete the following steps:

Step 1. Go to the IT Resource Center (ITRC): http://www.itrc.hp.com

Step 2.
NOTE: The PHCO_33215 patch fixes a PAM-related issue. Without this patch, pam_acct_mgmt() returned success messages on locked accounts. With this patch, account management fails for locked accounts (this is the appropriate behavior). In order to log in using ssh, users must unlock their accounts.
HP-UX Secure Shell Software Availability

HP-UX Secure Shell is available on the following:

• HP Software Depot at: http://www.software.hp.
Installing HP-UX Secure Shell

You do not need to remove any previous versions of HP-UX Secure Shell before upgrading to HP-UX Secure Shell Versions A.04.40.006 or A.04.40.007. However, if you are reverting to an older version of HP-UX Secure Shell, HP recommends that you remove the new product before reverting to the older version. To install HP-UX Secure Shell, complete the following steps:

Step 1. Log in as superuser.

Step 2.
HP-UX Secure Shell and chroot Environments

HP-UX Secure Shell Versions A.04.40.006 and A.04.40.007 support chroot functionality for the ssh, sftp, and scp commands. The chroot functionality is mainly used as an added security measure. When you enable chroot, you can start an application in a specified directory and allow all its users access to that directory and the directories below it.
Frequently Asked Questions (FAQ)

This section discusses questions frequently asked about HP-UX Secure Shell.

What is the difference between HP-UX Secure Shell A.04.40 and OpenSSH 4.4p1?

OpenSSH 4.4p1 is the latest free version of the SSH protocol suite of network connectivity tools. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
Is HP-UX Secure Shell vulnerable to the reported double free bug in the zlib compression algorithm documented at http://www.cert.org/advisories/CA-2002-07.html?

All versions of HP-UX Secure Shell starting from A.03.10 are built with support for zlib-1.1.4 or later. So, HP-UX Secure Shell is not affected by the bug described above. HP-UX Secure Shell Versions A.04.40.006 and A.04.40.007 are built with zlib v1.2.3.