HP-UX Secure Shell A.05.10.006, A.05.10.007, and A.05.10.008 Release Notes HP-UX 11i v1, 11i v2, and 11i v3

rejection of changed host keys.
sshd_config(5) now supports CIDR address/masklen matching
in "Match address" blocks, with a fallback to classic wildcard matching.
sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys from="..." restrictions, also
with a fallback to classic wildcard matching.
Added an extended test mode (-T) to sshd(8) to request that it write its effective configuration
to stdout and exit. Extended test mode also supports the specification of connection
parameters (username, source address and hostname) to test the application of sshd_config(5)
Match rules.
ssh(1) now prints the number of bytes transferred and the overall connection throughput
for SSH protocol 2 sessions when in verbose mode (previously these statistics were displayed
for protocol 1 connections only).
sftp-server(8) now supports extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations.
sftp(1) now has a "df" command that uses the statvfs@openssh.com extension to
produce a df(1)-like display of filesystem space and inode utilisation (requires
statvfs@openssh.com support on the server).
Added a MaxSessions option to sshd_config(5) to allow control of the number of multiplexed
sessions supported over a single TCP connection. This allows increasing the number of
allowed sessions above the previous default of 10, disabling connection multiplexing
(MaxSessions=1) or disallowing login/shell/subsystem sessions entirely (MaxSessions=0).
Added a no-more-sessions@openssh.com global request extension that is sent from ssh(1)
to sshd(8) when the client knows that it will never request another session (i.e. when session
multiplexing is disabled). This allows a server to disallow further session requests and
terminate the session in cases where the client has been hijacked.
ssh-keygen(1) now supports the use of the -l option in combination with -F to search for a
host in ~/.ssh/known_hosts and display its fingerprint.
ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of "rsa1".
Added an AllowAgentForwarding option to sshd_config(5) to control whether authentication
agent forwarding is permitted. Note that this is a loose control, as a client may install their
own unofficial forwarder.
ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving network data,
resulting in a speedup.
ssh(1) and sshd(8) will now try additional addresses when connecting to a port forward
destination whose DNS name resolves to more than one address. The previous behavior
was to try only the first address and give up if that failed.
ssh(1) and sshd(8) now support signalling that channels are half-closed for writing, through
a channel protocol extension notification "eow@openssh.com". This allows propagation of
closed file descriptors, so that commands such as: "ssh -2 localhost od /bin/ls | true" do not
send unnecessary data over the wire.
sshd(8): increased the default size of ssh protocol 1 ephemeral keys from 768 to 1024 bits.
When ssh(1) has been requested to fork after authentication ("ssh -f") with
ExitOnForwardFailure enabled, delay the fork until after replies for any -R forwards have
been seen. Allows for robust detection of -R forward failure when using -f.
"Match group" blocks in sshd_config(5) now support negation of groups. E.g. "Match group
staff,!guests".
sftp(1) and sftp-server(8) now allow chmod-like operations to set set[ug]id/sticky bits.
The MaxAuthTries option is now permitted in sshd_config(5) match blocks.
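
The CIDR matching with wildcard fallback described above for "Match address" blocks and from="..." restrictions, sketched as an added Python example (not part of these release notes and not OpenSSH's own code). The function names are hypothetical; treating a leading '!' as negation and raising on a malformed address/masklen are assumptions of this sketch.

```python
import ipaddress
import re


def wildcard_match(pattern: str, text: str) -> bool:
    """Classic wildcard match: only '*' and '?' are special."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, text) is not None


def pattern_matches(pattern: str, addr: str) -> bool:
    """Try the pattern as address/masklen first, then fall back to wildcards."""
    try:
        net = ipaddress.ip_network(pattern, strict=True)
    except ValueError:
        if "/" in pattern:
            # Assumption of this sketch: a malformed address/masklen is a
            # configuration error worth surfacing, not a silent non-match.
            raise ValueError(f"invalid address/masklen: {pattern!r}")
        return wildcard_match(pattern, addr)
    return ipaddress.ip_address(addr) in net  # False if IPv4/IPv6 differ


def address_list_matches(addr: str, pattern_list: str) -> bool:
    """Evaluate a comma-separated list; a matching '!pattern' vetoes the list."""
    matched = False
    for raw in pattern_list.split(","):
        pattern = raw.strip()
        negated = pattern.startswith("!")
        pattern = pattern.lstrip("!")
        if not pattern:
            continue
        if pattern_matches(pattern, addr):
            if negated:
                return False
            matched = True
    return matched


# Constructed sample rules and source addresses (documentation ranges).
RULES = ["192.0.2.0/24", "198.51.100.*", "10.0.0.0/8,!10.9.0.0/16", "2001:db8::/32"]
SOURCES = ["192.0.2.77", "198.51.100.4", "10.9.3.1", "10.2.3.4", "2001:db8::5"]

if __name__ == "__main__":
    for rule in RULES:
        hits = [s for s in SOURCES if address_list_matches(s, rule)]
        print(f"{rule:28} -> {hits}")
```

A wildcard such as 10.1* also matches 10.100.0.1, which is the kind of over-broad rule the address/masklen form avoids.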