HP-UX Secure Shell A.05.10.045, A.05.10.046, and A.05.10.047 Release Notes

OpenSSH 5.1 is now linked with OpenSSL A.00.09.8j instead of A.00.09.7m.
You can use the TPM chip on the system hardware to secure the host key. See the TCS page
at http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=TCS
for details on how to configure HP-UX Secure Shell to do this.
You can use HP-UX Secure Shell with the latest audit enhancements on 11i v3. See
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AuditExt
for details on how to use the 11i v3 audit enhancements.
Support for the Sftpfilecontrol Patch
HP-UX Secure Shell supports the Sftpfilecontrol patch. This patch enables administrators
to set the umask on sftp sessions and to control whether the client may issue chown and chmod
commands in an sftp session. As a result, the following server configuration directives
(/opt/ssh/etc/sshd_config) related to Sftpfilecontrol are supported in this release:
#SftpUmask
#SftpPermitChmod yes
#SftpPermitChown yes
This patch supersedes the sftplogging patch for HP-UX Secure Shell versions A.04.50 and
higher.
Defects Fixed in OpenSSH5.1p1
This section lists the defects fixed in OpenSSH5.1p1. HP-UX Secure Shell versions A.05.10.045,
A.05.10.046, and A.05.10.047 are based on OpenSSH5.1p1 and include these defect fixes. Table 1-2
lists the defects fixed in OpenSSH5.1p1.
Table 1-2 Defects Fixed in OpenSSH5.1p1
Defect Identifier: Bugzilla #1083
Defect Fix: https://bugzilla.mindrot.org/show_bug.cgi?id=1083
Background Information: Fixed test for locked accounts on HP-UX with shadowed
passwords disabled. On some HP-UX systems, sshd lets users log in with public key
authentication even if their accounts are locked. This happens on systems that
lack the shadow password feature when ssh was configured without using the
--without-shadow option.

Defect Identifier: Bugzilla #1199
Defect Fix: https://bugzilla.mindrot.org/show_bug.cgi?id=1199
Background Information: Fix ssh(1) sending invalid TTY modes when a TTY was
forced (ssh -tt) but stdin was not a TTY. In previous OpenSSH versions, when
forced pseudo-terminal allocation was requested (such as ssh -tt) while stdin was
not a terminal, the ssh client would send all-zero terminal information, which
might cause problems on some platforms. As of OpenSSH5.1, ssh sends an empty list
of modes.

Defect Identifier: Bugzilla #1200
Defect Fix: https://bugzilla.mindrot.org/show_bug.cgi?id=1200
Background Information: Strip trailing dot from hostnames when the
sshd_config(5) HostbasedUsesNameFromPacketOnly option is set.

Defect Identifier: Bugzilla #1240
Defect Fix: https://bugzilla.mindrot.org/show_bug.cgi?id=1240
Background Information: Avoid NULL dereferences in ancient sigaction replacement
code. Fix: In openbsd-compat/sigact.c, add handling for NULL dereferences
in the sigaction replacement code.

Defect Identifier: Bugzilla #1348
Defect Fix: https://bugzilla.mindrot.org/show_bug.cgi?id=1348
Background Information: Merged duplicate authentication file checks in sshd(8)
and refuse to read authorized_keys and .shosts from non-regular files.

Defect Identifier: Bugzilla #1363
Defect Fix: https://bugzilla.mindrot.org/show_bug.cgi?id=1363
Background Information: Make keepalive timeouts apply while synchronously waiting
for a packet, particularly during key renegotiation.
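
The Bugzilla #1348 entry describes refusing to read authorized_keys and .shosts from non-regular files. The following is an added example of one way to make that check, not code from OpenSSH or HP-UX Secure Shell; open_regular_only, accepted and demo are hypothetical names, and the fixture paths are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not OpenSSH's own function: open a per-user auth file
 * (authorized_keys, .shosts) only if it is a regular file; -1 on failure. */
int open_regular_only(const char *path)
{
    struct stat st;
    int fd, flags;
    /* O_NONBLOCK: opening a FIFO that has no writer must not hang the caller. */
    if ((fd = open(path, O_RDONLY | O_NONBLOCK)) == -1)
        return -1;
    /* fstat() the descriptor, not the path, so the object checked is the one
     * read; once it is known to be regular, restore blocking reads. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        (flags = fcntl(fd, F_GETFL)) == -1 ||
        fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

static int accepted(const char *path)
{
    int fd = open_regular_only(path);
    return fd == -1 ? 0 : (close(fd), 1);
}
/* Constructed fixtures: a regular file, a FIFO and a directory. Returns a
 * bitmask of accepted paths (1 = file, 2 = FIFO, 4 = directory), -1 on setup error. */
int demo(void)
{
    char dir[] = "/tmp/authfile-XXXXXX", reg[64], fifo[64];
    int fd, mask;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(reg, sizeof reg, "%s/authorized_keys", dir);
    snprintf(fifo, sizeof fifo, "%s/keys.fifo", dir);
    fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 || close(fd) == -1 || mkfifo(fifo, 0600) == -1)
        return -1;
    mask = accepted(reg) | accepted(fifo) << 1 | accepted(dir) << 2;
    unlink(reg); unlink(fifo); rmdir(dir);
    return mask;
}
int main(void) { printf("accepted mask: %d\n", demo()); return 0; }
```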