HP-UX Secure Shell A.05.20.013, A.05.20.014, and A.05.20.015 Release Notes

NOTE: The sshd daemon is pre-configured, and it is started after installation.
The swinstall command installs HP-UX Secure Shell in the /opt/ssh/ directory.
HP-UX Secure Shell and chroot Environments
HP-UX Secure Shell version A.05.20 supports chroot functionality for the ssh, sftp, and scp
commands. The chroot functionality is mainly used as an added security measure.
When you enable chroot, you can start an application in a specified directory and give all its
users access to that directory and the directories below it. It prevents users from using the cd
command to access directories at a higher level. Use this functionality to enable restricted file
and directory access to users of a particular application. This is not an end-user feature. The
system administrator must enable the chroot functionality for an application. All users of that
application will automatically be subject to the restrictions imposed by chroot.
See the README file at /opt/ssh/README.hp for more information on setting up the chroot
functionality. The chroot setup script is available at
/opt/ssh/utils/ssh_chroot_setup.sh.
Frequently Asked Questions (FAQ)
This section discusses questions frequently asked about HP-UX Secure Shell.
1 What is the difference between HP-UX Secure Shell A.05.00 and OpenSSH 5.0p1?
OpenSSH 5.0p1 is a free version of the SSH protocol suite of network connectivity tools that
increasing numbers of people on the Internet are coming to rely on. OpenSSH supports SSH
protocol versions 1.3, 1.5, and 2.0.
HP-UX Secure Shell is a binary package compiled with support for PAM, gssapi, krb5, and libwrap,
and without support for Smartcard. HP-UX Secure Shell is built to install and un-install using the
SD-UX utility and includes all required pre-requisites.
2 How do I find out the version of HP-UX Secure Shell I am using? How do I find out whether
I am running HP-UX Secure Shell or the public domain version of OpenSSH?
Use the swlist command to display the name and version number of HP-UX Secure Shell.
For example:
# swlist | grep T1471AA
T1471AA A.05.00 HP-UX Secure Shell
You can also use the what command shown in the example below:
# what /usr/bin/scp
3 Is libwrap.a linked in HP-UX Secure Shell? Must I only configure hosts.allow and
hosts.deny to use the access control provided by tcp_wrapper?
Yes, the libwrap.a archive library, consisting of tcp_wrapper version 7.6-ipv6.4,
is linked to HP-UX Secure Shell. You only need to configure hosts.allow and hosts.deny
to use the access control provided by tcp_wrapper.
4 Is HP-UX Secure Shell vulnerable to the reported double free bug in the zlib compression
algorithm documented at http://www.cert.org/advisories/CA-2002-07.html?
All versions of HP-UX Secure Shell starting from A.03.10 are built with support for
zlib-1.1.4 or later. So, HP-UX Secure Shell is not affected by the bug described above.
HP-UX Secure Shell versions A.05.00.021, A.05.00.022, and A.05.00.023 are built with zlib
v1.2.3.
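The version lookup from question 2 and the A.03.10 baseline from question 4 can be combined into one check. This is an added example, not HP code: the function names and the sample swlist line are constructed, and it assumes every version field after the leading letter is numeric.

```sh
#!/bin/sh
# Added example (not from the release notes). Reads swlist output on stdin
# and reports whether HP-UX Secure Shell (T1471AA) meets the A.03.10 baseline
# that the FAQ ties to zlib-1.1.4 or later.

# Print the version field of the T1471AA line, or nothing if absent.
hpssh_version() {
    awk '$1 == "T1471AA" { print $2; exit }'
}

# Return 0 if version $1 >= version $2. The leading letter is skipped and
# the remaining dot-separated fields are compared numerically, left to
# right; a missing field counts as 0 (so A.05.00 equals A.05.00.000).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 2; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print "<version> ok", "<version> below A.03.10" or "T1471AA not installed".
# Exit status: 0 ok, 1 below baseline, 2 product not found.
check_zlib_baseline() {
    ver=$(hpssh_version)
    if [ -z "$ver" ]; then
        echo "T1471AA not installed"; return 2
    fi
    if version_ge "$ver" "A.03.10"; then
        echo "$ver ok"; return 0
    fi
    echo "$ver below A.03.10"; return 1
}

# Constructed sample line; on a real host run: swlist | check_zlib_baseline
SAMPLE='  T1471AA   A.05.00   HP-UX Secure Shell'
printf '%s\n' "$SAMPLE" | check_zlib_baseline
```

A "not installed" result means only that the T1471AA product is absent; a separately built OpenSSH may still be present, which the what command from question 2 would show.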
5 Is HP-UX Secure Shell vulnerable to the following CERTs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131?