HP-UX Secure Shell A.05.60.001, A.05.60.002, and A.05.60.003 Release Notes, October 2010 (5900-1115)
• sshd(8) now supports indirection when matching the principal names listed in certificates.
By default, if a certificate has an embedded principals list then the username on the server
must match one of the names in the list for it to be accepted for authentication.
sshd(8) now has a new AuthorizedPrincipalsFile option to specify a file containing a list of
names that may be accepted in place of the username when authorizing a certificate trusted
via the sshd_config(5) TrustedCAKeys option. Similarly, authentication using a CA trusted
in ~/.ssh/authorized_keys now accepts a principals="name1[,name2,...]" to specify a list of
permitted names.
If either option is absent, the current behaviour of requiring the username to appear in
principals continues to apply. These options are useful for role accounts, disjoint account
namespaces and "user@realm"-style naming policies in certificates.
• Additional sshd_config(5) options are now valid inside the following match blocks:
— AuthorizedKeysFile
— AuthorizedPrincipalsFile
— HostbasedUsesNameFromPacketOnly
— PermitTunnel
• Format of certificate keys revised. The new format, identified as
ssh-{dss,rsa}-cert-v01@openssh.com, includes the following changes:
— A serial number field added. This may be specified by the CA at the time of certificate
signing.
— The nonce field moved to the beginning of the certificate where it can better protect
against chosen-prefix attacks on the signature hash (currently infeasible against the
SHA1 hash used).
— The "constraints" field renamed to "critical options".
— A non-critical "extensions" field added. The "permit-*" options are now extensions rather
than critical options. This lets non-OpenSSH implementations of this key format degrade
gracefully when they encounter keys carrying options that they do not recognize.
NOTE: The older format is still supported for authentication and may still be used when
signing certificates (use "ssh-keygen -t v00 ..."). The v00 format, introduced in OpenSSH 5.4,
will be supported for at least one year from the HP-UX Secure Shell A.05.60 release, after
which it will be deprecated and removed.
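The following is an added example, not HP-UX Secure Shell or OpenSSH code. It models the two items above: the ssh-rsa-cert-v01@openssh.com field layout (nonce first, then the public key, serial, principals, critical options and non-critical extensions, encoded with the RFC 4251 wire types), and the principal-matching rule that AuthorizedPrincipalsFile and the principals= authorized_keys option modify. The key values, nonce and signature are constructed placeholders; no signature is produced or checked, and the other checks sshd performs (CA trust, validity window, key usage) are out of scope. The function and field names are the example's own.

```python
import os
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1


# --- SSH wire encoding (RFC 4251 string / uint32 / uint64 / mpint) ---------
def ssh_string(data):
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    # Big-endian two's complement; the extra leading byte keeps it positive.
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")


def name_list(names):
    # "valid principals": one string holding zero or more strings.
    return b"".join(ssh_string(n.encode()) for n in names)


def option_list(opts):
    # Critical options and extensions are (string name, string data) pairs,
    # sorted by name. data is empty for flags such as permit-pty; otherwise it
    # wraps the value in a further string (e.g. force-command).
    return b"".join(
        ssh_string(name.encode()) + ssh_string(ssh_string(val.encode()) if val else b"")
        for name, val in sorted(opts.items()))


def build_cert_v01(e, n, serial, key_id, principals, valid_after, valid_before,
                   critical, extensions, sig_key=b"", signature=b""):
    """Encode a v01 user certificate. The nonce comes first so the CA never
    signs an attacker-chosen prefix. sig_key/signature are placeholders."""
    return (ssh_string(CERT_TYPE)
            + ssh_string(os.urandom(32))            # nonce (constructed)
            + ssh_mpint(e) + ssh_mpint(n)           # RSA public key
            + struct.pack(">Q", serial)             # serial: new in v01
            + struct.pack(">I", USER_CERT)
            + ssh_string(key_id.encode())
            + ssh_string(name_list(principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(option_list(critical))     # "constraints" in v00
            + ssh_string(option_list(extensions))   # non-critical, new in v01
            + ssh_string(b"")                       # reserved
            + ssh_string(sig_key)
            + ssh_string(signature))


# --- Decoding ---------------------------------------------------------------
class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.buf, self.pos); self.pos += 4; return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.buf, self.pos); self.pos += 8; return v

    def string(self):
        n = self.u32()
        s = self.buf[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated string")
        self.pos += n
        return s

    def done(self):
        return self.pos == len(self.buf)


def parse_options(blob):
    r, out = Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = Reader(data).string().decode() if data else ""
    return out


def parse_cert_v01(blob):
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com blob")
    cert = {"nonce": r.string(),
            "e": int.from_bytes(r.string(), "big"),
            "n": int.from_bytes(r.string(), "big"),
            "serial": r.u64(), "type": r.u32(),
            "key_id": r.string().decode(), "principals": []}
    names = Reader(r.string())
    while not names.done():
        cert["principals"].append(names.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical"] = parse_options(r.string())
    cert["extensions"] = parse_options(r.string())
    r.string()                                      # reserved
    cert["sig_key"], cert["signature"] = r.string(), r.string()
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return cert


# --- Principal rule from the release notes ----------------------------------
def principal_allowed(cert, username, principals_file=None, key_principals=None):
    """Default: an embedded principals list, if present, must contain the login
    name. AuthorizedPrincipalsFile text (one name per line, '#' comments) or a
    principals="a,b" authorized_keys option supplies the accepted names instead.
    Simplification: per-line options in the principals file are not modelled."""
    if key_principals is None and principals_file is None:
        return not cert["principals"] or username in cert["principals"]
    if key_principals is not None:
        allowed = {p.strip() for p in key_principals.split(",") if p.strip()}
    else:
        allowed = {ln.strip() for ln in principals_file.splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")}
    return any(p in allowed for p in cert["principals"])
```

Because the encoder and decoder share the field order, decoding a freshly built blob shows where each v01 field sits; the role-account case from the notes is the one where the login name (say a shared deploy account) is absent from the certificate but listed in that account's AuthorizedPrincipalsFile.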
Support for the Sftpfilecontrol Patch
HP-UX Secure Shell supports the Sftpfilecontrol patch. This patch enables administrators
to set the umask on sftp sessions and to control whether the client may issue chown and chmod
commands in an sftp session. As a result, the following server configuration directives
(shown as they appear, commented out, in /opt/ssh/etc/sshd_config) related to Sftpfilecontrol
are supported in this release:
• #SftpUmask
• #SftpPermitChmod yes
• #SftpPermitChown yes
This patch supersedes the sftplogging patch for HP-UX Secure Shell versions A.04.50 and
higher.
Defects Fixed in OpenSSH 5.6p1
HP-UX Secure Shell version A.05.60 is based on OpenSSH 5.6p1 and includes the defect fixes
listed in Table 1-2.