HP-UX Secure Shell A.05.80.001, A.05.80.002, and A.05.80.
Legal Notices
Copyright 2011 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 HP-UX Secure Shell A.05.80
  Announcement
  Secure Shell Versions on HP-UX
  Support Notice
1 HP-UX Secure Shell A.05.80
This document discusses the most recent product information for HP-UX Secure Shell versions A.05.80.001, A.05.80.002, and A.05.80.003 that are supported on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3 respectively. This document addresses the following topics:
• “Secure Shell Versions on HP-UX” (page 5)
• “New Features” (page 5)
• “Defects Fixed in OpenSSH 5.8p1” (page 6)
• “Defects Fixed in HP-UX Secure Shell A.05.
• zlib V1.2.3
• OpenSSL V0.9.8q — For HP-UX 11i V3, OpenSSL is a shared library
• TCP Wrappers V7.6-ipv6.4

Secure Shell Versions on HP-UX
Table 1 lists the versions of HP-UX Secure Shell products available for HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3.

Table 1 Availability of Secure Shell Versions on HP-UX
Supported Operating System    Version
HP-UX 11i V1                  HP-UX Secure Shell version A.05.80.001
HP-UX 11i V2                  HP-UX Secure Shell version A.05.80.002
HP-UX 11i V3                  HP-UX Secure Shell version A.05.80.
• ssh(1): “Atomically” creates the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. Stale server sockets are now automatically removed.
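The bind-then-link sequence described above, sketched in C as an added example. This is not OpenSSH or HP source code, and the names mux_listen_atomic and socket_is_stale and the /tmp/mux-demo.sock path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

static void set_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof(sa->sun_path) - 1);
}

/* 1 only if connect() is refused, i.e. no server is behind the name. */
int socket_is_stale(const char *path) {
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0), stale;
    set_addr(&sa, path);
    stale = connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 && errno == ECONNREFUSED;
    if (fd >= 0) close(fd);
    return stale;
}

/* Bind on a temporary name, listen(), then link() the socket into place. */
int mux_listen_atomic(const char *path) {
    struct sockaddr_un sa;
    char tmp[sizeof(sa.sun_path)];
    int fd, saved, tries;
    if (snprintf(tmp, sizeof(tmp), "%s.%ld", path, (long)getpid()) >= (int)sizeof(tmp)) { errno = ENAMETOOLONG; return -1; }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    set_addr(&sa, tmp);
    unlink(tmp);                         /* leftover temp name from this pid */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0 && listen(fd, 16) == 0)
        for (tries = 0; tries < 2; tries++) {
            if (link(tmp, path) == 0) { unlink(tmp); return fd; }      /* name appears only when ready */
            if (errno != EEXIST) break;                                /* unrelated failure */
            if (!socket_is_stale(path)) { errno = EADDRINUSE; break; } /* live server owns the name */
            unlink(path);                                              /* stale: remove, retry */
        }
    saved = errno;
    close(fd);
    unlink(tmp);
    errno = saved;
    return -1;
}

int main(void) { /* constructed demo path; a rerun finds and replaces the stale socket */
    return mux_listen_atomic("/tmp/mux-demo.sock") < 0;
}
```

The socket file takes its permissions from the process umask, so set a restrictive umask or keep the socket in a directory only its owner can enter.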
◦ #LogSftp no
◦ #SftpLogFacility AUTH
◦ #SftpLogLevel INFO

The following SMSE behavior is seen in this version of HP-UX Secure Shell: Audit log messages show repeated entries for a user. This occurs because bad login attempts are logged in the audit file.

Example 1 Public key authentication With Bad RSA, EDSA and DSA Keys
If you try public key authentication with bad RSA, EDSA and DSA keys, it results in a bad login attempt for each key type.
Table 2 Scenarios where pam_setcred Generates Error Messages (continued)
User        UsePriv    KeyServ Running    Error Messages
non-root    no         no                 Permission denied
root        yes        yes                Permission denied
non-root    yes        yes                No message
root        no         yes                Permission denied
non-root    no         yes                Permission denied

A Kerberos ticket on a Secure Shell server system gets inadvertently deleted in the following scenario:
1. User U1 creates a Kerberos ticket file on a Secure Shell server system, S1.
2.
random number generator program. The /dev/urandom and /dev/random devices are available by default on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3 systems.

HP-UX Secure Shell Resources
For more information about Secure Shell, read the following:
• HTML and PDF versions at http://www.hp.com/go/hpux-security-docs (Internet and Security Solutions)
• A README text version in the software at: /opt/ssh/README.
Table 4 System Requirements for Installing HP-UX Secure Shell A.05.80.
Component                                         Requirement
Operating System                                  HP-UX 11i V1, HP-UX 11i V2, HP-UX 11i V3
Hardware                                          HP/9000 servers, HP Integrity servers
Disk Space                                        Approximately 32MB
Software Availability in Native Languages         English only

Patch Requirements
HP has tested HP-UX Secure Shell A.05.80 with the Support Plus patches listed in Table 5.
NOTE: The PHCO_33215 patch fixes a PAM-related issue. Without this patch, pam_acct_mgmt returned success messages on locked accounts. With this patch, account management fails for locked accounts (this is the appropriate behavior). To log in using ssh, you must unlock your accounts.

HP-UX Secure Shell Software Availability
HP-UX Secure Shell is available on the following:
• HP Software Depot at: http://www.software.hp.
administrator must enable the chroot functionality for an application. All users of that application will automatically be subject to the restrictions imposed by chroot. For more information on setting up the chroot functionality, see the README file at /opt/ssh/README.hp. The chroot setup script is available at /opt/ssh/utils/ssh_chroot_setup.sh.

Frequently Asked Questions (FAQ)
This section discusses questions frequently asked about HP-UX Secure Shell.
1 What is the difference between HP-UX Secure Shell A.
Compared to the conventional file transfer, scp is two to three times slower than rcp. As Secure Shell authenticates both the server and the users, and encrypts both the data and the password, sftp is two to three times slower than ftp. HP recommends using /dev/random on your system to significantly speed up program initialization. HP is continually striving for performance enhancements for future releases.
11 Does HP-UX Secure Shell support rdist or rsync?
No.
# swlist | grep T1471
T1471AA A.05.80 HP-UX Secure Shell
You can also use the what command as shown in the following example:
# what /usr/bin/scp
16 Is libwrap.a linked in HP-UX Secure Shell? Must I only configure hosts.allow and hosts.deny to use the access control provided by tcp_wrapper?
Yes, the libwrap.a archive library, consisting of tcp_wrapper version 7.6-ipv6.4, is linked to HP-UX Secure Shell. You only need to configure hosts.allow and hosts.deny to use the access control provided by tcp_wrapper.
◦ LIBPAM=-lpam
◦ LIBWRAP=-lwrap
20 As Cisco routers and switches are enabled with SSH-1 and use only DES, how do I configure HP-UX Secure Shell to work with Cisco SSH-1?
By default, SSH-1 is disabled in ssh_config. To enable SSH-1, either modify the configuration file or override the protocol on the command line. The client supports DES but the server does not support DES.