HP-UX Secure Shell A.05.80.001, A.05.80.002, and A.05.80.
Legal Notices
Copyright 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 HP-UX Secure Shell A.05.80
Announcement
Secure Shell versions on HP-UX
Support notice
1 HP-UX Secure Shell A.05.80
This document discusses the most recent product information for HP-UX Secure Shell versions A.05.80.001, A.05.80.002, and A.05.80.004 that are supported on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3 respectively. This document addresses the following topics:
• “Secure Shell versions on HP-UX”
• “New features”
• “Defects fixed in OpenSSH 5.8p1”
• “Defects fixed in HP-UX Secure Shell A.05.
HP-UX Secure Shell version A.05.80 is built with the following libraries:
• zlib V1.2.3
• OpenSSL V0.9.8q — For HP-UX 11i V3, OpenSSL is a shared library
• TCP Wrappers V7.6-ipv6.4

Secure Shell versions on HP-UX
Table 1 lists the versions of HP-UX Secure Shell products available for HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3.

Table 1 Availability of Secure Shell Versions on HP-UX
Supported Operating System Version HP-UX 11i V1 HP-UX Secure Shell version A.05.80.
• ssh(1): “Atomically” creates the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. Stale server sockets are now automatically removed.
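The bind-on-a-temporary-name, listen(), then link() sequence described above, together with the client-side ready/stale check, as an added example in C; it is not OpenSSH or HP code, and the function names mux_listen_atomic and mux_probe are hypothetical. It assumes a POSIX system with Unix-domain sockets.

```c
/* Added illustration (not OpenSSH source): atomic listening-socket creation. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

static int fill_addr(struct sockaddr_un *sa, const char *path) {
    if (strlen(path) >= sizeof(sa->sun_path)) return -1;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Returns a listening fd or -1. `path` only ever names a socket that is
 * already listening, because it is linked in after listen() succeeds. */
int mux_listen_atomic(const char *path) {
    struct sockaddr_un sa;
    char tmp[sizeof(sa.sun_path)];
    int fd;

    if (snprintf(tmp, sizeof(tmp), "%s.%ld.tmp", path, (long)getpid())
        >= (int)sizeof(tmp)) return -1;
    if (fill_addr(&sa, tmp) < 0) return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    unlink(tmp);                 /* leftover from a crashed run, same pid */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(fd, 8) < 0 ||
        link(tmp, path) < 0) {   /* EEXIST if path is taken: never overwrites */
        unlink(tmp); close(fd); return -1;
    }
    unlink(tmp);                 /* only the final name remains */
    return fd;
}

/* Client probe: 1 = ready, 0 = stale (removed), -1 = absent or other error. */
int mux_probe(const char *path) {
    struct sockaddr_un sa;
    int fd, r, e;
    if (fill_addr(&sa, path) < 0) return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    r = connect(fd, (struct sockaddr *)&sa, sizeof(sa));
    e = errno;                   /* save before close() can change it */
    close(fd);
    if (r == 0) return 1;
    if (e == ECONNREFUSED) { unlink(path); return 0; }  /* no listener: stale */
    return -1;
}
```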
transactions. As a result, the following directives are not supported in this release of HP-UX Secure Shell:
◦ #LogSftp no
◦ #SftpLogFacility AUTH
◦ #SftpLogLevel INFO

The following SMSE behavior is seen in this version of HP-UX Secure Shell: Audit log messages show repeated entries for a user. This occurs because bad login attempts are logged in the audit file.
Table 2 Scenarios where pam_setcred Generates Error Messages (continued)

User      UsePriv  KeyServ Running  Error Messages
root      no       no               Permission denied
non-root  no       no               Permission denied
root      yes      yes              Permission denied
non-root  yes      yes              No message
root      no       yes              Permission denied
non-root  no       yes              Permission denied

• A Kerberos ticket on a Secure Shell server system gets inadvertently deleted in the following scenario:
1.
first device that it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random number generator program. The /dev/urandom and /dev/random devices are available by default on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3 systems.

HP-UX Secure Shell resources
For more information about Secure Shell, see the following:
• HTML and pdf versions at http://www.hp.
Table 4 System Requirements for Installing HP-UX Secure Shell A.05.80.

Component                                  Requirement
Operating System                           HP-UX 11i V1, HP-UX 11i V2, HP-UX 11i V3
Hardware                                   HP/9000 servers, HP Integrity servers
Disk Space                                 Approximately 32MB
Software                                   HP-UX Secure Shell A.05.80.004 requires OpenSSL version A.00.09.08g.003 or later
Software availability in native languages  English only

Patch requirements
HP has tested HP-UX Secure Shell A.05.80 with the Support Plus patches listed in Table 5.
NOTE: The PHCO_33215 patch fixes a PAM-related issue. Without this patch, pam_acct_mgmt returned success messages on locked accounts. With this patch, account management fails for locked accounts (this is the appropriate behavior). To log in using ssh, you must unlock your accounts.

HP-UX Secure Shell software availability
HP-UX Secure Shell is available on the following:
• HP Software Depot at: http://www.software.hp.
For more information on setting up the chroot functionality, see the README file at /opt/ssh/README.hp. The chroot setup script is available at /opt/ssh/utils/ssh_chroot_setup.sh.

Frequently Asked Questions (FAQ)
This section discusses questions frequently asked about HP-UX Secure Shell.

1 What is the difference between HP-UX Secure Shell A.05.80 and OpenSSH 5.8p1?
OpenSSH 5.8p1 is a free version of the SSH protocol suite of network connectivity tools. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.
HP recommends using /dev/random on your system to significantly speed up program initialization. HP is continually striving for performance enhancements for future releases.

11 Does HP-UX Secure Shell support rdist or rsync?
No. HP-UX Secure Shell cannot be specified as the connection mechanism to HP's rdist. HP has not officially certified Secure Shell with the open source versions of rdist or rsync.

12 Does HP-UX Secure Shell support the DenyHosts parameter?
No.
# what /usr/bin/scp

16 Is libwrap.a linked in HP-UX Secure Shell? Must I only configure hosts.allow and hosts.deny to use the access control provided by tcp_wrapper?
Yes, the libwrap.a archive library, consisting of tcp_wrapper version 7.6-ipv6.4, is linked to HP-UX Secure Shell. You only need to configure hosts.allow and hosts.deny to use the access control provided by tcp_wrapper.
By default, SSH-1 is disabled in ssh_config. To enable SSH-1, either modify the configuration file or override the protocol on the command line. The client supports DES, but the server does not support DES. Issue the following command to enable SSH-1:
# ssh -1 -c des

21 When two systems are separated by a firewall, can I use an HP-UX Secure Shell connection to 'swinstall' (SD-UX) to a system in a secure way?
Yes, there is a workaround to secure communication.