HP-UX Secure Shell A.06.20.004, A.06.20.005, and A.06.20.
Copyright 2011, 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 HP-UX Secure Shell A.06.20
Announcement
Secure Shell versions on HP-UX
Support notice
1 HP-UX Secure Shell A.06.20
This document describes the most recent product information for HP-UX Secure Shell versions A.06.20.004, A.06.20.005, and A.06.20.006 that are supported on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3 respectively. This document addresses the following topics:
• “Secure Shell versions on HP-UX”
• “New features”
• “Defects fixed in OpenSSH 6.2p2”
• “Defects fixed in HP-UX Secure Shell A.06.20.004, A.06.20.005, and A.06.20.
HP-UX Secure Shell version A.06.20 is built with the following libraries:
• zlib V1.2.3
• OpenSSL v0.9.8y
   - For HP-UX 11i V3, OpenSSL is a shared library
• TCP Wrappers V7.6-ipv6.4

Secure Shell versions on HP-UX
Table 1 lists the versions of HP-UX Secure Shell products available for HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3.
Table 1 Availability of Secure Shell Versions on HP-UX
Supported Operating System Version HP-UX 11i V1 HP-UX Secure Shell version A.06.20.
Defects fixed in HP-UX Secure Shell A.06.20.001, A.06.20.002, and A.06.20.003
• Fixed the issue so that the Korean banner message is displayed properly when a user connects with SSH.
• Added a new sshd_config keyword, DisplayHostNameInAuditLog, to have the hostname reported in syslog for ssh. This new configuration option logs the hostname in addition to the IP address in syslog.
Example 1 Public key authentication With Bad RSA, ECDSA and DSA Keys
If you try public key authentication with bad RSA, ECDSA and DSA keys, it results in a bad login attempt for each key type.
• A Kerberos ticket on a Secure Shell server system gets inadvertently deleted in the following scenario:
   1. User U1 creates a Kerberos ticket file on a Secure Shell server system, S1.
   2. The SSH server on S1 is set up for PAM_KERBEROS authentication.
   3. User U1 now remotely connects to the SSH instance on S1 using public-key authentication.
   4. User U1 exits.
   The kinit-generated ticket file created in Step 1 gets deleted when the user exits the Secure Shell session.
HP-UX and the strong random number generator
HP-UX Secure Shell requires a random number generator to be located on the system. It searches for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device that it finds. The /dev/urandom and /dev/random devices are available by default on HP-UX 11i V1, HP-UX 11i V2, and HP-UX 11i V3 systems.

HP-UX Secure Shell resources
For more information about Secure Shell, see the following:
• HTML and pdf versions at http://www.hp.
System requirements
Table 4 lists the minimum system requirements for installing HP-UX Secure Shell A.06.20.
Table 4 System Requirements for Installing HP-UX Secure Shell A.06.20
Component          Requirement
Operating System   HP-UX 11i V1, HP-UX 11i V2, HP-UX 11i V3
Hardware           HP/9000 servers, HP Integrity servers
Disk Space         Approximately 32MB
Software           HP-UX Secure Shell A.06.20 requires OpenSSL version A.00.09.08g.
HP-UX Secure Shell software availability
HP-UX Secure Shell is available on the following:
• HP Software Depot at: http://www.software.hp.com
• HP-UX Application Release CDs
• HP-UX 11i V1 Operating Environment (OE)
• HP-UX 11i V2 Operating Environment (OE)
• HP-UX 11i V3 Operating Environment (OE)
NOTE: HP-UX Secure Shell is available on the HP-UX Application Release CD, HP-UX 11i V1 OE, HP-UX 11i V2 OE, and HP-UX 11i V3 OE whenever the CD and OEs are available.
Frequently Asked Questions (FAQ)
This section discusses questions frequently asked about HP-UX Secure Shell.
1 What is the difference between HP-UX Secure Shell A.06.20 and OpenSSH 6.2p2?
OpenSSH 6.2p2 is a free version of the SSH protocol suite of network connectivity tools. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0, and a growing number of people on the internet rely on it.
12 Does HP-UX Secure Shell support the DenyHosts parameter?
No. For access control, HP-UX Secure Shell does not support the DenyHosts, AllowHosts, DenySHosts, and IgnoreRootRhosts parameters. However, HP-UX Secure Shell supports the AllowUsers, DenyUsers, AllowGroups, and DenyGroups parameters.
13 How can I configure HP-UX Secure Shell to allow multiple users (more clients) access to an SFTP server using one login and encrypt the connection?
Use public key authentication.
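For FAQ 12 above, one way to check an existing sshd_config for the four access-control keywords that HP-UX Secure Shell does not support, and to list the supported ones it contains. This is an added example, not part of the HP release notes; the function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the HP release notes). Function names are hypothetical.

# audit_access_keywords [FILE...]
# Reads sshd_config text from FILE(s) or stdin and reports:
#   UNSUPPORTED line N: <keyword>       keywords FAQ 12 lists as not supported
#   OK line N: <keyword> <arguments>    supported user/group access controls
# Returns 1 when at least one unsupported keyword is present, otherwise 0.
audit_access_keywords() {
    awk '
    BEGIN {
        n = split("denyhosts allowhosts denyshosts ignorerootrhosts", u, " ")
        for (i = 1; i <= n; i++) bad[u[i]] = 1
        n = split("allowusers denyusers allowgroups denygroups", s, " ")
        for (i = 1; i <= n; i++) ok[s[i]] = 1
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || substr(line, 1, 1) == "#") next   # blank or comment
        kw = line
        sub(/[ \t=].*/, "", kw)                 # keyword ends at a blank or "="
        val = substr(line, length(kw) + 1)
        sub(/^[ \t=]+/, "", val)
        sub(/[ \t]+$/, "", val)
        key = tolower(kw)                       # keywords are case-insensitive
        if (key in bad) { printf "UNSUPPORTED line %d: %s\n", NR, kw; rc = 1 }
        else if (key in ok) printf "OK line %d: %s %s\n", NR, kw, val
    }
    END { exit rc + 0 }
    ' "$@"
}

# Constructed sample configuration, not taken from a real host.
sample_config() {
cat <<'EOF'
# constructed sample sshd_config
Protocol 2
DenyHosts 192.0.2.*
allowusers alice bob
IgnoreRootRhosts yes
DenyGroups=guests
EOF
}

sample_config | audit_access_keywords || echo "unsupported access-control keywords present"
```

On a real system, pass the path of the sshd_config file to `audit_access_keywords` instead of piping in the sample.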
17 Is HP-UX Secure Shell vulnerable to the reported double free bug in the zlib compression algorithm documented at http://www.cert.org/advisories/CA-2002-07.html?
All versions of HP-UX Secure Shell starting from A.03.10 are built with support for zlib-1.1.4 or later. So, HP-UX Secure Shell is not affected by the bug described above. HP-UX Secure Shell versions A.06.20.004, A.06.20.005, and A.06.20.006 are built with zlib v1.2.3.
18 Is HP-UX Secure Shell vulnerable to the following CERTs: http://cve.mitre.
By default, SSH-1 is disabled in ssh_config. To enable SSH-1, either modify the configuration file or override the protocol on the command line. The client supports DES, but the server does not support DES. Issue the following command to enable SSH-1:
# ssh -1 -c des
21 When two systems are separated by a firewall, can I use an HP-UX Secure Shell connection to 'swinstall' (SD-UX) to a system in a secure way?
Yes, there is a workaround to secure communication.