HP-UX Secure Shell A.04.30.006 and A.04.30.007 Release Notes HP-UX 11.0, 11i v1, and 11i v2 Manufacturing Part Number: T1471-90027 September 2006 © Copyright 2006 Hewlett-Packard Development Company, L.P.
Legal Notices The information contained herein is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents
HP-UX Secure Shell A.04.30.006 and A.04.30.007
• Announcement
• Secure Shell Versions on HP-UX
• New Features
• Provide an sftponly Solution in a chroot Environment
This document discusses the most recent product information for HP-UX Secure Shell Versions A.04.30.006 and A.04.30.
HP-UX 11.0, HP-UX 11i v1, and HP-UX 11i v2. This document addresses the following topics:
• “Announcement”
• “Secure Shell Versions on HP-UX”
• “New Features”
• “Unsupported Features”
• “Defects Fixed in OpenSSH4.
Announcement

HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007 are based on OpenSSH 4.3p2. HP-UX Secure Shell supports the SSH-1 and SSH-2 protocols and provides secured remote login, file transfer, and remote command execution.
Secure Shell Versions on HP-UX

Table 1 lists the versions of HP-UX Secure Shell products available for HP-UX 11.0, 11i v1, and 11i v2.

Table 1 Availability of Secure Shell Versions on HP-UX

Supported Operating System    Version
HP-UX 11.0                    HP-UX Secure Shell Version A.04.30.006
HP-UX 11i v1                  HP-UX Secure Shell Version A.04.30.006
HP-UX 11i v2                  HP-UX Secure Shell Version A.04.30.
New Features

Following are the new features in HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007:

Provide an sftponly Solution in a chroot Environment

In a chroot environment, you can allow users to log in using sftp only. The ssh and scp commands are not available. This feature is provided by the /opt/ssh/utils/sftponly script. To enable this feature, complete the following steps:

Step 1.
Unsupported Features

Starting with HP-UX Secure Shell A.03.81, the following features are not supported:
• The KerberosGetAFSToken option for sshd(8)
  This configuration directive specifies whether to accept forwarded Andrew File System (AFS) tokens.
• Host keys in DNS (draft-ietf-secsh-dns-xx.txt)
  HP-UX Secure Shell does not support this configuration option.
Defects Fixed in OpenSSH4.3p2

HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007 are based on OpenSSH4.3p2. The defects fixed in OpenSSH4.3p2 are also available in HP-UX Secure Shell A.04.30.006 and A.04.30.007. Table 2 lists the defects fixed in OpenSSH4.3p2.
Table 2 Defect Fixes in HP-UX Secure Shell A.04.03.006 and A.04.30.007

Identifier        Description
Bugzilla #1076    Set SO_REUSEADDR on X11 listeners to avoid problems caused by lingering messages on the same port (caused by a previous instance of the same listener daemon).
Bugzilla #1082    The Xauth list invocation has bogus "." argument.
Defect Fixes in HP-UX Secure Shell A.04.30.006 and A.04.30.007

Table 3 lists the defect fixes in HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007. All defect fixes from previous versions of HP-UX Secure Shell are included in HP-UX Secure Shell A.04.30.006 and A.04.30.007.

Table 3 Defects Fixed in HP-UX Secure Shell A.04.30.006 and A.04.30.
• Users are unable to log in to a chroot environment using sftp. This issue occurred because the /dev/null file is not present in a chroot environment. From HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007 onwards, the chroot script copies the /dev/null file to the chroot environment.

Information on these defect fixes is also available at /opt/ssh/README.
Known Problems and Workarounds

Following are the known problems and workarounds in HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007:
• HP-UX Secure Shell user authentication through a public key fails in a server environment if UsePAM is set to YES and pam.conf is set to PAM_LDAP.
• The chroot functionality does not work if the UseLogin configuration directive in sshd_config is set to YES.
• In a chroot-ed environment, users do not see a subset of syslog messages. HP-UX Secure Shell writes syslog messages at the time of authentication and when the session is terminated. The syslogd daemon reads the syslog messages written by all subsystems and reports them to the /dev/log file.
HP-UX Secure Shell and the Strong Random Number Generator

HP-UX Secure Shell requires that a random number generator be located on the system. It searches for /dev/urandom and /dev/random (in that sequence) on the system and uses the first device it finds. If it fails to locate these two devices, HP-UX Secure Shell uses its own internal random number generator program.
Related Documents

The following additional documentation is available for HP-UX Secure Shell:
• HP-UX Secure Shell Getting Started Guide on the Internet and Security Solutions page at: http://www.docs.hp.com/en/internet.html#Secure%20Shell
• The README file at /opt/ssh/README.hp. You must install HP-UX Secure Shell to access this file.
Prerequisites for Installing HP-UX Secure Shell

This section details the prerequisites for installing HP-UX Secure Shell A.04.30.006 or A.04.30.007.

System Requirements

Table 4 specifies the minimum system requirements for installing HP-UX Secure Shell A.04.30.006 or A.04.30.007.

Table 4 System Requirements for Installing HP-UX Secure Shell A.04.30.006 or A.04.30.
Patch Requirements

HP has tested HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007 with the Support Plus patches listed in Table 5. HP recommends that HP-UX 11.0 customers install these Support Plus patches. HP mandates that HP-UX 11i v1 customers install these Support Plus patches.

Table 5 Quality Packs for HP-UX 11.
NOTE The standard HP-UX patch bundles are cumulative. If you do not find an older bundle, such as the patch bundle on the December 2002 Support Plus 11.11 media, you can select the latest 11.11 release and use the latest version of the particular patch bundle.

HP recommends that the following libc patches be installed for use with HP-UX Secure Shell A.04.30.006.
HP recommends that the following pthreads patches be installed for use with HP-UX Secure Shell A.04.30.006:

Table 8 pthreads Patches

Operating System Version    Patch
HP-UX 11.
HP-UX Secure Shell Software Availability

HP-UX Secure Shell is available on the following:
• HP Software Depot at: http://www.software.hp.com
• HP-UX Application Release CDs
• HP-UX 11i v1 Operating Environment (OE)
• HP-UX 11i v2 Operating Environment (OE)

NOTE HP-UX Secure Shell is available on the HP-UX Application Release CD, HP-UX 11i v1 OE, and HP-UX 11i v2 OE whenever the CD and OEs are available.
Installing HP-UX Secure Shell

You do not need to remove any previous versions of HP-UX Secure Shell before upgrading to HP-UX Secure Shell A.04.30.006 and A.04.30.007. However, if you are reverting to an older version of HP-UX Secure Shell, HP recommends that you remove the new product before reverting to the older version. To install HP-UX Secure Shell, complete the following steps:

Step 1. Log in as superuser.
Step 2.
HP-UX Secure Shell and chroot environments

HP-UX Secure Shell Versions A.04.30.006 and A.04.30.007 support chroot functionality for the ssh, sftp, and scp commands. The chroot functionality is mainly used as an added security measure. When you enable chroot, you can start an application in a specified directory and give all its users access to that directory and the directories below it.
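A pre-flight check for three conditions these release notes describe: the missing /dev/null in a chroot, UseLogin set to YES, and the /dev/urandom then /dev/random search order. This is an added example, not HP's chroot script; the function names and the optional system-root argument are hypothetical, and the sshd_config path is passed in because the notes do not state it.

```shell
#!/bin/sh
# Added example, not HP's script. Function names are hypothetical.

# Which random device is chosen under system root $1 (default /):
# /dev/urandom first, then /dev/random, else the internal generator.
rng_source() {
    sysroot=${1:-/}; sysroot=${sysroot%/}
    for dev in /dev/urandom /dev/random; do
        if [ -c "$sysroot$dev" ]; then echo "$dev"; return 0; fi
    done
    echo "internal"
}

# Effective UseLogin value in sshd_config file $1. Keywords are
# case-insensitive, the first occurrence wins, the default is "no".
uselogin_value() {
    awk 'tolower($1) == "uselogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Audit chroot directory $1 against sshd_config $2 (system root $3, default /).
# Prints one finding per line; the return status is the number of findings.
audit_chroot() {
    jail=${1%/}; conf=$2; findings=0
    if [ ! -c "$jail/dev/null" ]; then
        echo "FAIL: $jail/dev/null is missing; sftp logins into the chroot fail"
        findings=$((findings + 1))
    fi
    if [ "$(uselogin_value "$conf")" = "yes" ]; then
        echo "FAIL: UseLogin is yes in $conf; chroot does not work"
        findings=$((findings + 1))
    fi
    if [ "$(rng_source "${3:-/}")" = "internal" ]; then
        echo "WARN: no /dev/urandom or /dev/random; internal generator in use"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: an empty jail and a config that enables UseLogin.
demo_dir=${TMPDIR:-/tmp}/sshchk.$$
mkdir "$demo_dir"
printf 'Protocol 2\nUseLogin yes\n' > "$demo_dir/sshd_config"
audit_chroot "$demo_dir" "$demo_dir/sshd_config" || echo "findings: $?"
rm -rf "$demo_dir"
```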
Frequently Asked Questions (FAQ)

This section discusses questions frequently asked about HP-UX Secure Shell.

What is the difference between HP-UX Secure Shell A.04.30 and OpenSSH 4.3p2?

OpenSSH 4.3p2 is the latest free version of the SSH protocol suite of network connectivity tools. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
Is HP-UX Secure Shell vulnerable to the reported double free bug in the zlib compression algorithm documented at http://www.cert.org/advisories/CA-2002-07.html?

All versions of HP-UX Secure Shell starting from A.03.10 are built with support for zlib-1.1.4 or later. So, HP-UX Secure Shell is not affected by the bug described above. HP-UX Secure Shell A.04.30.006/007 is built with zlib v1.2.3.