Changes: v3.8p1 -> v3.8.1p1
- Bug #673 - Fix compilation on NetBSD with S/Key enabled
- Bug #748 - Detect and workaround broken name resolution on HP-UX
- Bug #802 - Fix linking on Tru64 when compiled with SIA support
- Bug #808 - Fix PAM crash on expired password when not authenticated using pam/kbdint mechanism
- Bug #810 - Fix erroneous clearing of TZ environment variable
- Bug #811 - Improve locked password detection across Linux variants
- Bug #820 - Fix utmp corruption on Irix
- Bug #825 - Fix disconnection problem when using IPv4-in-IPv6 mapped addresses on Solaris
- Fix compilation on OS X systems with Kerberos/GSSAPI

Changes: v3.7p1 -> v3.8p1
- sshd(8) now supports forced changes of expired passwords via /usr/bin/passwd or keyboard-interactive authentication
  Note for AIX: sshd will now deny password access to accounts with passwords expired longer than their maxexpired attribute
- ssh(1) now uses untrusted cookies for X11-Forwarding. Some X11 applications might need full access to the X11 server, see ForwardX11Trusted in ssh(1) and xauth(1) for more information.
- ssh(1) now supports sending application layer keep-alive messages to the server. See ServerAliveInterval in ssh(1) for more information.
- Improved sftp(1) batch file support
- New KerberosGetAFSToken option for sshd(8)
- Updated /etc/moduli file and improved performance for protocol version 2
- Support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details.
- Fix a number of memory leaks
- The experimental "gssapi" support has been replaced with the "gssapi-with-mic" to fix possible MITM attacks. The two versions are not compatible.

Compilation notes:
The PCRE regular expression library was used rather than the builtin system regular expression library. This provides more robust regular expression support where applicable.

/opt/local/bin, /opt/local/sbin, /usr/local/bin, and /usr/local/sbin are path components of the default SSHD path. This is done for legacy reasons, for systems that used to use these paths. They will be removed in a future OpenSSH version.

Installation notes:
Beginning with the 3.8 release, ssh now uses untrusted X11 cookies by default. The previous behavior can be restored by setting ForwardX11Trusted yes in /etc/opt/TWWfsw/openssh38/ssh_config.

A new "sshd" user and "sshd" group must be created for privilege separation to work. The non-privileged sshd daemon chroots to /var/opt/TWWfsw/openssh38/chroot and runs as the sshd user.

The ssh program, beginning with version 3.3p1, is no longer suid root. With privilege separation enabled and using SSH Protocol v2, suid privileges are no longer necessary.

PAM is disabled by default. To enable PAM, add "UsePAM yes" to the sshd configuration file.

The following files have been marked as configuration files in /etc/opt/TWWfsw/openssh38: shosts.equiv, ssh_config, ssh_host_dsa_key, ssh_host_dsa_key.pub, ssh_host_key, ssh_host_key.pub, ssh_host_rsa_key, ssh_host_rsa_key.pub, ssh_known_hosts, ssh_prng_cmds, and sshd_config. Of these, all have been marked as upgradable except for ssh_prng_cmds. If upgrading from a previous release of OpenSSH, the old versions will be copied in place of the new, though a backup of the new files will exist to assist with upgrading.

For every host you wish to secure by running OpenSSH (sshd), a host key must be generated. This is done with ssh-keygen. The following commands will create an RSA1 (protocol 1) host keypair, a DSA host keypair and an RSA host keypair:
$ ssh-keygen -t rsa1 -f /etc/opt/TWWfsw/openssh38/ssh_host_key -N ""
$ ssh-keygen -t dsa -f /etc/opt/TWWfsw/openssh38/ssh_host_dsa_key -N ""
$ ssh-keygen -t rsa -f /etc/opt/TWWfsw/openssh38/ssh_host_rsa_key -N ""

The startup script will execute these commands automatically if using the default configuration.

Because neither Solaris 2.5.1-8/SPARC, HP-UX, IRIX, Tru64 UNIX, nor AIX 4.3.x-5.1 have a /dev/random device (or equivalent), OpenSSH has been compiled to gather entropy from the PRNG daemon. The path to the entropy pool is /var/opt/TWWfsw/prngd/pool. While OpenSSH can gather entropy independent of PRNGD, the PRNGD solution provides better performance. Therefore, the OpenSSH package has a dependency on the PRNGD runtime package. However, the PRNGD configuration package must be loaded manually if "out of the box" configuration is required. The PRNGD configuration package creates startup scripts in the system /etc/init.d or /sbin/init.d directory to start the prngd daemon, which is required for communication by OpenSSH.
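As an added example (not part of this package or of the OpenSSH distribution), the following POSIX sh script checks the installation prerequisites described above on a host: which of the three host keys the startup script would still have to generate, whether UsePAM and ForwardX11Trusted are set in the configuration files, whether the sshd user, sshd group and chroot directory for privilege separation exist, and whether the PRNGD pool is present. The function and variable names are assumptions; the paths default to the ones given in these notes.

```shell
#!/bin/sh
# Pre-flight check for a TWWfsw OpenSSH 3.8 installation (constructed
# example). Paths default to those in the installation notes and can be
# overridden from the environment.

CONFDIR="${CONFDIR:-/etc/opt/TWWfsw/openssh38}"
CHROOT="${CHROOT:-/var/opt/TWWfsw/openssh38/chroot}"
PRNGD_POOL="${PRNGD_POOL:-/var/opt/TWWfsw/prngd/pool}"

# Print "type file" for each of the three host keys named in the notes
# that is missing from the configuration directory $1.
missing_hostkeys() {
    dir="$1"
    for pair in "rsa1 ssh_host_key" "dsa ssh_host_dsa_key" "rsa ssh_host_rsa_key"; do
        set -- $pair
        [ -f "$dir/$2" ] || echo "$1 $2"
    done
}

# Print the ssh-keygen command (empty passphrase, as in the notes) that
# would create each missing host key in $1.
hostkey_commands() {
    missing_hostkeys "$1" | while read -r type file; do
        echo "ssh-keygen -t $type -f $1/$file -N \"\""
    done
}

# Return 0 if config file $1 sets option $2 to "yes". The keyword match is
# case-insensitive like sshd's parser; commented-out lines do not count.
option_is_yes() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+yes([[:space:]]|$)" "$1" 2>/dev/null
}

# Privilege separation needs the sshd user, the sshd group and the chroot.
privsep_ready() {
    grep -q '^sshd:' /etc/passwd && grep -q '^sshd:' /etc/group && [ -d "$CHROOT" ]
}

# One-line summary of each prerequisite, in the order the notes discuss them.
report() {
    hostkey_commands "$CONFDIR" | sed 's/^/missing host key, run: /'
    option_is_yes "$CONFDIR/sshd_config" UsePAM && echo "PAM: enabled" || echo "PAM: disabled (default)"
    option_is_yes "$CONFDIR/ssh_config" ForwardX11Trusted && echo "X11: trusted cookies" || echo "X11: untrusted cookies (default)"
    privsep_ready && echo "privsep: sshd user/group and chroot present" || echo "privsep: sshd user/group or $CHROOT missing"
    [ -e "$PRNGD_POOL" ] && echo "prngd: pool present" || echo "prngd: $PRNGD_POOL not found (PRNGD configuration package loaded?)"
}

case "${1:-}" in --check) report ;; esac
```

Run it as `sh check-openssh38.sh --check` on the target host; the functions can also be sourced individually.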

Platform notes: AIX
When connecting to an AIX host, the default search path is:
/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin

This is defined in /etc/environment. Because /opt/TWWfsw/openssh38/bin is not on that path, scp will fail. For scp to work to an AIX host, add /opt/TWWfsw/openssh38/bin to PATH in /etc/environment or add the binary common path prefix. The latter is the recommended method.

Platform notes: Tru64 UNIX 5.1
Tru64 UNIX 5.1 requires patch #761 or newer to fix problems with getaddrinfo(). Without this patch the following error might occur:
getaddrinfo [hostname]: Name does not resolv to supplied
parameters; neither nodename nor servname were passed.