ssh(1) now allows the optional specification of an address to bind to in port forwarding connections (local, remote and dynamic). Please refer to the documentation for the -L and -R options in the ssh(1) manual page and the LocalForward and RemoteForward options in the ssh_config(5) manpage. (Bugzilla #413)

To control remote bindings while retaining backwards compatibility, sshd(8)'s GatewayPorts option has been extended. To allow client-specified bind addresses for remote (-R) port forwardings, the server must be configured with "GatewayPorts clientspecified".

ssh(1) and ssh-keyscan(1) now support hashing of host names and addresses added to known_hosts files, controlled by the ssh(1) HashKnownHosts configuration directive. This option improves user privacy by hiding which hosts have been visited. At present this option is off by default, but may be turned on once it receives sufficient testing.

Added options for managing keys in known_hosts files to ssh-keygen(1), including the ability to search for hosts by name, delete hosts by name and convert an unhashed known_hosts file into one with hashed names. These are particularly useful for managing known_hosts files with hashed hostnames.

Improve account and password expiry support in sshd(8). The server will now warn in advance for both account and password expiry.

sshd(8) will now log the source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups. (Bugzilla #909)

Added AddressFamily option to sshd(8) to allow global control over IPv4/IPv6 usage. (Bugzilla #989)

Improved sftp(1) client, including bugfixes and optimisations for the "ls" command, and command history and editing support using libedit.

Improved the handling of bad data in authorized_keys files, eliminating fatal errors on corrupt or very large keys. (Bugzilla #884)

Improved connection multiplexing support in ssh(1).
Several bugs have been fixed and a new "command mode" has been added to allow the control of a running multiplexing master connection, including checking that it is up, determining its PID and asking it to exit.

Have scp(1) and sftp(1) wait for the spawned ssh to exit before they exit themselves. This prevents ssh from being unable to restore terminal modes (not normally a problem on OpenBSD but common with -Portable on POSIX platforms). (Bugzilla #950)

Enable IPv6 on AIX where possible (see README.platform for details), working around a misfeature of AIX's getnameinfo. (Bugzilla #835)

Teach sshd(8) to write failed login records to btmp for unsuccessful auth attempts. Currently this is only for password, keyboard-interactive and challenge/response authentication methods, and only on Linux and HP-UX.

sshd(8) now sends output from failing PAM session modules to the user before exiting, similar to the way /etc/nologin is handled.

Store credentials from gssapi-with-mic authentication early enough to be available to PAM session modules when privsep=yes.

Added new "IdentitiesOnly" option to ssh(1), which specifies that it should use only the keys specified in ssh_config, rather than any keys in ssh-agent(1).

Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, and ProPolice and StackGhost cookies on systems that support such things.

Add strict permission and ownership checks to programs reading ~/.ssh/config. NB: ssh(1) will now exit instead of trying to process a config with poor ownership or permissions.

Implemented the ability to pass selected environment variables between the client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in ssh_config(5) for details.
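The HashKnownHosts and ssh-keygen known_hosts notes above describe hashed host entries. As an added illustration (not OpenSSH's own code), this Python reproduces the |1|<salt>|<mac> host-field layout with HMAC-SHA1 that OpenSSH's hostfile code uses, so a file with hashed names can still be converted and searched by name; the sample known_hosts lines and the placeholder key blob are constructed.

```python
import base64
import hashlib
import hmac
import os

# Hashed host field: |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=hostname)>.
# The key after the field is untouched, so authentication still works; only the
# list of visited hosts stops being readable from the file.
HASH_MAGIC = "|1|"

def hash_hostname(hostname, salt=None):
    """Hashed host field for one hostname (fresh 20-byte salt by default)."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_field_matches(field, hostname):
    """True if a host field (plain comma-separated list or hashed) names hostname."""
    if not field.startswith(HASH_MAGIC):
        return hostname in field.split(",")           # plain entry: exact name match
    try:
        salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:
        return False                                  # malformed field never matches
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)

def hash_known_hosts(lines):
    """Hash plain entries; a hashed field holds one name, so comma lists split into one line per name."""
    out = []
    for line in lines:
        text = line.strip()
        if not text or text.startswith("#") or text.startswith(HASH_MAGIC):
            out.append(text)                          # comments and hashed lines pass through
            continue
        hosts, _, key = text.partition(" ")
        out.extend(f"{hash_hostname(name)} {key}" for name in hosts.split(","))
    return out

def find_host(lines, hostname):
    """Entries whose host field matches hostname, whether hashed or plain."""
    return [line for line in lines if line and not line.startswith("#")
            and host_field_matches(line.split(" ", 1)[0], hostname)]

# Constructed sample file; the key blob is a placeholder, not a real public key.
SAMPLE_KNOWN_HOSTS = [
    "# hosts visited from this workstation",
    "bastion.example.net,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY",
]
```

Note that a hashed file cannot be grepped for a hostname; find_host shows why a name-based lookup tool is needed once hashing is turned on.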
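The ~/.ssh/config ownership and permission check noted above, written out as an added Python example rather than OpenSSH's own code. The exact rule applied here (the file must be owned by the invoking user or by root and must carry no group or world write bit) is an assumption modelled on the note; the config file, its contents and the modes tried are constructed.

```python
import os
import stat
import tempfile

def evaluate_stat(st_uid, st_mode, uid):
    """Apply the assumed rule to raw stat values; None means acceptable, else a reason."""
    if not stat.S_ISREG(st_mode):
        return "not a regular file"
    if st_uid not in (0, uid):                    # owner must be the user or root
        return f"bad owner (uid {st_uid})"
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):   # nobody else may write the file
        return f"bad permissions (mode {stat.S_IMODE(st_mode):04o})"
    return None

def check_config_file(path, uid=None):
    """Stat path (following symlinks, as an open() would) and apply the rule."""
    st = os.stat(path)
    return evaluate_stat(st.st_uid, st.st_mode, os.getuid() if uid is None else uid)

def demo():
    """Exercise the check against a constructed config file under several modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config")
        with open(path, "w") as f:
            f.write("Host *\n    HashKnownHosts yes\n    IdentitiesOnly yes\n")
        for mode in (0o600, 0o644, 0o664, 0o666):
            os.chmod(path, mode)
            results[mode] = check_config_file(path)
        results["directory"] = check_config_file(d)   # a directory is never acceptable
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        label = case if isinstance(case, str) else f"{case:04o}"
        print(label, "->", verdict or "ok")
```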
Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum number of authentication attempts permitted per connection.

Added support for cancellation of active remote port forwarding sessions. This may be performed using the ~C escape character; see "Escape Characters" in ssh(1) for details.

Many sftp(1) interface improvements, including greatly enhanced "ls" support and the ability to cancel active transfers using SIGINT (^C).

Implement session multiplexing: a single ssh(1) connection can now carry multiple login/command/file transfer sessions. Refer to the "ControlMaster" and "ControlPath" options in ssh_config(5) for more information.

The sftp-server has improved support for non-POSIX filesystems (e.g. FAT).

Portable OpenSSH: Re-introduce support for PAM password authentication, in addition to the keyboard-interactive driver. PAM password authentication is less flexible, and doesn't support pre-authentication password expiry, but runs in-process so Kerberos tokens, etc. are retained.

Improved and more extensive regression tests.

The ACSS implementation was removed from OpenSSH to avoid possible patent problems.

The PCRE regular expression library was used rather than the builtin system regular expression library. This provides more robust regular expression support where applicable.

/opt/local/bin, /opt/local/sbin, /usr/local/bin, and /usr/local/sbin are path components of the default SSHD path. This is done for legacy reasons, for systems that used to use these paths. They will be removed in a future OpenSSH version.

Beginning with the 3.8 release, ssh now uses untrusted X11 cookies by default. The previous behavior can be restored by setting "ForwardX11Trusted yes" in &SYSCONFDIR;/ssh_config.

A new "sshd" user and "sshd" group must be created for privilege separation to work. The non-privileged sshd daemon chroots to &LOCALSTATEDIR;/chroot and runs as the sshd user.

The ssh program, beginning with version 3.3p1, is no longer suid root.
With privilege separation enabled and using SSH Protocol v2, suid privileges are no longer necessary.

PAM is disabled by default. To enable PAM, add "UsePAM yes" to the sshd configuration file.

The following files have been marked as configuration files in &SYSCONFDIR;: shosts.equiv, ssh_config, ssh_host_dsa_key, ssh_host_dsa_key.pub, ssh_host_key, ssh_host_key.pub, ssh_host_rsa_key, ssh_host_rsa_key.pub, ssh_known_hosts, ssh_prng_cmds, and sshd_config. Of these, all have been marked as upgradable except for ssh_prng_cmds. If upgrading from a previous release of OpenSSH, the old versions will be copied in place of the new, though a backup of the new files will exist to assist with upgrading.

For every host you wish to secure by running OpenSSH (sshd), a host key must be generated. This is done with ssh-keygen. The following commands will create an RSA public/private host keypair and a DSA public/private host keypair:

    $ ssh-keygen -t rsa1 -f &SYSCONFDIR;/ssh_host_key -N ""
    $ ssh-keygen -t dsa -f &SYSCONFDIR;/ssh_host_dsa_key -N ""
    $ ssh-keygen -t rsa -f &SYSCONFDIR;/ssh_host_rsa_key -N ""

The startup script will execute these commands automatically if using the default configuration.

Because neither Solaris 2.5.1-8/SPARC, HP-UX, IRIX, Tru64 UNIX, nor AIX 4.3.x-5.1 has a /dev/random device (or equivalent), OpenSSH has been compiled to gather entropy from the PRNG daemon. The path to the entropy pool is &PRNGD_SOCKET;. While OpenSSH can gather entropy independently of PRNGD, the PRNGD solution provides better performance. Therefore, the OpenSSH package has a dependency on the PRNGD runtime package. However, the PRNGD configuration package must be loaded manually if "out of the box" configuration is required. The PRNGD configuration package creates startup scripts in the system /etc/init.d or /sbin/init.d directory to start the prngd daemon, which is required for communication by OpenSSH.
When connecting to an AIX host, the default search path is:

    /usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin

This is defined in /etc/environment. Because of this, scp will fail. For scp to work to an AIX host, add ${SB_INSTALL_PREFIX}/bin to PATH in /etc/environment, or add the binary common path prefix. The latter is the recommended method.

Tru64 UNIX 5.1 requires patch #761 or newer to fix problems with getaddrinfo(). Without this patch the following error might occur:

    getaddrinfo [hostname]: Name does not resolv to supplied parameters; neither nodename nor servname were passed.

Add support for Solaris 10/SPARC.