OBSOLETE Patch-ID# 148105-29
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
For further information on patching best practices and resources, please
see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security ssh sftp last sshd
Synopsis: Obsoleted by: 148105-31 SunOS 5.10_x86: last, ssh/sshd patch
Date: Apr/15/2019
Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 148104
Topic: SunOS 5.10_x86: last, ssh/sshd patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 29358716
Patches accumulated and obsoleted by this patch: 148097-06
Patches which conflict with this patch:
Patches required with this patch: 120012-14 137138-09 142910-17 144501-19 151913-09 (or greater)
Obsoleted by: 148105-31
Files included with this patch:
/etc/ssh/sshd_config
/usr/bin/last
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/lib/ssh/sftp-server
/usr/lib/ssh/ssh-keysign
/usr/lib/ssh/sshd
Problem Description:
29358716 Problem with utility/ssh
(from 148105-28)
15355457 SUNBT6481668 sftp(1)/sftp-server(1m) needs a resync with OpenSSH
(from 148105-27)
15441914 more memory leaks in SunSSH
15571452 ssh is freeing memory with the hostname it needs later
23605678 support for control of the kex algorithms in SunSSH
23752391 cipher, mac and kex configuration list should support + prefix
24295459 add HostKeyAlgorithms, HostbasedAcceptedKeyTypes, PubkeyAcceptedKeyTypes options
(from 148105-26)
15209171 ssh(1) and sshd(1M) should re-key periodically as per-recent recommendations
15436453 cmd/ssh/libssh/common/xlist.c should be cstyle clean
15437359 memory leaks in SunSSH's GSS-API code
15437360 memory leaks in SunSSH's g11n code
15437367 memory leaks in cmd/ssh/sshd/auth2-pam.c
15467610 ssh disconnects with error if RC4, 3DES or Blowfish is used and default RekeyLimit is reached
15550987 SunSSH daemon crashes if /usr/bin/locale isn't present
15823935 problem with rekeying
(from 148105-25)
18160693 add AES CTR to the default cipher list for FIPS
18762585 ssh/sshd should not enable pkcs11 engine by default on T4/T4+ and x86 platforms
(from 148105-24)
21473672 length of doid in userauth_gssapi() should be bigger than 2
21473707 auth_pam_password() incorrectly returns 1 when pam_set_item fails
(from 148105-23)
15782799 hostbased authentication failed for non-root user ("not a valid request" error)
22949976 problem with ssh
23047973 kex_parse_kexinit show that ssh/sshd offer "arcfour128 and arcfour256"
(from 148105-22)
15437362 memory leaks in SunSSH's alternative privilege separation code
15537375 fix for 6761890 in SunSSH is too aggressive
15714511 hmac-sha256 support in SSH
16099259 fix for Bug 15817021 should be expanded to include new DH algorithms
16230627 SunSSH needs to accept the compatible version of OpenSSL
21782799 SunSSH client is not able to use compression against OpenSSH server
22228050 ssh should use new OpenSSL version
22533678 sshd complains about TIOCSCTTY
(from 148105-21)
21517153 problem with ssh
(from 148105-20)
15453748 sshd doesn't use MaxAuthTries correctly
(from 148105-19)
15387750 scp skips a file after a "set mode:" error
15533739 array overrun in scp
(from 148105-18)
19010426 sshd getgrouplist() should use _getgroupsbymember()
(from 148105-17)
18775931 sshd is not setting locale properly when LANG and LC_XXX env variables were sent
(from 148105-16)
15453735 resync server's conditional Match block from OpenSSH
15453736 resync server's ForceCommand from OpenSSH
15676709 SSH is missing an argument in snprintf() in process_escapes()
15686304 protect the SSH protocol 2 private keys with AES-128 instead of 3DES
15686307 add ForceCommand, AuthorizedKeysFile and HostbasedUsersNameFromPack
15699435 test for sshd_config option(HostbasedUsesNameFromPacketOnly) failed
15822755 sshd ignores LookupClientHostnames=no, doesn't disable DNS reverse lookups
16074348 sshd fix for 15822755 needs to cover more cases
(from 148105-15)
18483882 sshd session hangs when copy-pasting large amount of data
18537455 fix for 16212206 is not sufficient
(from 148105-14)
15896442 sshd auth.info message is shown as ja_JP.UTF-8 even if "LANG=PCK/EUC"
17446614 sshd: endless loop in fatal
(from 148105-13)
17313800 sshd should abort the connection when the user fails to change his password
17336872 SSH should provide better krb5 error
17403437 move debug output outside of a signal handler
17415150 memory-leaks in ssh detected by Parfait
17475399 sshd/ssh should deliver CTF information
(from 148105-12)
16345356 SSH Tunnel connect returns EINPROGRESS, must not invoke isatty() before select()
(from 148105-11)
15484784 SunSSH server leaks memory during initialization
15640462 keyboard-interactive configuration option handling needs to be fixed in SunSSH
16306194 problem with ssh
16538152 problem with ssh
(from 148105-10)
15436976 delegating creds should update creds when remote copy unexpired
15786285 GSSAPIDelegateCredentials issues with PAM_USER and 3rd-party module
(from 148105-09)
15917734 SSH truncates instruction field of SSH2_MSG_USERAUTH_INFO_REQUEST
16212206 sshd fails with buffer size greater than 2MB
16221564 uninitialized variable in source of scp.c:651
16221570 uninitialized variable in valid_request of ssh-keysign.c:138
16229840 uninitialized variable in session_loc_env_check of session.c:1968
(from 148105-08)
15816953 ssh connection with a forced tty allocation sometimes fails, under some conditions
15821465 sftp server fails to show date and time in ls localized output using certain locales
(from 148105-07)
This revision accumulates generic Sustaining patch 148097-06
into Solaris S10U11 update.
(from 148105-06)
This revision accumulates generic Sustaining patch 148097-05
into Solaris S10U11 update.
(from 148105-05)
This revision accumulates generic Sustaining patch 148097-04
into Solaris S10U11 update.
(from 148105-04)
This revision accumulates generic Sustaining patch 148097-03
into Solaris S10U11 update.
(from 148105-03)
This revision accumulates generic Sustaining patch 148097-02
into Solaris S10U11 update.
(from 148105-02)
5044096 ssh(1) is too picky, quits on unknown ~/.ssh/config options
(from 148105-01)
This revision accumulates generic Sustaining patch 148097-01
into Solaris S10U11 update.
(from 148097-06)
6908482 missing SSH host keys should be reported properly
(from 148097-05)
6875954 fork error is reported with wrong errno in sshd.c
7188428 sftp does not use the commands from batch file from -b option after installing 148096-03/148097-03
(from 148097-04)
7131879 fix for 6628064 is not optimal: ssh receive window should be increased more on server
(from 148097-03)
6480741 command line editing is desired for sftp(1)
(from 148097-02)
6628064 high-performance ssh/scp
(from 148097-01)
6409841 multiple ssh connections from same user cause previous sshd wtmpx entries to get logged out
6953874 ssh client does not propagate SIGPIPE to server side and hangs
7050937 monitor header files should be removed from source tree
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: The fix for 6628064 (high-performance ssh/scp) increases ssh/scp
performance on high bandwidth/high latency links by increasing the
SSH receive window size and by sending window adjust packets more
often. The SSH receive window size is set to 4 times the value of the
TCP receive buffer, bounded below by 128kB and above by 64MB. The TCP
receive buffer can be set with the following command:
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat <window size>
This tuning is recommended for networks with latency over ten
milliseconds. Note that tcp_recv_hiwat is a system-wide default for
all TCP connections, and that ndd settings do not persist across a
reboot: the command has to be repeated from a boot-time script if
the tuning is meant to be permanent.
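To turn the sizing rule in NOTE 1 into numbers, the following is an added shell example (not part of this README or of SunSSH) that derives a tcp_recv_hiwat value from the bandwidth-delay product of a link and reports the SSH receive window the rule above yields for it. The bandwidth-delay sizing, the 1024-based reading of "128kB" and "64MB", and the link figures are the editor's assumptions; the script only prints the ndd command, it does not run it.

```shell
#!/bin/sh
# Added example, not from the Oracle README: size tcp_recv_hiwat for a link and
# show the SSH receive window NOTE 1 says the patched ssh/sshd derives from it.

SSH_WIN_MIN=$((128 * 1024))        # assumed 1024-based reading of "128kB"
SSH_WIN_MAX=$((64 * 1024 * 1024))  # assumed 1024-based reading of "64MB"

# bdp_bytes MBPS RTT_MS: bandwidth-delay product in bytes, integer arithmetic.
# Mbps * 1e6 / 8 bytes per second, times RTT in seconds = Mbps * RTT_ms * 125.
bdp_bytes() {
    echo $(( $1 * $2 * 125 ))
}

# ssh_window HIWAT: the receive window per NOTE 1, 4 x tcp_recv_hiwat, clamped.
ssh_window() {
    w=$(( $1 * 4 ))
    [ "$w" -lt "$SSH_WIN_MIN" ] && w=$SSH_WIN_MIN
    [ "$w" -gt "$SSH_WIN_MAX" ] && w=$SSH_WIN_MAX
    echo "$w"
}

# tuning_plan MBPS RTT_MS: prints the ndd command to run (not executed here)
# and the resulting SSH window. NOTE 1 only recommends tuning above 10 ms RTT,
# so at or below that the function reports and returns non-zero.
tuning_plan() {
    hiwat=$(bdp_bytes "$1" "$2")
    if [ "$2" -le 10 ]; then
        echo "RTT ${2}ms: tuning not recommended (window would be $(ssh_window "$hiwat") bytes)"
        return 1
    fi
    echo "/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat $hiwat"
    echo "SSH receive window: $(ssh_window "$hiwat") bytes"
}

tuning_plan 1000 80   # constructed figures: 1 Gbit/s link, 80 ms RTT
```

Because tcp_recv_hiwat applies to every TCP socket on the host, size it for the links that carry the bulk ssh/scp traffic rather than for the worst-case path.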
NOTE 2: After patch application the sshd daemon has to be restarted using
the following command:
svcadm restart ssh
The changes then apply only to new ssh connections. Already
established connections are unaffected.
NOTE 3: The fix for 6480741 (command line editing is desired for sftp(1))
adds a dependency of sftp on libtecla (SUNWtecla), which is part
of a minimal installation and should be available on the system.
If not, SUNWtecla has to be installed for sftp to work properly.
NOTE 4: The fix for:
16538152 problem with ssh
16306194 problem with ssh
15484784 SunSSH server leaks memory during initialization
changes the default value of the sshd_config(4) keyword MaxStartups
to "10:30:100" (random early drop: unauthenticated connections
beyond 10 are refused with a probability that rises from 30% to
100% at 100 pending connections).
NOTE 5: This patch introduces new keywords (Match and ForceCommand)
which can be used in sshd_config(4). Before uninstalling the patch,
make sure the configuration file has been reverted to its previous
version and the new keywords are no longer present; the older sshd
rejects unknown keywords and would fail to start.
Man page changes:
-------------------------------------------------------
New keyword "ForceCommand" in sshd_config(4):
ForceCommand
Forces the execution of the command specified by
ForceCommand, ignoring any command supplied by the client,
and, if present, ~/.ssh/rc. The command is invoked by
using the user's login shell with the -c option. This
applies to shell, command, or subsystem execution. It is
most useful inside a Match block. The command originally
supplied by the client is available in the
SSH_ORIGINAL_COMMAND environment variable. Specifying a
command of internal-sftp forces the use of an in-process
sftp server that requires no support files when used
with ChrootDirectory.
New paragraph for "LookupClientHostnames" in sshd_config(4):
It is an error to set up a Match block with Host matching
and also set LookupClientHostnames to "no". If there is a
Match block with Host matching, then even if
LookupClientHostnames is set to "no", LookupClientHostnames
will be re-enabled so that the security requirements of
the Match block are honored. In such a case, sshd issues
an error message to the console, and also logs an ERROR via
syslog whenever someone logs in while the misconfiguration
remains in the sshd_config file.
New keyword "Match" in sshd_config(4):
Match
Introduces a conditional block. If all of the criteria
on the Match line are satisfied, the keywords on the
following lines override those set in the global section
of the config file, until either another Match line or
the end of the file. Match blocks must be located at the
end of the file, after all the global settings.
The arguments to Match are one or more criteria-pattern
pairs. The available criteria are User, Group, Host, and
Address. The match patterns can consist of single
entries or comma-separated lists and can use the wildcard
(asterisk * and question mark ?) and negation (!)
operators.
The patterns in a Host criterion should be hostnames. The
patterns in an Address criterion should be IP addresses,
which can additionally contain addresses to match in
CIDR address/masklen format, for example, 192.0.2.0/24.
The mask length provided must be consistent with the
address: it is an error to specify a mask length that is
too long for the address (for example, 192.0.2.0/33) or one
that leaves bits set in the host portion of the address
(for example, 192.0.2.0/8).
Only a subset of keywords can be used on the lines following
a Match keyword. Available keywords are
AllowTcpForwarding, AuthorizedKeysFile, Banner, ChrootDirectory,
ForceCommand, GatewayPorts, GSSAPIAuthentication,
HostbasedAuthentication, HostbasedUsesNameFromPacketOnly,
KbdInteractiveAuthentication, PasswordAuthentication,
PermitEmptyPasswords, PermitRootLogin, PubkeyAuthentication,
RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding, and X11UseLocalhost.
The following are four examples of using Match:
1. Disallowing user testuser to use TCP forwarding:
    Match User testuser
        AllowTcpForwarding no
2. Displaying a special banner for users not in the staff group:
    Match Group *,!staff
        Banner /etc/banner.text
3. Allowing root login from host rootallowed.example.com
   (Host matching requires LookupClientHostnames to stay enabled,
   see the paragraph above):
    Match Host rootallowed.example.com
        PermitRootLogin yes
4. Allowing anyone to use GatewayPorts from the local net:
    Match Address 192.168.0.0/24
        GatewayPorts yes
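The rules above (Match blocks must come last, only the listed keywords may follow a Match line, and Match Host must not be combined with LookupClientHostnames "no") and the pre-patchrm check in NOTE 5 can all be verified from the file itself. The following added shell example (not part of this README or of SunSSH) does that with awk; the sample configurations, the sftp-only group and the chroot path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Oracle README or SunSSH: static checks for the
# sshd_config(4) rules described above (Match placement, keywords permitted
# inside Match, Match Host vs LookupClientHostnames) plus the pre-patchrm
# check NOTE 5 asks for. File paths and the sample configs are constructed.

# Keywords the man page text above permits after a Match line.
ALLOWED_IN_MATCH="AllowTcpForwarding AuthorizedKeysFile Banner ChrootDirectory
ForceCommand GatewayPorts GSSAPIAuthentication HostbasedAuthentication
HostbasedUsesNameFromPacketOnly KbdInteractiveAuthentication
PasswordAuthentication PermitEmptyPasswords PermitRootLogin
PubkeyAuthentication RhostsRSAAuthentication RSAAuthentication
X11DisplayOffset X11Forwarding X11UseLocalhost"

# check_sshd_config FILE: one line per finding on stdout; exit 0 only if clean.
check_sshd_config() {
    awk -v allowed="$ALLOWED_IN_MATCH" '
    BEGIN {
        n = split(allowed, a, "[ \t\n]+")
        for (i = 1; i <= n; i++) if (a[i] != "") ok[tolower(a[i])] = 1
        lookup = "yes"; in_match = 0; host_match = 0; findings = 0
    }
    NF == 0 || $1 ~ /^#/ { next }                # blank lines and comments
    {
        key = tolower($1)
        if (key == "match") {
            in_match = 1
            for (i = 2; i < NF; i += 2)          # criteria-pattern pairs
                if (tolower($i) == "host") host_match = 1
            next
        }
        if (in_match) {
            # Everything after the first Match line belongs to a Match block,
            # so a global keyword here is also the "Match must be last" mistake.
            if (!(key in ok)) {
                printf("line %d: %s is not permitted inside a Match block\n", NR, $1)
                findings++
            }
        } else if (key == "lookupclienthostnames") {
            lookup = tolower($2)
        }
    }
    END {
        if (host_match && lookup == "no") {
            print "Match Host used with LookupClientHostnames no: sshd re-enables lookups and logs an ERROR"
            findings++
        }
        exit (findings > 0)
    }' "$1"
}

# uses_new_keywords FILE: true when the config relies on keywords this patch
# introduced, which an older sshd rejects (see NOTE 5 before running patchrm).
uses_new_keywords() {
    grep -E -i -q '^[[:space:]]*(Match|ForceCommand)([[:space:]]|$)' "$1"
}

WORK=$(mktemp -d)

# Constructed config: an sftp-only group confined with the new keywords.
cat > "$WORK/sshd_config.good" <<'EOF'
Protocol 2
LookupClientHostnames yes
PermitRootLogin no
Subsystem sftp /usr/lib/ssh/sftp-server
Match Group sftponly
    ChrootDirectory /export/sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF

# Constructed config with both mistakes the text above warns about.
cat > "$WORK/sshd_config.bad" <<'EOF'
LookupClientHostnames no
Match Host rootallowed.example.com
    PermitRootLogin yes
Match User testuser
    AllowTcpForwarding no
    Ciphers aes128-ctr
EOF

# Constructed pre-patch config without any of the new keywords.
cat > "$WORK/sshd_config.old" <<'EOF'
Protocol 2
PermitRootLogin no
EOF

for f in good bad old; do
    echo "== sshd_config.$f"
    if check_sshd_config "$WORK/sshd_config.$f"; then echo "no findings"; fi
    if uses_new_keywords "$WORK/sshd_config.$f"; then
        echo "uses Match/ForceCommand: revert before patchrm"
    fi
done
```

Run check_sshd_config against /etc/ssh/sshd_config before "svcadm restart ssh" (NOTE 2), and uses_new_keywords before "patchrm 148105-29"; a non-zero exit from either is the signal to stop and fix the file first.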
Change from "3DES" to "128-bit AES" in ssh-keygen(1) in description
of $HOME/.ssh/id_{d,r}sa:
...
It is possible to specify a passphrase when generating
the key; that passphrase is used to encrypt the private
part of the file using 128-bit AES.
...
NOTE 6: This patch changes the default value of UseOpenSSLEngine. It is now
enabled by default only on platforms where OpenSSL has no built-in
hardware crypto support and must reach the crypto units through the
pkcs11 engine (such as T2 and T3); on T4 and later and on x86
platforms, including the platform this patch is for, it is disabled
by default (bug 18762585).
NOTE 7: The default server cipher list is limited to
"aes128-ctr,aes192-ctr,aes256-ctr,arcfour". See "Ciphers" in
sshd_config(4) for how to offer a different set.
NOTE 8: The following MACs have been added: "hmac-sha2-256, hmac-sha2-512,
hmac-sha2-256-96, hmac-sha2-512-96."
NOTE 9: The following options were added to sshd_config:
HostKeyAlgorithms
Specifies the host key algorithms that the server offers. The
default for this option is:
ssh-rsa,ssh-dss
HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased
authentication as a comma-separated pattern list. Alternately if
the specified value begins with a `+' character, then the speci-
fied key types will be appended to the default set instead of
replacing them. The default for this option is:
ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes
Specifies the key types that will be accepted for public key
authentication as a comma-separated pattern list. Alternately if
the specified value begins with a `+' character, then the speci-
fied key types will be appended to the default set instead of
replacing them. The default for this option is:
ssh-rsa,ssh-dss
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. Alternately if the specified
value begins with a `+' character, then the specified methods
will be appended to the default set instead of replacing them.
The supported and default algorithms are:
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
The following new options were added to ssh_config:
HostbasedKeyTypes
Specifies the key types that will be used for hostbased authenti-
cation as a comma-separated pattern list. Alternately if the
specified value begins with a `+' character, then the specified
key types will be appended to the default set instead of replac-
ing them. The default for this option is:
ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes
Specifies the key types that will be used for public key authen-
tication as a comma-separated pattern list. Alternately if the
specified value begins with a `+' character, then the specified
key types will be appended to the default set instead of replac-
ing them. The default for this option is:
ssh-rsa,ssh-dss
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple
algorithms must be comma-separated. Alternately if the specified
value begins with a `+' character, then the specified methods
will be appended to the default set instead of replacing them.
The default is:
diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
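The `+' prefix described in NOTE 9 and above appends to the default list but cannot remove anything from it, so a server that should stop offering, for instance, arcfour or diffie-hellman-group1-sha1 has to spell out the whole list. The following added shell example (not part of this README or of SunSSH) resolves the Ciphers and KexAlgorithms lists sshd will use from a configuration file, using the defaults this README states in NOTE 7 and NOTE 9, and builds an explicit list by dropping entries from the default. The sample configurations and the choice of which entries to drop are the editor's assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle README or SunSSH: work out the effective
# Ciphers / KexAlgorithms list from a config file using the defaults this
# README documents, honouring the "+" prefix. Sample configs are constructed.

# Defaults as stated in NOTE 7 and NOTE 9 (no spaces: the value is one token).
DEFAULT_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,arcfour"
DEFAULT_KEX="diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"

# resolve_list DEFAULT VALUE: "+x" appends x to DEFAULT, anything else replaces
# DEFAULT, and an empty VALUE (keyword absent) leaves DEFAULT as it is.
resolve_list() {
    case "$2" in
        "")  printf '%s\n' "$1" ;;
        +*)  printf '%s,%s\n' "$1" "${2#+}" ;;
        *)   printf '%s\n' "$2" ;;
    esac
}

# config_value FILE KEYWORD: the last global setting of KEYWORD, i.e. before
# any Match line (Ciphers and KexAlgorithms are not valid inside Match).
config_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want   { val = $2 }
        END { print val }' "$1"
}

effective_ciphers() { resolve_list "$DEFAULT_CIPHERS" "$(config_value "$1" Ciphers)"; }
effective_kex()     { resolve_list "$DEFAULT_KEX" "$(config_value "$1" KexAlgorithms)"; }

# drop_entries LIST NAME...: the list without the named entries, order kept.
drop_entries() {
    list=$1; shift
    for name in "$@"; do
        list=$(printf '%s\n' "$list" | tr ',' '\n' | grep -v -x -F "$name" | paste -s -d, -)
    done
    printf '%s\n' "$list"
}

WORK=$(mktemp -d)

# Constructed: the "+" form keeps every default entry, arcfour included.
cat > "$WORK/sshd_config.plus" <<'EOF'
Protocol 2
Ciphers +3des-cbc
EOF

# Constructed: explicit lists built from the defaults minus the entries this
# editor chooses not to offer (an assumption, not something the README states).
cat > "$WORK/sshd_config.explicit" <<EOF
Protocol 2
Ciphers $(drop_entries "$DEFAULT_CIPHERS" arcfour)
KexAlgorithms $(drop_entries "$DEFAULT_KEX" diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1)
MACs hmac-sha2-256,hmac-sha2-512
Match User testuser
    AllowTcpForwarding no
EOF

for f in plus explicit; do
    echo "== sshd_config.$f"
    echo "Ciphers:       $(effective_ciphers "$WORK/sshd_config.$f")"
    echo "KexAlgorithms: $(effective_kex "$WORK/sshd_config.$f")"
done
```

The resolution is done from the documented defaults rather than by asking the binaries, so re-check the default lists against the README of whichever patch revision is actually installed before relying on the output.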
README -- Last modified date: Thursday, April 15, 2021