OBSOLETE Patch-ID# 148104-19



Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security ssh sftp last sshd
Synopsis: Obsoleted by: 148104-20 SunOS 5.10: last, ssh/sshd patch
Date: Dec/13/2014


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 148105

Topic: SunOS 5.10: last, ssh/sshd patch

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #    Bug #
6541172     15387750
6627262     15436976
6655613     15453735
6655614     15453736
6709963     15484784
6791293     15533739
6949049     15640462
6994183     15676709
7005949     15686304
7005953     15686307
7022695     15699435
7162389     15786285
7199485     15816953
7203661     15821465
7204715     15822755
            15896442
            15917734
            16074348
            16212206
            16221564
            16221570
            16229840
            16306194
            16345356
            16538152
            17313800
            17336872
            17403437
            17415150
            17446614
            17475399
            18483882
            18537455
            18775931
            19010426
5044096     15210351
6409841     15323891
6480741     15355058
6628064     15437481
6875954     15585137
6908482     15608878
6953874     15644277
7050937     15719710
7131879     15767654
7188428     15807459


Changes incorporated in this version: 15387750 15533739

Patches accumulated and obsoleted by this patch: 148096-06

Patches which conflict with this patch:

Patches required with this patch: 120011-14 137137-09 139555-08 141444-09 144500-19 (or greater)

Obsoleted by: 148104-20

Files included with this patch:

/etc/ssh/sshd_config
/usr/bin/last
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/lib/ssh/sftp-server
/usr/lib/ssh/ssh-keysign
/usr/lib/ssh/sshd

Problem Description:

15387750 scp skips a file after a "set mode:" error
15533739 array overrun in scp
 
(from 148104-18)
 
19010426 sshd getgrouplist() should use _getgroupsbymember()
 
(from 148104-17)
 
18775931 sshd is not setting locale properly when LANG and LC_XXX env variables were sent
 
(from 148104-16)
 
15453735 resync server's conditional Match block from OpenSSH
15453736 resync server's ForceCommand from OpenSSH
15676709 SSH is missing an argument in snprintf() in process_escapes()
15686304 protect the SSH protocol 2 private keys with AES-128 instead of 3DES
15686307 add ForceCommand, AuthorizedKeysFile and HostbasedUsersNameFromPack
15699435 test for sshd_config option(HostbasedUsesNameFromPacketOnly) failed
15822755 sshd ignores LookupClientHostnames=no, doesn't disable DNS reverse lookups
16074348 sshd fix for 15822755 needs to cover more cases
 
(from 148104-15)
 
18483882 sshd session hangs when copy-pasting large amount of data
18537455 fix for 16212206 is not sufficient
 
(from 148104-14)
 
15896442 sshd auth.info message is shown as ja_JP.UTF-8 even if "LANG=PCK/EUC"
17446614 sshd: endless loop in fatal
 
(from 148104-13)
 
17313800 sshd should abort the connection when the user fails to change his password
17336872 SSH should provide better krb5 error
17403437 move debug output outside of a signal handler
17415150 memory-leaks in ssh detected by Parfait
17475399 sshd/ssh should deliver CTF information
 
(from 148104-12)
 
16345356 SSH Tunnel connect returns EINPROGRESS, must not invoke isatty() before select()
 
(from 148104-11)
 
15484784 SunSSH server leaks memory during initialization
15640462 keyboard-interactive configuration option handling needs to be fixed in SunSSH
16306194 problem with ssh
16538152 problem with ssh
 
(from 148104-10)
 
15436976 delegating creds should update creds when remote copy unexpired
15786285 GSSAPIDelegateCredentials issues with PAM_USER and 3rd-party module
 
(from 148104-09)
 
15917734 SSH truncates instruction field of SSH2_MSG_USERAUTH_INFO_REQUEST
16212206 sshd fails with buffer size greater than 2MB
16221564 uninitialized variable in source of scp.c:651
16221570 uninitialized variable in valid_request of ssh-keysign.c:138
16229840 uninitialized variable in session_loc_env_check of session.c:1968
 
(from 148104-08)
 
15816953 ssh connection with a forced tty allocation sometimes fails, under some conditions
15821465 sftp server fails to show date and time in ls localized output using certain locales
 
(from 148104-07)
 
        This revision accumulates generic Sustaining patch 148096-06
        into Solaris S10U11 update.
 
(from 148104-06)
 
        This revision accumulates generic Sustaining patch 148096-05
        into Solaris S10U11 update.
 
(from 148104-05)
 
        This revision accumulates generic Sustaining patch 148096-04
        into Solaris S10U11 update.
 
(from 148104-04)
 
        This revision accumulates generic Sustaining patch 148096-03
        into Solaris S10U11 update.
 
(from 148104-03)
 
        This revision accumulates generic Sustaining patch 148096-02
        into Solaris S10U11 update.
 
(from 148104-02)
 
5044096 ssh(1) is too picky, quits on unknown ~/.ssh/config options
 
(from 148104-01)
 
        This revision accumulates generic Sustaining patch 148096-01
        into Solaris S10U11 update.
 
(from 148096-06)
 
6908482 missing SSH host keys should be reported properly
 
(from 148096-05)
 
6875954 fork error is reported with wrong errno in sshd.c
7188428 sftp does not use the commands from batch file from -b option after installing 148096-03/148097-03
 
(from 148096-04)
 
7131879 fix for 6628064 is not optimal: ssh receive window should be increased more on server
 
(from 148096-03)
 
6480741 command line editing is desired for sftp(1)
 
(from 148096-02)
 
6628064 high-performance ssh/scp
 
(from 148096-01)
 
6409841 multiple ssh connections from same user cause previous sshd wtmpx entries to get logged out
6953874 ssh client does not propagate SIGPIPE to server side and hangs
7050937 monitor header files should be removed from source tree


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  The fix for 6628064 (high-performance ssh/scp) increases ssh/scp
         performance on high bandwidth/high latency links by increasing the
         SSH receive window size and by sending window adjust packets more
         often. The SSH receive window size is set to 4 times the value of
         the TCP receive buffer. The lower bound for the window size is
         128kB, the upper bound 64MB. The TCP receive buffer can be set by
         the following command:
 
         /usr/sbin/ndd -set /dev/tcp  tcp_recv_hiwat <window size>
 
         This tuning is recommended for networks with latency over ten
         milliseconds.
 
NOTE 2:  After patch application the sshd daemon has to be restarted using
         the following command:
 
         svcadm restart ssh
 
         The changes then apply only on new ssh connections.  Already
         established connections remain unchanged.
 
NOTE 3:  The fix for 6480741 (command line editing is desired for sftp(1))
         adds a dependency of sftp on libtecla (SUNWtecla), which is part
         of a minimal installation and should be available on the system.
         If not, SUNWtecla has to be installed for sftp to work properly.
 
NOTE 4:  The fix for:
 
         16538152 problem with ssh
         16306194 problem with ssh
         15484784 SunSSH server leaks memory during initialization
 
         changes the default value of ssh MaxStartups to "10:30:100".
 
NOTE 5:  This patch introduces new keywords (Match and ForceCommand)
         which can be used in sshd_config(4). Before patch uninstall,
         make sure the configuration file is reverted to the previous
         version and the new keywords are no longer present. Otherwise
         sshd would fail to start.
 
         Man page changes:
         -------------------------------------------------------
         New keyword "ForceCommand" in sshd_config(4):
         ForceCommand
             Forces the execution of the command specified by ForceCommand,
             ignoring any command supplied by the client, and, if present,
             ~/.ssh/rc. The command is invoked by using the user's login
             shell with the -c option. This applies to shell, command, or
             subsystem execution. It is most useful inside a Match block.
             The command originally supplied by the client is available in
             the SSH_ORIGINAL_COMMAND environment variable. Specifying a
             command of internal-sftp forces the use of an in-process sftp
             server that requires no support files when used with
             ChrootDirectory.
 
         New paragraph for "LookupClientHostnames" in sshd_config(4):
             It is an error to set up a Match block with Host matching and
             also set "LookupClientHostnames" to "no". If there is a Match
             block with Host matching, then even if "LookupClientHostnames"
             is set to "no", "LookupClientHostnames" will be re-enabled, so
             that the security requirements of the Match block are honored.
             In such a case, "sshd" issues an error message to the console,
             and will also "syslog" an ERROR if someone logs in while the
             misconfiguration remains in the "sshd_config" file.
 
         New keyword "Match" in sshd_config(4):
         Match
             Introduces a conditional block. If all of the criteria on the
             Match line are satisfied, the keywords on the following lines
             override those set in the global section of the config file,
             until either another Match line or the end of the file. Match
             blocks must be located at the end of the file, after all the
             global settings.
 
             The arguments to Match are one or more criteria-pattern pairs.
             The available criteria are User, Group, Host, and Address. The
             match patterns can consist of single entries or comma-separated
             lists and can use the wildcard (asterisk * and question mark ?)
             and negation (!) operators.
 
             The patterns in a Host criterion should be a hostname. The
             patterns in an Address criterion should be an IP address, which
             can additionally contain addresses to match in CIDR
             address/masklen format, for example, 192.0.2.0/24. The mask
             length provided must be consistent with the address: it is an
             error to specify a mask length that is too long for the address
             or one with bits set in the host portion of the address, for
             example, 192.0.2.0/33 and 192.0.2.0/8 respectively.
 
             Only a subset of keywords can be used on the lines following a
             Match keyword. Available keywords are AllowTcpForwarding,
             AuthorizedKeysFile, Banner, ChrootDirectory, ForceCommand,
             GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
             HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
             PasswordAuthentication, PermitEmptyPasswords, PermitRootLogin,
             PubkeyAuthentication, RhostsRSAAuthentication,
             RSAAuthentication, X11DisplayOffset, X11Forwarding, and
             X11UseLocalhost.
 
             The following are four examples of using Match:
 
                 1.   Disallowing user testuser to use TCP forwarding:
 
                        Match User testuser
                          AllowTcpForwarding no
 
                 2.   Displaying a special banner for users not in the
                      staff group:
 
                        Match Group *,!staff
                          Banner /etc/banner.text
 
                 3.   Allowing root login from host rootallowed.example.com:
 
                        Match Host rootallowed.example.com
                          PermitRootLogin yes
 
                 4.   Allowing anyone to use GatewayPorts from the local
                      net:
 
                        Match Address 192.168.0.0/24
                          GatewayPorts yes
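         A pre-flight check for sshd_config, added here as example code
         that is not part of the Oracle patch README: it reports the
         Match/ForceCommand keywords that NOTE 5 requires to be removed
         before patchrm, flags keywords inside a Match block that fall
         outside the permitted subset listed above, and flags a Match Host
         block combined with "LookupClientHostnames no". It assumes a POSIX
         shell with POSIX grep and awk (on Solaris 10, /usr/xpg4/bin/grep
         and /usr/bin/nawk); the function names are my own.

```shell
# Added example (not from the Oracle README); assumes POSIX grep/awk, e.g.
# /usr/xpg4/bin/grep and /usr/bin/nawk on Solaris 10.  Function names are mine.

# Returns 0 when an uncommented Match or ForceCommand line is present (NOTE 5:
# both must be removed from sshd_config before patchrm, or sshd will not start).
uses_patch_keywords() {
    grep -E -i -q '^[[:space:]]*(Match|ForceCommand)([[:space:]]|$)' "$1"
}

# Prints one line per finding and returns 1 if there were any:
#  - a keyword inside a Match block that is outside the permitted subset
#    (every line after the first Match line is inside a Match block, since
#    Match blocks must sit at the end of the file)
#  - a Match Host block combined with "LookupClientHostnames no"
lint_match_blocks() {
    awk '
    BEGIN {
        kws = "AllowTcpForwarding AuthorizedKeysFile Banner ChrootDirectory ForceCommand"
        kws = kws " GatewayPorts GSSAPIAuthentication HostbasedAuthentication"
        kws = kws " HostbasedUsesNameFromPacketOnly KbdInteractiveAuthentication"
        kws = kws " PasswordAuthentication PermitEmptyPasswords PermitRootLogin"
        kws = kws " PubkeyAuthentication RhostsRSAAuthentication RSAAuthentication"
        kws = kws " X11DisplayOffset X11Forwarding X11UseLocalhost"
        n = split(kws, a, " ")
        for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
    }
    NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
    {
        kw = tolower($1)
        if (kw == "match") {                    # criteria-pattern pairs follow
            inmatch = 1
            for (i = 2; i < NF; i += 2) if (tolower($i) == "host") matchhost = 1
            next
        }
        if (!inmatch) {                         # still in the global section
            if (kw == "lookupclienthostnames" && tolower($2) == "no") lookup_no = 1
            next
        }
        if (!(kw in ok)) {
            printf "line %d: %s is not permitted inside a Match block\n", NR, $1
            bad++
        }
    }
    END {
        if (matchhost && lookup_no) {
            print "Match Host with LookupClientHostnames no: sshd re-enables lookups and logs an error"
            bad++
        }
        exit (bad ? 1 : 0)
    }' "$1"
}
```

         Run lint_match_blocks against the edited file before the
         svcadm restart in NOTE 2, and uses_patch_keywords before patchrm.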
 
         Change from "3DES" to "128-bit AES" in ssh-keygen(1) in description
         of $HOME/.ssh/id_{d,r}sa:
             ...
             It is possible to specify a passphrase when generating
             the key; that passphrase is used to encrypt the private
             part of the file using 128-bit AES.
             ...


README -- Last modified date: Wednesday, October 14, 2015