OBSOLETE Patch-ID# 148104-19
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
For further information on patching best practices and resources, please
see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: security ssh sftp last sshd
Synopsis: Obsoleted by: 148104-20 SunOS 5.10: last, ssh/sshd patch
Date: Dec/13/2014
Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10
SunOS Release: 5.10
Unbundled Product:
Unbundled Release:
Xref: This patch available for x86 as patch 148105
Topic: SunOS 5.10: last, ssh/sshd patch
Relevant Architectures: sparc
Bugs fixed with this patch:
Changes incorporated in this version: 15387750 15533739
Patches accumulated and obsoleted by this patch: 148096-06
Patches which conflict with this patch:
Patches required with this patch: 120011-14 137137-09 139555-08 141444-09 144500-19 (or greater)
Obsoleted by: 148104-20
Files included with this patch:
/etc/ssh/sshd_config
/usr/bin/last
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/lib/ssh/sftp-server
/usr/lib/ssh/ssh-keysign
/usr/lib/ssh/sshd
Problem Description:
15387750 scp skips a file after a "set mode:" error
15533739 array overrun in scp
(from 148104-18)
19010426 sshd getgrouplist() should use _getgroupsbymember()
(from 148104-17)
18775931 sshd is not setting locale properly when LANG and LC_XXX env variables were sent
(from 148104-16)
15453735 resync server's conditional Match block from OpenSSH
15453736 resync server's ForceCommand from OpenSSH
15676709 SSH is missing an argument in snprintf() in process_escapes()
15686304 protect the SSH protocol 2 private keys with AES-128 instead of 3DES
15686307 add ForceCommand, AuthorizedKeysFile and HostbasedUsersNameFromPack
15699435 test for sshd_config option(HostbasedUsesNameFromPacketOnly) failed
15822755 sshd ignores LookupClientHostnames=no, doesn't disable DNS reverse lookups
16074348 sshd fix for 15822755 needs to cover more cases
(from 148104-15)
18483882 sshd session hangs when copy-pasting large amount of data
18537455 fix for 16212206 is not sufficient
(from 148104-14)
15896442 sshd auth.info message is shown as ja_JP.UTF-8 even if "LANG=PCK/EUC"
17446614 sshd: endless loop in fatal
(from 148104-13)
17313800 sshd should abort the connection when the user fails to change his password
17336872 SSH should provide better krb5 error
17403437 move debug output outside of a signal handler
17415150 memory-leaks in ssh detected by Parfait
17475399 sshd/ssh should deliver CTF information
(from 148104-12)
16345356 SSH Tunnel connect returns EINPROGRESS, must not invoke isatty() before select()
(from 148104-11)
15484784 SunSSH server leaks memory during initialization
15640462 keyboard-interactive configuration option handling needs to be fixed in SunSSH
16306194 problem with ssh
16538152 problem with ssh
(from 148104-10)
15436976 delegating creds should update creds when remote copy unexpired
15786285 GSSAPIDelegateCredentials issues with PAM_USER and 3rd-party module
(from 148104-09)
15917734 SSH truncates instruction field of SSH2_MSG_USERAUTH_INFO_REQUEST
16212206 sshd fails with buffer size greater than 2MB
16221564 uninitialized variable in source of scp.c:651
16221570 uninitialized variable in valid_request of ssh-keysign.c:138
16229840 uninitialized variable in session_loc_env_check of session.c:1968
(from 148104-08)
15816953 ssh connection with a forced tty allocation sometimes fails, under some conditions
15821465 sftp server fails to show date and time in ls localized output using certain locales
(from 148104-07)
This revision accumulates generic Sustaining patch 148096-06
into Solaris S10U11 update.
(from 148104-06)
This revision accumulates generic Sustaining patch 148096-05
into Solaris S10U11 update.
(from 148104-05)
This revision accumulates generic Sustaining patch 148096-04
into Solaris S10U11 update.
(from 148104-04)
This revision accumulates generic Sustaining patch 148096-03
into Solaris S10U11 update.
(from 148104-03)
This revision accumulates generic Sustaining patch 148096-02
into Solaris S10U11 update.
(from 148104-02)
5044096 ssh(1) is too picky, quits on unknown ~/.ssh/config options
(from 148104-01)
This revision accumulates generic Sustaining patch 148096-01
into Solaris S10U11 update.
(from 148096-06)
6908482 missing SSH host keys should be reported properly
(from 148096-05)
6875954 fork error is reported with wrong errno in sshd.c
7188428 sftp does not use the commands from batch file from -b option after installing 148096-03/148097-03
(from 148096-04)
7131879 fix for 6628064 is not optimal: ssh receive window should be increased more on server
(from 148096-03)
6480741 command line editing is desired for sftp(1)
(from 148096-02)
6628064 high-performance ssh/scp
(from 148096-01)
6409841 multiple ssh connections from same user cause previous sshd wtmpx entries to get logged out
6953874 ssh client does not propagate SIGPIPE to server side and hangs
7050937 monitor header files should be removed from source tree
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: The fix for 6628064 (high-performance ssh/scp) increases ssh/scp
performance on high bandwidth/high latency links by increasing the
SSH receive window size and by sending window adjust packets more
often. The SSH receive window size is set to 4 times the value of the
TCP receive buffer, bounded below by 128kB and above by 64MB. The
TCP receive buffer can be set with the following command:
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat <window size>
This tuning is recommended for networks with latency over ten
milliseconds. Note that an ndd setting is not preserved across a
reboot; to make it permanent, apply it again from a boot-time script.
NOTE 2: After patch application the sshd daemon has to be restarted using
the following command:
svcadm restart ssh
The changes then apply only to new ssh connections. Already
established connections remain unchanged.
NOTE 3: The fix for 6480741 (command line editing is desired for sftp(1))
adds a dependency of sftp on libtecla (SUNWtecla), which is part
of a minimal installation and should be available on the system.
If not, SUNWtecla has to be installed for sftp to work properly.
NOTE 4: The fix for:
16538152 problem with ssh
16306194 problem with ssh
15484784 SunSSH server leaks memory during initialization
changes the default value of sshd MaxStartups to "10:30:100". The
value is read as start:rate:full: once 10 unauthenticated connections
are pending, sshd refuses further connection attempts with a
probability of 30%, rising linearly to 100% when 100 unauthenticated
connections are pending.
NOTE 5: This patch introduces new keywords (Match and ForceCommand)
which can be used in sshd_config(4). Before patch uninstall,
make sure the configuration file is reverted to the previous
version and the new keywords are no longer present. Otherwise
the older sshd will fail to start, because it rejects unknown
keywords in sshd_config.
Man page changes:
-------------------------------------------------------
New keyword "ForceCommand" in sshd_config(4):
ForceCommand
Forces the execution of the command specified by
ForceCommand, ignoring any command supplied by the client,
and, if present, ~/.ssh/rc. The command is invoked by
using the user's login shell with the -c option. This
applies to shell, command, or subsystem execution. It is
most useful inside a Match block. The command originally
supplied by the client is available in the
SSH_ORIGINAL_COMMAND environment variable. Specifying a
command of internal-sftp forces the use of an in-process
sftp server that requires no support files when used
with ChrootDirectory.
New paragraph for "LookupClientHostnames" in sshd_config(4):
It is an error to set up a Match block with Host matching
and also set "LookupClientHostnames" to "no". If there is
a Match block with Host matching, then even if
"LookupClientHostnames" is set to "no", reverse lookups
are re-enabled so that the security requirements of the
Match block are honored. In such a case, sshd issues an
error message to the console, and will also syslog an
error if someone logs in while the misconfiguration remains
in sshd_config.
New keyword "Match" in sshd_config(4):
Match
Introduces a conditional block. If all of the criteria
on the Match line are satisfied, the keywords on the
following lines override those set in the global section
of the config file, until either another Match line or
the end of the file. Match blocks must be located at the
end of the file, after all the global settings.
The arguments to Match are one or more criteria-pattern
pairs. The available criteria are User, Group, Host, and
Address. The match patterns can consist of single
entries or comma-separated lists and can use the wildcard
(asterisk * and question mark ?) and negation (!)
operators.
The patterns in a Host criteria should be hostnames. The
patterns in an Address criteria should be IP addresses,
which can additionally contain addresses to match in
CIDR address/masklen format, for example, 192.0.2.0/24.
The mask length provided must be consistent with the
address: it is an error to specify a mask length that is
too long for the address or one with bits set in the
host portion of the address, for example, 192.0.2.0/33 and
192.0.2.0/8 respectively.
Only a subset of keywords can be used on the lines following
a Match keyword. Available keywords are
AllowTcpForwarding, AuthorizedKeysFile, Banner,
ChrootDirectory, ForceCommand, GatewayPorts,
GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly,
KbdInteractiveAuthentication, PasswordAuthentication,
PermitEmptyPasswords, PermitRootLogin, PubkeyAuthentication,
RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding, and X11UseLocalhost.
The following are four examples of using Match:
1. Disallowing user testuser to use TCP forwarding:
Match User testuser
AllowTcpForwarding no
2. Displaying a special banner for users not in
the staff group:
Match Group *,!staff
Banner /etc/banner.text
3. Allowing root login from host
rootallowed.example.com:
Match Host rootallowed.example.com
PermitRootLogin yes
4. Allowing anyone to use GatewayPorts from the
local net:
Match Address 192.168.0.0/24
GatewayPorts yes
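The Match rules above (blocks at the end of the file, a restricted keyword subset inside a block, Host matching incompatible with LookupClientHostnames=no, strict CIDR in Address criteria) and the NOTE 5 requirement that Match and ForceCommand be gone before patchrm are all mechanically checkable. The following linter is an added example for this README, not Oracle's or SunSSH's code; it assumes a simplified sshd_config syntax (one "Keyword value" per line, "#" comments) and encodes only the rules stated on this page. The two configs it is run against are constructed for the example.

```python
"""Lint an sshd_config(4) for the Match / ForceCommand rules in this patch.

Added example, not SunSSH code.  Assumes a simplified config syntax and
encodes only the rules the README states.  Also reports whether the file
uses the keywords that must be removed before 'patchrm' (NOTE 5)."""
import ipaddress

# Keywords permitted on the lines following a Match line (sshd_config(4)).
MATCH_KEYWORDS = {
    "allowtcpforwarding", "authorizedkeysfile", "banner", "chrootdirectory",
    "forcecommand", "gatewayports", "gssapiauthentication",
    "hostbasedauthentication", "hostbasedusesnamefrompacketonly",
    "kbdinteractiveauthentication", "passwordauthentication",
    "permitemptypasswords", "permitrootlogin", "pubkeyauthentication",
    "rhostsrsaauthentication", "rsaauthentication", "x11displayoffset",
    "x11forwarding", "x11uselocalhost",
}
# Keywords introduced by this patch; the pre-patch sshd rejects them (NOTE 5).
NEW_KEYWORDS = {"match", "forcecommand"}
MATCH_CRITERIA = {"user", "group", "host", "address"}


def _check_address_patterns(pattern, lineno, problems):
    """Validate every CIDR entry of an Address criteria; plain addresses pass."""
    for entry in pattern.split(","):
        entry = entry.lstrip("!")          # negation operator
        if "/" not in entry:
            continue
        try:
            # strict=True rejects both 192.0.2.0/33 (mask too long) and
            # 192.0.2.0/8 (host bits set), exactly as the man page requires.
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append((lineno, f"bad CIDR '{entry}': mask too long or host bits set"))


def lint_sshd_config(text):
    """Return (problems, uses_new_keywords).

    problems is a list of (line_number, message); empty means the config
    obeys the Match rules.  Line 0 marks a whole-file problem."""
    problems = []
    in_match = host_match = lookup_no = uses_new = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()
        uses_new |= keyword in NEW_KEYWORDS
        if keyword == "match":
            in_match = True
            if not args or len(args) % 2:
                problems.append((lineno, "Match takes criteria-pattern pairs"))
            for crit, pattern in zip(args[::2], args[1::2]):
                crit = crit.lower()
                if crit not in MATCH_CRITERIA:
                    problems.append((lineno, f"unknown Match criteria '{crit}'"))
                elif crit == "host":
                    host_match = True
                elif crit == "address":
                    _check_address_patterns(pattern, lineno, problems)
        elif in_match:
            # Everything after the first Match line belongs to a Match block:
            # a global keyword here is misplaced (globals must precede Match)
            # or simply not Match-capable.
            if keyword not in MATCH_KEYWORDS:
                problems.append((lineno, f"'{keyword}' is not allowed inside a Match block"))
        elif keyword == "lookupclienthostnames" and args and args[0].lower() == "no":
            lookup_no = True
    if host_match and lookup_no:
        problems.append((0, "Match Host used with LookupClientHostnames no: "
                            "sshd re-enables reverse lookups and logs an error"))
    return problems, uses_new


# Constructed sample: an sftp-only group, the common use of ForceCommand.
SFTP_ONLY = """\
Subsystem sftp /usr/lib/ssh/sftp-server
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# Constructed sample with the three mistakes the README warns about.
BROKEN = """\
# constructed sample, not a real host's sshd_config
Protocol 2
LookupClientHostnames no
Match Host rootallowed.example.com
    PermitRootLogin yes
Match Address 192.0.2.0/8
    GatewayPorts yes
Match Group *,!staff
    Banner /etc/banner.text
    Protocol 2
"""

if __name__ == "__main__":
    for name, cfg in (("sftp-only", SFTP_ONLY), ("broken", BROKEN)):
        problems, uses_new = lint_sshd_config(cfg)
        print(f"{name}: {len(problems)} problem(s); remove Match/ForceCommand "
              f"before patchrm: {'yes' if uses_new else 'no'}")
        for lineno, msg in problems:
            print(f"  line {lineno}: {msg}")
```

Run it against a copy of /etc/ssh/sshd_config before patchrm: a second return value of True means the file still carries keywords the pre-patch sshd will not accept. The line-0 finding is the LookupClientHostnames case, which sshd only reports at runtime.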
Change from "3DES" to "128-bit AES" in ssh-keygen(1) in description
of $HOME/.ssh/id_{d,r}sa:
...
It is possible to specify a passphrase when generating
the key; that passphrase is used to encrypt the private
part of the file using 128-bit AES.
...
README -- Last modified date: Wednesday, October 14, 2015