7.146. openssh

Bug Fixes

BZ#1085710

Every first attempt to make a connection using the sftp utility, before the user information was stored in the System Security Services Daemon (SSSD) cache, failed. The sshd server no longer closes file descriptors before all the user information is loaded, and sftp connections in combination with SSSD work even when the SSSD cache is empty. Now, first sftp connection attempts succeed.

BZ#1093869

Printing extensions for v01 certificates using the "ssh-keygen -L -f" command did not display the certificate extensions correctly. Now, printing extensions for v01 certificates works as expected.

BZ#1109251

The sshd configuration test mode, executed by the "sshd -T" command, did not display all default options and displayed certain other options incorrectly. With this update, the sshd test mode outputs all required default options and also prints the above-mentioned other options correctly. Output of the configuration test mode can be now safely applied as configuration input.

BZ#1127312

Non-existing users logging in with ssh triggered two different audit messages in the log, which was not expected behavior. With this update, when a non-existing user attempts to log in using ssh, only one audit message is triggered. This message records a login attempt from an unknown user as expected.

BZ#1131585

When the ForceCommand option with a pseudoterminal was used and the MaxSession option was set to "2", multiplexed ssh connections did not work as expected. After the user attempted to open a second multiplexed connection, the attempt failed if the first connection was still open. This update modifies OpenSSH to issue only one audit message per session. The user is able to open two multiplexed connections in this situation.

BZ#1134938

Previously, OpenSSH did not correctly handle quoted multiple values defined on one configuration line. When the user specified, for example, multiple groups in quotes on one line, OpenSSH only honored the first specified group. The OpenSSH configuration parser has been modified, and OpenSSH honors all option values in this situation.

BZ#1135521

The ssh-copy-id utility failed if the account on the remote server did not use an sh-like shell. Remote commands have been modified to run in an sh-like shell, and ssh-copy-id now also works with non-sh-like shells.

BZ#1161454

The user could not generate ssh keys on hosts with a host name of 64 characters. The ssh-keygen utility failed in this situation. The buffer size for host names has been increased, and ssh-keygen no longer fails in the described situation.

BZ#1172224

All the messages obtained from an sftp server when using chroot were logged in the global log file through the sshd server even when a valid socket for logging was available. Now, events from the sftp server can be logged through the socket in chroot and forwarded into an independent log file.

BZ#1196331

The ssh-keyscan command did not scan for Elliptic Curve Digital Signature Algorithm (ECDSA) keys. The "ssh-keyscan -t ecdsa -v localhost" command did not display any output. The command now outputs the host ECDSA key as expected.

BZ#1208584

This update fixes memory leaks discovered in sshd.

Enhancements

BZ#1119506

This update adds support for adjusting LDAP queries. The administrator can adjust the LDAP query to obtain public keys from servers that use a different schema.

BZ#1159055

The PermitOpen option in sshd_config file now supports wildcards.

BZ#1191055

With this update, openssh can force exact permissions on files that are newly uploaded using sftp.