7.167. openssh

Security Fix

CVE-2012-5536

Due to the way the pam_ssh_agent_auth PAM module was built in Red Hat Enterprise Linux 6, the glibc's error() function was called rather than the intended error() function in pam_ssh_agent_auth to report errors. As these two functions expect different arguments, it was possible for an attacker to cause an application using pam_ssh_agent_auth to crash, disclose portions of its memory or, potentially, execute arbitrary code.

Bug Fixes

BZ#821641

All possible options for the new RequiredAuthentications directive were not documented in the sshd_config man page. This update improves the man page to document all the possible options.

BZ#826720

When stopping one instance of the SSH daemon (sshd), the sshd init script (/etc/rc.d/init.d/sshd) stopped all sshd processes regardless of the PID of the processes. This update improves the init script so that it only kills processes with the relevant PID. As a result, the init script now works more reliably in a multi-instance environment.

BZ#836650

Due to a regression, the ssh-copy-id command returned an exit status code of zero even if there was an error in copying the key to a remote host. With this update, a patch has been applied and ssh-copy-id now returns a non-zero exit code if there is an error in copying the SSH certificate to a remote host.

BZ#836655

When SELinux was disabled on the system, no on-disk policy was installed, a user account was used for a connection, and no "~/.ssh" configuration was present in that user's home directory, the SSH client terminated unexpectedly with a segmentation fault when attempting to connect to another system. A patch has been provided to address this issue and the crashes no longer occur in the described scenario.

BZ#857760

The "HOWTO" document /usr/share/doc/openssh-ldap-5.3p1/HOWTO.ldap-keys incorrectly documented the use of the AuthorizedKeysCommand directive. This update corrects the document.

Enhancements

BZ#782912

When attempting to enable SSH for use with a Common Access Card (CAC), the ssh-agent utility read all the certificates in the card even though only the ID certificate was needed. Consequently, if a user entered their PIN incorrectly, then the CAC was locked, as a match for the PIN was attempted against all three certificates. With this update, ssh-add does not try the same PIN for every certificate if the PIN fails for the first one. As a result, the CAC will not be disabled if a user enters their PIN incorrectly.

BZ#860809

This update adds a "netcat mode" to SSH. The "ssh -W host:port ..." command connects standard input and output (stdio) on a client to a single port on a server. As a result, SSH can be used to route connections via intermediate servers.

BZ#869903

Due to a bug, arguments for the RequiredAuthentications2 directive were not stored in a Match block. Consequently, parsing of the config file was not in accordance with the man sshd_config documentation. This update fixes the bug and users can now use the required authentication feature to specify a list of authentication methods as expected according to the man page.