8.134. openssh

Updated openssh packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the core files necessary for the OpenSSH client and server.

Security Fix

CVE-2010-5107
The default OpenSSH configuration made it easy for remote attackers to exhaust unauthorized connection slots and prevent other users from being able to log in to a system. This flaw has been addressed by enabling random early connection drops by setting MaxStartups to 10:30:100 by default. For more information, refer to the sshd_config(5) man page.
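To make the MaxStartups semantics concrete, the following is an added example written for this page, not code from OpenSSH itself. It parses a "start:rate:full" value the way sshd_config does (a bare number means start = full and rate = 100) and computes the percentage chance that a new unauthenticated connection is refused once a given number of such connections is already pending. The random roll is passed in as a parameter so the policy can be exercised deterministically; sshd draws it from its own random source.

```c
/* Added example: the MaxStartups "start:rate:full" random early drop policy.
 * Modelled on the behaviour documented in sshd_config(5); illustrative code,
 * not OpenSSH's source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct max_startups {
    int begin; /* start: pending unauthenticated connections before any drop */
    int rate;  /* rate: drop probability in percent once 'begin' is reached */
    int full;  /* full: refuse every new connection at or above this count */
};

/* Parse "10:30:100" or a bare "10" (meaning begin = full = 10, rate = 100).
 * Returns 0 on success, -1 for a malformed or inconsistent value. */
int parse_max_startups(const char *value, struct max_startups *out)
{
    int begin, rate, full;
    int n = sscanf(value, "%d:%d:%d", &begin, &rate, &full);
    if (n == 3) {
        if (begin < 1 || rate < 1 || rate > 100 || full < begin)
            return -1;
    } else if (n == 1) {
        if (begin < 1)
            return -1;
        full = begin;
        rate = 100;
    } else {
        return -1;            /* e.g. "10:30" is incomplete */
    }
    out->begin = begin;
    out->rate = rate;
    out->full = full;
    return 0;
}

/* Percentage chance that a new unauthenticated connection is refused when
 * 'startups' such connections are already pending: 0 below 'begin', then
 * rising linearly from 'rate' at 'begin' to 100 at 'full'. */
int drop_probability(const struct max_startups *cfg, int startups)
{
    int p;
    if (startups < cfg->begin)
        return 0;
    if (startups >= cfg->full || cfg->rate == 100)
        return 100;
    p = 100 - cfg->rate;
    p *= startups - cfg->begin;
    p /= cfg->full - cfg->begin;   /* full > begin is guaranteed here */
    return p + cfg->rate;
}

/* Decision for one connection. 'roll' is a uniform value in [0, 100). */
int drop_connection(const struct max_startups *cfg, int startups, int roll)
{
    return roll < drop_probability(cfg, startups);
}

/* Convenience: parse a spec and evaluate it in one call; -1 on a bad spec. */
int drop_probability_for(const char *spec, int startups)
{
    struct max_startups cfg;
    if (parse_max_startups(spec, &cfg) != 0)
        return -1;
    return drop_probability(&cfg, startups);
}

int main(void)
{
    struct max_startups cfg;
    int s;
    if (parse_max_startups("10:30:100", &cfg) != 0) {
        fprintf(stderr, "bad MaxStartups value\n");
        return 1;
    }
    for (s = 0; s <= 100; s += 10)
        printf("pending=%3d drop=%3d%%\n", s, drop_probability(&cfg, s));
    return 0;
}
```

With the new default, a host with 10 pending unauthenticated connections starts refusing 30% of new ones, the refusal rate climbs as the backlog grows, and at 100 pending connections every new attempt is refused. Legitimate users see an occasional "Connection closed" during an attack instead of a fully blocked service, and the curve can be tuned per host in sshd_config.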

Bug Fixes

BZ#872169
Logging through the syslog utility requires an existing /dev/log socket, which is not available in every chroot environment based on the user's home directory. Previously, to work around this, a patch was applied to keep the syslog file descriptor open. However, the syslog library was changed and the heuristic used stopped working. As a consequence, sftp commands were not logged in the chroot setup of the internal sftp subsystem. The patch has been adjusted to the new conditions, and sftp commands are again logged in the chroot setup of the internal sftp subsystem.
BZ#880575
Previously, when the user attempted to use their own unprotected private key, the ssh utility displayed the following message:
It is recommended that your private key files are NOT accessible by others.
The key was subsequently rejected, which could have led to confusion as the behavior was inconsistent with the message. With this update, the message has been changed to:
It is required that your private key files are NOT accessible by others.
BZ#896561
The ssh-agent utility was unable to open more connections and could become unresponsive due to a race condition. The race condition has been fixed and ssh-agent no longer hangs in this scenario.
BZ#954094
If the "bindpw" option contained double quotes, it was not correctly parsed by the ssh-ldap-helper parser, and ssh-ldap-helper failed to bind to an LDAP server. With this update, ssh-ldap-helper parses the LDAP configuration files correctly.
BZ#955792
Prior to this update, non-ASCII characters were replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not displayed correctly in a client. With this update, banner messages are processed according to RFC 3454, control characters are removed, and banners containing UTF-8 strings are now displayed correctly.
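The following is an added example of a banner sanitiser of the kind this fix describes, written for this page and not taken from OpenSSH. It keeps well-formed UTF-8 intact (so a Korean or accented banner prints as intended), drops the control characters a terminal would interpret, and octal-escapes any byte that is not valid UTF-8 so the terminal never sees a raw escape sequence. It covers only the RFC 3454 C.2.1 and C.2.2 control ranges (U+0000 to U+001F, U+007F, U+0080 to U+009F); the other prohibited categories in that RFC are left out here, and newline, tab and carriage return are deliberately kept because a banner needs line layout.

```c
/* Added example: banner sanitiser that preserves UTF-8 while stripping
 * control characters and escaping non-UTF-8 bytes. Illustrative code for
 * this page; the subset of RFC 3454 handled is stated in the comments. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one UTF-8 sequence from s[0..len). Returns its byte length and
 * stores the code point in *cp, or returns 0 if the bytes are not a valid,
 * minimal encoding (stray continuation, overlong form, surrogate, > U+10FFFF). */
static size_t utf8_decode(const unsigned char *s, size_t len, unsigned long *cp)
{
    size_t n, i;
    unsigned long c;
    if (len == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if (s[0] >= 0xC2 && s[0] <= 0xDF) { n = 2; c = s[0] & 0x1F; }
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) { n = 3; c = s[0] & 0x0F; }
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) { n = 4; c = s[0] & 0x07; }
    else return 0;                   /* 0x80-0xC1 and 0xF5-0xFF can never lead */
    if (len < n) return 0;
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if ((n == 3 && c < 0x800) || (n == 4 && (c < 0x10000 || c > 0x10FFFF)) ||
        (c >= 0xD800 && c <= 0xDFFF))
        return 0;
    *cp = c;
    return n;
}

/* RFC 3454 C.2.1 (ASCII controls) and C.2.2 (U+0080-U+009F, the C1 set,
 * which includes the 8-bit CSI used to start escape sequences). */
static int is_control(unsigned long cp)
{
    if (cp == '\n' || cp == '\t' || cp == '\r') return 0;  /* layout, kept */
    return cp < 0x20 || (cp >= 0x7F && cp <= 0x9F);
}

/* Return a newly allocated sanitised copy of the 'len' bytes at 'in'.
 * Worst case growth is 4x (every byte escaped as \ooo) plus the NUL. */
char *sanitise_banner(const unsigned char *in, size_t len)
{
    char *out = malloc(len * 4 + 1), *p = out;
    size_t i = 0;
    if (out == NULL) return NULL;
    while (i < len) {
        unsigned long cp;
        size_t n = utf8_decode(in + i, len - i, &cp);
        if (n == 0) {                    /* not UTF-8: show the byte, never emit it raw */
            p += sprintf(p, "\\%03o", in[i]);
            i++;
        } else if (is_control(cp)) {
            i += n;                      /* silently dropped */
        } else {
            memcpy(p, in + i, n);        /* valid UTF-8 passes through unchanged */
            p += n;
            i += n;
        }
    }
    *p = '\0';
    return out;
}

/* Convenience wrapper for NUL-terminated input. */
char *sanitise_banner_str(const char *s)
{
    return sanitise_banner((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed sample: Korean greeting, an ANSI colour escape, a stray 0xFF. */
    static const unsigned char banner[] =
        "\xed\x99\x98\xec\x98\x81\xed\x95\xa9\xeb\x8b\x88\xeb\x8b\xa4 Welcome\x1b[31m!\xff\n";
    char *clean = sanitise_banner(banner, sizeof(banner) - 1);
    if (clean != NULL) {
        fputs(clean, stdout);
        free(clean);
    }
    return 0;
}
```

The two cases this separates are exactly the ones the bug conflated: a multi-byte character that happens to contain bytes above 0x7F is legitimate text and is passed through, whereas an ESC (0x1B), a C1 CSI (0xC2 0x9B) or a malformed byte is what an attacker-controlled banner would use to reprogram the terminal, and those are removed or rendered inert.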
BZ#974096
Previously, if the /tmp/ directory of the target user was polyinstantiated, no credentials cache was found on the remote machine after the Pluggable Authentication Module (PAM) session was initiated. As a consequence, Kerberos ticket forwarding did not work. With this update, the cache is re-created in a new /tmp/ directory after the PAM session is initiated, and Kerberos ticket forwarding now works as expected.
BZ#993509
Previously, if the sshd daemon was configured to force the internal SFTP session, the daemon was unable to properly handle requests for an interactive session. Consequently, sshd did not terminate such SSH connections and SSH clients could become unresponsive. With this update, sshd has been modified to return an error message stating that the service allows SFTP connections only, and SSH clients no longer hang in this scenario.

Enhancements

BZ#906872
This update adds support for certificate authentication of users and hosts using a new OpenSSH certificate format. Certificates contain a public key, identity information, and validity constraints, and are signed with a standard SSH public key using the ssh-keygen utility. Note that the version of ssh-keygen shipped with Red Hat Enterprise Linux 6 uses the "-Z" option for specifying the principals. For more information on this functionality, refer to the /usr/share/doc/openssh-5.3p1/PROTOCOL.certkeys file.
BZ#908038
This update adds support for PKCS#11 tokens. Now, OpenSSH clients are able to use smart cards for authentication.
BZ#951704
The KexAlgorithms configuration option has been added to the client and server configuration of the ssh utility and the sshd daemon respectively. Specifying KexAlgorithms enables the user and the administrator to select the key exchange methods and their order of preference.
BZ#969565
This update adds support for the SHA-2 Secure Hash Algorithm in the Hash-based Message Authentication Code (HMAC) to OpenSSH.
BZ#993577
The new Federal Information Processing Standard (FIPS) validation requires the random number generator (RNG) seed to have at least 112 bits of entropy instead of the previous 80 bits. Therefore, the minimum value of the SSH_USE_STRONG_RNG environment variable (the number of bytes read from the kernel random device) has been increased to 14.
BZ#1001565
The new Federal Information Processing Standard (FIPS) validation requires the Power On Self Test (POST) to run in all cases when the FIPS module is installed. With this update, the POST is run by the SSH client and the SSH server if the dracut-fips package has been installed.
All openssh users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
© 2024 Red Hat, Inc.