- Issued:
- 2015-07-22
- Updated:
- 2015-07-22
RHBA-2015:1335 - openssh bug fix and enhancement update
Synopsis
openssh bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated openssh packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Description
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
Bug fixes:
-
Every first attempt to make a connection using the sftp utility, before the user information was stored in the System Security Services Daemon (SSSD) cache, failed. The sshd server no longer closes file descriptors before all the user information is loaded, and sftp connections in combination with SSSD work even when the SSSD cache is empty. Now, first sftp connection attempts succeed. (BZ#1085710)
-
Printing extensions for v01 certificates using the "ssh-keygen -L -f" command did not display the certificate extensions correctly. Now, printing extensions for v01 certificates works as expected. (BZ#1093869)
-
The sshd configuration test mode, executed by the "sshd -T" command, did not display all default options and displayed certain other options incorrectly. With this update, the sshd test mode outputs all required default options and also prints the above-mentioned other options correctly. Output of the configuration test mode can be now safely applied as configuration input. (BZ#1109251)
-
Non-existing users logging in with ssh triggered two different audit messages in the log, which was not expected behavior. With this update, when a non-existing user attempts to log in using ssh, only one audit message is triggered. This message records a login attempt from an unknown user as expected. (BZ#1127312)
-
When the ForceCommand option with a pseudoterminal was used and the MaxSession option was set to "2", multiplexed ssh connections did not work as expected. After the user attempted to open a second multiplexed connection, the attempt failed if the first connection was still open. This update modifies OpenSSH to issue only one audit message per session. The user is able to open two multiplexed connections in this situation. (BZ#1131585)
-
Previously, OpenSSH did not correctly handle quoted multiple values defined on one configuration line. When the user specified, for example, multiple groups in quotes on one line, OpenSSH only honored the first specified group. The OpenSSH configuration parser has been modified, and OpenSSH honors all option values in this situation. (BZ#1134938)
-
The ssh-copy-id utility failed if the account on the remote server did not use an sh-like shell. Remote commands have been modified to run in an sh-like shell, and ssh-copy-id now also works with non-sh-like shells. (BZ#1135521)
-
The user could not generate ssh keys on hosts with a host name of 64 characters. The ssh-keygen utility failed in this situation. The buffer size for host names has been increased, and ssh-keygen no longer fails in the described situation. (BZ#1161454)
-
All the messages obtained from an sftp server when using chroot were logged in the global log file through the sshd server even when a valid socket for logging was available. Now, events from the sftp server can be logged through the socket in chroot and forwarded into an independent log file. (BZ#1172224)
-
The ssh-keyscan command did not scan for Elliptic Curve Digital Signature Algorithm (ECDSA) keys. The "ssh-keyscan -t ecdsa -v localhost" command did not display any output. The command now outputs the host ECDSA key as expected. (BZ#1196331)
-
This update fixes memory leaks discovered in sshd. (BZ#1208584)
Enhancements:
-
This update adds support for adjusting LDAP queries. The administrator can adjust the LDAP query to obtain public keys from servers that use a different schema. (BZ#1119506)
-
The PermitOpen option in sshd_config file now supports wildcards. (BZ#1159055)
-
With this update, openssh can force exact permissions on files that are newly uploaded using sftp. (BZ#1191055)
Users of openssh are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- openssh-server-5.3p1-111.el6.x86_64.rpm
- openssh-askpass-5.3p1-111.el6.i686.rpm
- openssh-askpass-5.3p1-111.el6.x86_64.rpm
- openssh-clients-5.3p1-111.el6.ppc64.rpm
- openssh-5.3p1-111.el6.s390x.rpm
- openssh-debuginfo-5.3p1-111.el6.x86_64.rpm
- openssh-5.3p1-111.el6.ppc64.rpm
- pam_ssh_agent_auth-0.9.3-111.el6.i686.rpm
- openssh-server-5.3p1-111.el6.s390x.rpm
- pam_ssh_agent_auth-0.9.3-111.el6.x86_64.rpm
- openssh-clients-5.3p1-111.el6.i686.rpm
- openssh-debuginfo-5.3p1-111.el6.ppc.rpm
- pam_ssh_agent_auth-0.9.3-111.el6.ppc64.rpm
- openssh-askpass-5.3p1-111.el6.s390x.rpm
- openssh-5.3p1-111.el6.x86_64.rpm
- openssh-debuginfo-5.3p1-111.el6.ppc64.rpm
- openssh-ldap-5.3p1-111.el6.ppc64.rpm
- openssh-server-5.3p1-111.el6.i686.rpm
- openssh-5.3p1-111.el6.src.rpm
- openssh-clients-5.3p1-111.el6.x86_64.rpm
- openssh-debuginfo-5.3p1-111.el6.s390.rpm
- pam_ssh_agent_auth-0.9.3-111.el6.s390x.rpm
- openssh-ldap-5.3p1-111.el6.i686.rpm
- openssh-clients-5.3p1-111.el6.s390x.rpm
- pam_ssh_agent_auth-0.9.3-111.el6.ppc.rpm
- openssh-server-5.3p1-111.el6.ppc64.rpm
- openssh-debuginfo-5.3p1-111.el6.i686.rpm
- openssh-debuginfo-5.3p1-111.el6.s390x.rpm
- openssh-ldap-5.3p1-111.el6.s390x.rpm
- openssh-5.3p1-111.el6.i686.rpm
- openssh-askpass-5.3p1-111.el6.ppc64.rpm
- pam_ssh_agent_auth-0.9.3-111.el6.s390.rpm
- openssh-ldap-5.3p1-111.el6.x86_64.rpm
Fixes
- This content is not included.BZ - 1109251
- This content is not included.BZ - 1127312
- This content is not included.BZ - 1135521
- This content is not included.BZ - 1160487
- This content is not included.BZ - 1161449
- This content is not included.BZ - 1161454
- This content is not included.BZ - 1172224
- This content is not included.BZ - 1191055
- This content is not included.BZ - 1197072
- This content is not included.BZ - 1197763
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.