Quest OpenSSH Change Summary
http://rc.quest.com/topics/openssh/

Configuration defaults changed:

 * sshd_config:
     GSSAPIAuthentication        no -> yes
     GSSAPIKeyExchange           no -> yes
     GSSAPIStrictAcceptorCheck   yes -> no
     HostKeys                    - yes
     UsePAM                      no -> yes
     X11Forwarding               no -> yes

 * ssh_config:
     GSSAPIAuthentication        no -> yes
     GSSAPIKeyExchange           no -> yes
     GSSAPIDelegateCredentials   no -> yes
     HashKnownHosts              no -> yes
     ServicePrincipalName        - NULL
     Protocol                    2,1 -> 2

Change History:

5.0p1_q1
--------
 - bug 564: Enabled IPv6 in tcp_wrappers
 - bug 514: specifying -h hostkey option to sshd caused corruption
 - bug 405: improve build checks
 - bug 451: on Solaris 2.6, put PID files in /tmp instead of /var/run
 - use openssl-0.9.8g
 - bug 409: don't print "Killed by signal 15"
 - bug 11: don't use /var/log/btmp on Debian
 - show all host fingerprints in HP-UX SAM module
 - merge with sxw's openssh-5.0p1-gsskex-20080404.patch

4.7p1_q1
--------
 - bug 368: merge with OpenSSH 4.7p1
 - bug 185: double stop init script messages
 - bug 346: install PAM files
 - moved manual pages into the main package
 - upstream bug 1368: added -R option to scp

4.6p1_q1
--------
 - bug 222: merge with OpenSSH 4.6p1 release
 - bug 281: merge with HPN 12v17 patch
 - merge with sxw's openssh-4.6p1-gsskex-20070312
 - bug 207: 64bit support on Linux/s390x
 - OS X build support
 - bug 280: NIS+/pam_dhkeys credentials were not established (upstream 1339)
 - bug 253: put pid files in /var/run instead of /var/opt/quest/run
 - bug 110: add /opt/quest/bin into default PATH for AIX systems (for scp)
 - bug 186: correct missing summary information in packages
 - KbdInteractiveAuthentication defaults to enabled when UsePAM is enabled
 - correct documentation for GSSAPIKeyExchange default
 - improved tests for Debian; and aliased host/
 - use openssl-0.9.8e; s/390 support + patch from upstream bug 1291

4.5p1_q1.116
-------------
 - merge with OpenSSH 4.5p1 release
 - bug 123: local account logins failed on hpux11.11 with vas3.1
 - bugs 127 128 174: install missing directories
 - bug 173: correct problem where ssh*_config not installed
 - package name changes
 - bug 134: source dist improvements; add build-2.6 make target for VAS2.6

4.4p1q89
--------
 - merge with OpenSSH 4.4p1 release
 - vintela bug 4150: check VAS version during install
 - vintela bug 4319: sshd option GSSAPIStrictAcceptorCheck yes->no
 - vintela bug 5428: don't ship ssh-keysign as setuid
 - vintela bug 7747: look in VAS2.6 sysconfdir for old host keys first
 - vintela bug 8249: revert GSSAPICleanupCredentials to default to yes
 - bug 31: home directory creation failed on aix
 - bug 49: ssh option HashKnownHosts no->yes
 - bug 74: keyboard-interactive for AIX when PAM unavailable
 - bug 90: merge with sxw's openssh-4.4p1-gsskex-20061002.patch
 - bug 92: sshd option GSSAPIKeyExchange default no->yes
 - bug 95: ssh option Protocol default 2,1->2
 - bug 99: maintain /etc/pam.d/sshd when suse openssh is uninstalled
 - using polypkg for package generation
 - bug 54: build with tcp_wrappers

4.3p2q1
-------
 - New version numbering scheme.
 - use root:bin to own executable files; not root:sys.
 - Add RC licence text which shows up under AIX installs.
 - allow config.local to specify the SRC name
 - VAS3 test support
 - Merge with OpenSSH 4.3p2 release.

vrc1.9.3
--------
 - Merge with OpenSSH 4.3p1 release
 - bug 5895: try gssapi before public-key
 - bug 6042: empty usernames mapped using GSSAPI
   (requires 'UsePrivilegeSeparation no', for now)
 - bug 6594: RSA (publickey) failures on Solaris

vrc1.9.2 (unreleased)
--------
 - bug 5934: unnecessary initgroup calls delayed login on systems with
   many VAS-enabled groups
 - bug 6068: user credential cache was lost when using pam_vas with
   keyboard-interactive and privsep
 - merge with openssh-4.2p1-gsskex-20050926-2.patch
   (http://www.sxw.org.uk/computing/patches/openssh.html)
 - bug 6379: detect gss gex bugs in vintela putty versions and disable
 - bug 6115 (upstream bug 1087): show PAM password expiry messages

vrc1.9.1
--------
 - bug 5899: cross-realm authentication workarounds

vrc1.9.0
--------
 - Merge with OpenSSH 4.2p1 release
 - Change GSSAPIServiceName to ServicePrincipalName

vrc1.8.0
--------
 - bug 5651: Add GSSAPIServiceName option
 - Add HostKeys and GSSAPIKeyExchange options to server
 - improve diagnostics for aix credentials
 - bugfix: gsskex rekey no longer fails with privsep
 - bugfix: occasional superfluous chars after realm

vrc1.7.2
--------
 * Merge with OpenSSH 4.1p1 release

vrc1.7.1
--------
 - Include gsskex (GSSAPI key exchange) (enhancement bug 3943)
   See
 - bugfix: core dump in AIX on LAM pw expire (bug 4918; mindrot.org bug 1006)
 - bugfix: missing pam messages on auth fail (bug 4618; mindrot.org bug 1028)

vrc1.6
------
 * Merge with OpenSSH 4.0p1 release

vrc1.5
------
 * Do not use a GSSAPI service name constructed from gethostname();
   instead let GSSAPI (VAS) choose the service name.

vrc1.4
------
 Changes configuration defaults. The rationale behind this was to ease
 migration from existing SSH installations, and to enable by default
 features provided by VAS.

 sshd_config:
     UsePAM no -> yes
         - Use VAS (via PAM) to set up user context, mount home etc
     GSSAPIAuthentication no -> yes
         - prefer use of VAS (via GSSAPI)
     GSSAPICleanupCredentials yes -> no
         - rely on VAS to remove credentials on session close
     X11Forwarding no -> yes
         - required for VMX

 ssh_config:
     GSSAPIAuthentication no->yes
         - prefer use of VAS (via GSSAPI)
     GSSDelegateCredentials no->yes
         - allow credentials to be copied to remote host (improves SSO)
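
Added example (not part of the Quest change summary or the Quest source): because this build changes several sshd_config defaults, an option missing from the file no longer means the upstream OpenSSH value. The sketch below reports which options from the "Configuration defaults changed" list are effectively at a non-upstream value. The names SSHD_CHANGED, explicit_settings, audit and SAMPLE are hypothetical, and only the global (pre-Match) section is evaluated.

```python
import re

# Values copied from the "Configuration defaults changed" list on this page:
# sshd_config option -> (upstream default, default in this build).
SSHD_CHANGED = {
    "gssapiauthentication": ("no", "yes"),
    "gssapikeyexchange": ("no", "yes"),
    "gssapistrictacceptorcheck": ("yes", "no"),
    "usepam": ("no", "yes"),
    "x11forwarding": ("no", "yes"),
}

def explicit_settings(text):
    """Global settings in an sshd_config; sshd uses the first value it sees."""
    seen = {}
    for raw in text.splitlines():
        # Keyword, then whitespace or "=", then value; skips blanks and comments.
        m = re.match(r"([^\s#=]\S*?)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":          # conditional blocks are not global defaults
            break
        seen.setdefault(key, value)
    return seen

def audit(text):
    """Return (option, effective value, source) for each option whose
    effective global value differs from the upstream OpenSSH default."""
    explicit = explicit_settings(text)
    findings = []
    for opt, (upstream, build) in sorted(SSHD_CHANGED.items()):
        value = explicit.get(opt, build)
        source = "explicit" if opt in explicit else "build default"
        if value != upstream:
            findings.append((opt, value, source))
    return findings

# Constructed sample file, not taken from any real host.
SAMPLE = """\
X11Forwarding no
UsePAM=yes
x11forwarding yes
Match User backup
    GSSAPIAuthentication no
"""

if __name__ == "__main__":
    for opt, value, source in audit(SAMPLE):
        print(f"{opt:28} {value:4} ({source})")
```

Entries marked "build default" are the ones to pin explicitly in sshd_config if the upstream behaviour is wanted.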