Quest OpenSSH

Quest OpenSSH Change Summary

http://rc.quest.com/topics/openssh/


Configuration defaults changed:

* sshd_config:
	GSSAPIAuthentication      no  -> yes
	GSSAPIKeyExchange         no  -> yes
	GSSAPIStrictAcceptorCheck yes -> no
	HostKeys                  -      yes
	UsePAM                    no  -> yes
	X11Forwarding             no  -> yes

* ssh_config:
	GSSAPIAuthentication      no  -> yes
	GSSAPIKeyExchange         no  -> yes
	GSSAPIDelegateCredentials no  -> yes
	HashKnownHosts            no  -> yes
	ServicePrincipalName      -      NULL
	Protocol                  2,1 -> 2
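
Added example (not part of the Quest source tree): because the defaults above differ from a stock build, an option left unset in a config file takes a different effective value once the Quest package is installed. The sketch below lists those unset options; the function names and the sample config are constructed for illustration, and only the global section (before the first Host or Match block) is examined.

```python
import re

# option -> (stock default, Quest default), copied from the table above.
CHANGED = {
    "sshd_config": {
        "gssapiauthentication": ("no", "yes"),
        "gssapikeyexchange": ("no", "yes"),
        "gssapistrictacceptorcheck": ("yes", "no"),
        "usepam": ("no", "yes"),
        "x11forwarding": ("no", "yes"),
    },
    "ssh_config": {
        "gssapiauthentication": ("no", "yes"),
        "gssapikeyexchange": ("no", "yes"),
        "gssapidelegatecredentials": ("no", "yes"),
        "hashknownhosts": ("no", "yes"),
        "protocol": ("2,1", "2"),
    },
}

def global_settings(text):
    """Keyword/value pairs before the first Host or Match block; first occurrence wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A keyword is separated from its value by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key in ("host", "match"):
            break  # scoped blocks are not examined by this check
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def implicit_changes(kind, text):
    """Options left unset, whose effective value differs between stock and Quest builds."""
    explicit = global_settings(text)
    return sorted(
        (opt, stock, quest)
        for opt, (stock, quest) in CHANGED[kind].items()
        if opt not in explicit)

# Constructed sample sshd_config, not taken from a real host.
SAMPLE_SSHD = "X11Forwarding no\nUsePAM yes\ngssapiauthentication=yes\nX11Forwarding yes\n"

if __name__ == "__main__":
    for opt, stock, quest in implicit_changes("sshd_config", SAMPLE_SSHD):
        print(f"{opt}: not set explicitly (stock={stock}, Quest={quest})")
```

Setting each reported option explicitly pins the behaviour regardless of which build is installed.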


Change History:
5.2p1q16e
------
- Fix for http://www.openssh.com/txt/portable-keysign-rand-helper.adv

5.2p1q16d
------
- On Linux, include a Provides for 'openssh'.

5.2p1q16c
------
- On AIX, if the file "/var/opt/quest/.sshd_disable_lam" exists LAM auth isn't tried. 

5.2p1q16b
------
- Work to make sure that if a login changes information (like nested group membership
  making a new override apply to the user, and/or new group memberships) the new
  information is used. This might slow down logins slightly as information is re-queried.

5.2p1q16
------
- On AIX, include a PAM configuration copied from the login section of pam.conf if not already configured.
- Re-acquire user's information after authentication in case processing the login changed it.
- On AIX, if the file "/var/opt/quest/.sshd_disable_lam" exists, LAM auth is disabled.

5.2p1q15
------
- pam_open_session called with dropped privs
- https://bugzilla.mindrot.org/show_bug.cgi?id=1249

- Insufficient privileges to chroot() on AIX
- https://bugzilla.mindrot.org/show_bug.cgi?id=1567

- Openssh doesn't support UTMPS/BTMPS/WTMPS database
- https://bugzilla.mindrot.org/show_bug.cgi?id=979

5.2p1q14
------
- Fix linking so AIX package doesn't require QAS 4.0 library.
- Change version ( remove _ ) so the package is accepted on Debian. 
- Add back the HPN patch. openssh5.2 - HPN 13 - dynwindow_noneswitch

5.2p1_q13
------
- AIX src integration now works. 

5.2p1_q12
------
- Let sshd manage its own PID file. This keeps remote restarts from hanging due to 
  the old sshd & echo $! method to obtain the pid failing if there is no job control.
- Worked on the HP init scripts: some variables were expanded when making the script,
  when they should expand only when the script is run.

5.2p1_q11
------
- For SMF, have the process ignore child cores.

5.2p1_q10
------
- Update OpenSSL to 0.9.8o.
- Bug 499, SMF integration on Solaris. 

5.2p1_q9
-------
- Fix an X11 forwarding issue, native IPv6 address without IPv6 enabled.

5.2p1_q8
-------
- Bug 745: Backport OpenSSH upstream fix for bug 1528:
           https://bugzilla.mindrot.org/show_bug.cgi?id=1528

5.2p1_q7
-------
- Bug 724: No /etc/rc?.d/*sshd-quest files made using response file for install
- Bug 481: /etc/pam.d/sshd laid down is only RH4+ compatible, fails on RH3

5.2p1_q6
-------
- Update copyright year on auth-lam.c

5.2p1_q5
-------
- sshd-quest service no longer optional on Solaris

5.2p1_q4
--------
- Fix Quest revision missing from version number on AIX

5.2p1_q3
--------
- Deny root if PermitRootLogin is not "yes" during LAM authentication
  (bug #712).

5.2p1_q2
--------
- Fix double-free bug in AIX LAM authentication code (bug #679)
- Don't explicitly link to libgcc_s, despite what krb5-config might say
  (bug #703)

5.0p1_q1
--------
  - bug 564: Enabled IPv6 in tcp_wrappers
  - bug 514: specifying -h hostkey option to sshd caused corruption
  - bug 405: improve build checks
  - bug 451: on Solaris 2.6, put PID files in /tmp instead of /var/run
  - use openssl-0.9.8g
  - bug 409: don't print "Killed by signal 15"
  - bug 11:  don't use /var/log/btmp on Debian
  - show all host fingerprints in HP-UX SAM module
  - merge with sxw's openssh-5.0p1-gsskex-20080404.patch

4.7p1_q1
--------
  - bug 368: merge with OpenSSH 4.7p1
  - bug 185: double stop init script messages
  - bug 346: install PAM files
  - moved manual pages into the main package 
  - upstream bug 1368: added -R option to scp

4.6p1_q1
--------
  - bug 222: merge with OpenSSH 4.6p1 release
  - bug 281: merge with HPN 12v17 patch
  - merge with sxw's openssh-4.6p1-gsskex-20070312
  - bug 207: 64bit support on Linux/s390x
  - OS X build support
  - bug 280: NIS+/pam_dhkeys credentials were not established (upstream 1339)
  - bug 253: put pid files in /var/run instead of /var/opt/quest/run
  - bug 110: add /opt/quest/bin into default PATH for AIX systems (for scp)
  - bug 186: correct missing summary information in packages
  - KbdInteractiveAuthentication defaults to enabled when UsePAM is enabled
  - correct documentation for GSSAPIKeyExchange default
  - improved tests for Debian; and aliased host/
  - use openssl-0.9.8e; s/390 support + patch from upstream bug 1291

4.5p1_q1.116
-------------
  - merge with OpenSSH 4.5p1 release
  - bug 123: local account logins failed on hpux11.11 with vas3.1
  - bugs 127 128 174: install missing directories
  - bug 173: correct problem where ssh*_config not installed
  - package name changes
  - bug 134: source dist improvements; add build-2.6 make target for VAS2.6

4.4p1q89
--------
  - merge with OpenSSH 4.4p1 release
  - vintela bug 4150: check VAS version during install
  - vintela bug 4319: sshd option GSSAPIStrictAcceptorCheck yes->no
  - vintela bug 5428: don't ship ssh-keysign as setuid
  - vintela bug 7747: look in VAS2.6 sysconfdir for old host keys first
  - vintela bug 8249: revert GSSAPICleanupCredentials to default to yes
  - bug 31: home directory creation failed on aix
  - bug 49: ssh option HashKnownHosts no->yes
  - bug 74: keyboard-interactive for AIX when PAM unavailable
  - bug 90: merge with sxw's openssh-4.4p1-gsskex-20061002.patch
  - bug 92: sshd option GSSAPIKeyExchange default no->yes
  - bug 95: ssh option Protocol default 2,1->2
  - bug 99: maintain /etc/pam.d/sshd when suse openssh is uninstalled
  - using polypkg for package generation
  - bug 54: build with tcp_wrappers

4.3p2q1
-------
  - New version numbering scheme.
  - use root:bin to own executable files; not root:sys.
  - Add RC licence text which shows up under AIX installs.
  - allow config.local to specify the SRC name
  - VAS3 test support
  - Merge with OpenSSH 4.3p2 release.

vrc1.9.3
--------
  - Merge with OpenSSH 4.3p1 release
  - bug 5895: try gssapi before public-key
  - bug 6042: empty usernames mapped using GSSAPI 
	(requires 'UsePrivilegeSeparation no', for now)
  - bug 6594: RSA (publickey) failures on Solaris

vrc1.9.2 (unreleased)
--------
  - bug 5934: unnecessary initgroup calls delayed
	login on systems with many VAS-enabled groups
  - bug 6068: user credential cache was lost when using
	pam_vas with keyboard-interactive and privsep
  - merge with openssh-4.2p1-gsskex-20050926-2.patch
	(http://www.sxw.org.uk/computing/patches/openssh.html)
  - bug 6379: detect gss gex bugs in vintela putty versions and disable
  - bug 6115 (upstream bug 1087): show PAM password expiry messages

vrc1.9.1
--------
  - bug 5899: cross-realm authentication workarounds

vrc1.9.0
--------
  - Merge with OpenSSH 4.2p1 release
  - Change GSSAPIServiceName to ServicePrincipalName

vrc1.8.0
--------
  - bug 5651: Add GSSAPIServiceName option
  - Add HostKeys and GSSAPIKeyExchange options to server
  - improve diagnostics for aix credentials
  - bugfix: gsskex rekey no longer fails with privsep
  - bugfix: occasional superfluous chars after realm

vrc1.7.2
--------
* Merge with OpenSSH 4.1p1 release

vrc1.7.1
--------
  - Include gsskex (GSSAPI key exchange) (enhancement bug 3943)
        See <http://www.sxw.org.uk/computing/patches/openssh.html>
  - bugfix: core dump in AIX on LAM pw expire (bug 4918; mindrot.org bug 1006)
  - bugfix: missing pam messages on auth fail (bug 4618; mindrot.org bug 1028)

vrc1.6
------
* Merge with OpenSSH 4.0p1 release

vrc1.5
------

* Do not use a GSSAPI service name constructed from gethostname();
  instead let GSSAPI (VAS) choose the service name.
  <http://bugzilla.mindrot.org/show_bug.cgi?id=918>

vrc1.4
------

Changes configuration defaults. The rationale behind this was to ease
migration from existing SSH installations, and to enable by default
features provided by VAS.

sshd_config:
    UsePAM no -> yes
       - Use VAS (via PAM) to set up user context, mount home etc
    GSSAPIAuthentication no -> yes
       - prefer use of VAS (via GSSAPI)
    GSSAPICleanupCredentials yes -> no
       - rely on VAS to remove credentials on session close
    X11Forwarding no -> yes
       - required for VMX

ssh_config:
    GSSAPIAuthentication no->yes
       - prefer use of VAS (via GSSAPI)
    GSSDelegateCredentials no->yes
       - allow credentials to be copied to remote host (improves SSO)

Source: http://rc.quest.com/gitweb/gitweb.cgi?p=openssh.git;a=blob_plain;hb=HEAD;f=ChangeLog.Quest