7.146. openssh

Updated openssh packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.

Bug Fixes

Every first attempt to make a connection using the sftp utility, before the user information was stored in the System Security Services Daemon (SSSD) cache, failed. The sshd server no longer closes file descriptors before all the user information is loaded, and sftp connections in combination with SSSD work even when the SSSD cache is empty. Now, first sftp connection attempts succeed.
Printing extensions for v01 certificates using the "ssh-keygen -L -f" command did not display the certificate extensions correctly. Now, printing extensions for v01 certificates works as expected.
The sshd configuration test mode, executed by the "sshd -T" command, did not display all default options and displayed certain other options incorrectly. With this update, the sshd test mode outputs all required default options and also prints the above-mentioned other options correctly. Output of the configuration test mode can be now safely applied as configuration input.
Non-existing users logging in with ssh triggered two different audit messages in the log, which was not expected behavior. With this update, when a non-existing user attempts to log in using ssh, only one audit message is triggered. This message records a login attempt from an unknown user as expected.
When the ForceCommand option with a pseudoterminal was used and the MaxSession option was set to "2", multiplexed ssh connections did not work as expected. After the user attempted to open a second multiplexed connection, the attempt failed if the first connection was still open. This update modifies OpenSSH to issue only one audit message per session. The user is able to open two multiplexed connections in this situation.
Previously, OpenSSH did not correctly handle quoted multiple values defined on one configuration line. When the user specified, for example, multiple groups in quotes on one line, OpenSSH only honored the first specified group. The OpenSSH configuration parser has been modified, and OpenSSH honors all option values in this situation.
The ssh-copy-id utility failed if the account on the remote server did not use an sh-like shell. Remote commands have been modified to run in an sh-like shell, and ssh-copy-id now also works with non-sh-like shells.
The user could not generate ssh keys on hosts with a host name of 64 characters. The ssh-keygen utility failed in this situation. The buffer size for host names has been increased, and ssh-keygen no longer fails in the described situation.
All the messages obtained from an sftp server when using chroot were logged in the global log file through the sshd server even when a valid socket for logging was available. Now, events from the sftp server can be logged through the socket in chroot and forwarded into an independent log file.
The ssh-keyscan command did not scan for Elliptic Curve Digital Signature Algorithm (ECDSA) keys. The "ssh-keyscan -t ecdsa -v localhost" command did not display any output. The command now outputs the host ECDSA key as expected.
This update fixes memory leaks discovered in sshd.


This update adds support for adjusting LDAP queries. The administrator can adjust the LDAP query to obtain public keys from servers that use a different schema.
The PermitOpen option in sshd_config file now supports wildcards.
With this update, openssh can force exact permissions on files that are newly uploaded using sftp.
Users of openssh are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.