1.190. openssh

Updated openssh packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
Bug Fixes
BZ#631757
When the ~/.bashrc startup file contained a command that produced output to standard error, the sftp utility was unable to log in to the user account. This bug has been fixed, and output to standard error is discarded and no longer prevents the sftp utility from establishing the connection.
BZ#631787
Due to the limitations of the data type that was used to store user identifier (UID) numbers, the lastlog record was not created for a user with a UID larger than 2147483647. With this update, this data type has been changed to unsigned long integer, and the /var/log/lastlog database is now updated as expected.
BZ#646286
Previously, GSSAPI key exchange functionality was not supported. With this update, GSSAPI key exchange is now supported and works as expected.
BZ#652249
Previously, the openssh package did not contain the README.nss file. This update adds the file to the documentation.
BZ#656415
Logging in to a system caused pam_ssh_agent_auth to temporarily set the EUID (Effective User ID) to the user's current UID. However, if the connection failed, the original EUID was not restored. This update corrects this coding error so that the EUID is restored in this situation.
BZ#656844
Previously, openssh could have terminated with a segmentation fault if used as a SOCKS proxy. This occurred due to an unhandled null pointer. With this update the underlying code has been fixed and the problem no longer occurs.
BZ#670515
Previously, the ssh-keygen(1) manual page did not document the "-n" option. This update adds the option description to the manual page.
BZ#672870
Previously, the sshd daemon could have failed to start on a server in FIPS (Federal Information Processing Standards) mode. This happened because the daemon expected an RSA1 server key to be created on startup and checked if the key was available. However, in FIPS mode, no RSA1 key is generated on startup. With this update, the underlying code has been changed and the check is no longer performed when in FIPS mode.
BZ#676665
Previously, the sshd daemon could have failed to locate an authorized key if both MLS (Multi-Level Security) SELinux policy and polyinstantiation of home directories were enabled. This occurred because the daemon was searching for authorized keys in the wrong home directories. This update adds the ssh-keycat helper program, which locates and passes the keys to sshd.
BZ#681296
By default, OpenSSH utilities use the /dev/urandom random number generator (RNG). This update adds the "SSH_USE_STRONG_RNG" environment variable. Setting "SSH_USE_STRONG_RNG=1" (the recommended location to set this environment variable is in the /etc/sysconfig/sshd configuration file) causes OpenSSH utilities to use the stronger /dev/random RNG, which is better at ensuring the RNG always has sufficient entropy.

Note

Setting "SSH_USE_STRONG_RNG=1" is resource-intensive, and should generally only be done on servers which have a hardware-enabled random number generator.
BZ#690127
Prior to this update, the openssh-keycat subpackage was optional and OpenSSH thus failed to meet Common Criteria. With this update, the package is included in the openssh-server package.
BZ#690391
Previously, if the user sent two SIGHUP signals to the sshd daemon, the daemon terminated unexpectedly. With this update, the underlying code has been changed and the daemon no longer crashes in such circumstances.
Enhancements
BZ#455350
Previously, openssh only allowed users to store their authorized public keys in a local file on each system they wanted to log in to using their private SSH key. With this update, sshd can be configured, using the AuthorizedKeysCommand directive, to retrieve users' authorized keys from an arbitrary source by running an external command. This update also adds the standalone "ssh-ldap-helper" utility, which can be used to extract public keys from an LDAP server. This new functionality thus enables centralized key management.
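The following is an added example, not code from Red Hat or the OpenSSH project, of the kind of helper the AuthorizedKeysCommand directive runs. It assumes the upstream convention that sshd invokes the command with the login name as its only argument and reads one authorized_keys entry per line from its standard output. The key directory it queries is a constructed lookup table standing in for the LDAP server that ssh-ldap-helper would contact; it validates the login name before using it and discards entries that do not look like key lines, so a malformed directory record cannot become an authorized key.

```shell
#!/bin/sh
# Added example (not Red Hat's or OpenSSH's code): a minimal
# AuthorizedKeysCommand-style helper. sshd runs the configured command with
# the login name as its single argument and treats each printed line as one
# authorized_keys entry. The "directory" below is a constructed sample that
# stands in for an LDAP lookup; fields are separated by "|".
KEY_DIRECTORY='alice|ssh-rsa AAAAB3NzaC1yc2EFAKEKEYALICE alice@example
alice|command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EFAKEKEYALICE2 backup
bob|ssh-dss AAAAB3NzaC1kc3MFAKEKEYBOB bob@example
carol|not a key at all'

# Accept only conventional POSIX login names so that nothing else is ever
# handed to the lookup backend (assumed policy for this example).
valid_login_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Print the authorized_keys lines stored for one user. An entry is kept only
# if it contains a known key type followed by a base64 blob; an optional
# options field (command="...", from="...") may precede the key type.
lookup_keys() {
    name=$1
    valid_login_name "$name" || return 1
    printf '%s\n' "$KEY_DIRECTORY" | awk -F'|' -v u="$name" '
        $1 == u {
            line = $2
            if (line ~ /(^|[ ,"])ssh-(rsa|dss) [A-Za-z0-9+=\/]+/) print line
        }'
}

# Number of usable key lines for a user (0 for unknown or invalid names).
count_keys() {
    lookup_keys "$1" | grep -c .
}

# When invoked by sshd the single argument is the login name.
if [ "$#" -eq 1 ]; then
    lookup_keys "$1"
fi
```

In sshd_config the helper is referenced by absolute path in the AuthorizedKeysCommand directive; the Red Hat-patched sshd of this era also expects a companion directive naming the unprivileged account the command runs as (AuthorizedKeysCommandRunAs, to the best of this example's knowledge; confirm against the installed sshd_config(5) page). Running the helper as a dedicated low-privilege user keeps a compromised or buggy lookup backend from touching anything else on the host.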
BZ#642927
The sshd daemon is now built using RELRO protection.
BZ#577998
Previously, the .k5login file was processed on every kerberos authentication. This update adds the KerberosUseKuserok option to the sshd_config file, which allows the user to configure whether user aliases should be verified against the entries in the .k5login file.
BZ#633404
This update adds support for hardware-accelerated encryption modules that are supported by OpenSSL.
BZ#642792
Previously, the sshd daemon did not log information regarding logins using key-based authentication to the audit log. With this update, sshd logs the same information for key-based logins that PAM (Pluggable Authentication Modules) logs for password-based logins. Additionally, sshd logs the key type, key size, and key fingerprint for key-based logins.
BZ#644877
OpenSSH's audit logging support has been updated.
BZ#657059
Previously, the sftp command worked with the default file mode creation mask (umask) only. With this update, the user may change the umask.
BZ#665112
When an authentication key is destroyed, OpenSSH now logs the key destruction to the audit log.
All users of openssh are advised to upgrade to these updated packages, which resolve these issues and provide these enhancements.
Updated openssh packages that fix a bug are now available for Red Hat Enterprise Linux 6.
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
Bug Fix
BZ#708924
Previously, when the SSH_USE_STRONG_RNG variable was set to 1, openssh read 48 bytes from the /dev/random random number generator to generate a seed. This seed was too long and caused long delays on ssh or sshd startup and when connections were received. Now, the SSH_USE_STRONG_RNG variable contains the number of bytes that should be pulled from /dev/random (with a minimum default value of six), and the delays no longer occur.
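The two SSH_USE_STRONG_RNG behaviours described in BZ#681296 above and in this bug fix are easy to confuse when reviewing an /etc/sysconfig/sshd file, so here is an added example (not Red Hat's or OpenSSH's code) that reads the variable from a sysconfig file body and reports how many bytes each package version would pull from /dev/random. The byte figures (48 before the fix, a floor of six after it) are those stated in the errata text; the reading that an unset variable means no /dev/random seeding, and that a value below six is raised to six, is this example's interpretation of that text. The sysconfig files are constructed samples.

```shell
#!/bin/sh
# Added example (not Red Hat's or OpenSSH's code) contrasting the original
# and the fixed semantics of SSH_USE_STRONG_RNG in /etc/sysconfig/sshd.
# Byte counts come from the errata text; the parsing is the example's own.

# Constructed sample sysconfig file bodies.
OLD_SYSCONFIG='# /etc/sysconfig/sshd (constructed sample)
SSH_USE_STRONG_RNG=1'
NEW_SYSCONFIG='# /etc/sysconfig/sshd (constructed sample)
SSH_USE_STRONG_RNG=16'

# Extract the numeric value of SSH_USE_STRONG_RNG from a file body; prints
# nothing if the variable is not set (last assignment wins, as in the shell).
strong_rng_setting() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SSH_USE_STRONG_RNG=\([0-9]*\).*$/\1/p' |
        tail -n 1
}

# Bytes read from /dev/random by the package before BZ#708924:
# 48 whenever the variable is set, regardless of its value.
seed_bytes_before_fix() {
    val=$(strong_rng_setting "$1")
    if [ -n "$val" ]; then echo 48; else echo 0; fi
}

# Bytes read after the fix: the value is a byte count with a floor of six
# (assumed reading of "minimum default value of six"); unset keeps /dev/urandom.
seed_bytes_after_fix() {
    val=$(strong_rng_setting "$1")
    if [ -z "$val" ]; then
        echo 0
    elif [ "$val" -lt 6 ]; then
        echo 6
    else
        echo "$val"
    fi
}

# Stand-alone report over the two constructed samples.
for body in "$OLD_SYSCONFIG" "$NEW_SYSCONFIG"; do
    printf 'setting=%s before_fix=%s after_fix=%s\n' \
        "$(strong_rng_setting "$body")" \
        "$(seed_bytes_before_fix "$body")" \
        "$(seed_bytes_after_fix "$body")"
done
```

The practical consequence for an administrator: a file that still says SSH_USE_STRONG_RNG=1 from the earlier package now requests the six-byte minimum rather than 48 bytes, so the startup delays disappear without any change to the file, and a larger explicit value should only be chosen where the host has a hardware entropy source, as the note under BZ#681296 advises.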
All openssh users are advised to upgrade to these updated packages, which fix this bug.