HPE Community
Operating System - HP-UX
1833012 Members
2829 Online
110048 Solutions
New Discussion

Re: HP-UX Secure Shell

 
SOLVED
Go to solution
Craig Cooper
Occasional Contributor

‎07-11-2002 10:25 AM

‎07-11-2002 10:25 AM

HP-UX Secure Shell

The HP-UX Secure Shell is based on and older version of Openssh. This older version has several security vulnerabilities. When will HP have a newer version out that is based on Openssh 3.4p1 ?
0 Kudos
Reply
7 REPLIES 7
harry d brown jr
Honored Contributor

‎07-11-2002 11:09 AM

‎07-11-2002 11:09 AM

Re: HP-UX Secure Shell

Craig,

You can try downloading the source and compiling it yourself, or you can try emailing hpux@hpux.cs.utah.edu. Usually, it's just a hurry up and wait for it to show up.

live free or die
harry
Live Free or Die
Reply
Daimian Woznick
Trusted Contributor

‎07-11-2002 11:42 AM

‎07-11-2002 11:42 AM

Solution

Re: HP-UX Secure Shell

I currently have a call in to support to answer this question and will post the answer when I receive it. The following is from the CERT advisory:

HP has issued a security bulletin (HPSBUX0206-195) for HP 9000 Servers running HP-UX release 11.00 and 11.11 only with the T1471AA SSH product installed.

It says in part:

As a short-term solution, disable PAMAuthenticationViaKbdInt in the sshd_config file; i.e.,

PAMAuthenticationViaKbdInt no

NOTE: ChallengeResponseAuthentication is not used in the HP product.
HP is working to produce a patch for its version which is based on OpenSSH release 3.1p1.

HPSBUX0206-195 will be updated when the patch is available.

Reply
Bryan Payne
Occasional Advisor

‎07-11-2002 06:31 PM

‎07-11-2002 06:31 PM

Re: HP-UX Secure Shell

Openssh 3.4 is available in depot format from this link.

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-3.4p1/

I have not heard when HP will release their supported bundle.

Openssh requires zlib, and openssl also available from that site. I have not installed this version yet so I am unable to provide feedback on their compile options or any particulars.

Best Regards!
Bryan Payne
Senior Unix Admin
Reply
Craig Cooper
Occasional Contributor

‎07-12-2002 01:16 PM

‎07-12-2002 01:16 PM

Re: HP-UX Secure Shell

Bryan,

Thank you. I did try it and everything worked fine, except one of the files 3.4p1-run was corrupt and would not install. I removed all of the pieces and went back to the T1471AA depot from HP
0 Kudos
Reply
Daimian Woznick
Trusted Contributor

‎07-15-2002 07:19 AM

‎07-15-2002 07:19 AM

Re: HP-UX Secure Shell

This is the latest update received from HP:

""OpenSSH Vulnerabilities in Challenge Response Handling If the SKEY and BSD_AUTH authentication compile-time options are explicitly enabled, it may cause a remote denial of service attack on the OpenSSH daemon. Does this security problem exist with HP-UX Secure Shell? See CERT on OpenSSH ulnerabilities in Challenge Response Handling HP-UX Secure Shell does NOT enable either of these options. There is no denial of service risk with HP-UX Secure Shell.

I wanted to provide you with an update to this case. I have information
regarding CERT CA-2002-18, HP is not vulnerable to the first issue described
in the CERT noted below, we are vulnerable to the second issue and will have
a sw update available via a patch soon ( I believe by next week but I cant
supply any dates ).

The HP Security Doc is HPSBUX0206-195 and will be updated when the fix is
available, I'll also send you a email when it comes out.""

Hope this helps
Reply
Daimian Woznick
Trusted Contributor

‎07-16-2002 05:35 AM

‎07-16-2002 05:35 AM

Re: HP-UX Secure Shell

Here is the newest update I received from HP:

Regarding version 3.4 it appears there were
some issues during testing of this release, its possible HP will not releas
a version based on 3.4 at all and will skip to the next available version.
As a general rule there will be updates to the product once a quarter via
software.hp.com.
Reply
Daimian Woznick
Trusted Contributor

‎07-31-2002 05:03 AM

‎07-31-2002 05:03 AM

Re: HP-UX Secure Shell

I previously opened an issue with HP on a problem I encountered with Secure Shell and mentioned the CERT Advisory issue. HP has the depot files available to address the issue at:

http://www.software.hp.com/ISS_products_list.html

The following I received from HP in regards to advisory:


The ssh release 3.10.02 is available on http://software.hp.com this fixes the second part of CA-2002-18, HP was not ulnerable to the first part of the CERT:

PART I:

If the SKEY and BSD_AUTH authentication compile-time options are explicitly enabled, it may cause a remote denial of service attack on the OpenSSH daemon. Does this security problem exist with HP-UX Secure Shell? See CERT on OpenSSH Vulnerabilities in Challenge Response Handling
<> HP-UX Secure Shell does NOT enable either of these options. There is no denial of service risk with HP-UX Secure Shell.

Part II, we were vulnerable to, 3.10.002 fixed it and is now out on the software.hp.com portal.

Will there be a patch or a release to incorporate the fix for the Cert problem mentioned above?
HP-UX Secure Shell will be updated with a license file for OpenSSL to the product and the fix for the security cert on PAMAuthenticationViaKbdInt. The next version A.03.10.002 will be available for the software depot on 7/29
and the September HP-UX quarterly application release.

Hope this helps anyone looking at Secure Shell.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.