
OpenSSH 4.4 released

From:  Damien Miller <djm-AT-cvs.openbsd.org>
To:  lwn-AT-lwn.net
Subject:  Announce: OpenSSH 4.4 released
Date:  Wed, 27 Sep 2006 15:08:47 -0600 (MDT)

OpenSSH 4.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
        http://www.openbsd.org/tshirts.html and
        http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.3:
============================

Security bugs resolved in this release:

 * Fix a pre-authentication denial of service found by Tavis Ormandy,
   that would cause sshd(8) to spin until the login grace time
   expired.

 * Fix an unsafe signal handler reported by Mark Dowd. The signal
   handler was vulnerable to a race condition that could be exploited
   to perform a pre-authentication denial of service. On portable
   OpenSSH, this vulnerability could theoretically lead to
   pre-authentication remote code execution if GSSAPI authentication
   is enabled, but the likelihood of successful exploitation appears
   remote.

 * On portable OpenSSH, fix a GSSAPI authentication abort that could
   be used to determine the validity of usernames on some platforms.

This release includes the following new functionality and fixes:

 * Implemented conditional configuration in sshd_config(5) using the
   "Match" directive. This allows some configuration options to be
   selectively overridden if specific criteria (based on user, group,
   hostname and/or address) are met. So far a useful subset of post-
   authentication options are supported and more are expected to be
   added in future releases.

 * Add support for Diffie-Hellman group exchange key agreement with a
   final hash of SHA256.

 * Added a "ForceCommand" directive to sshd_config(5). Similar to the
   command="..." option accepted in ~/.ssh/authorized_keys, this forces
   the execution of the specified command regardless of what the user
   requested. This is very useful in conjunction with the new "Match"
   option.

 * Add a "PermitOpen" directive to sshd_config(5). This mirrors the
   permitopen="..." authorized_keys option, allowing fine-grained
   control over the port-forwardings that a user is allowed to
   establish.
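The three directives above work together. The following sshd_config(5) fragment is an added example written for this page, not part of the release announcement; the group names, the management network, the forwarding destinations and the sftp-server path are all assumed for illustration. Note that a "Match" line starts a block that runs until the next "Match" line or the end of the file, so these blocks belong at the end of sshd_config, after the global settings.

```sshd_config
# Global defaults: restrictive for everyone, overridden below by Match.
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no

# Members of the (assumed) "sftponly" group always get the sftp server,
# whatever command they asked for. This does centrally what
# command="..." in ~/.ssh/authorized_keys does per key; the sftp-server
# path is an assumption and varies by installation.
Match Group sftponly
    ForceCommand /usr/libexec/sftp-server
    AllowTcpForwarding no
    X11Forwarding no

# Members of the (assumed) "ops" group connecting from the (assumed)
# 192.0.2.0/24 management network may forward ports, but only to the two
# listed destinations, mirroring permitopen="..." in authorized_keys.
Match Group ops Address 192.0.2.0/24
    AllowTcpForwarding yes
    PermitOpen db.example.internal:5432 10.0.0.5:22
```

Keeping AllowTcpForwarding off globally and enabling it only inside a Match block means PermitOpen never has to be written for users who should not forward at all; the global default already refuses them, and the allow-list applies only to the population that the Match criteria select.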

 * Add optional logging of transactions to sftp-server(8).

 * ssh(1) will now record port numbers for hosts stored in
   ~/.ssh/authorized_keys when a non-standard port has been requested.

 * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with
   a non-zero exit code) when requested port forwardings could not be
   established.

 * Extend sshd_config(5) "SubSystem" declarations to allow the
   specification of command-line arguments.

 * Replacement of all integer overflow susceptible invocations of
   malloc(3) and realloc(3) with overflow-checking equivalents.
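The item above refers to the classic `malloc(n * size)` pattern, where an attacker-influenced count makes the product wrap and a much smaller buffer than intended is handed back. The C code below is an added example for this page, not OpenSSH's own xcalloc/xrealloc code: `checked_calloc` and `checked_reallocarray` are hypothetical wrappers that refuse a request when the product would overflow, and `wrapped_request` shows what the unchecked form would have asked for. The element count in `main` is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Nonzero if nmemb * size does not fit in a size_t. The division form
 * is used because the multiplication itself is what would wrap. */
int alloc_would_overflow(size_t nmemb, size_t size)
{
    return nmemb != 0 && size != 0 && SIZE_MAX / nmemb < size;
}

/* Overflow-checking calloc wrapper (hypothetical, modelled on the idea of
 * an xcalloc). Returns NULL for zero-sized requests and for products that
 * would wrap, instead of silently allocating a tiny buffer. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return NULL;
    if (alloc_would_overflow(nmemb, size))
        return NULL;
    return calloc(nmemb, size);
}

/* Overflow-checking realloc wrapper with the same contract; the product is
 * only formed once it is known to be representable. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return NULL;
    if (alloc_would_overflow(nmemb, size))
        return NULL;
    return realloc(ptr, nmemb * size);
}

/* The byte count an unchecked malloc(nmemb * size) would have requested:
 * unsigned multiplication wraps modulo SIZE_MAX + 1. */
size_t wrapped_request(size_t nmemb, size_t size)
{
    return nmemb * size;
}

int main(void)
{
    /* Constructed count: large enough that count * 8 wraps to exactly 0. */
    size_t count = SIZE_MAX / 4 + 1;

    printf("unchecked malloc would request %zu bytes\n",
           wrapped_request(count, 8));

    void *p = checked_calloc(count, 8);
    printf("checked_calloc: %s\n", p ? "allocated" : "refused (overflow)");
    free(p);

    void *q = checked_calloc(16, sizeof(uint32_t));
    printf("checked_calloc(16, 4): %s\n", q ? "allocated" : "refused");
    q = checked_reallocarray(q, 32, sizeof(uint32_t));
    printf("checked_reallocarray(32, 4): %s\n", q ? "grown" : "refused");
    free(q);
    return 0;
}
```

The check must come before the product is computed; once `nmemb * size` has wrapped there is nothing left to test, which is why the wrappers divide rather than multiply and compare.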

 * Many manpage fixes and improvements

 * New portable OpenSSH-specific features:

   - Add optional support for SELinux, controlled using the
     --with-selinux configure option (experimental)

   - Add optional support for Solaris process contracts, enabled
     using the --with-solaris-contracts configure option (experimental)
     This option will also include SMF metadata in Solaris packages
     built using the "make package" target

   - Add optional support for OpenSSL hardware accelerators (engines),
     enabled using the --with-ssl-engine configure option.

 * Bugs from http://bugzilla.mindrot.org fixed:
    #482  - readconf doesn't accept paths with spaces in them.
    #906  - syslog messages from sshd [net] lost.
    #975  - Kerberos authentication timing can leak information
            about account validity.
    #981  - Flow stop in SSH2.
    #1102 - C program 'write' with zero length hangs.
    #1129 - sshd hangs for command-only invocations due to
            fork/child signals.
    #1131 - error "buffer_append_space:alloc not supported"
    #1138 - Passphrase asked for (but ignored) if key file permissions
            too liberal.
    #1156 - Closes connection after C-c is pressed on QNX.
    #1157 - ssh-keygen doesn't handle DOS line breaks.
    #1159 - %u and %h not handled in IdentityFile.
    #1161 - scp -r fails.
    #1162 - Inappropriate sequence of syslog messages.
    #1166 - openssh-4.3p1 has some issues compiling.
    #1171 - configure can't always figure out LLONG_MAX.
    #1173 - scp reports lost connection for very large files.
    #1177 - Incorrect sshrc file location in Makefile.in.
    #1179 - sshd incorrectly rejects connections due to IP options.
    #1181 - configure should detect when openssl-0.9.8x needs -ldl.
    #1186 - ssh tries multiple times to open unprotected keys.
    #1188 - keyboard-interactive should not allow retry after
            pam_acct_mgmt fails.
    #1193 - Open ssh will not allow changing of passwords on usernames
            greater than 8 characters.
    #1201 - Bind address information is not specified in command line
            help messages.
    #1203 - configure.ac is missing an open [.
    #1207 - sshd does not clear unsuccessful login count on
            non-interactive logins.
    #1218 - GSSAPI client code permits SPNEGO usage.
    #1221 - Banner only suppressed at log level = QUIET (used to be
            at log level < INFO).

 * Fixes to memory and file descriptor leaks reported by the Coverity
   static analysis tool

 * Fixes to inconsistent pointer checks reported by the Stanford
   SATURN tool

Thanks to everyone who has contributed patches, reported bugs and
tested releases.

Checksums:
==========

- SHA1 (openssh-4.4.tar.gz) = 2294b5e5a591420aa05ff607c1890ab622ace878
- SHA1 (openssh-4.4p1.tar.gz) = 6a52b1dee1c2c9862923c0008d201d98a7fd9d6c

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.



OpenSSH 4.4 and SELinux

Posted Sep 28, 2006 18:00 UTC (Thu) by JoeBuck (subscriber, #2330)

Can anyone say more about the SELinux support? What features does it provide?

OpenSSH 4.4 and SELinux

Posted Sep 28, 2006 18:10 UTC (Thu) by smoogen (subscriber, #97)

I think it is for tagged packets on multiple role systems.

If I login with my Confidential capabilities and ssh to another system.. I will be logged in as a Confidential user versus Unclassified or Secret.

VPN

Posted Sep 28, 2006 20:05 UTC (Thu) by kh (subscriber, #19413)

Anyone with experiences using it as a VPN server? With multiple OS clients?

VPN

Posted Sep 28, 2006 20:27 UTC (Thu) by larryn (guest, #3457)

I only found 2 successful VPN usages from searching the net. I could not make mine work. It keeps saying something in regards to the tun device not being available, even after modprobing tun. Both servers were Linux (Mandriva and Ubuntu Hoary with self-compiled OpenSSH-4.3).

VPN

Posted Sep 29, 2006 2:19 UTC (Fri) by jhs (guest, #12429)

I've done PPP over SSH, but really, for the effort, you could probably get IPSec configured in about the same time. OpenVPN would be half of that and I am a big fan. If I'm not wrong, it uses the key management protocols of SSL but the encryption protocols of IPSec, and it runs on Windows and Solaris, too. Data goes over standard UDP/IP so firewall rules are more maintainable IMO. And like the old FreeS/WAN, you get a nice virtual interface where you can tcpdump and see the plaintext data inside the tunnel (but PPP-over-SSH would have that too I guess).

I also remember some sort of "PPP over SSH considered harmful" article I read, but now I cannot find it, sorry. IIRC, the point is that you have two IP layers, and it's common to get the pathological case where the sliding windows in the TCP protocols fight each other. The best I can find is the drawbacks section of a PPP-over-SSH FAQ:

http://tldp.org/HOWTO/ppp-ssh/introduction.html#DRAWBACKS

HTH

VPN

Posted Sep 29, 2006 2:22 UTC (Fri) by jhs (guest, #12429)

Oh, I forgot to mention, one drawback for OpenVPN is that it is newer than OpenSSH and so one could argue that it has had less security auditing of the code or is less mature. I don't know about that, as I don't follow either project very closely (that is what LWN is for).

VPN

Posted Sep 30, 2006 13:22 UTC (Sat) by drag (subscriber, #31333)

The only thing I figure for OpenVPN security-wise is that it uses OpenSSL libs for doing the ssl stuff.

This is good since OpenSSL is very widely used and is audited. It may not be so good since OpenSSL hasn't had the best track record. But it's good enough for me!

OpenVPN rocks. Recently I had trouble with my email which I used through my ISP. It wouldn't accept email unless it had originated from within their network, and since I was roaming around with my laptop.. then I couldn't send messages.

So since I was using OpenVPN already with my IPcop firewall.. I figured I'd just route all traffic through the vpn.

So I just set up a host-specific route to what would normally be the 'default gateway' on the local network. Then I set the OpenVPN Tun0 connection as the default gateway and my home's router as the DNS server (with the local DNS server as secondary DNS entry.) Worked like a charm. Now all my traffic is sent encrypted to my house and I now have the benefit of my home router's NAT firewall for my laptop no matter what network I am on.

Plus when you consider the wireless phishing stuff people do nowadays. For example setting up a laptop as a wireless access point and advertising its ESSID as 'starbucks' while sitting at a Starbucks coffee house. A sort of wireless hijack or social engineering thing. That way they can easily intercept all traffic going through his laptop. Using a VPN in that manner would help you protect yourself a lot.

And as an added bonus it's supposed to be nearly impossible for people to stop you from using OpenVPN on their networks. Sometimes you go to places and they'll have PPTP blocked or it just won't work and maybe they'll try to charge you extra to allow 'business class' access or something like that. Other times you may end up on a network that has all the network access blocked except for HTTP. OpenVPN will work fine with that setup. It's even supposed to work through an HTTP proxy! Of course I wouldn't recommend using it to try to get around workplace restrictions. ;)

For that fact alone I consider OpenVPN most useful. More useful than PPTP, even when you're dealing with Windows-using road warriors. The likelihood of having good vpn access seems much greater.

As far as the extra network overhead goes.. I don't notice any difference.

I've used SSH before for setting up a 'VPN' of sorts. It was pretty primitive, but it worked great. Used it in conjunction with manually launching PPP and it is great for working around firewalls as an administrator. Trouble was that you had to have root access to set up the PPP connection, so that sucked. I think that you are supposed to be able to use SLIP to do the same thing, but not require root, but I don't know for sure anymore.

There may be a better way to set it up, but I don't know what it would be.

But I still especially like Openssh. If I had to give one up.. OpenSSH vs OpenVPN.. I would choose to keep OpenSSH every time. No contest.

VPN

Posted Oct 1, 2006 7:55 UTC (Sun) by job (guest, #670)

> More useful than PPTP, even when you're dealing with Windows-using road warriors.

To be fair, most products are more useful than PPTP. PPTP has had known security holes since its release. Microsoft themselves recommend using L2TP, which in turn encrypts traffic using IPsec.

VPN

Posted Sep 29, 2006 7:55 UTC (Fri) by job (guest, #670)

Right, you don't want to run TCP inside TCP for the reasons you state.

I used to do PPP-over-SSH as well where I needed a simple userspace VPN solution and IPsec was too complex, but now that OpenVPN exists it is in every way a better solution. It's really very simple to set up.

I also get the impression that OpenVPN seems to handle as little of cryptography as possible, using well proven libraries for the work, which makes me feel good about it. Between that and "real" IPsec (where at least the protocols are thoroughly studied and interoperable) I don't need another VPN solution.

VPN

Posted Sep 29, 2006 23:15 UTC (Fri) by larryn (guest, #3457)

I don't think the new VPN tunnel in openssh-4.3 is the same as ppp over ssh.

Re: TCP over TCP (was Re: VPN)

Posted Oct 6, 2006 6:20 UTC (Fri) by ldo (subscriber, #40946)

>I also remember some sort of "PPP over SSH considered harmful" article I
>read, but now I cannot find it, sorry. IIRC, the point is that you have
>two IP layers, and it's common to get the pathological case where the
>sliding windows in the TCP protocols fight each other.

Is this what you meant?

port forwarding, SOCKS

Posted Oct 6, 2006 9:38 UTC (Fri) by donio (subscriber, #94)

Not quite VPN but in my experience the port forwarding (-L, -R) and
the SOCKS proxy (-D) built into OpenSSH are often sufficient and much
simpler to set up than a full VPN.

The SOCKS support is especially useful when used with something like
tsocks (http://tsocks.sourceforge.net/) or the socksify program from
Dante (http://www.inet.no/dante/). Most TCP based applications can be
made to work one way or another.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds