Weekly Edition
Return to the Development pageRecent Features
| |||||||||||||||||||
OpenSSH 5.7 released
OpenSSH 5.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: http://www.openssh.com/donations.html Changes since OpenSSH 5.6 ========================= Features: * Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented. Certificate host and user keys using the new ECDSA key types are supported - an ECDSA key may be certified, and an ECDSA key may act as a CA to sign certificates. ECDH in a 256 bit curve field is the preferred key agreement algorithm when both the client and server support it. ECDSA host keys are preferred when learning a host's keys for the first time, or can be learned using ssh-keyscan(1). * sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command * scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. * ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time. * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733 * sftp(1): the sftp client is now significantly faster at performing directory listings, using OpenBSD glob(3) extensions to preserve the results of stat(3) operations performed in the course of its execution rather than performing expensive round trips to fetch them again afterwards. * ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. stale server sockets are now automatically removed. (also fixes bz#1711) * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference. * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1). bz#1147 BugFixes: * ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories. bz#1809 * ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel; bz#1842 * sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode; bz#1719 * scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case; bz#1837 * sftp-server(8): umask should be parsed as octal * sftp(1): escape '[' in filename tab-completion * ssh(1): Typo in confirmation message. bz#1827 * sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block * sshd(8): Use default shell /bin/sh if $SHELL is "" * ssh(1): kill proxy command on fatal() (we already killed it on clean exit); * ssh(1): install a SIGCHLD handler to reap expiried child process; bz#1812 * Support building against openssl-1.0.0a Portable OpenSSH Bugfixes: * Use mandoc as preferred manpage formatter if it is present, followed by nroff and groff respectively. * sshd(8): Relax permission requirement on btmp logs to allow group read/write * bz#1840: fix warning when configuring --with-ssl-engine * sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817 * sshd(8): bz#1824: Add Solaris Project support. * sshd(8): Check is_selinux_enabled for exact return code since it can apparently return -1 under some conditions. Checksums: ========== - SHA1 (openssh-5.7.tar.gz) = 67cb91772a33fb3a004b39bcdb9148218365494c - SHA1 (openssh-5.7p1.tar.gz) = 423e27475f06e1055847dfff7f61e1ac632b5372 Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh@openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom. (Log in to post comments)
EC patents Posted Jan 24, 2011 19:20 UTC (Mon) by cesarb (subscriber, #6266) [Link]
At least Fedora will probably not include this code, due to software patent issues. I found a file at http://pkgs.fedoraproject.org/gitweb/?p=openssl.git;a=blob;... which says the relevant patents will only expire around 2020.
EC patents Posted Jan 24, 2011 20:13 UTC (Mon) by clint (subscriber, #7076) [Link]
One might wonder if putting alleged patent numbers into comments is potentially a terrible idea in terms of legal liability.
EC patents Posted Jan 24, 2011 21:26 UTC (Mon) by cesarb (subscriber, #6266) [Link]
Why? They explicitly are not including the code the patent is about, until it is expired and does not matter anymore.
It could be different if it were something like "this is a list of patents we looked at and think do not apply, so were are including the code anyway". At least if you subscribe to the legal theory that "if we admit we took even a slight glance at a patent, we will be three times as bankrupt than if we didn't". (This last sentence did not sound grammatically right; could someone help me find what is wrong with it?)
EC patents Posted Jan 25, 2011 0:16 UTC (Tue) by fandingo (subscriber, #67019) [Link]
If we admit that we knew about the patent, then we would be liable for treble damages for willful infringement.
EC patents Posted Jan 25, 2011 4:47 UTC (Tue) by gmaxwell (subscriber, #30048) [Link] This is pretty much misinformation.Please see In Re Seagate or an analysis of it (with copious background). The system is screwy and not working in our best interests, but in general I've found these pithy statements about the law are no more accurate than the pithy statement the computer-clueless throw around about computing: Often they are the smallest outdated grain of truth expanded and misinterpreted into something sad and twisted. Please do your part in keeping the internet idea space clean by at least researching these sorts of statements before repeating them when commenting outside of your area of expertise. (I certainly screw up on this count, but I hope and welcome people to correct me)
EC patents Posted Jan 25, 2011 4:54 UTC (Tue) by gmaxwell (subscriber, #30048) [Link]
(er. hit send a bit prematurely) I should make it clear: willful infringement absolutely does exist, but it basically requires exactly that 'willfully infringement'. It's not magically created by somehow coming into proximity of a patent, as is often suggested. If you want to avoid willful infringement, you should not willfully infringe. Regardless: Regular damages are almost certainly enough to ruin everything for you and they don't require any of the much higher standards for willful infringement.
EC patents Posted Jan 25, 2011 11:20 UTC (Tue) by cesarb (subscriber, #6266) [Link]
Even then, they are admitting they know about a patent *they are explicitly working around* (by completely excising the relevant code). There cannot be willful infringement if they are willfully avoiding infringement in the most extreme way possible. They are not trying to "language lawyer" the patent claims by coding in such a way that would not hit them; they are explicitly *removing* the related code, so as to not even get near what the patents claim to cover.
OpenSSH 5.7 released Posted Jan 24, 2011 20:06 UTC (Mon) by nix (subscriber, #2304) [Link]
I must say, speaking as someone who's had to maintain code in the past that talks to SSH via a pipe, it is very annoying when existing commands (such as ln) change behaviour between versions like this. (You have to try an ln -s first, trap the failure, and only then can you proceed to use ln safely: ls -1 is another example).
You'd think you could version-test it, but the sftp command-line client has no option to report its version!
OpenSSH 5.7 released Posted Jan 25, 2011 5:31 UTC (Tue) by madscientist (subscriber, #16861) [Link]
According to what I read, the "symlink" command used to work in previous versions and still does here. It does involve changes if you used "ln" instead of "symlink", but (at least if I understood what was meant by "preexisting [...] command") you can have a single syntax that works across multiple versions.
OpenSSH 5.7 released Posted Jan 25, 2011 21:07 UTC (Tue) by Tobu (subscriber, #24111) [Link] The change is bad API design for three reasons:
What is actually afforded that couldn't be done before is the option to hardlink from the sftp protocol when the server supports it, detecting the feature using the method nix suggested (try "ln -s" once, failure means ln symlinks), which may break if the OpenSSH developers keep changing the behaviour of existing commands. If the feature isn't supported it is still possible to say "upgrade your sshd" or to reimplement ln using ssh commands instead of sftp commands. If you start with the second option you'll be mixing two protocols, and ditching the sftp protocol can become more attractive. The "extra" API is hard to use and easy to misuse, and it doesn't provide a lot of value when compared to rolling your own. It also broke existing API for no good reason.
OpenSSH 5.7 released Posted Jan 25, 2011 21:09 UTC (Tue) by Tobu (subscriber, #24111) [Link] (two reasons. I can't count, or I edit too much)
OpenSSH 5.7 released Posted Jan 25, 2011 23:33 UTC (Tue) by nix (subscriber, #2304) [Link]
Quite so.
It would be tolerable if this was the only time they'd done it... but it's the third or fourth, and my initially-simple interaction scripts have had to compensate for all of them :(
OpenSSH 5.7 released Posted Jan 29, 2011 23:18 UTC (Sat) by jamesh (guest, #1159) [Link]
From the description of the change, there are two parts: an addition to the SFTP protocol, and support for said extension in the bundled client implementation.
If you use an old client against a new server, you should notice no difference. If you use a new client against an old server, presumably it will complain when you send it an unknown command if you try to create a hard link.
OpenSSH 5.7 released Posted Jan 31, 2011 22:09 UTC (Mon) by Tobu (subscriber, #24111) [Link] I found the relevant internet draft (2006). Apparently the protocol has supported hardlinks for a while, and the broken design is strictly client side. That can be version checked (with the package manager, because there is no --version). I'm not about to check the openssh source diff though.
OpenSSH 5.7 released Posted Jan 24, 2011 22:20 UTC (Mon) by Tobu (subscriber, #24111) [Link]
|
|||||||||||||||||||