OpenBSD Journal

OpenSSH 4.2 released

Contributed by grey on from the w00t! dept.

The complete announcement message and details may be found here:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=112558674928977&w=2

Downloads and more may be found from the official site: http://www.openssh.com/



Comments
  1. By Anonymous Coward (80.90.29.7) on

    - Increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits. http://hacking.openbsd.it/ RFC#14 - should change icon :) btw: are we pwn3d!? http://marc.theaimsgroup.com/?l=openbsd-tech&m=106676742717959&w=2

    Comments
    1. By Anonymous Coward (204.209.209.129) on

      I agree with a lot of points on that RFC list. Wouldn't mind seeing most of those imported. Some of them however are touching on old arguments :)

      Richard

      Comments
      1. By Anonymous Coward (218.214.194.113) on

        And a whole lot are personal barrows he wants to push.

        I cannot find a serious point amongst the "RFCs" (whatever RFC means in this context - and it's not Really Bloody Clever!) that would have me patching or reconfigging what I do now.

        OpenBSD provides tools. Craftsmen use them. Some may choose to toss out various tools or to sharpen them in an unusual way.

        Personal choice is not hampered. He can still shoot himself in the foot if he likes or waste bullets on the clouds. So can anybody.

        The default settings are good enough for most and hey, if somebody exploits something he wanted changed then he can boast widely.

        Meanwhile the real world goes on.

        Comments
        1. By Anonymous Coward (195.122.29.101) on

          talk, talk... it seems that ssh4.2 is imported in -stable(3.7)

          Comments
          1. By Brad (216.138.195.228) brad at comstyle dot com on

            OpenSSH releases are put into the -stable branches no matter what. .. from stable.html "As an exception to the above rules, OpenSSH release versions will be merged into the patch branch."

        2. By Anonymous Coward (195.224.109.30) on

          Most of the RFCs on that page are stupid and pointless, and are about personal preference rather than being something that should be incorporated as default for all users.

          Comments
          1. By Anonymous Coward (213.118.165.79) on

            It however does contain some valid points. You could of course call every setting a matter of personal preference, but some things mentioned in that list really do make sense

            Comments
            1. By Anonymous Coward (195.224.109.30) on

              You mean like turning off the system beep ?

              Comments
              1. By Anonymous Coward (195.122.29.101) on

                like being able to set it to not decrease ttl when forwarding packets, not too much with pf's scrub minttl.

              2. By tedu (64.173.147.27) on

                if you learn to type correctly, you don't have to hear the beeps. :)

    2. By Anonymous Coward (128.151.92.148) on

      Some of those opinions are kind of strange. For instance, the argument for bzip. It says that bzip has "better performance". (a direct quote) By this they mean it compresses better. But AFAIK it also is slower and uses more memory. They've neglected to mention that.

      Some of them may be valid points, but as has been mentioned, these are mostly minor stylistic issues.

  2. By Alan Post (204.89.131.79) aisa@cybermesa.com on http://livejournal.com/users/aisa0/

    i think the note about delayed zlib compression until after authentication is a perfect example of layered security.

    we've had two zlib security problems recently, there might or might not be more of them.

    but for ssh, we now have an option to just ignore compression in the most critical part of ssh, during authentication.

    with or without recent zlib problems, the openssh team just factored out code from this critical path. so future problems won't be the kind of issue that past problems have been (for zlib+openssh).

    this kind of layered thinking about security, exploits, and safety is just amazing. particularly when it is applied to an existing codebase in real-world situations.

    kudos.

    Comments
    1. By Anonymous Coward (195.122.29.101) on

      of course you can ask why it wasn't implemented in the beginning ;) if you are really paranoid you wouldn't fully trust some third-party code.

  3. By Anonymous Coward (64.92.206.84) on

    There are a number of things I can't stand about the OpenBSD developers, and I would just love to share them with you. With this letter, I hope to break the neck of the OpenBSD developers's policy of fetishism once and for all. But first, I would like to make the following introductory remark: It's astounding that the OpenBSD developers has found a way to work the words "historiographical" and "interdifferentiation" into its smears. However, you may find it even more astounding that its artifices promote a redistribution of wealth. This is always an appealing proposition for the OpenBSD developers's loyalists because much of the redistributed wealth will undoubtedly end up in the hands of the redistributors as a condign reward for their loyalty to the OpenBSD developers. By framing the question in this way, we see that the OpenBSD developers thinks it would be a great idea to subordinate all spheres of society to an ideological vision of organic community. Even if we overlook the logistical impossibilities o

    While everybody believes in something, the OpenBSD developers's simple faith in egotism will squeeze every last drop of blood from our overworked, overtaxed bodies. Some would say that this is a platitude. Would that it were! Rather, if you can make any sense out of the OpenBSD developers's Maoism-prone paroxysms, then you must have gotten higher marks in school than I did. Be that as it may, I suppose it's predictable, though terribly sad, that foolhardy sluggards with stronger voices than minds would revert to crotchety behavior. But the OpenBSD developers's rapacious methods of interpretation criticize other people's beliefs, fashion sense, and lifestyle. The OpenBSD developers then blames us for that. Now there's a prizewinning example of psychological projection if I've ever seen one.

    If the OpenBSD developers wants to be taken seriously, it should counter the arguments in this letter with facts, not illogical panaceas, personal anecdotes, or insults. The OpenBSD developers has recently been going around claiming that there is something intellectually provocative in the tired rehashing of uncompromising stereotypes. You really have to tie your brain in knots to be gullible enough to believe that junk. At first, you might be unsure as to whether all the OpenBSD developers does is complain, complain, complain. But on deeper inspection, you'll indubitably conclude that the OpenBSD developers's vituperations are merely a stalking horse. They mask its secret intention to undermine the basic values of work, responsibility, and family. All of this once again proves the old saying that the OpenBSD developers embraces frotteurism with open arms.

    Comments
    1. By Anonymous Coward (213.84.159.249) on

      Did Cisco finally fire you?

      I don't like rants with grammatical errors, as I don't like code with errors. Especially if it is intended. That should say enough. You either are good at coding (or ranting for that matter) or you do something else with your life. Get a life!

    2. By Anonymous Coward (195.224.109.30) on

      >Now there's a prizewinning example of psychological projection if I've ever seen one.

      back at ya buddy :)

    3. By Charles (216.229.170.65) on

      D+, for effort.

      Where'd you cut and paste this from? That sounds suspiciously like some 1950's anti-communist rant, but I can't quite put my finger on the source. The grammar indicates you cut-and-pasted "OpenBSD developers" in for some other phrase like "communist philosophy". "Developers" is plural, but you consistently follow it with singular verb forms.

      The style is also reminiscent of late 19th Century pamphleteers, who just adored making their tracts look intelligent by overusing a thesaurus but not following the basics of grammar and style. There are a lot of big words, but no point is ever actually made.

      Just curious.

      Comments
      1. By Anonymous Coward (213.118.165.79) on

        It looks like something that was generated by Scott Pakin's automatic complaint-letter generator: http://www.pakin.org/complaint

        Of course you'll get a different text from it, but some sentences reappear.

        So all in all it is just a cheap troll ;-)

        Comments
        1. By Anonymous Coward (69.70.207.240) on

          LOL, that's exactly it...

        2. By Anonymous Coward (70.66.3.210) on

          LOL, never heard of that site before :)

      2. By sng (12.18.141.172) on

        I thought he was just channeling Theodore Kaczynski.

    4. By Clay Dowling (12.37.120.99) clay@lazarusid.com on http://www.ceamus.com

      Sounds like somebody's been self-medicating again, or maybe more to the point he's stopped taking them completely.

      Would the decent humanitarian thing to do be to track down that IP address and send the boys in white coats for our friend, until he gets back to something like balance?

    5. By tedu (64.173.147.27) on

      I may be risking my life by telling you this, but we must always be looking towards the future while keeping the past in mind. Before examining the present situation, however, it is important that I address a number of important issues. It is more than a purely historical question to ask, "How did cheap troll's reign of terror start?" or even the more urgent question, "How might it end?". No, we must ask, "How can something that claims to be so educated and so open-minded dare to outrage the very sensibilities of those who value freedom and fairness?" You know the answer, don't you? You probably also know that cheap troll believes that it has been robbed of all it does not possess. That's just wrong. It further believes that skin color means more than skill and gender is more impressive than genius. Wrong again!

      Couldn't you figure that out for yourself, cheap troll? In a recent essay, cheap troll stated that "the norm" shouldn't have to worry about how the exceptions feel. Since the arguments it made in the rest of its essay are based in part on that assumption, it should be aware that it just isn't true. Not only that, but its true goal is to mold the mind of virtually every citizen -- young or old, rich or poor, simple or sophisticated. All the statements that its secret police make to justify or downplay that goal are only apologetics; they do nothing to do what comes naturally. Cheap troll is entirely gung-ho about mercantilism because it lacks more pressing soapbox issues. Unless we increase awareness and understanding of our similarities and differences, our whole social structure will gradually disintegrate and crumble into ruins. Let me try to put this in perspective: If I seem a bit cold-blooded, it's only because I'm trying to communicate with cheap troll on its own level. Cheap troll is like a magician who produces a dove in one hand, while the other hand is busy trying to consign most of us to the role of its servants or slaves.

      Cheap troll has a strategy. Its strategy is to make our lives an endless treadmill of government interferences while providing few real benefits to our health and happiness. Wherever you encounter that strategy, you are dealing with cheap troll. Finally, any mistakes in this letter are strictly my fault. But if you find any factual error or have more updated information on the subject of cheap troll, cheap troll-inspired versions of sensationalism, etc., please tell me, so I can write an even stronger letter next time.

  4. By Biff (67.165.214.212) on

    From the announcement I gathered two things: if you update, you should also update any <3.5 systems or you won't be able to connect, seems like a flag day in that respect, and no announcement of a built in method to defeat brute force connections.

    For me, my standard method is to use pf to allow ssh connections from addresses or networks I know I'm going to be at (work, family, etc). But I have to advise people with student systems that allow ssh from the Internet at large. What is the best way today, and is there thought of an IP address lockout or tarpit for repeat connections that are guessing passwords?

    Comments
    1. By m0rf (68.104.17.51) on

      from http://www.undeadly.org/cgi?action=article&sid=20041231195454&mode=expanded and elaborated on in pf.conf(5):

      # addresses that exceed the rate below are added to this table; declare it so the ruleset loads
      table <scanners> persist
      pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
      keep state (max-src-conn-rate 10/60, overload <scanners>)
      # later rule wins without "quick", so listed sources are blocked; add "flush global" to the overload clause to also kill their existing states
      block in on $ext_if proto tcp from <scanners> to $ext_if port ssh

      changing your rate as need be. It was added in 3.7.


      Comments
      1. By m0rf (68.104.17.51) on

        and if their packet filter doesn't support rate limiting/isn't pf, perhaps it's time to advise an upgrade.
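For hosts whose packet filter cannot rate-limit, the same 10-in-60-seconds threshold can be applied on the sshd log instead. The following is an added example, not code from the thread or from pf: it counts failed logins per source over a sliding window (pf's max-src-conn-rate counts connections; here failures are counted, which is the more useful signal in a log) and reports the sources that would have landed in the overload table. The syslog line format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds mirroring the pf rule above: 10 events within 60 seconds trips the overload.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 60

# Assumed syslog-style sshd line. The year is absent; strptime defaults it to 1900,
# which is fine because only differences between timestamps are used.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)

def parse_line(line):
    """Return (timestamp, result, source) for an auth event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("result"), m.group("src")

def overloaded_sources(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
    """Sliding-window count of failed logins per source, like max-src-conn-rate N/T.

    Returns the set of sources that reached max_attempts failures inside a window of
    `window` seconds; in pf these are the addresses that overload would add to <scanners>."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    overloaded = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue              # ignore non-auth lines and successful logins
        ts, _, src = parsed
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()           # expire failures that fell out of the window
        q.append(ts)
        if len(q) >= max_attempts:
            overloaded.add(src)
    return overloaded

# Constructed sample log: one fast guesser (10 failures in 18 s), one slow guesser, one key login.
SAMPLE_LOG = [
    f"Sep  1 10:00:{2*i:02d} gw sshd[{1200+i}]: Failed password for root from 198.51.100.7 port {40000+i} ssh2"
    for i in range(10)
] + [
    "Sep  1 10:00:05 gw sshd[1300]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2",
    "Sep  1 10:03:05 gw sshd[1301]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2",
    "Sep  1 10:06:05 gw sshd[1302]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2",
    "Sep  1 10:01:00 gw sshd[1400]: Accepted publickey for alice from 192.0.2.9 port 51000 ssh2",
]

if __name__ == "__main__":
    print(sorted(overloaded_sources(SAMPLE_LOG)))   # ['198.51.100.7']
```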

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]