OpenBSD Journal

Announce: OpenSSH 4.3 released

Contributed by marco on from the OpenSSH-goes-4.3 dept.

OpenSSH 4.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We have also recently completed another Internet SSH usage scan, the
results of which may be found at http://www.openssh.com/usage.html

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
http://www.openbsd.org/tshirts.html and
http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.2:
============================

Security bugs resolved in this release:

* CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
subshell to perform local to local, and remote to remote copy
operations. This subshell exposed filenames to shell expansion
twice; allowing a local attacker to create filenames containing
shell metacharacters that, if matched by a wildcard, could lead
to execution of attacker-specified commands with the privilege of
the user running scp (Bugzilla #1094)

This is primarily a bug-fix release, only one new feature has been
added:

* Add support for tunneling arbitrary network packets over a
connection between an OpenSSH client and server via tun(4) virtual
network interfaces. This allows the use of OpenSSH (4.3+) to create
a true VPN between the client and server providing real network
connectivity at layer 2 or 3. This feature is experimental and is
currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and
FreeBSD. Other operating systems with tun/tap interface capability
may be added in future portable OpenSSH releases. Please refer to
the README.tun file in the source distribution for further details
and usage examples.

Some of the other bugs resolved and internal improvements are:

* Reduce default key length for new DSA keys generated by ssh-keygen
back to 1024 bits. DSA is not specified for longer lengths and does
not fully benefit from simply making keys longer. As per FIPS 186-2
Change Notice 1, ssh-keygen will refuse to generate a new DSA key
smaller or larger than 1024 bits

* Fixed X forwarding failing to start when a the X11 client is executed
in background at the time of session exit (Bugzilla #1086)

* Change ssh-keygen to generate a protocol 2 RSA key when invoked
without arguments (Bugzilla #1064)

* Fix timing variance for valid vs. invalid accounts when attempting
Kerberos authentication (Bugzilla #975)

* Ensure that ssh always returns code 255 on internal error (Bugzilla
#1137)

* Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029)

* Set SO_REUSEADDR on X11 listeners to avoid problems caused by
lingering sockets from previous session (X11 applications can
sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076)

* Ensure that fds 0, 1 and 2 are always attached in all programs, by
duping /dev/null to them if necessary.

* Xauth list invocation had bogus "." argument (Bugzilla #1082)

* Remove internal assumptions on key exchange hash algorithm and output
length, preparing OpenSSH for KEX methods with alternate hashes.

* Ignore junk sent by a server before it sends the "SSH-" banner
(Bugzilla #1067)

* The manpages has been significantly improves and rearranged, in
addition to other specific manpage fixes:
#1037 - Man page entries for -L and -R should mention -g.
#1077 - Descriptions for "ssh -D" and DynamicForward should mention
they can specify "bind_address" optionally.
#1088 - Incorrect descriptions in ssh_config man page for
ControlMaster=no.
#1121 - Several corrections for ssh_agent manpages

* Lots of cleanups, including fixes to memory leaks on error paths
(Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092)

* Portable OpenSSH-specific fixes:

- Pass random seed during re-exec for each connection: speeds up
processing of new connections on platforms using the OpenSSH's
builtin entropy collector (ssh-rand-helper)

- PAM fixes and improvements:
#1045 - Missing option for ignoring the /etc/nologin file
#1087 - Show PAM password expiry message from LDAP on login
#1028 - Forward final non-query conversations to client
#1126 - Prevent user from being forced to change an expired
password repeatedly on AIX in some PAM configurations.
#1045 - Do not check /etc/nologin when PAM is enabled, instead
allow PAM to handle it. Note that on platforms using
PAM, the pam_nologin module should be used in sshd's
session stack in order to maintain past behaviour

- Portability-related fixes:
#989 - Fix multiplexing regress test on Solaris
#1097 - Cross-compile fixes.
#1096 - ssh-keygen broken on HPUX.
#1098 - $MAIL being set incorrectly for HPUX server login.
#1104 - Compile error on Tru64 Unix 4.0f
#1106 - Updated .spec file and startup for SuSE.
#1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing
compilation problems on glibc 2.4

Thanks to everyone who has contributed patches, reported bugs or test
releases.

Checksums:
==========

- SHA1 (openssh-4.3.tar.gz) = 0cb66e56805d66b51511455423bab88aa58a1455
- SHA1 (openssh-4.3p1.tar.gz) = b1f379127829e7e820955b2825130edd1601ba59

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.


(Comments are closed)


  1. By David (87.1.214.42) david@bsdgeek.it on

    Uhm... Bye bye OpenVPN?

    1. By Anonymous Coward (67.140.140.75) on

      I hope so. :)

      1. By Amir Mesry (66.23.227.241) on

        Nah, be a while, if at all. OpenVPN easy to implement for windows people. Plus it runs well.

    2. By dan (192.118.11.112) on

      UDP

      1. By Fábio Olivé Leite (15.227.249.72) on

        ... tunneling arbitrary network packets ...

        It creates an actual tunnel interface connected to the other side. You can route anything you want over that.

        1. By Anonymous Coward (68.106.232.57) on

          He's probably suggesting that OpenVPN can tunnel over UDP vs. TCP. Tunneling TCP over lossy networks reputedly experiences far worse performance.

          http://sites.inka.de/~W1011/devel/tcp-tcp.html

  2. By Anonymous Coward (84.57.75.200) on

    But still OpenSSH.org says 4.2 ...

    1. By Anonymous Coward (222.126.7.222) on

      its maybe in your cache, its been 4.3 since feb 2 here.

    2. By jolan (67.184.170.250) on

      openssh.org is owned by someone else, always use openssh.com

      1. By Anonymous Coward (84.57.75.200) on

        Cleared cache & changed URL, now it announces the correct release.
        Thank you!

    3. By nathan (67.77.88.11) natex84@gmail.com on

      hmm.. i think the poster may be right about the 4.2 being displayed... on www.openssh.{org,com} it shows 4.3 ... without the www, 4.2 for me on both...

  3. By Anonymous Coward (62.252.32.11) on

    From what I understand, that SCP-bug is only exploitable if a user actually has an account on the server, right?

    Hmm .. that reminds me .. is there an easy way of setting up SCP-only (no SSH) accounts for users?

    1. By Anonymous Coward (69.70.207.240) on

      Not sure, but wouldn't /bin/true, /bin/false, nologin, etc. work?

      1. By Anonymous Coward (65.96.221.40) on

        no

      2. By Bryan Inderhees (65.43.174.61) bpi+ud@case.edu on

        To provide a bit more clarification, SCP does require a login shell, since it is (in a weak description, at least) FTP being run over an SSH connection. In fact, it gets a bit picky about that shell---you'll find you can't use screen as your login shell if you want to connect via SCP.

    2. By Frank Brodbeck (129.143.2.195) on

      At work we use scponly as 'shell'.

      http://www.sublimation.org/scponly/

      Regards,
      Frank.

      1. By Anonymous Coward (62.252.32.11) on

        Thanks a bunch! :)

    3. By cellx (216.201.130.149) on

      It would be nice if this was built into openssh though. I would really love to see that. Is there a wishlist place?

      1. By Ben (208.27.203.127) mouring@nospam.eviladmin.org on http://eviladmin.org

        Umm.. SFTP could be integrated into SSHD (that is what SSH Corp did). However SFTP relies on the underlying shell to handle wildcards. So doing that would be much more complex.

        And I'd rather see *NEITHER* embedded.

        - Ben

    4. By cellulax (68.12.154.246) on

      anybody play with this:

      http://chrootssh.sourceforge.net/

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]