OpenBSD Journal

OpenSSH 4.6 Released

Contributed by dwc on from the cryptic-conversations dept.

Damien Miller just announced the good news of a great new version of OpenSSH! This version has some really nice new features, like per-user authentication config. Read on for changes, new features, and more fun stuff...

OpenSSH 4.6 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
        http://www.openbsd.org/tshirts.html and
        http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.5:
============================

 * sshd now allows the enabling and disabling of authentication
   methods on a per user, group, host and network basis via the
   Match directive in sshd_config.

 * The following bugs have been fixed in this release:

   - Clear SIGALRM when restarting due to SIGHUP. Prevents stray
     signal from taking down sshd if a connection was pending at
     the time SIGHUP was received
   - sftp returned a zero exit status when upload failed due to write
     errors (bugzilla #1252)
   - fixed an inconsistent check for a terminal when displaying scp
     progress meter (bugzilla #1265)
   - Parsing of time values in Match blocks was incorrectly applied
     to the global configuration (bugzilla #1275)
   - Allow multiple forwarding options to work when specified in a
     PermitOpen directive (bugzilla #1267)
   - Interoperate with ssh.com versions that do not support binding
     remote port forwarding sessions to a hostname (bugzilla #1019)

 * Portable OpenSSH bugs fixed:

   - "hang on exit" when background processes are running at the time
     of exit on a ttyful/login session (bugzilla #52)
   - Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259)
   - Check that some SIG records have been returned in getrrsetbyname
     (bugzilla #1281)
   - Fix contrib/findssl for platforms that lack "which" (bugzilla
     #1237)
   - Work around bug in OpenSSL 0.9.8e that broke aes256-ctr,
     aes192-ctr, arcfour256 (bugzilla #1291)

Checksums:
==========

- SHA1 (openssh-4.6.tar.gz) = c1700845be464a769428f34ef727c1f530728afc
- SHA1 (openssh-4.6p1.tar.gz) = b2aefeb1861b4688b1777436035239ec32a47da8

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
[Edited to correct OpenSSH 0.9.6e to OpenSSL 0.9.8e -dwc]



Comments
  1. By Anonymous Coward (122.49.157.192) on

    s/OpenSSH 0.9.6e/OpenSSL 0.9.6e/

    mod me down, i'm too lazy to email

  2. By Anonymous Coward (83.149.231.208) on

    In the past new SSH versions were tagged for the current OpenBSD release, but while reading the CVS code via CVSWEB I noticed the new SSH release is not tagged for OpenBSD 4.0 yet.

  3. By Cabal (Cabal) Cabal on http://www.enginuity.org/

    Some broader questions: Are there any new protocol versions on the horizon? 2.1, 3.0, etc? Who decides on the direction of the SSH protocol, a consortium? SSH.com (ugh)?

    Comments
    1. By Darren Tucker (dtucker) on

      > Some broader questions: Are there any new protocol versions on the
      > horizon? 2.1, 3.0, etc?

      No. SSH2 was designed to be extensible so major revisions aren't necessary for most things.

      > Who decides on the direction of the SSH protocol, a consortium?

      The IETF secsh working group (which had representatives from pretty much all of the implementations) did SSH2. The WG has been wrapped up (see http://tools.ietf.org/wg/secsh/). I imagine a new one would have to be formed for a hypothetical SSH3, but I can't imagine it happening either.

      I would expect any new protocol features to be implemented mostly as vendor-specific extensions (which are explicitly defined in the spec) and maybe a few of them becoming new standards built on top of the existing RFCs.

    2. By Anonymous Coward (70.179.123.124) on

      > Some broader questions: Are there any new protocol versions on the horizon? 2.1, 3.0, etc? Who decides on the direction of the SSH protocol, a consortium? SSH.com (ugh)?


      SSH is covered by RFCs; if you've got a prospective change, you can write it up and submit it as an Internet Draft.

      The most recent RFC I could find was RFC 4252, which is co-authored by T. Ylonen, who is the Finn who is responsible for bringing us SSH in the first place. He is also the founder of SSH Communications Security Corp, which, if memory serves, is the dreaded SSH.com.

  4. By Anonymous Coward (213.118.134.55) on

    Would the Match directive allow me to give certain users sftp permission without full shell access?

    Comments
    1. By Anonymous Coward (193.63.217.208) on

      > Would the Match directive allow me to give certain users sftp permission without full shell access?

      Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?

      TIA

      Comments
      1. By Anonymous Coward (88.82.33.37) on

        > > Would the Match directive allow me to give certain users sftp permission without full shell access?
        >
        > Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?

        bunbun:*:1005:1005:Mailinglists only:/home/bunbun:/usr/libexec/sftp-server

        Now... how does one do sftp access only in a chroot jail?

        Comments
        1. By Anonymous Coward (82.69.64.101) on

          > > > Would the Match directive allow me to give certain users sftp permission without full shell access?
          > >
          > > Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
          >
          > bunbun:*:1005:1005:Mailinglists only:/home/bunbun:/usr/libexec/sftp-server
          >
          > Now... how does one do sftp access only in a chroot jail?

          Just an idea...
          http://chrootssh.sourceforge.net/ claims to chroot to openssh.
          In FreeBSD's ports tree (openssh-portable) chroot'ing users is a compile-time option. I've used it successfully with 4.5-portable.

          user:*:1000:1000::/home/user/./whatever:/usr/libexec/sftp-server

          There's no patch for 4.6 yet and I've never tried it with OpenBSD so YMMV.

        2. By Anonymous Coward (213.118.134.55) on

          > bunbun:*:1005:1005:Mailinglists only:/home/bunbun:/usr/libexec/sftp-server

          I can't believe I didn't think of that... Thanks a lot :)

      2. By Venture37 (venture37) on www.geeklan.co.uk

        > > Would the Match directive allow me to give certain users sftp permission without full shell access?
        >
        > Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
        >
        > TIA
        >

        check out rssh
        http://www.pizzashack.org/rssh/

      3. By Anonymous Coward (84.186.19.51) on

        > > Would the Match directive allow me to give certain users sftp permission without full shell access?
        >
        > Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
        >
        > TIA
        >

        The following patch chroots the user to the folder you specify provided that his homedir has a trailing "/./". Users without this are not affected.

        Apply patch to OpenSSH-4.6 with
          
          tar xfz openssh-4.6.tar.gz
          cd ssh
          patch -p0 < sftp-server-46-chroot.diff
          make obj
          make cleandir
          make depend
          make
          make install
          chmod 4555 /usr/libexec/sftp-server
        
        Chroot a user to its homedir by setting the homedir to /path/to/home/./
        and setting his shell to sftp-server (add the binary to /etc/shells first).
        The user will be sftp-only and can't log in to a shell.
        
        
        --- sftp-server.c.old	Thu Mar  8 20:11:45 2007
        +++ sftp-server.c	Thu Mar  8 20:18:43 2007
        @@ -40,6 +40,8 @@
         #include "sftp.h"
         #include "sftp-common.h"
         
        +#define CHROOT
        +
         /* helper */
         #define get_int64()			buffer_get_int64(&iqueue);
         #define get_int()			buffer_get_int(&iqueue);
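        Review bot: `+#define CHROOT` is hard-coded into sftp-server.c, so the `#ifdef CHROOT` guards added further down can never be false and the jail cannot be switched off without editing the source; define it from the build instead (e.g. `CFLAGS+=-DCHROOT` in the Makefile) and drop these two added lines.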
        @@ -1183,6 +1185,37 @@
         	exit(1);
         }
         
        +#ifdef CHROOT
        +void
        +chroot_init(void)
        +{
        +	char *user_dir, *new_root;
        +
        +	user_dir = getenv("HOME");
        +
        +	if (!user_dir)
        +		fatal("HOME isn't in environment");
        +
        +	new_root = user_dir + 1;
        +
        +	while ((new_root = strchr(new_root, '.')) != NULL) {
        +		new_root--;
        +		if (strncmp(new_root, "/./", 3) == 0) {
        +			*new_root = '\0';
        +			new_root += 2;
        +
        +			if (chroot(user_dir) != 0)
        +				fatal("Couldn't chroot to user directory %s: %s",user_dir, strerror(errno));
        +
        +			setenv("HOME", new_root, 1);
        +			break;
        +		}
        +		new_root += 2;
        +	}
        +}
        +#endif /* CHROOT */
        +
        +
         int
         main(int argc, char **argv)
         {
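        Review bot: chroot_init() takes the jail root from getenv("HOME"), a value the logged-in user can influence, and calls chroot(user_dir) without a chdir() afterwards, so the process keeps a working directory that lies outside the new root; take the directory from getpwuid(getuid())->pw_dir instead and follow a successful chroot() with `chdir(new_root)`, failing hard if that does not succeed. The scan also starts at `user_dir + 1` without checking that user_dir is non-empty, so an empty HOME makes strchr() read past the terminator; test for a leading '/' first.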
        @@ -1247,6 +1280,15 @@
         	    pw->pw_name, client_addr);
         
         	handle_init();
        +
        +#ifdef CHROOT
        +	chroot_init();
        +#endif /* CHROOT */
        +
        +	setuid(getuid());
        +
        +	if (setuid(getuid()) != 0)
        +		fatal("Couldn't drop privileges: %s", strerror(errno));
         
         	in = dup(STDIN_FILENO);
         	out = dup(STDOUT_FILENO);
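        Review bot: the bare `setuid(getuid());` immediately before the checked call is redundant, since the second call is the one whose result is tested; delete the first. Because the install step makes the binary setuid root (`chmod 4555`), everything above this point, including handle_init() and the logging, runs as root; that is needed for chroot(), but the privileged window should be kept as short as possible, and the drop should happen right after chroot_init() returns rather than after any further setup.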
        

        Comments
        1. By Darren Tucker (dtucker) on

          > +	user_dir = getenv("HOME");
          > [...]
          > +			if (chroot(user_dir) != 0)
          
          It's not a good idea to trust an environment variable for that. In general they are under the control of the user. In this case there are a couple of ways for users to potentially change them: SendEnv in ssh_config (if sshd is configured to allow it) or via a shell startup script (eg if you're using ForceCommand rather than changing the user's shell).

          Local users could also chroot sftp-server to arbitrary locations although I'm not sure what that might buy them.

          It's safer to look up the user's passwd entry yourself, since this can't be easily faked out, eg:

              struct passwd *pw;        /* needs <pwd.h> */

              /* note the extra parentheses: assign first, then compare */
              if ((pw = getpwuid(getuid())) == NULL)
                  fatal("no passwd entry for uid %u", (unsigned)getuid());
              user_dir = pw->pw_dir;
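          A hardened form of the posted chroot_init() along the lines of the comment above, as an added example (not the posted patch, not Darren's code and not part of OpenSSH): the jail root comes from the passwd database rather than $HOME, chroot() is followed by chdir(), and the privilege drop is done once and checked. The "/./" marker convention is the one the patch and the passwd examples above use; the function names are hypothetical.

```c
/* Added example (not from the posted patch or from OpenSSH): a hardened form
 * of the patch's chroot_init(). Jail root from getpwuid(), not $HOME;
 * chroot() followed by chdir(); one checked privilege drop. */
#define _DEFAULT_SOURCE 1   /* prototypes for chroot() and setenv() */
#include <errno.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static void die(const char *what)
{
    fprintf(stderr, "%s: %s\n", what, strerror(errno));
    exit(1);
}

/* Split "/root/./inside" into the chroot root and the absolute path to use
 * inside the jail. Returns 1 on success, 0 when there is no "/./" marker
 * (the user is simply not jailed) and -1 when the marker cannot be used. */
int split_chroot_path(const char *dir, char *root, size_t rootlen,
                      char *sub, size_t sublen)
{
    const char *mark = strstr(dir, "/./");
    if (mark == NULL)
        return 0;
    size_t n = (size_t)(mark - dir);       /* "/./x" gives n == 0: no root */
    if (n == 0 || n + 1 > rootlen || strlen(mark + 2) + 1 > sublen)
        return -1;
    memcpy(root, dir, n);
    root[n] = '\0';
    strcpy(sub, mark + 2);                 /* keeps the '/' that follows "./" */
    return 1;
}

/* Jail the calling user; hypothetical replacement for the patch's
 * chroot_init(). Must run while still root, before privileges are dropped. */
void enter_chroot(void)
{
    struct passwd *pw = getpwuid(getuid());  /* not getenv("HOME") */
    char root[PATH_MAX], sub[PATH_MAX];
    if (pw == NULL) die("getpwuid");
    int rc = split_chroot_path(pw->pw_dir, root, sizeof root, sub, sizeof sub);
    if (rc < 0) die("unusable home directory");
    /* chdir() after chroot(), otherwise the cwd stays outside the jail */
    if (rc == 1 && (chroot(root) != 0 || chdir(sub) != 0)) die("chroot/chdir");
    if (setuid(getuid()) != 0) die("setuid");  /* checked, done only once */
    if (rc == 1) setenv("HOME", sub, 1);
}
```

          enter_chroot() needs root and is meant to be called where the patch calls chroot_init(); split_chroot_path() can be exercised unprivileged.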
          

        2. By jirib (195.212.29.163) on

          > The following patch chroots the user to the folder you specify provided that his homedir has a trailing "/./". Users without this are not affected.
          >
          > Apply patch to OpenSSH-4.6 with
          >
          > tar xfz openssh-4.6.tar.gz
          > cd ssh
          > patch -p0 < sftp-server-46-chroot.diff
          > make obj
          > make cleandir
          > make depend
          > make
          > make install
          > chmod 4555 /usr/libexec/sftp-server
          >
          > Chroot a user to its homedir with setting by homedir to /path/to/home/./
          > and setting his shell to sftp-server (add binary to /etc/shells before)
          > User will be sftp-only and can't login to shell
          >
          >
          > --- sftp-server.c.old Thu Mar 8 20:11:45 2007
          > +++ sftp-server.c Thu Mar 8 20:18:43 2007
          > @@ -40,6 +40,8 @@
          > #include "sftp.h"
          > #include "sftp-common.h"
          >
          > +#define CHROOT
          > +
          > /* helper */
          > #define get_int64() buffer_get_int64(
          > #define get_int() buffer_get_int(
          > @@ -1183,6 +1185,37 @@
          > exit(1);
          > }
          >
          > +#ifdef CHROOT
          > +void
          > +chroot_init(void)
          > +{
          > + char *user_dir, *new_root;
          > +
          > + user_dir = getenv("HOME");
          > +
          > + if (!user_dir)
          > + fatal("HOME isn't in environment");
          > +
          > + new_root = user_dir + 1;
          > +
          > + while ((new_root = strchr(new_root, '.')) != NULL) {
          > + new_root--;
          > + if (strncmp(new_root, "/./", 3) == 0) {
          > + *new_root = '\0';
          > + new_root += 2;
          > +
          > + if (chroot(user_dir) != 0)
          > + fatal("Couldn't chroot to user directory %s: %s",user_dir, strerror(errno));
          > +
          > + setenv("HOME", new_root, 1);
          > + break;
          > + }
          > + new_root += 2;
          > + }
          > +}
          > +#endif /* CHROOT */
          > +
          > +
          > int
          > main(int argc, char **argv)
          > {
          > @@ -1247,6 +1280,15 @@
          > pw->pw_name, client_addr);
          >
          > handle_init();
          > +
          > +#ifdef CHROOT
          > + chroot_init();
          > +#endif /* CHROOT */
          > +
          > + setuid(getuid());
          > +
          > + if (setuid(getuid()) != 0)
          > + fatal("Couldn't drop privileges: %s", strerror(errno));
          >
          > in = dup(STDIN_FILENO);
          > out = dup(STDOUT_FILENO);
          >

          I don't know, why not just use ForceCommand with sftp-server, which would be executed via a systrace wrapper? That would restrict the user without changing the OpenSSH code. ???

    2. By jirib (195.212.29.163) on

      > Would the Match directive allow me to give certain users sftp permission without full shell access?

      Sure, just use ForceCommand in a Match section - the command should be /usr/lib/sftp-server

      It works :) but not for scp 'coz scp is just a cat in pipe. Maybe you could make a systrace wrapper which would jail sftp user just in his/her home dir. I haven't tried this.
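      An sshd_config fragment, added here as an example (not from the original post or from the OpenSSH documentation), that combines the ForceCommand approach above with the per-group authentication switches that 4.6 adds via Match; the group name `sftponly`, the management network and the sftp-server path are assumptions:

```conf
# Global defaults: public keys only, no interactive passwords.
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/sftp-server

# Members of the (assumed) group "sftponly" get sftp-server whatever
# command they request, so a login shell is never spawned. They can still
# read anything their Unix permissions allow: this is not a chroot, and
# as noted above scp simply stops working for them.
Match Group sftponly
    ForceCommand /usr/libexec/sftp-server
    AllowTcpForwarding no
    X11Forwarding no

# New in 4.6: authentication methods can be toggled inside a Match block.
# Here password logins are allowed only from an (assumed) management net.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
```

      Match blocks apply until the next Match line, so keep them at the end of the file and check the result with `sshd -t` before restarting.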

      Comments
      1. By Anonymous Coward (195.212.29.163) on

        > It works :) but not for scp 'coz scp is just a cat in pipe. Maybe you could make a systrace wrapper which would jail sftp user just in his/her home dir. I haven't tried this.
        >

        "a cat" - lol. I thought `cat` command :)

  5. By Anonymous Coward (85.178.104.188) on

    Is this an April fool?!

    The OpenSSH website doesn't mention ANY new release nor is ANY announcement in the archives (misc@) nor is the Code in the CVS tagged for OpenBSD 4.0.

    This looks suspicious, really.

    Comments
    1. By phessler (69.12.168.115) on

      > Is this an April fool?!
      >
      > The OpenSSH website doesn't mention ANY new release nor is ANY announcement in the archives (misc@) nor is the Code in the CVS tagged for OpenBSD 4.0.
      >
      > This looks suspicious, really.

      go away troll

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]