OpenBSD Journal

[OpenSSH] OpenSSH 2.9.9 Released

Contributed by Dengue on from the openssh.com dept.

OpenSSH 2.9.9 has been released. This fixes the "source ip based access control" bug, and many other changes. See below for Markus@ message to misc@

Update 2001-09-27

OpenSSH 2.9.9 has been pulled into the 2.8 -stable and 2.9 -stable trees. For information on -stable releases see: http://www.openbsd.org/stable.html .


Subject: OpenSSH 2.9.9
   Date: Wed, 26 Sep 2001 23:05:19 +0200
   From: Markus Friedl

     To: openssh-unix-announce@mindrot.org,
	 openssh-unix-dev@mindrot.org
     CC: lwn@lwn.net, announce@openbsd.org,
	 misc@openbsd.org, dengue@deadly.org




OpenSSH 2.9.9 has just been uploaded. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH 2.9.9 fixes a weakness in the key file option handling,
including source IP based access control.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

This release contains many portability bug-fixes (listed in the
ChangeLog) as well as several new features (listed below).

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Notes:
===============

This release fixes weakness in the source IP based access control
for SSH protocol v2 public key authentication:

        Versions of OpenSSH between 2.5 and 2.9.9 are
        affected if they use the 'from=' key file option in
        combination with both RSA and DSA keys in
        ~/.ssh/authorized_keys2.

        Depending on the order of the user keys in
        ~/.ssh/authorized_keys2 sshd might fail to apply the
        source IP based access control restriction (e.g.
        from="10.0.0.1") to the correct key:

        If a source IP restricted key (e.g. DSA key) is
        immediately followed by a key of a different type
        (e.g. RSA key), then key options for the second key
        are applied to both keys, which includes 'from='.

        This means that users can circumvent the system policy
        and login from disallowed source IP addresses.
        

Important Changes:
==================

OpenSSH 2.9.9 might have upgrade issues introduced by the long time
between releases, which may affect people in unforseen ways:

1) The files
        /etc/ssh_known_hosts2
        ~/.ssh/known_hosts2
        ~/.ssh/authorized_keys2
   are now obsolete, you can use
        /etc/ssh_known_hosts
        ~/.ssh/known_hosts
        ~/.ssh/authorized_keys
   For backward compatibility ~/.ssh/authorized_keys2 is still used for
   authentication and hostkeys are still read from the known_hosts2.
   However, old files are considered 'readonly'.  Future releases are
   likely to not read these files.

2) The CheckMail option in sshd_config is deprecated, sshd no longer
   checks for new mail.

3) X11 cookies are stored in $HOME

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

(Comments are closed)


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]