Contributed by
Dengue
on
from the openssh.com dept.
OpenSSH
2.9.9 has been released. This fixes the "source ip based access control" bug, and many other changes. See below for
Markus@
message to
misc@
Update 2001-09-27
OpenSSH 2.9.9 has been pulled into the 2.8
-stable
and 2.9
-stable
trees. For information on
-stable
releases see:
http://www.openbsd.org/stable.html
.
Subject: OpenSSH 2.9.9
Date: Wed, 26 Sep 2001 23:05:19 +0200
From: Markus Friedl
To: openssh-unix-announce@mindrot.org,
openssh-unix-dev@mindrot.org
CC: lwn@lwn.net, announce@openbsd.org,
misc@openbsd.org, dengue@deadly.org
OpenSSH 2.9.9 has just been uploaded. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH 2.9.9 fixes a weakness in the key file option handling,
including source IP based access control.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
This release contains many portability bug-fixes (listed in the
ChangeLog) as well as several new features (listed below).
We would like to thank the OpenSSH community for their continued
support and encouragement.
Security Notes:
===============
This release fixes weakness in the source IP based access control
for SSH protocol v2 public key authentication:
Versions of OpenSSH between 2.5 and 2.9.9 are
affected if they use the 'from=' key file option in
combination with both RSA and DSA keys in
~/.ssh/authorized_keys2.
Depending on the order of the user keys in
~/.ssh/authorized_keys2 sshd might fail to apply the
source IP based access control restriction (e.g.
from="10.0.0.1") to the correct key:
If a source IP restricted key (e.g. DSA key) is
immediately followed by a key of a different type
(e.g. RSA key), then key options for the second key
are applied to both keys, which includes 'from='.
This means that users can circumvent the system policy
and login from disallowed source IP addresses.
Important Changes:
==================
OpenSSH 2.9.9 might have upgrade issues introduced by the long time
between releases, which may affect people in unforseen ways:
1) The files
/etc/ssh_known_hosts2
~/.ssh/known_hosts2
~/.ssh/authorized_keys2
are now obsolete, you can use
/etc/ssh_known_hosts
~/.ssh/known_hosts
~/.ssh/authorized_keys
For backward compatibility ~/.ssh/authorized_keys2 is still used for
authentication and hostkeys are still read from the known_hosts2.
However, old files are considered 'readonly'. Future releases are
likely to not read these files.
2) The CheckMail option in sshd_config is deprecated, sshd no longer
checks for new mail.
3) X11 cookies are stored in $HOME
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.