OpenBSD Journal

[OpenSSH] OpenSSH 3.1 Released

Contributed by Dengue on from the openssh dept.

OpenSSH 3.1 is available. It resolves the "March 7, 2002: Off-by-one error in the channel code" bug. The bug can be used by an authenticated user to escalate privileges locally on the server, and by a hostile server to exploit a vulnerable OpenSSH client.
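The off-by-one the advisory refers to is a bounds check on a table of channel structures that accepts one index too many. The following is an added, constructed C example, not OpenSSH's channels.c: the Channel layout, the field names, the table size and the name channels_alloc are assumptions chosen to mirror the class of bug. It shows the vulnerable check next to the fixed one. The backing array is deliberately one slot larger than channels_alloc, so the "one past the end" slot stands in for whatever memory follows the real table and reading it stays well-defined here.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed example of an off-by-one bounds check on a channel table.
 * This is NOT OpenSSH's channels.c; names and layout are assumptions
 * chosen to mirror the class of bug the advisory describes.
 */
typedef struct {
    int  id;
    int  type;        /* 0 = free, 1 = in use (assumed encoding) */
    char remote[16];  /* peer description (assumed field) */
} Channel;

#define CHANNELS_ALLOC 4

/* Backing storage is one slot larger than the table "thinks" it is. The
 * slot at index CHANNELS_ALLOC stands in for whatever memory follows the
 * real table; here it holds a constructed stale record. */
static Channel  slots[CHANNELS_ALLOC + 1];
static Channel *channels[CHANNELS_ALLOC + 1];
static int      channels_alloc = CHANNELS_ALLOC;

void channel_table_init(void)
{
    for (int i = 0; i <= CHANNELS_ALLOC; i++) {
        slots[i].id = i;
        if (i < CHANNELS_ALLOC) {
            slots[i].type = 1;
            snprintf(slots[i].remote, sizeof slots[i].remote, "peer-%d", i);
        } else {
            /* the record one past the end: not a valid channel */
            slots[i].type = 0;
            snprintf(slots[i].remote, sizeof slots[i].remote, "STALE");
        }
        channels[i] = &slots[i];
    }
}

/* Vulnerable: 'id > channels_alloc' lets id == channels_alloc through,
 * which is one past the last valid slot. */
Channel *channel_lookup_vuln(int id)
{
    if (id < 0 || id > channels_alloc)
        return NULL;
    return channels[id];
}

/* Fixed: valid ids are 0 .. channels_alloc-1, so reject id >= channels_alloc. */
Channel *channel_lookup_fixed(int id)
{
    if (id < 0 || id >= channels_alloc)
        return NULL;
    return channels[id];
}

/* Count the ids in [-1, channels_alloc] that a lookup wrongly accepts. */
int count_oob_accepts(Channel *(*lookup)(int))
{
    int bad = 0;
    for (int id = -1; id <= channels_alloc; id++) {
        Channel *c = lookup(id);
        if (c != NULL && (id < 0 || id >= channels_alloc))
            bad++;
    }
    return bad;
}

int main(void)
{
    channel_table_init();
    Channel *c = channel_lookup_vuln(CHANNELS_ALLOC);
    printf("vulnerable lookup(%d): %s\n", CHANNELS_ALLOC, c ? c->remote : "NULL");
    c = channel_lookup_fixed(CHANNELS_ALLOC);
    printf("fixed lookup(%d): %s\n", CHANNELS_ALLOC, c ? c->remote : "NULL");
    return 0;
}
```

For id == channels_alloc the vulnerable lookup hands back the stale record while the fixed one returns NULL; every other id behaves the same in both. In a real daemon the slot one past the end is whatever the heap holds there, and the code then trusts that record as a channel, which is what turns a single-element overrun into the local privilege escalation and the hostile-server attack the advisory describes. The comment thread below gives the informal explanation of off-by-one and overflow mechanics.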

The release announcement follows:


Subject: OpenSSH 3.1 released
   Date: Thu, 7 Mar 2002 12:55:57 +0100
   From: Markus Friedl
     To: openssh-unix-announce@mindrot.org,
         openssh-unix-dev@mindrot.org
     CC: lwn@lwn.net, announce@openbsd.org,
         misc@openbsd.org, dengue@deadly.org,
         news@linuxsecurity.com,
         secureshell@securityfocus.com

OpenSSH 3.1 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.


Important Changes:
==================

- /etc/ssh/ now default directory for keys and configuration files
- ssh-keygen no longer defaults to a specific key type (rsa1);
  use ssh-keygen -t {rsa,dsa,rsa1}
- sshd x11 forwarding listens on localhost by default;
  see sshd X11UseLocalhost option to revert to prior behaviour
  if your older X11 clients do not function with this configuration


Other Changes:
==============

- ssh ~& escape char functions now for both protocol versions
- sshd ReverseMappingCheck option changed to VerifyReverseMapping
  to clarify its function; ReverseMappingCheck can still be used
- public key fingerprint is now logged with LogLevel=VERBOSE
- reason logged for disallowed logins (e.g., no shell, etc.)
- more robust error handling for x11 forwarding
- improved packet/window size handling in ssh2
- use of regex(3) has been removed
- fix SIGCHLD races in sshd (seen on Solaris)
- sshd -o option added
- sftp -B -R -P options added
- ssh-add now adds all 3 default keys
- ssh-keyscan bug fixes
- ssh-askpass for hostkey dialog
- fix fd leak in sshd on SIGHUP
- TCP_NODELAY set on X11 and TCP forwarding endpoints


OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.



Comments
  1. By Anonymous Coward () on

    anyone cares to explain what these off-by-one errors are about?
    ( i'm not a native english speaker nor a coder )

    Comments
    1. By Masa () on

      For a non-programmer:

      It means that the program has allocated an array with n elements and tries to reach information beyond the array (i.e. the (n+1)th element).

      For example:

      there is a list of numbers: [10, 25, 42].

      The array contains three elements. Elements are indexed by 0, 1 and 2 (so the first element, having value 10, is pointed to with index 0, the second with index 1 and so on). The program however tries to reach elements by using indexes 1, 2 and 3. The third index is pointing beyond the list (because with zero-based indexing, index 3 would point to the fourth element, and the fourth element is non-existent and would cause a malfunction in the program).

      So that is off-by-one.

      Comments
      1. By Anonymous Coward () on

        but how do you exploit that to leverage additional privileges?

        Comments
        1. By Anonymous Coward () on

          buffer overflows basically allow an attacker to modify parts of a program's memory contents with whatever data the attacker chooses. the actual data that is written will depend upon the layout of the memory in question and what the attacker is trying to accomplish. please remember, also, that just because a program has a buffer overflow, it may not be exploitable.

          a typical scenario is that the return address of a calling routine (which is stored on the program's memory stack) is overwritten with an address of the attacker's choosing. when the current sub-routine exits, it will jump back to whatever memory location the attacker chose instead of the actual location of the routine that called it. it may even be possible for the attacker to upload their own machine instructions (i.e. shellcode) and have the program execute those.

          the result of this is some form of access to the system (e.g. a shell) with the same privileges as whatever program was exploited. this, of course, is not a good thing and is why it has been said time and again that daemons that run unprotected should drop their root privileges as soon as possible to minimize what an attacker could do on a system, should he gain access through a bug in the daemon.

    2. By Anonymous Coward () on

      With 3.1 I can no longer su or su - to root and run X11-forwarded applications? Is there any way to do this securely now? I'm not going to allow remote root logins via SSH as I like having the extra level of security by requiring an existing non-root account. This used to work perfectly before.

      Comments
      1. By Anonymous Coward () on

        Nevermind, got it.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]