OpenBSD Journal

[OpenSSH] OpenSSH 3.2.2 released

Contributed by Dengue on from the openssh dept.

OpenSSH 3.2.2 has just been released please use the mirrors listed at . OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

The release announcement follows

Subject: OpenSSH 3.2.2 released
   Date: Fri, 17 May 2002 00:35:38 +0200
   From: Markus Friedl


OpenSSH 3.2.2 has just been released. It will be available from the
mirrors listed at

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Changes:

- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation,
  see UsePrivilegeSeparation in sshd(8) and

  for more information.
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger

Other Changes:

- improved smartcard support (including support for OpenSC, see
- improved Kerberos support (including support for MIT-Kerberos V)
- fixed stderr handling in protocol v2
- client reports failure if -R style TCP forwarding fails in protocol v2
- support configuration of TCP forwarding during interactive sessions (~C)
- improved support for older sftp servers
- improved support for importing old DSA keys (from software).
- client side suport for PASSWD_CHANGEREQ in protocol v2
- fixed waitpid race conditions
- record correct lastlogin time

Reporting Bugs:

- please read

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

(Comments are closed)

  1. By Anonymous Coward () on

    will this be merged into 3.1-STABLE?

    1. By mirabile () on

      Of course it will be merged into the last
      two releases, that are, 2.9 and 3.0
      3.1 isn't released yet, but it will be merged
      therein, too - and as soon as 3.1 is released,
      2.9 will be deprecated, i.e. the OpenSSH 3.2.2
      merge will be one of - if not The - last commits
      into 2.9

      1. By Brad () on

        It will be merged into 2.9, 3.0 and 3.1. Just because 3.1 hasn't been released on the FTP site doesn't mean work isn't being done on the 3.1-stable branch.

  2. By Niall O'Higgins () on

    I think this is really cool and should prevent many potential exploits. I hope other sub-port 1024 daemons learn from OpenSSH and start to employ this design.

    Great stuff, OpenSSH team!

    1. By Anonymous Coward () on

      OpenSSH was the last service I had running as root, in fact the rest I run stopped using it years ago. What's left?

  3. By RC () on

    OpenSSH has just about everything I could want in a secure communications package... All but one feature that is.

    I'm sick of NFS, ASF only works well in a Kerberos setting, and SFTP functionality is on just about every SSH server out there...

    So. Why not create a 'mount_sftp' ???
    Public-key encryption, with several algorythms. Built-in compression (although I've never understood why libbzip2 is left out in the cold), compatability with PGP, etc.. So if we could just mount ssh servers as local volumes, I'd be happy, and I think we'd finally be rid of NFS.

    1. By Sacha () on

      Wasn't sftp a hacked ftp client?
      Then mount_sftp would be consist out of hacking the existing mount_ftp tool..

      1. By Hmm () on

        mount_ftp tool? What? Where? Thank you! :-)

      2. By Hmm () on

        mount_ftp tool? What? Where? Thank you! :-)

    2. By mra () on

      There was work done to use SSH tunneling to encrypt NFS traffic. It was all on Linux, and required NFS to use TCP vs UDP, but it has been done, and probably could be ported without too much trouble. SysAdmin had a great article about it back in March.

      1. By RC () on

        It's easy to tunnel NFS traffic... However, I wish tunneling NFS was unnecessary. SFTP can transfer files, why require the use of NFS as well?

        1. By Anonymous Coward () on

          file locking, buffering and caching come to mind...

          1. By Sacha () on

            So some SNFS should be invented soon? Not hacked NFS versions.

            1. By RC () on

              Why not? I'm merely suggesting it not be some entirely new protocol. Why not just allow people to make servers using SFTP look like part of the local filesystem.

    3. By Chris () on

      Not sure if this is like what you are looking for:

  4. By Your Mama () on

    Let me start by saying that i know ssh is doing the right thing here and waiting for open file descriptors to be closed before it exits but this doesn't change the fact that it is still a major pain in the ass. The 1.2.27 (i think) never had this issue under Solaris and running openssh has been a major improvement except for this one amazingly annoying problem. I was hoping the openssh development team would come up with a command line option to ignore the open file descriptors (again i know it is doing what it supposed to do). Fixing all the software that i run that is "broke" is just not an option in my current situation. Does anyone have a workaround for this that works? I have tried the "shopt -s huponexit" in bash but that doesn't work and i can't redirect to /dev/null because the daemons/utilites that i am having trouble with require me to enter passwords/keys when they start up (Netscape Web server, sudo, etc.). Anybody have anything that will work for me?

    1. By Anonymous Coward () on

      ~. is always an option

  5. By Anonymous Coward () on

    -install openbsd 3.0 from cd
    -install openssh 3.2.2
    -apply openssh patch for 3.0
    -apply openBSD 3.0 patches except for those dealing
    with openssh ??
    From the source code it looks like openssh 3.2.2
    deprecates ALL prior patches relating to the openssh
    on the 3.0 CD.

    1. By Anonymous Coward () on

      yes, correct

      1. By Anonymous Coward () on

        I feel like I am getting a hint of a CS degree. As
        a windows refugee, let me say that after one year
        of working with openBSD I just have really learned
        to appreciate the structure of this OS.
        Windows*, os2-4, linux*, freebsd 4.2, OpenBSD 2.9.
        When I say windows refugee, I really mean 100% GUI
        centric, if its not intuitive stop wasting my time,
        kind of windows user.
        -- Only in the past 2 years have I been able to free
        myself from the windows universe. And it has not been
        an easy road to hoe. Definitely there have been
        some headbanging moments, but it has all been worth
        it. I have learned that if someone says an OS is
        intuitive that almost always means that a developer
        has put a layer of complexity between myself and
        the guts of the OS. Sometimes it is easier, but ofter
        times that layer of complexity hinders my progress
        once I know what I need to do and how I need to do it.
        Never again. I have the source code.
        I am king of my little universe.
        --oh yea, thanks for the confirmation. Sometimes I
        still need help connecting the dots.
        Thank you openbsd team!!!

        1. By Roo () on

          That warms the cockles of my black heart. I didn't think that people ever bothered to leave what was comfy and try something new...

          I think you are discovering the payoffs of "Occam's Razor"... Basically it amounts to Keep It Simple Stupid. Windows is too bloody complicated to work properly in the first place...

          The history of Computer Science is littered with the bloated corpses of "sophisticated" dinosaurs. :)



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]