OpenBSD Journal

[OpenSSH] OpenSSH 3.3 Released

Contributed by Dengue on from the openssh.com dept.

OpenSSH 3.3 has been released. Major changes in this release include Privilege Separation enabled by default, and sshd is no longer setuid root.

From: Markus Friedl

To: openssh-unix-dev@mindrot.org
Subject: OpenSSH 3.3 released
Date: Fri, 21 Jun 2002 21:50:58 +0200

OpenSSH 3.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.


Changes since OpenSSH 3.2.3:
============================ 

Security Changes:
=================

- improved support for privilege separation:

        privilege separation is now enabled by default

  See UsePrivilegeSeparation in sshd_config(5)
  and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more
  information.
- ssh no longer needs to be installed setuid root for protocol
  version 2 hostbased authentication, see ssh-keysign(8).
  protocol version 1 rhosts-rsa authentication still requires privileges
  and is not recommended.

Other Changes:
==============

- documentation for the client and server configuration options have
  been moved to ssh_config(5) and sshd_config(5).
- the server now supports the Compression option, see sshd_config(5).
- the client options RhostsRSAAuthentication and RhostsAuthentication now
  default to no, see ssh_config(5).
- the client options FallBackToRsh and UseRsh are deprecated.
- ssh-agent now supports locking and timeouts for keys, see ssh-add(1).
- ssh-agent can now bind to unix-domain sockets given on the command line,
  see ssh-agent(1).
- fixes problems with valid RSA signatures from putty clients.

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.
_______________________________________________
openssh-unix-dev@mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

(Comments are closed)


Comments
  1. By Cabal () on

    It's actually that ssh is no longer installed suid root.

  2. By jose nazaario () jose@monkey.org on http://monkey.org/~jose/

    upgrade asap, folks, or at least use privsep: http://lists.debian.org/debian-security-announce/debian-security-announce-2002/msg00045.html
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-134-1                   security@debian.org
    http://www.debian.org/security/                         Wichert Akkerman
    June 24, 2002
    - ------------------------------------------------------------------------
    
    
    Package        : ssh
    Problem type   : remote exploit
    Debian-specific: no
    
    Theo de Raadt announced that the OpenBSD team is working with ISS
    on a remote exploit for OpenSSH (a free implementation of the
    Secure SHell protocol). They are refusing to provide any details on
    the vulnerability but instead are advising everyone to upgrade to
    the latest release, version 3.3.
    
    This version was released 3 days ago and introduced a new feature
    to reduce the effect of exploits in the network handling code
    called privilege separation.  Unfortunately this release has a few
    known problems: compression does not work on all operating systems
    since the code relies on specific mmap features, and the PAM
    support has not been completed. There may be other problems as
    well.
    
    The new privilege separation support from Niels Provos changes ssh
    to use a separate non-privileged process to handle most of the
    work. This means any vulnerability in this part of OpenSSH can
    never lead to a root compromise but only to access to a separate
    account restricted to a chroot.
    
    Theo made it very clear this new version does not fix the
    vulnerability, instead by using the new privilege separation code
    it merely reduces the risk since the attacker can only gain access
    to a special account restricted in a chroot.
    
    [snipped debian stuff]
    
    upgrade asap... note, no fix yet, and maybe the 5 years thing is now over with ...

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]