OpenSSH 3.5

Contributed by jose on 2002-10-16 from the OpenSSH-3.5 dept.

"OpenSSH 3.5 should be available right now (also at the time of writing this both OpenBSD and portable version weren't available from FTP servers).
http://www.openssh.com "

I know a bunch of changes went into this one, and I think it's also been cut into -stable. However, give it a whirl.
UPDATE : Fixed the link, thanks Jolan, Sam.

(Comments are closed)

Comments

By Anonymous Coward () on 2002-10-16 13:40

Is it in -current already?
Comments
1. By jolan () on 2002-10-16 13:43
  
  Yes, see for yourself:
  
  http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/version.h
2. By Anonymous Coward () on 2002-10-16 19:51
  
  It is even in -stable.
By Shane () on 2002-10-16 13:48

I get this error when I do a make install:

install: unknown group _sshagnt
*** Error code 67

Stop in /usr/src/usr.bin/ssh/ssh-agent (line 134 of /usr/share/mk/bsd.prog.mk).
*** Error code 1

Stop in /usr/src/usr.bin/ssh.

I followed the directions at http://www.openssh.org/openbsd.html. I just took a look at the patch at ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd31_3.5.patch and noticed this:

-BINGRP= _sshagnt
+#BINGRP= _sshagnt

Are the installation instructions missing the part about _sshagnt?
Comments
1. By Shane () on 2002-10-16 13:54
  
  I just looked at the Upgrading Mini-FAQ for 3.1. It lists _sshagnt:*:34: as one of the groups that needs to be added. So, I guess that answers my question.
2. By Anonymous Coward () on 2002-10-16 10:18
  
  http://www.openssh.com/openbsd.html
3. By Anonymous Coward () on 2002-10-16 15:57
  
  Yes, I experienced the same problem. I had a v3.1-stable OS installation, and had upgraded to OpenSSH v3.4 when that was released. At that point, I added the sshd user and group as per the installation instructions--it was not necessary (at least for me) to add the _sshagnt group at that point. Now at least for my installation it appears necessary to add this _sshagnt group as Shaneon has pointed out.
4. By thugwar () on 2002-10-16 16:20
  
  don't you guys realize there's openbsd31_3.5.patch ?
  Comments
  1. By Shane () on 2002-10-16 18:36
    
    Yes, I do realize that. "If you cannot add the new user and group, you also need the following patch." The user and group that sentence refers to are both sshd. _sshagnt isn't mentioned in the instructions. The patch will fix the install problem (I assume, haven't tried) by changing the BINGRP for ssh-agent. I can add the user and group, I just didn't know I had to because it wasn't specified.
By Anonymous Coward () on 2002-10-16 02:09

So what's new in 3.5? Can't find any release notes anywhere.
By James () quel@quel.linux-dude.com on 2002-10-16 02:11 http://quel.linux-dude.com

If you read the change logs you will notice globbing support for ftp was added. While this is a rather useful and a feature I think should have been added long ago, it creates issues. Anyone notice all the globbing ftp servers w/ exploits wuftp,etc. ? I think i'll wait for them to audit it before i upgrade as it's a features not a security upgrade. What does everyone think about the security related to any possible globbing bugs in the new openssh?
Comments
1. By RainBrain () rainbrain@antisocial.com on 2002-10-16 02:48 mailto:rainbrain@antisocial.com
  
  You're going to wait for the OpenBSD team...to audit code they wrote in the first place?
  
  Seems kind of an odd objection.
  Comments
  1. By He who cannnot be bother to get an account () on 2002-10-17 17:56
    
    It's all about having "many eyes" look at the code. Whomever wrote the code should not necessarily immediatedly audit it. I assume that they can mostly trust the code they add, but will add it to their "audit" list for eventual peer-review.
2. By Anonymous Coward () on 2002-10-16 05:08
  
  All of the globbing code is executed as the user, not root. Since there is no anonymous or even chrooted sftp support, this is a non issue.
  Comments
  1. By Anonymous Coward () on 2002-10-16 12:36
    
    Why isn't there anonymous/chrooted sftp support? Both sound like handy features to me.
    
    Comments
    
    By Anonymous Coward () on 2002-10-16 14:21
    
    oximoron - anonymous sftp
    
    Comments
    
    By Anonymous Coward () on 2002-10-16 19:06
    
    Not really. Sure you downloaded base31.tgz from ftp.openbsd.org and not so-4-0-0.mp2.crackedrouter.net ?
    How? :)
    
    Comments
    
    By Anonymous Coward () on 2002-10-17 10:08
    
    http://www.google.nl/search?q=anonymous+sftp&ie=UTF-8&oe=UTF-8&hl=nl&btnG=Google+zoeken&lr=
    
    By Anonymous Coward () on 2002-10-16 17:01
    
    Probably too hard and not enough demand. Such support would be very hard to impliment with all of the privsep/paranoid priv dropping that takes place now.
  2. By anoneimous coward () on 2002-10-16 15:24
    
    so why does the chroot syscall require root priviliges? i know binding to ports less than 1024 requires root because those ports used to be considered 'trusted', but why does chroot require super-user privs to execute?
    
    Comments
    
    By zil0g () on 2002-10-16 17:15
    
    BECAUSE - that was the way it was done :P
    I'm far from being an 'authoritay' on this, but if say user 'foo' chrooted itself and got exploited in the chroot, couldn't 'foo' just do a chroot("/"); ?
    
    that would be silly...
    
    Comments
    
    By Anonymous Coward () on 2002-10-16 19:30
    
    but if say user 'foo' chrooted itself and got exploited in the chroot, couldn't 'foo' just do a chroot("/")
    how about chroot() and then exec systrace program where the systrace rules disallow chroot()
    
    By Anonymous Coward () on 2002-10-17 18:12
    
    Yes, but chroot("/"); wouldn't do anything. /, for the chrooted process, means something else (like /var/empty or /var/named).
3. By djm () on 2002-10-17 01:36
  
  The globbing is done in the client using the standard libc glob() code. There is no risk to servers.
By jose () on 2002-10-16 02:24 http://www.monkey.org/~jose/
From: Markus Friedl
Subject: OpenSSH 3.5 released
Date: Tue, 15 Oct 2002 20:58:03 +0200
OpenSSH 3.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
We would like to thank the OpenSSH community for their continued support and encouragement.
Changes since OpenSSH 3.4:
============================
- Improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling).
- ssh(1) prints out all known host keys for a host if it receives an unknown host key of a different type.
- Fixed AES/Rijndael EVP integration for OpenSSL <0.9.7 (caused problems with bounds checking patches for gcc).
- ssh-keysign(8) is disabled by default and only enabled if the HostbasedAuthentication option is enabled in the global ssh_config(5) file.
- ssh-keysign(8) uses RSA blinding in order to avoid timing attacks against the RSA host key.
- A use-after-free bug was fixed in ssh-keysign(8). This bug broke hostbased authentication on several platforms.
- ssh-agent(1) is now installed setgid in order to avoid ptrace(2) attacks.
- ssh-agent(1) now restricts the access with getpeereid(2) (or equivalent, where available).
- sshd(8) no longer uses the ASN.1 parsing code from libcrypto when verifying RSA signatures.
- sshd(8) now sets the SSH_CONNECTION environment variable.
- Enhanced "ls" support for the sftp(1) client, including globbing and detailed listings.
- ssh(1) now always falls back to uncompressed sessions, if the server does not support compression.
- The default behavior of sshd(8) with regard to user settable environ variables has changed: the new option PermitUserEnvironment is disabled by default, see sshd_config(5).
- The default value for LoginGraceTime has been changed from 600 to 120 seconds, see sshd_config(5).
- Removed erroneous SO_LINGER handling.
Checksums:
==========
- MD5 (openssh-3.5p1.tar.gz) = 42bd78508d208b55843c84dd54dea848
- MD5 (openssh-3.5.tgz) = 79fc225dbe0fe71ebb6910f449101d23
Reporting Bugs:
===============
- please read [29]http://www.openssh.com/report.html and [30]http://bugzilla.mindrot.org/
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.
By Anonymous Coward () on 2002-10-16 15:31

Will this be included in obsd v3.2 ?
Comments
1. By Anonymous Coward () on 2002-10-16 16:36
  
  OpenBSD 3.2 Release
  OpenSSH (supporting both the SSH1 and SSH2 protocols) is now at version 3.5. Privilege separation is now enabled by default for greater robustness.
  Comments
  1. By Anonymous Coward () on 2002-10-16 18:09
    
    So everyone saying that the code freeze means the snapshot will be the same as the release aren't completely accurate up to this point. Of course snapshots from here on out aren't going to be quite the same as release either since other things have changed since the freeze.
    
    Comments
    
    By Ben "Mouring" Lindstrom () mouring@eviladmin.org on 2002-10-16 18:56 mailto:mouring@eviladmin.org
    
    OpenSSH in the OpenBSD tree was locked and tagged pretty much at the same time as OpenBSD 3.2. We were delaying to allow testing other platforms.
    
    - Ben
    
    By Indigo () diaboliko@operamail.com on 2002-10-17 08:30 mailto:diaboliko@operamail.com
    
    Is there a place where I can see these "intermediate" changes? The "daily changelog" stops at the patch branch release...
    
    Comments
    
    By Anonymous Coward () on 2002-10-17 12:00
    
    the cvs commit list source-changes@ iirc

Latest Articles

Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (12)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (2)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)
Fri, Mar 08
- 06:46 OpenBGPD 8.4 released (0)
Mon, Mar 04
- 06:32 rpki-client 9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]