OpenBSD Journal

OpenSSH 3.6.1 released

Contributed by jose on from the oops,-that-bug-DID-matter dept.

OpenSSH 3.6.1 writes:
"1 April joke? Hmm. Anyways, it's released! Check changelog for fixes"

There's one change between 3.6.0 and 3.6.1, according to the announcement from Markus:
The 'kex guesses' bugfix from OpenSSH 3.6 triggers a bug in a few other SSH v2 implementations and causes connections to stall. OpenSSH 3.6.1 disables this bugfix when interoperating with these implementations.
Looks like the wider release brought this interoperability issue to light; it has been isolated and is now handled correctly in OpenSSH 3.6.1. For non-BSD users, 3.6.1p1 is up as well.
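
The workaround described in the announcement, sketched as an added example (not OpenSSH's own code): the peer's identification string is matched against a pattern table, and a quirk flag switches the stricter behaviour off for matching peers. The pattern entries, flag name and function names are hypothetical, and the sketch assumes the 'kex guesses' bugfix is the rule that a wrongly guessed first key-exchange packet is ignored.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical quirk flag: peer stalls if its wrong guess is discarded. */
#define QUIRK_NO_GUESS_DISCARD 0x01

/* Constructed pattern table; these are not OpenSSH's real entries. */
static const struct { const char *pat; int quirks; } quirk_table[] = {
    { "ExampleSSH_1.*",  QUIRK_NO_GUESS_DISCARD },
    { "ExampleSSH_2.0*", QUIRK_NO_GUESS_DISCARD },
};

/* Take the software version out of "SSH-<proto>-<software>[ comments]" and
 * return its quirk flags; 0 if none apply, -1 if the banner is malformed. */
int peer_quirks(const char *banner)
{
    char sw[128];
    const char *p;
    size_t n, i;

    if (strncmp(banner, "SSH-", 4) != 0)
        return -1;
    if ((p = strchr(banner + 4, '-')) == NULL)
        return -1;
    p++;                              /* start of software version */
    n = strcspn(p, " \r\n");          /* stop at comments or line end */
    if (n == 0 || n >= sizeof(sw))
        return -1;
    memcpy(sw, p, n);
    sw[n] = '\0';
    for (i = 0; i < sizeof(quirk_table) / sizeof(quirk_table[0]); i++)
        if (fnmatch(quirk_table[i].pat, sw, 0) == 0)
            return quirk_table[i].quirks;
    return 0;
}

/* Assumed rule: when the peer announced a guessed packet (follows) and the
 * guess was wrong (!guess_ok), drop that packet unless the quirk is set. */
int discard_guessed_packet(int quirks, int follows, int guess_ok)
{
    if (!follows || guess_ok)
        return 0;
    return (quirks & QUIRK_NO_GUESS_DISCARD) ? 0 : 1;
}

int main(void)
{
    int q = peer_quirks("SSH-2.0-ExampleSSH_1.4 constructed\r\n");
    printf("quirks=%d discard=%d\n", q, discard_guessed_packet(q, 1, 0));
    return 0;
}
```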

(Comments are closed)

  1. By Anonymous Coward () on

    So I assume OpenBSD 3.3 CD's will require this patch, unless they haven't been burned yet?

  2. By RC () on

    ssh-agent(1) optionally requires user confirmation if a key gets used

    If that is what it sounds like, I'm extremely excited about it! Perhaps the one problem with the agent is the problem that the admin of a system you've connected to (using the ssh-agent) could potentially use the open ssh-agent socket to authenticate a connection to another machine you have access to (scary), or that the admin could possibly use the open socket to break into your own machine (not very likely).

    If this is in fact what it sounds like, it could mean the end of password authentication for the most part. No more need to use passwords, or disable agent forwarding on an untrusted system...

    1. By djm () on

      Yes. After you add a key with the "ssh-add -c" option, ssh-agent will pop up an SSH_ASKPASS dialog to confirm the use of the key.

      1. By RC () on


  3. By coward () on mailto:sorry at

    just wanted to point out that OpenSSH's official homepage is at, not

    1. By Michael Anuzis () on

      from the looks of it they point to the exact same IP. who cares if one is "official" if it's the exact same thing?

      $ nslookup

      Non-authoritative answer:

      $ nslookup

      Non-authoritative answer:

      1. By me_again () on

        The guy who owns isn't from the openssh team (check out the whois info), and he could, for example, point that domain somewhere else anytime he wants to, and copy the website, except for using links to a trojaned version, and no, I don't care what you use, but those that want to use the official site should be able to do so.

      2. By Anonymous Coward () on

        > who cares if one is "official" if it's the exact same thing?

        Well, I DO care!

        The domain is registered to a Dutch guy named Alex DeJoode. Right now it points to the server, but he may change that any time he likes. Who guarantees it won't point to some fake server one day? Exactly, nobody! I for one, will continue not to trust the domain unless it gets handed over to the project.

        It's a matter of trust, dead simple.

      3. By Anonymous Coward () on

        domain servers for OPENSSH.COM:
        Domain servers in listed order:

        domain servers for OPENSSH.ORG
        Name Server:DNS0.ZEDZ.NET
        Name Server:DNS1.ZEDZ.NET
        Name Server:DNS2.ZEDZ.NET

        all the official openbsd domains use pretty much the same set of dns servers.

        .org isn't official :P

        the .org was used at one point (and could still possibly be) to datamine

      4. By Anonymous Coward () on

        Hoping to not start a flame war or anything:
        Some history for the newbies, once upon a time when openssh was very new, Alex Dejoode registered the domain, and it remains to be seen if he is hoping to profit from it one day. Theo asked him to transfer it, Alex didn't and there was plenty of bad blood going around. Even made slashdot. At some point slashdot was going to publish a recap of the story (which I think never happened).

        Eventually Alex did play ball with the domain and pointed it to the official openssh web site, to everyone's benefit. You still see posts on misc@ from Alex every while, and you can make your own judgement on what they mean.

        For me, it is not a big issue, since I almost always take the link from that points to the openssh page.

        I have not checked, but I bet the OpenSSH web pages are copyrighted, which means a lawsuit if you try to spoof them on your website. As if Theo had any interest in lawyers.....

        nothing of interest here, move along, or keep coding.

    2. By grey () on

      I sometimes forget that people haven't been reading deadly (or even using OpenBSD) that long. You folks who are interested should also check out, it helps to know your history so that mistakes don't get repeated. Maybe newer people were wondering why secsh domains were registered immediately by OpenBSD folks when started being lame-brained. Here's some history: (the link this story points to is now gone :( ) clarifications of the old debate (you can also see the old site). :)

      1. By Anonymous Coward () on

        Look at the old Alex interview in the archive link.

        'Why didn't you give away to openbsd ? '

        "Actually I tried. I mailed Theo de Raadt and told him I was willing to give control of the to them provided they added links to other open/free ssh projects on 'their' page."

        Now look at the site - look, links not only to other projects, but even openssh-portable (duh). The only other thing he mentioned would be that it would be -nice- to have a public apology from Theo.

        Looks to me as though Alex has ulterior motives, or at the least his actions contradict his own claims for how a domain ownership transferral would be handled.

  4. By Anonymous Coward () on

    Released one day and bug found the next day.
    What is the next thing to happen?
    Will the same thing happen for OpenBSD?

    More testing is needed!

    1. By Sam () on

      So how come you missed the bug while testing?

      1. By Anonymous Coward () on

        This is what I love about you guys. Because not everyone who uses the software is a developer, being free makes it okay to suck!

        1. By Anonymous Coward () on

          Yes, just look at Linux.

    2. By Anonymous Coward () on


      but the bug was not in openssh, but
      in some other implementations.

      openssh 3.6.1 detects these implementations
      and adds a workaround.

      1. By Jedi/Sector One () on

        OpenSSH-portable works on a lot of architectures.

        So why use another implementation anyway?

        1. By markus () on

          that's why the problem was not discovered earlier. but people still use <3.0.0

    3. By W () on

      Say that to yourself. If you didn't find the mistake, don't whine about others not finding it.

      1. By Anonymous Coward () on

        I love the hypocrisy of open source. It cracks me up so much.

        1. By W () on

          Is this the point where I say, 'bla bla bla'?

          1. By bob () on



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]