OpenBSD Journal

OpenSSH 3.6.1 released

Contributed by jose on from the oops,-that-bug-DID-matter dept.

OpenSSH 3.6.1 writes:
"1 april joke? Hmm. Anyways, it's released! Check changelog for fixes

http://www.openssh.com "

There's one change between 3.6.0 and 3.6.1, according to the announcement from Markus:
The 'kex guesses' bugfix from OpenSSH 3.6 triggers a bug in a few other SSH v2 implementations and causes connections to stall. OpenSSH 3.6.1 disables this bugfix when interoperating with these implementations.
Looks like a wider release exposed this interoperability issue and let it be isolated; it is now handled correctly in OpenSSH 3.6.1. For non-BSD users, 3.6.1p1 is up as well.
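How a per-peer workaround like this can be keyed off the SSH identification string, as an added example that is not OpenSSH's code and does not reproduce its compatibility table. The "numeric version below 3.0.0" rule is an assumption taken from markus's comment further down the page ("ssh.com <3.0.0"), and the sample banners are constructed.

```python
import re

# Identification line per the SSH transport protocol:
#   SSH-<protoversion>-<softwareversion>[ <comments>]
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

# Assumption for this example: a software version that starts with digits
# (e.g. "2.4.0") is treated as an ssh.com release, and anything below 3.0.0
# gets the workaround. OpenSSH's real compatibility table is not reproduced.
WORKAROUND_BELOW = (3, 0, 0)

def parse_banner(line):
    """Return (protoversion, softwareversion, comments) or None if malformed."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3) or ""

def numeric_version(software):
    """Return the leading dotted numeric version as a 3-tuple, else None."""
    m = re.match(r"^(\d+(?:\.\d+)*)", software)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def needs_kex_workaround(line):
    """True when the peer banner matches the assumed 'ssh.com < 3.0.0' rule."""
    parsed = parse_banner(line)
    if parsed is None:
        return False
    proto, software, _ = parsed
    if proto not in ("2.0", "1.99"):      # only SSH v2-capable peers
        return False
    version = numeric_version(software)
    return version is not None and version < WORKAROUND_BELOW

# Constructed sample banners, not captured from real hosts.
SAMPLES = [
    "SSH-2.0-2.4.0 SSH Secure Shell (non-commercial)\r\n",
    "SSH-1.99-2.0.13 (non-commercial)\r\n",
    "SSH-2.0-3.2.0 SSH Secure Shell\r\n",
    "SSH-2.0-OpenSSH_3.6.1\r\n",
    "SSH-1.5-1.2.27\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner.strip():50} workaround={needs_kex_workaround(banner)}")
```

The banner is self-reported by the peer, so a match like this is suitable for selecting interoperability quirks, not for any trust decision.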



Comments
  1. By Anonymous Coward () on

    So I assume OpenBSD 3.3 CD's will require this patch, unless they haven't been burned yet?

  2. By RC () on

    ssh-agent(1) optionally requires user confirmation if a key gets used

    If that is what it sounds like, I'm extremely excited about it! Perhaps the one problem with the agent is the problem that the admin of a system you've connected to (using the ssh-agent) could potentially use the open ssh-agent socket to authenticate a connection to another machine you have access to (scary), or that the admin could possibly use the open socket to break into your own machine (not very likely).

    If this is in fact what it sounds like, it could mean the end of password authentication for the most part. No more need to use passwords, or disable agent forwarding on an untrusted system...

    Comments
    1. By djm () on

      Yes. After you add a key with the "ssh-add -c" option, ssh-agent will pop up a SSH_ASKPASS dialog to confirm the use of the key.

      Comments
      1. By RC () on

        Sweet.

  3. By coward () on mailto:sorry at susan.com

    just wanted to point out that OpenSSH's official homepage is at http://www.openssh.com, not http://www.openssh.org

    Comments
    1. By Michael Anuzis () on

      from the looks of it they point to the exact same IP. who cares if one is "official" if it's the exact same thing?

      $ nslookup www.openssh.org
      Server: try11-dns1.try.wideopenwest.com
      Address: 64.233.217.2

      Non-authoritative answer:
      Name: www.openssh.org
      Address: 129.128.5.196

      $ nslookup www.openssh.com
      Server: try11-dns1.try.wideopenwest.com
      Address: 64.233.217.2

      Non-authoritative answer:
      Name: www.openssh.com
      Address: 129.128.5.196

      Comments
      1. By me_again () on

        The guy who owns openssh.org isn't from the openssh team (check out the whois info), and he could, for example, point that domain somewhere else anytime he wants to, and copy the website, except for using links to a trojaned version, and no, I don't care what you use, but those that want to use the official site should be able to do so.

      2. By Anonymous Coward () on

        > who cares if one is "official" if it's the exact same thing?

        Well, I DO care!

        The openssh.org domain is registered to a Dutch guy named Alex DeJoode. Right now it points to the openssh.com server, but he may change that any time he likes. Who guarantees it won't point to some fake openssh.com server one day? Exactly, nobody! I for one, will continue not to trust the openssh.org domain unless it gets handed over to the project.

        It's a matter of trust, dead simple.

      3. By Anonymous Coward () on

        domain servers for OPENSSH.COM:
        Domain servers in listed order:
        ZEUS.THEOS.COM 199.185.137.1
        CS.COLORADO.EDU
        CVS.OPENBSD.ORG

        domain servers for OPENSSH.ORG
        Name Server:DNS0.ZEDZ.NET
        Name Server:DNS1.ZEDZ.NET
        Name Server:DNS2.ZEDZ.NET

        all the official openbsd domains use pretty much the same set of dns servers.
        ........................

        .org isn't official :P

        the .org was used at one point (and could still possibly be) to datamine


      4. By Anonymous Coward () on


        Hoping to not start a flame war or anything:
        Some history for the newbies, once upon a time when openssh was very new, Alex Dejoode registered the domain openssh.org, and it remains to be seen if he is hoping to profit from it one day. Theo asked him to transfer it, Alex didn't and there was plenty of bad blood going around. Even made slashdot. At some point slashdot was going to publish a recap of the story (which I think never happened).

        Eventually Alex did play ball with the openssh.org domain and pointed it to the official openssh web site, to everyone's benefit. You still see posts on misc@ from Alex every while, and you can make your own judgement on what they mean.

        For me, it is not a big issue, since I almost always take the link from www.openbsd.org that points to the openssh page.

        I have not checked, but I bet the OpenSSH web pages are copyrighted, which means a lawsuit if you try to spoof them on your website. As if Theo had any interest in lawyers.....

        nothing of interest here, move along, or keep coding.

    2. By grey () on

      I sometimes forget that people haven't been reading deadly (or even using OpenBSD) that long. You folks who are interested should also check out, it helps to know your history so that mistakes don't get repeated. Maybe newer people were wondering why secsh domains were registered immediately by OpenBSD folks when ssh.com started being lame-brained. Here's some history:

      http://www.deadly.org/article.php3?sid=20000308154503 (the link this story points to is now gone :( )

      http://www.deadly.org/article.php3?sid=20000306151402

      http://www.deadly.org/article.php3?sid=20000306030924

      http://www.deadly.org/article.php3?sid=20000306023532

      Archive.org clarifications of the old debate (you can also see the old site). :)

      http://web.archive.org/web/20000817222425/www.openssh.org/org-vs-com/

      Comments
      1. By Anonymous Coward () on

        Look at the old Alex interview in the archive link.

        'Why didn't you give away openssh.org to openbsd ? '

        "Actually I tried. I mailed Theo de Raadt and told him I was willing to give control of the opensh.org to them provided they added links to other open/free ssh projects on 'their openssh.org' page."

        Now look at the openssh.com site - look, links not only to other projects, but even openssh-portable (duh). The only other thing he mentioned would be that it would be -nice- to have a public apology from Theo.

        Looks to me as though Alex has ulterior motives, or at the least his actions contradict his own claims for how an openssh.org domain ownership transferral would be handled.

  4. By Anonymous Coward () on

    Released one day and bug found the next day.
    What is the next thing to happen?
    Will the same thing happen for OpenBSD?

    More testing is needed!

    Comments
    1. By Sam () on


      So how come you missed the bug while testing?

      Comments
      1. By Anonymous Coward () on

        This is what I love about you guys. Because not everyone who uses the software is a developer, being free makes it okay to suck!

        Comments
        1. By Anonymous Coward () on

          Yes, just look at Linux.

    2. By Anonymous Coward () on

      nice.

      but the bug was not in openssh, but
      in some other implementations.

      openssh 3.6.1 detects these implementations
      and adds a workaround.

      Comments
      1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

        OpenSSH-portable works on a lot of architectures.

        So why use another implementation anyway?

        Comments
        1. By markus () on

          that's why the problem was not discovered earlier. but people still use ssh.com <3.0.0

    3. By W () on

      Say that to yourself. If you didn't find the mistake, don't whine about others not finding it.

      Comments
      1. By Anonymous Coward () on

        I love the hypocrisy of open source. It cracks me up so much.

        Comments
        1. By W () on

          Is this the point where I say, 'bla bla bla'?

          Comments
          1. By bob () on

            Yes.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]