OpenBSD Journal

OpenSSH 3.8 release

Contributed by jose on from the more-cyprto-stuff dept.

Ben Lindstrom writes: "OpenSSH team has released 3.8. A copy of the announcement can be found here The software is always at your favorate mirrors (or should soon be). Enjoy! "

The official announcement mail follows.

Date: Tue, 24 Feb 2004 17:29:34 +0100
From: Markus Friedl

Subject: OpenSSH 3.8 released

OpenSSH 3.8 has just been released. It will be available from the mirrors listed at

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support to the project, especially those who contributed source and
bought T-shirts or posters.

We have a new design of T-shirt available, more info on

For international orders use
and for European orders, use

Changes since OpenSSH 3.7.1:

* sshd(8) now supports forced changes of expired passwords via
  /usr/bin/passwd or keyboard-interactive authentication.

  Note for AIX: sshd will now deny password access to accounts with
  passwords expired longer than their maxexpired attribute.  For
  details, see the AIX section in README.platform.

* ssh(1) now uses untrusted cookies for X11-Forwarding.
  Some X11 applications might need full access to the X11 server,
  see ForwardX11Trusted in ssh(1) and xauth(1) for more information.

* ssh(1) now supports sending application layer
  keep-alive messages to the server.  See ServerAliveInterval
  in ssh(1) for more information.

* Improved sftp(1) batch file support.

* New KerberosGetAFSToken option for sshd(8).

* Updated /etc/moduli file and improved performance for
  protocol version 2.

* Support for host keys in DNS (draft-ietf-secsh-dns-xx.txt).
  Please see README.dns in the source distribution for details.

* Fix a number of memory leaks.

* The experimental "gssapi" support has been replaced with
  the "gssapi-with-mic" to fix possible MITM attacks.
  The two versions are not compatible.


- MD5 (openssh-3.8.tgz) = 7d5590a333d8f8aa1fa6f19e24938700
- MD5 (openssh-3.8p1.tar.gz) = 7861a4c0841ab69a6eec5c747daff6fb

Reporting Bugs:

- please read

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.

(Comments are closed)

  1. By Anthony () on

    Now I don't have to edit version.h to keep script kiddies from thinking I'm an unpatched Linux box.

    1. By Ray () on

      Why did you have to do that in the first place?

      1. By Anthony () on

        I was getting connection attempts every few minutes attempting, I believe, to exploit bugs in non-OpenBSD 3.7.1 versions of OpenSSH. They were eating non-trivial amounts of bandwidth and they appear to give up now instead of dumping hundreds of k's of stuff on me.

    2. By djm () on

      The version.h banner is used to determine backwards/bug compatibility options. Adjusting it will break stuff.

      If the exploits don't work, then what do you care?

      BTW, why did you need to adjust it anyway? 3.7.1p2 has no known problems.

      1. By Anthony () on

        I'm running OpenBSD, so there is no official 3.7.1p2 for me, as there are no known problems in 3.7.1 on OpenBSD.

    3. By Anonymous Coward () on

      Just change the port sshd is listening to to a different port number.

      1. By marklar () on

        Yeah, goodonya-yagoose ever heard of nmap or nessus? Just how long do you think it would take someone to find an SSHD on a port other than 22?

        1. By Anonymous Coward () on


          1. By Anonymous Coward () on

            Only if you're using ancient hardware. I can do it in 3.057s !!! ;)

        2. By Anonymous Coward () on

          > Just how long do you think it would take someone to find an SSHD on a port other than 22?

          Quite a while. I've not seen any knocking on the port I use for sshd.

          1. By Anonymous Coward () on

            Sshd is still vulnerable even after it is started after port knocking authentication. What's to stop someone from port scanning the SSH port then? How would you hide SSH from a telnet connection?

            1. By Anonymous Coward () on

              OpenBSD or OpenSSH does portknock stock?? portknocking as in If so, please fill me in.

              1. By Anthony () on

                I think you could do a little state machine with the tables.

        3. By gizz () on

          You miss the point ..
          Kiddies are attacking his box _because_ port 22 is open, they are not going to scan his machine to find other open ports .. and even nmap uses some time to scan the whole range of tcp ports over a normal connection, you dont wanna be too agressive, that can seem suspicious.

    4. By Alejandro Belluscio () on

      Please read this thread on pf (at) about port knocking.

  2. By Anonymous Coward () on

    Why must the X11-forwarding configuration change with every release? It's quite a pain to have to figure out why my applications are no longer forwarding EVERY time I upgrade. Back to 3.7.1 for now, I guess.

    1. By Anonymous Coward () on

      After further testing, it looks like everything works like it should with the same config as long as everyone is using 3.8p1. Fair enough.

    2. By djm () on

      X forwarding doesn't change "every release". It *has* changed in this release, and the change is clerly documented in the release notes.

      1. By Anonymous Coward () on

        a.) I wouldn't describe that note as being clearly documented, and more importantly, b.) look at the past releases, it has changed _regularly_ and has changed default behavior MANY times.

        1. By djm () on

          Not clearly documented? Bullshit - it is the 2nd item in the release notes.

          When has it changed? The default (since 1.x) has been to default X11Forwarding to off at both client and server. This has not changed in several years.

    3. By clvrmnky () on

      Don't use "Ugh". Use "diff".

      Seriously, don't you move your existing *_config out of the way, first? I never overwrite any of my precious, precious config files in /etc.

      Truth be told, I have most of my /etc files under RCS. I just made sure to lock these two files before overwriting them, and then did a quick rcsdiff and edit before checking it in again.

      Using RCS to manage config files is a good habit to get into

  3. By someone () on

    I'm still forced to use 2.6.1p2 on Linux, because my users have too much problems with 3.7 and 3.8: We have had very little luck in getting SSH1 working with any other client than openssh, and ssh2 only works for some clients (putty works, winscp works with quirks, and an "SSH gateway" at a certain company doesn't work at all and the users depending on that have no chance of getting THAT part of the problem fixed.)

    1. By Leon Yendor () on

      Well the non-portable (OBSD) version works fine at 3.7.1 with PuTTY and WinSCP (without quirks - like what?) so maybe the distro makers need to do some work on their own behalf.

      As an IBM Linux instructor I am amazed by the sloppy versioning of some distros where they do their own patches, when bugs are known and patches issued, and don't rev the version numbers to match the OSSH tree.

      The patches don't always match the OSSH ones either because there are some smartarses who always know better. Hhmpf! I bring my Linux versions up to date from the source, thankyou. I don't seem to have too much trouble with that method.

      OTOH all the remote systems I maintain are accessed via OpenBSD firewalls so I can ssh into the FW and hop to any Linux boxes from there without a direct exposure to the 'net for them.

      I am happier with that than worrying about just how well their sshd is working.

    2. By djm () on

      What clients are you having problems with? I use OpenSSH sshd w/ PuTTY, WinSCP frequently, and the OpenSSH ssh against Cisco and NetScreen all the time and have never had any trouble.

      Some older version of PuTTY had issues against sshd, but nothing recently. 2.6.1 is very old.

      1. By someone () on

        Well the added trouble might be that we have LDAP authentication with PAM but I am not really sure anymore what is causing all the trouble. Only thing I know for sure is that if I compile 2.7.1p (or 2.8) from source, is that some people are going to complain their weird clients (the nameless SSH gateway at the nameless company) won't work anymore. I am quite sure this is about bug compability instead of compability, but anyway, the situation remains that we have to keep on using 2.6.x.

        1. By strgout () on

          sshd -d
          If that doesn't help maybe try
          disabling privsep (just to test)

          btw you did make sure pam support was enabled when you compiled from src right?

          1. By someone () on

            Yes, it was configured with PAM support and I tried disabling privsep.
            Oh well, I'll try again sometime in near future, I am very well aware how outdated 2.6.1 is.

    3. By maniac () on

      are you using PAM_LDAP ? we have same problem, but only when using pam_ldap..

  4. By Anonymous Coward () on

    How come ssh was updated to 3.8 in 3.4-stable? Unless there's some security problem, it doesn't seem right for a version change to take effect in a -stable release. Is this a mistake?

    1. By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com

      From stable.html... "As an exception to the above rules, OpenSSH release versions will be merged into the patch branch.". This means whether there are security issues or not.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]