Contributed by dwc on from the cryptic-conversations dept.
Damien Miller just announced the good news of a great new version of OpenSSH! This version has some really nice new features, like per-user authentication config. Read on for changes, new features, and more fun stuff...
OpenSSH 4.6 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots and purchased T-shirts or posters. T-shirt, poster and CD sales directly support the project. Pictures and more information can be found at: http://www.openbsd.org/tshirts.html and http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.5:
============================

* sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config.

* The following bugs have been fixed in this release:
 - Clear SIGALRM when restarting due to SIGHUP. Prevents stray signal from taking down sshd if a connection was pending at the time SIGHUP was received
 - sftp returned a zero exit status when upload failed due to write errors (bugzilla #1252)
 - fixed an inconsistent check for a terminal when displaying scp progress meter (bugzilla #1265)
 - Parsing of time values in Match blocks was incorrectly applied to the global configuration (bugzilla #1275)
 - Allow multiple forwarding options to work when specified in a PermitOpen directive (bugzilla #1267)
 - Interoperate with ssh.com versions that do not support binding remote port forwarding sessions to a hostname (bugzilla #1019)

* Portable OpenSSH bugs fixed:
 - "hang on exit" when background processes are running at the time of exit on a ttyful/login session (bugzilla #52)
 - Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259)
 - Check that some SIG records have been returned in getrrsetbyname (bugzilla #1281)
 - Fix contrib/findssl for platforms that lack "which" (bugzilla #1237)
 - Work around bug in OpenSSL 0.9.8e that broke aes256-ctr, aes192-ctr, arcfour256 (bugzilla #1291)

Checksums:
==========
 - SHA1 (openssh-4.6.tar.gz) = c1700845be464a769428f34ef727c1f530728afc
 - SHA1 (openssh-4.6p1.tar.gz) = b2aefeb1861b4688b1777436035239ec32a47da8

Reporting Bugs:
===============
 - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

[Edited to correct OpenSSH 0.9.6e to OpenSSL 0.9.8e -dwc]
By Anonymous Coward (122.49.157.192) on
mod me down, i'm too lazy to email
By Anonymous Coward (83.149.231.208) on
By Cabal (Cabal) on http://www.enginuity.org/
By Darren Tucker (dtucker) on
> horizon? 2.1, 3.0, etc?
No. SSH2 was designed to be extensible so major revisions aren't necessary for most things.
> Who decides on the direction of the SSH protocol, a consortium?
The IETF secsh working group (which had representatives from pretty much all of the implementations) did SSH2. The WG has been wrapped up (see http://tools.ietf.org/wg/secsh/), I imagine a new one would have to be formed for a hypothetical SSH3, but I can't imagine it happening either.
I would expect any new protocol features to be implemented mostly as vendor-specific extensions (which are explicitly defined in the spec) and maybe a few of them becoming new standards built on top of the existing RFCs.
By Anonymous Coward (70.179.123.124) on
SSH is covered by RFCs; if you've got a prospective change, you can write it up and submit it as an Internet Draft.
The most recent RFC I could find was RFC 4252, which is co-authored by T. Ylonen, the Finn who is responsible for bringing us SSH in the first place, and who is also the founder of SSH Communications Security Corp, which, if memory serves, is the dreaded SSH.com.
By Anonymous Coward (213.118.134.55) on
By Anonymous Coward (193.63.217.208) on
Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
TIA
By Anonymous Coward (88.82.33.37) on
>
> Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
bunbun:*:1005:1005:Mailinglists only:/home/bunbun:/usr/libexec/sftp-server
Now... how does one do sftp access only in a chroot jail?
By Anonymous Coward (82.69.64.101) on
> >
> > Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
>
> bunbun:*:1005:1005:Mailinglists only:/home/bunbun:/usr/libexec/sftp-server
>
> Now... how does one do sftp access only in a chroot jail?
Just an idea...
http://chrootssh.sourceforge.net/ claims to chroot to openssh.
In FreeBSD's ports tree (openssh-portable) chroot'ing users is a compile-time option. I've used it successfully with 4.5-portable.
user:*:1000:1000::/home/user/./whatever:/usr/libexec/sftp-server
There's no patch for 4.6 yet and I've never tried it with OpenBSD so YMMV.
By Anonymous Coward (213.118.134.55) on
I can't believe I didn't think of that.. Thanks a lot :)
By Venture37 (venture37) on www.geeklan.co.uk
>
> Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
>
> TIA
>
check out rssh
http://www.pizzashack.org/rssh/
By Anonymous Coward (84.186.19.51) on
>
> Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
>
> TIA
>
The following patch chroots the user to the folder you specify provided that his homedir has a trailing "/./". Users without this are not affected.
By Darren Tucker (dtucker) on
Local users could also chroot sftp-server to arbitrary locations, although I'm not sure what that might buy them.
It's safer to look up the user's passwd entry yourself, since this can't be easily faked out, eg:
By jirib (195.212.29.163) on
>
> Apply patch to OpenSSH-4.6 with
>
> tar xfz openssh-4.6.tar.gz
> cd ssh
> patch -p0 < sftp-server-46-chroot.diff
> make obj
> make cleandir
> make depend
> make
> make install
> chmod 4555 /usr/libexec/sftp-server
>
> Chroot a user to its homedir with setting by homedir to /path/to/home/./
> and setting his shell to sftp-server (add binary to /etc/shells before)
> User will be sftp-only and can't login to shell
>
>
> --- sftp-server.c.old Thu Mar 8 20:11:45 2007
> +++ sftp-server.c Thu Mar 8 20:18:43 2007
> @@ -40,6 +40,8 @@
> #include "sftp.h"
> #include "sftp-common.h"
>
> +#define CHROOT
> +
> /* helper */
> #define get_int64() buffer_get_int64(
> #define get_int() buffer_get_int(
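Review bot: `#define CHROOT` is hard-wired into sftp-server.c here, so the `#ifdef CHROOT` guards in the later hunks can never be off and the feature is not actually optional. If the chroot behaviour is meant to be a compile-time choice, drop this define and pass -DCHROOT from the build (CFLAGS) instead, so a plain build keeps the stock, non-setuid behaviour.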
> @@ -1183,6 +1185,37 @@
> exit(1);
> }
>
> +#ifdef CHROOT
> +void
> +chroot_init(void)
> +{
> + char *user_dir, *new_root;
> +
> + user_dir = getenv("HOME");
> +
> + if (!user_dir)
> + fatal("HOME isn't in environment");
> +
> + new_root = user_dir + 1;
> +
> + while ((new_root = strchr(new_root, '.')) != NULL) {
> + new_root--;
> + if (strncmp(new_root, "/./", 3) == 0) {
> + *new_root = '\0';
> + new_root += 2;
> +
> + if (chroot(user_dir) != 0)
> + fatal("Couldn't chroot to user directory %s: %s",user_dir, strerror(errno));
> +
> + setenv("HOME", new_root, 1);
> + break;
> + }
> + new_root += 2;
> + }
> +}
> +#endif /* CHROOT */
> +
> +
> int
> main(int argc, char **argv)
> {
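Review bot: `chroot_init()` takes the jail path from the HOME environment variable and, since the binary is installed setuid root (chmod 4555 above), trusts whatever the caller put there; as Darren Tucker notes in this thread, a local user can run it with HOME pointing wherever they like. Look the home directory up with getpwuid(getuid()) instead of getenv("HOME"). Also, after the successful chroot(user_dir) there is no chdir("/") (or chdir(new_root)), so the process's working directory is left outside the new root; add the chdir and check its result. The scanning loop with strchr/strncmp can be replaced by a single strstr(user_dir, "/./"), which is easier to review; and if no "/./" marker is found the function returns silently, so the unjailed case should at least be logged.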
> @@ -1247,6 +1280,15 @@
> pw->pw_name, client_addr);
>
> handle_init();
> +
> +#ifdef CHROOT
> + chroot_init();
> +#endif /* CHROOT */
> +
> + setuid(getuid());
> +
> + if (setuid(getuid()) != 0)
> + fatal("Couldn't drop privileges: %s", strerror(errno));
>
> in = dup(STDIN_FILENO);
> out = dup(STDOUT_FILENO);
>
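Review bot: the first `setuid(getuid());` at the top of this hunk is unchecked and redundant; the checked call three lines later does the same thing, so the unchecked one should be deleted. Calling chroot_init() before dropping privileges is the right order, since chroot(2) needs the root euid, but if chroot_init() found no marker this main() carries on unjailed with root privileges already dropped and no diagnostic, which is worth a log line. As jirib points out in the follow-up, ForceCommand inside a Match block in sshd_config gives sftp-only sessions without a setuid binary at all.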
I don't know, why not just use ForceCommand with sftp-server which would be executed via systrace wrapper? That would restrict user without changing OpenSSH code. ???
By jirib (195.212.29.163) on
Sure, just use ForceCommand in Match section - the command should be /usr/lib/sftp-server
It works :) but not for scp 'coz scp is just a cat in pipe. Maybe you could make a systrace wrapper which would jail sftp user just in his/her home dir. I haven't tried this.
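As an added example (not from the announcement and not jirib's own configuration), here is an sshd_config fragment that combines the two points raised above: the OpenSSH 4.6 Match directive switching authentication methods per group and address, and jirib's suggestion of ForceCommand inside a Match block to make a group sftp-only. The group names and the address range are made up; the sftp-server path is the one used elsewhere in this thread.

```text
# Global defaults: key-only logins from anywhere.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Hypothetical "lanadmins" group may fall back to passwords, but only
# from the (made-up) management network.  Match blocks must follow all
# global options; each one extends to the next Match line or end of file.
Match Group lanadmins Address 192.168.1.0/24
    PasswordAuthentication yes

# Hypothetical "sftponly" group: whatever command the client asks for,
# the session runs sftp-server, and forwarding is switched off so the
# account cannot be used as a tunnel endpoint.
Match Group sftponly
    ForceCommand /usr/libexec/sftp-server
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t` before restarting sshd. ForceCommand only fixes what the session executes: it is not a chroot, so the user can still read anything their unix permissions allow, and, as jirib says, scp clients will not work against such an account because the forced sftp-server replaces the remote scp process they expect.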
By Anonymous Coward (195.212.29.163) on
>
"a cat" - lol. I thought `cat` command :)
By Anonymous Coward (85.178.104.188) on
The OpenSSH website doesn't mention ANY new release, nor is ANY announcement in the archives (misc@), nor is the code in the CVS tagged for OpenBSD 4.0.
This looks suspicious, really.
By phessler (69.12.168.115) on
>
> The OpenSSH website doesn't mention ANY new release, nor is ANY announcement in the archives (misc@), nor is the code in the CVS tagged for OpenBSD 4.0.
>
>
> This looks suspicious, really.
go away troll