Portable OpenSSH 2.5.2p2 is now available from the mirror sites listed at http://www.openssh.com/portable.html Security related changes: Improved countermeasure against "Passive Analysis of SSH (Secure Shell) Traffic" http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt The countermeasures introduced in earlier OpenSSH-2.5.x versions caused interoperability problems with some other implementations. Improved countermeasure against "SSH protocol 1.5 session key recovery vulnerability" http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm New options: permitopen authorized_keys option to restrict portforwarding. PreferredAuthentications allows client to specify the order in which authentication methods are tried. Sftp: sftp client supports globbing (get *, put *). Support for sftp protocol v3 (draft-ietf-secsh-filexfer-01.txt). Batch file (-b) support for automated transfers Performance: Speedup DH exchange. OpenSSH should now be significantly faster when connecting use SSH protocol 2. Preferred SSH protocol 2 cipher is AES with hmac-md5. AES offers much faster throughput in a well scrutinised cipher. Bugfixes: stderr handling fixes in SSH protocol 2. Improved interoperability. Client: The client no longer asks for the the passphrase if the key will not be accepted by the server (SSH2_MSG_USERAUTH_PK_OK) Miscellaneous: scp should now work for files > 2GB ssh-keygen can now generate fingerprints in the "bubble babble" format for exchanging fingerprints with SSH.COM's SSH protocol 2 implementation. Portable version: Better support for the PRNGd[1] entropy collection daemon. The --with-egd-pool configure option has been deprecated in favour of --with-prngd-socket and the new --with-prngd-port options. The latter allows collection of entropy from a localhost socket. configure ensures that scp is in the $PATH set by the server (unless a custom path is specified). -d [1] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer
Hi, On Thu 2001-03-22 (21:43), Damien Miller wrote:> Portable OpenSSH 2.5.2p2 is now available from the mirror sites > listed at http://www.openssh.com/portable.htmlHave you considered signing the RPMs or add a signed file with the md5 checksums of the RPMs in the distribution directory as well? Thanks, great work, -- MfG/best regards, helmut springer Das Weisse im Auge des Feindes zu sehn heisst nichts als geduldig vorm Spiegel zu stehn.
On Thu, Mar 22, 2001 at 09:43:56PM +1100, Damien Miller wrote:> > Sftp: > sftp client supports globbing (get *, put *). >It globs put, but not get for me: sftp> put *.res Uploading bouen100.res to /tmp/bouen100.res Uploading cdelapp.res to /tmp/cdelapp.res sftp> get *.res File "/tmp/*.res" not found. sftp> get cdelapp.res Fetching /tmp/cdelapp.res to cdelapp.res sftp> OpenSSH configured has been configured with the following options. User binaries: /usr/openssh/bin System binaries: /usr/openssh/sbin Configuration files: /usr/openssh/etc Askpass program: /usr/openssh/libexec/ssh-askpass Manual pages: /usr/openssh/man/manX PID file: /usr/openssh/etc sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin Random number collection: Builtin (timeout 200) Manpage format: cat PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Host: mips-sgi-irix6.5 Compiler: cc Compiler flags: -g Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include Linker flags: -L/usr/local/ssl/lib Libraries: -lwrap -lz -lgen -lcrypto -jf
Hmm... I've just noticed that rh6.2 rpms become VERY big with this release... 2.5.2p1 rpms for 6.2 was all near 100 - 150 kb and 2.5.2p2 are near 400 - 700 kb !!! Rh70 rpms are still near the size as all previous releases... (100 - 150) Why this happened and is it normal???> Portable OpenSSH 2.5.2p2 is now available from the mirror sites > listed at http://www.openssh.com/portable.html
i've just rebuild the source rpm (openssh-2.5.2p2-1.src.rpm) on my RH6.2 system and all rpm sizes are normal : 139765 Mar 22 16:55 openssh-2.5.2p2-1.i386.rpm 24788 Mar 22 16:55 openssh-askpass-2.5.2p2-1.i386.rpm 7740 Mar 22 16:55 openssh-askpass-gnome-2.5.2p2-1.i386.rpm 191718 Mar 22 16:55 openssh-clients-2.5.2p2-1.i386.rpm 133307 Mar 22 16:55 openssh-server-2.5.2p2-1.i386.rpm Looks like that RH62 rpms on distro site were compiled with some strange routines...> Portable OpenSSH 2.5.2p2 is now available from the mirror sites > listed at http://www.openssh.com/portable.html
dusha at dnttm.ru said:> Looks like that RH62 rpms on distro site were compiled with some > strange routines...I would guess they are built with the static openssl support - several people have had problems with openssh/openssl version slew, and since there is not a widely distributed openssl with RH doing things this way is probably better in terms of support. Nigel. -- [ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] [ - Comments in this message are my own and not ITO opinion/policy - ]
This is wrong.> Security related changes: > Improved countermeasure against "Passive Analysis of SSH > (Secure Shell) Traffic" > http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt > > The countermeasures introduced in earlier OpenSSH-2.5.x versions > caused interoperability problems with some other implementations. > > Improved countermeasure against "SSH protocol 1.5 session > key recovery vulnerability" > http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm2.5.2 does not really fix security issues in his area; 2.5.1 already had them fixed. However, it improves the interoperability problems introduced in fixing them. Which were found because 2.5.1 was released with fixes... they would not have been found otherwise..
Hello, I have just noticed one nice feature of OpenSSH known_hosts implementation. When ssh connects to new host it add both ip and name of this host to known_hosts file in the same line. Unfortunetly when I execute ssh once again with onother name for taht host (for example fqdn) it creates another entry for that host. Is it possible to add this name in the same line in case of ip match? Best regards, Krzysztof Oledzki
this release has fixed one of the problems that I wrote about yesterday (subject = two bugs with aix ... help please!!!) : non-interactive sessions via protocol 1 no longer hang after the completion of the remote command. Thank you!!! However, the other problem that I wrote about, the zero-length write, still exists in all its glory; the patch that I came up with doesn't fix the problem with this relase, and it actually causes the other problem to reappear. The zero-length write bug hits us pretty hard, as we have several applications that cause the problem to manifest on a frequent basis. Can someone at least explain to me what is going on there, and if possible, suggest a fix? Thanks, --Sandy At 9:43 PM +1100 3/22/01, Damien Miller wrote:>Portable OpenSSH 2.5.2p2 is now available from the mirror sites >listed at http://www.openssh.com/portable.html >-- sandor w. sklar unix systems administrator stanford university itss-css
The same problem exists under Solaris.
What I found out is that on Solaris struct dirent is defined as :
typedef struct dirent {
ino_t d_ino; /* "inode number" of entry */
off_t d_off; /* offset of disk directory entry */
unsigned short d_reclen; /* length of this record */
char d_name[1]; /* name of file */
} dirent_t;
In that case, fudge_readdir() in sftp-glob.c will reserve 1 byte
for ret.d_name : just enough to store the NULL character but
nothing else.
It looks like, short of redefining struct dirent on Solaris, one
possibility would be to allocate an oversized buffer to hold the
structure and the real string. Something like :
static char buffer[sizeof(struct dirent)+DNAME_SIZE];
static struct dirent *ret = (struct dirent *)buffer;
...
memset(buffer, 0, sizeof(buffer));
strlcpy(ret->d_name, od->dir[od->offset++]->filename,
sizeof(ret->d_name)+DNAME_SIZE);
...
return ret;
where DNAME_SIZE would be an appropriate buffer size.
Philippe.
---
Philippe Levan | Systems Engineering
levan at epix.net | epix Internet Services
On Thu, 22 Mar 2001, Jan-Frode Myklebust wrote:
> On Thu, Mar 22, 2001 at 09:43:56PM +1100, Damien Miller wrote:
> >
> > Sftp:
> > sftp client supports globbing (get *, put *).
> >
>
> It globs put, but not get for me:
>
> sftp> put *.res
> Uploading bouen100.res to /tmp/bouen100.res
> Uploading cdelapp.res to /tmp/cdelapp.res
> sftp> get *.res
> File "/tmp/*.res" not found.
> sftp> get cdelapp.res
> Fetching /tmp/cdelapp.res to cdelapp.res
> sftp>
>
>
> OpenSSH configured has been configured with the following options.
> User binaries: /usr/openssh/bin
> System binaries: /usr/openssh/sbin
> Configuration files: /usr/openssh/etc
> Askpass program: /usr/openssh/libexec/ssh-askpass
> Manual pages: /usr/openssh/man/manX
> PID file: /usr/openssh/etc
> sshd default user PATH:
/usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin
> Random number collection: Builtin (timeout 200)
> Manpage format: cat
> PAM support: no
> KerberosIV support: no
> AFS support: no
> S/KEY support: no
> TCP Wrappers support: yes
> MD5 password support: no
> IP address in $DISPLAY hack: no
> Use IPv4 by default hack: no
> Translate v4 in v6 hack: no
>
> Host: mips-sgi-irix6.5
> Compiler: cc
> Compiler flags: -g
> Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include
> Linker flags: -L/usr/local/ssl/lib
> Libraries: -lwrap -lz -lgen -lcrypto
>
>
>
> -jf
>
>