OpenSSH 3.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.


Changes since OpenSSH 3.2.3:
============================

Security Changes:
================

- improved support for privilege separation:

  privilege separation is now enabled by default

  See UsePrivilegeSeparation in sshd_config(5)
  and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more
  information.
- ssh no longer needs to be installed setuid root for protocol
  version 2 hostbased authentication, see ssh-keysign(8).
  protocol version 1 rhosts-rsa authentication still requires privileges
  and is not recommended.

Other Changes:
=============

- documentation for the client and server configuration options has
  been moved to ssh_config(5) and sshd_config(5).
- the server now supports the Compression option, see sshd_config(5).
- the client options RhostsRSAAuthentication and RhostsAuthentication now
  default to no, see ssh_config(5).
- the client options FallBackToRsh and UseRsh are deprecated.
- ssh-agent now supports locking and timeouts for keys, see ssh-add(1).
- ssh-agent can now bind to unix-domain sockets given on the command line,
  see ssh-agent(1).
- fixes problems with valid RSA signatures from putty clients.

Reporting Bugs:
==============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.
On Fri, Jun 21, 2002 at 09:50:58PM +0200, Markus Friedl wrote:
> OpenSSH 3.3 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.

Markus, why is the test frame that short? I didn't even have a chance to
try today's cvs version since I'm (still) getting connection timeouts when
trying to access the repository. Can't we have at least two or three days
for testing before a new release?

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
Once upon a time, Markus Friedl <markus at openbsd.org> said:
> Security Changes:
> ================
>
> - improved support for privilege separation:
>
>   privilege separation is now enabled by default

I'm (finally!) looking at privsep and Tru64 Unix (with HAVE_OSF_SIA
enabled), and I'm not sure I can see how it will work. The problem is in
auth-sia.c session_setup_sia(). The sia_ses_estab() call has to run as
root because in enhanced security mode it checks the protected password
database to make sure the account is not expired, locked, etc., and
updates the database with last successful login. However, it also sets
things like resource limits for the child process. The sia_ses_launch()
call has to run as root as well because it generates audit records and
has to run in the child because it sets the effective user and group IDs.

Is this possible to do with privilege separation?

--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Damien Mascord
2002-Jun-24 16:11 UTC
OpenSSH 3.3 released [be careful of not having sshd user or /var/empty]
Heya,

Probably something to note in the release notes for 3.3:

1) A user sshd needs to exist before you do a /etc/init.d/sshd restart,
   ssh will not restart
2) A directory /var/empty needs to exist before you restart sshd,
   otherwise sshd will not restart.

Probably even a good idea to put it in the make install section,
something like

echo **********************************************************
echo * WARNING, sshd user does not exist *
echo * WARNING, /var/empty directory does not exist *
echo * sshd will not restart *
echo *********************************************************

Just an idea :) Glad I enabled telnet temporarily to restart sshd this
time :)

Damien

At 09:50 PM 21/06/2002 +0200, you wrote:
>OpenSSH 3.3 has just been released. It will be available from the
>mirrors listed at http://www.openssh.com/ shortly.
>
>OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
>implementation and includes sftp client and server support.
>
>We would like to thank the OpenSSH community for their continued
>support and encouragement.
>
>
>Changes since OpenSSH 3.2.3:
>============================
>
>Security Changes:
>================
>
>- improved support for privilege separation:
>
>  privilege separation is now enabled by default
>
>  See UsePrivilegeSeparation in sshd_config(5)
>  and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more
>  information.
>- ssh no longer needs to be installed setuid root for protocol
>  version 2 hostbased authentication, see ssh-keysign(8).
>  protocol version 1 rhosts-rsa authentication still requires privileges
>  and is not recommended.
>
>Other Changes:
>=============
>
>- documentation for the client and server configuration options have
>  been moved to ssh_config(5) and sshd_config(5).
>- the server now supports the Compression option, see sshd_config(5).
>- the client options RhostsRSAAuthentication and RhostsAuthentication now
>  default to no, see ssh_config(5).
Markus Friedl
2002-Jun-24 16:15 UTC
OpenSSH 3.3 released [be careful of not having sshd user or /var/empty]
If you try sshd -t, sshd will check your current configuration and complain.
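The pre-restart check Damien sketched above, combined with Markus's sshd -t, as an added example (not OpenSSH project code and not part of any message in this thread). It assumes a Linux-like system with ls -n and getent; the owner and mode rules it applies to the privilege separation directory are the ones sshd itself enforces (owned by root, not group- or world-writable).

```sh
#!/bin/sh
# Added example: verify the privsep prerequisites before restarting sshd.
# Not part of OpenSSH; written for this thread.

# check_privsep_user NAME -> 0 if the account exists, non-zero otherwise
check_privsep_user() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# check_privsep_dir DIR [UID] -> 0 if DIR exists, is owned by UID (default 0,
# i.e. root) and carries no group/world write bit; prints the reason otherwise.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "missing privilege separation directory $dir"; return 1; }
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3
    [ "$uid" = "$want_uid" ] || { echo "bad owner for $dir (uid $uid, want $want_uid)"; return 1; }
    case $mode in
        ?????w*|????????w*) echo "bad mode for $dir ($mode): group/world writable"; return 1 ;;
    esac
    return 0
}

# main: what an init script could run before "restart"
main() {
    rc=0
    check_privsep_user sshd || { echo "WARNING: sshd user does not exist"; rc=1; }
    check_privsep_dir /var/empty || rc=1
    # sshd -t (test mode) validates the rest of the configuration and exits non-zero on problems
    if command -v sshd >/dev/null 2>&1; then
        sshd -t || rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "sshd privsep prerequisites look fine"
    else
        echo "sshd will not restart; fix the above first"
    fi
    return $rc
}

[ "${1:-}" = "--check" ] && main
```

Run it as root with the --check argument, since sshd -t needs to read the host keys.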
Wendy Palm
2002-Jun-25 14:37 UTC
OpenSSH 3.3 released [be careful of not having sshd user or /var/empty]
Is the user "sshd" and /var/empty still needed even without privsep?

Damien Mascord wrote:
>
> Heya,
>
> Probably something to note in the release notes for 3.3:
>
> 1) A user sshd needs to exist before you do a /etc/init.d/sshd restart, ssh
>    will not restart
> 2) A directory /var/empty needs to exists before you restart sshd,
>    otherwise sshd will not restart.
>
> Probably even a good idea to put it in the make install section, something like
> echo **********************************************************
> echo * WARNING, sshd user does not exist *
> echo * WARNING, /var/empty directory does not exist *
> echo * sshd will not restart *
> echo *********************************************************
>
> Just an idea :) Glad I enabled telnet temporarily to restart sshd this time :)
>
> Damien
>
> At 09:50 PM 21/06/2002 +0200, you wrote:
> >OpenSSH 3.3 has just been released. It will be available from the
> >mirrors listed at http://www.openssh.com/ shortly.
> >
> >OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
> >implementation and includes sftp client and server support.
> >
> >We would like to thank the OpenSSH community for their continued
> >support and encouragement.
> >
> >
> >Changes since OpenSSH 3.2.3:
> >============================
> >
> >Security Changes:
> >================
> >
> >- improved support for privilege separation:
> >
> >  privilege separation is now enabled by default
> >
> >  See UsePrivilegeSeparation in sshd_config(5)
> >  and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more
> >  information.
> >- ssh no longer needs to be installed setuid root for protocol
> >  version 2 hostbased authentication, see ssh-keysign(8).
> >  protocol version 1 rhosts-rsa authentication still requires privileges
> >  and is not recommended.
> >
> >Other Changes:
> >=============
> >
> >- documentation for the client and server configuration options have
> >  been moved to ssh_config(5) and sshd_config(5).
--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154