Portable OpenSSH-2.5.2p2
Damien Miller
djm at mindrot.org
Thu Mar 22 21:43:56 EST 2001
Portable OpenSSH 2.5.2p2 is now available from the mirror sites
listed at http://www.openssh.com/portable.html
Security related changes:
Improved countermeasure against "Passive Analysis of SSH
(Secure Shell) Traffic"
http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt
The countermeasures introduced in earlier OpenSSH-2.5.x versions
caused interoperability problems with some other implementations.
Improved countermeasure against "SSH protocol 1.5 session
key recovery vulnerability"
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
New options:
permitopen authorized_keys option to restrict portforwarding.
PreferredAuthentications allows client to specify the order in which
authentication methods are tried.
Sftp:
sftp client supports globbing (get *, put *).
Support for sftp protocol v3 (draft-ietf-secsh-filexfer-01.txt).
Batch file (-b) support for automated transfers
Performance:
Speedup DH exchange. OpenSSH should now be significantly faster when
connecting use SSH protocol 2.
Preferred SSH protocol 2 cipher is AES with hmac-md5. AES offers
much faster throughput in a well scrutinised cipher.
Bugfixes:
stderr handling fixes in SSH protocol 2.
Improved interoperability.
Client:
The client no longer asks for the the passphrase if the key
will not be accepted by the server (SSH2_MSG_USERAUTH_PK_OK)
Miscellaneous:
scp should now work for files > 2GB
ssh-keygen can now generate fingerprints in the "bubble babble"
format for exchanging fingerprints with SSH.COM's SSH protocol 2
implementation.
Portable version:
Better support for the PRNGd[1] entropy collection daemon. The
--with-egd-pool configure option has been deprecated in favour
of --with-prngd-socket and the new --with-prngd-port options.
The latter allows collection of entropy from a localhost
socket.
configure ensures that scp is in the $PATH set by the server
(unless a custom path is specified).
-d
[1] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org / distributed filesystem'' - Dan Geer
More information about the openssh-unix-dev
mailing list