Hi,
We are preparing to make the release of OpenSSH 4.8 soon, so we would
greatly appreciate testing of snapshot releases in as many environments
and on as many operating systems as possible.
The highlights of this release are:
* Added chroot(2) support for sshd(8), controlled by a new option
"ChrootDirectory". Please refer to sshd_config(5) for details, and
please use this feature carefully. (bz#177 bz#1352)
* Linked sftp-server(8) into sshd(8). The internal sftp server is
used when the command "internal-sftp" is specified in a Subsystem
or ForceCommand declaration. When used with ChrootDirectory, the
internal sftp server requires no special configuration of files
inside the chroot environment. Please refer to sshd_config(5) for
more information.
* Added a protocol extension method "posix-rename at openssh.com" for
sftp-server(8) to perform POSIX atomic rename() operations.
(bz#1400)
* Removed the fixed limit of 100 file handles in sftp-server(8). The
server will now dynamically allocate handles up to the number of
available file descriptors. (bz#1397)
* ssh(8) will now skip generation of SSH protocol 1 ephemeral server
keys when in inetd mode and protocol 2 connections are negotiated.
This speeds up protocol 2 connections to inetd-mode servers that
also allow Protocol 1 (bz#440)
* Accept the PermitRootLogin directive in a sshd_config(5) Match
block. Allows for, e.g. permitting root only from the local
network.
* Reworked sftp(1) argument splitting and escaping to be more
internally consistent (i.e. between sftp commands) and more
consistent with sh(1). Please note that this will change the
interpretation of some quoted strings, especially those with
embedded backslash escape sequences. (bz#778)
* Support "Banner=none" in sshd_config(5) to disable sending of a
pre-login banner (e.g. in a Match block).
* ssh(1) ProxyCommands are now executed with $SHELL rather than
/bin/sh.
* ssh(1)'s ConnectTimeout option is now applied to both the TCP
connection and the SSH banner exchange (previously it just covered
the TCP connection). This allows callers of ssh(1) to better detect
and deal with stuck servers that accept a TCP connection but don't
progress the protocol, and also makes ConnectTimeout useful for
connections via a ProxyCommand.
* Many new regression tests, including interop tests against PuTTY's
plink.
* Support BSM auditing on Mac OS X
This release also contains many bugfixes. Please refer to the tracking bug
https://bugzilla.mindrot.org/show_bug.cgi?id=1353 for a partial list.
The ChangeLog file in the portable OpenSSH tarballs contains a full list.
Please fetch and test the release that is appropriate for your platform:
If you are running OpenBSD the latest version is available in CVS HEAD,
as described at http://www.openbsd.org/anoncvs.html
Otherwise, portable snapshots are available from
http://www.mindrot.org/openssh_snap/ and also by anonymous CVS. CVS
instructions are here: http://www.openssh.com/portable.html#cvs
Running the regression tests supplied with Portable does not require
installation and is a simply:
$ ./configure && make tests
This release includes some interoperability tests against PuTTY's
plink(1). These tests may be run using "make interop-tests" if you
have plink(1) installed.
Testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org.