Call for testing: OpenSSH-5.6
Rainer Laatsch
Laatsch at uni-koeln.de
Tue Aug 10 09:21:24 EST 2010
The snapshots until current invariably unpack to
openssh
Why not add e.g. a timestamp/version-id to the name to inhibit overwriting
the directory of (say) yesterday? Some extra precautions could then be
avoided.
Regards,
R.
=====================================================================
On Tue, 10 Aug 2010, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.6 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a moderately large
> release, with a number of new features and bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Features:
>
> * Added a ControlPersist option to ssh_config(5) that automatically
> starts a background ssh(1) multiplex master when connecting. This
> connection can stay alive indefinitely, or can be set to
> automatically close after a user-specified duration of inactivity.
>
> * Hostbased authentication may now use certificate host keys. CA keys
> must be specified in a known_hosts file using the @cert-authority
> marker.
>
> * ssh-keygen(1) now supports signing certificates using a CA key that
> has been stored in a PKCS#11 token.
>
> * ssh(1) will now log the hostname and address that we connected to at
> LogLevel=verbose after authentication is successful to mitigate
> "phishing" attacks by servers with trusted keys that accept
> authentication silently and automatically before presenting fake
> password/passphrase prompts.
>
> Note that, for such an attack to be successful, the user must have
> disabled StrictHostKeyChecking (enabled by default) or an attacker
> must have access to a trusted host key for the destination server.
>
> * Expand %h to the hostname in ssh_config Hostname options. While this
> sounds useless, it is actually handy for working with unqualified
> hostnames:
>
> Host *.*
> Hostname %h
> Host *
> Hostname %h.example.org
>
> * Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
> keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
> (bz#1749)
>
> * sshd(8) will now queue debug messages for bad ownership or
> permissions on the user's keyfiles encountered during authentication.
> These messages will be sent after the user has successfully
> authenticated. These messages may be viewed in ssh(1) at
> LogLevel=debug or higher.
>
> * ssh(1) connection multiplexing now supports remote forwarding with
> dynamic port allocation and can report the allocated port back to
> the user:
>
> LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
>
> * sshd(8) now supports indirection in matching of principal names
> listed in certificates. By default, if a certificate has an
> embedded principals list then the destination username must match
> one of the names in the list for it to be accepted for
> authentication.
>
> sshd(8) now supports an optional AuthorizedPrincipalsFile to specify
> a list of names that may be accepted in place of the username when
> authorizing a certificate trusted via the sshd_config(5)
> TrustedCAKeys option. Similarly, authentication using a CA trusted
> in ~/.ssh/authorized_keys now accepts a principals="name1[,name2,...]"
> to specify a list of permitted names.
>
> If either option is absent, the current behaviour of requiring the
> username to appear in principals continues to apply. These options
> are useful for role accounts, disjoint account namespaces and
> "user at realm"-style naming policies in certificates.
>
> * Expose some more sshd_config(5) options inside Match blocks:
>
> AuthorizedKeysFile
> AuthorizedPrincipalsFile
> HostbasedUsesNameFromPacketOnly
> PermitTunnel
>
> * Revised the format of certificate keys. The new format, identified as
> ssh-{dss,rsa}-cert-v01 at openssh.com includes the following changes:
>
> - Addition of a serial number field. This may be specified by the CA
> at the time of certificate signing.
>
> - Moving the nonce field to the beginning of the certificate where
> it can better protect against chosen-prefix attacks on the
> signature hash (currently infeasible against the SHA1 hash used)
>
> - Renaming of the "constraints" field to "critical options"
>
> - Adding of a new non-critical "extensions" field. The "permit-*"
> options are now extensions, rather than critical options to
> permit non-OpenSSH implementation of this key format to degrade
> gracefully when encountering keys with options they do not
> recognize.
>
> The older format is still supported for authentication and cert generation
> (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate).
> The older format, introduced in OpenSSH 5.4, will be supported for at
> least one year from this release, after which it will be deprecated and
> removed.
>
> BugFixes:
>
> * The PKCS#11 code now retries a lookup for a private key if there's
> no matching key with CKA_SIGN attribute enabled; this fixes
> MuscleCard support (bz#1736)
>
> * Unbreak strdelim() skipping past quoted strings, e.g.
>
> AllowUsers "blah blah" blah
>
> was broken (bz#1757)
>
> * sftp(1): fix swapped args in upload_dir_internal(), breaking
> recursive upload depth checks and causing verbose printing of
> transfers to always be turned on (bz#1797)
>
> * Fix a longstanding problem where if you suspend scp(1) at the
> password/passphrase prompt the terminal mode is not restored.
>
> * Fix PKCS#11 crash on some smartcards by checking the length
> returned for C_GetAttributeValue for != 0 (bz#1773)
>
> * sftp(1): unbreak ls in working directories that contain globbing
> characters in their pathnames (bz#1655)
>
> * Print warning for missing home directory when ChrootDirectory=none
> (bz#1564)
>
> * sftp(1): fix memory leak in do_realpath() error path (bz#1771)
>
> * ssh-keygen(1): Standardise error messages when attempting to open
> private key files to include "progname: filename: error reason"
> (bz#1783)
>
> * Replace verbose and overflow-prone Linebuf code with
> read_keyfile_line() (bz#1565)
>
> * Include the user name on "subsystem request for ..." log messages
>
> * ssh(1) and sshd(8): remove hardcoded limit of 100 permitopen clauses
> and port forwards per direction (bz#1327)
>
> * sshd(8): ignore stderr output from subsystems to avoid hangs if a
> subsystem or shell initialisation writes to stderr (bz#1750)
>
> * Skip the initial check for access with an empty password when
> PermitEmptyPasswords=no (bz#1638)
>
> * sshd(8): fix logspam when key options (from="..." especially) deny
> non-matching keys (bz#1765)
>
> * ssh-keygen(1): display a more helpful error message when $HOME is
> inaccessible while trying to create .ssh directory (bz#1740)
>
> * ssh(1): fix hang when terminating a mux slave using ~. (bz#1758)
>
> * ssh-keygen(1): refuse to generate keys longer than
> OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use
> them anyway (bz#1516)
>
> * Suppress spurious tty warning when using -O and stdin is not a tty
> (bz#1746)
>
> * Kill channel when pty allocation requests fail. Fixed stuck client
> if the server refuses pty allocation (bz#1698)
>
> Portable OpenSSH Bugfixes:
>
> - sshd(8): increase the maximum username length for login recording
> to 512 characters (bz#1579)
>
> * Initialize the values to be returned from PAM to sane values in case
> the PAM method doesn't write to them. (bz#1795)
>
> - Let configure find OpenSSL libraries in a lib64 subdirectory. (bz#1756)
>
> Checksums:
> ==========
>
> - SHA1 (openssh-5.5.tar.gz) = XXX
> - SHA1 (openssh-5.5p1.tar.gz) = XXX
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
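
An added illustration, not part of the original messages or of OpenSSH's code: the certificate principal-matching rules from the release notes quoted above, modelled in Python. The function names, the simplified file parsing and the sample principals are assumptions made for this example.

```python
# Simplified model of the principal checks summarised in the quoted notes.
# Not OpenSSH code; every name below is hypothetical.

def parse_principals_file(text):
    """Assumed format: one principal per line; blanks and '#' comments skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names


def cert_accepted(username, cert_principals, allowed=None):
    """Decide whether a CA-signed user certificate may log in as `username`.

    cert_principals: names embedded in the certificate (may be empty).
    allowed: names from AuthorizedPrincipalsFile or principals="..." for this
             account, or None when neither option is configured.
    """
    if allowed is None:
        # Default rule: an embedded list must contain the username itself.
        # A certificate with no list is not restricted by this rule.
        return not cert_principals or username in cert_principals
    # Indirection: any listed name may stand in for the username.
    # Modelling choice here: a certificate without principals never matches.
    return any(p in allowed for p in cert_principals)


# Constructed sample data: a role account "deploy" and two certificates.
DEPLOY_PRINCIPALS = parse_principals_file("""
# people allowed to act as deploy
alice@EXAMPLE.ORG
release-engineers   # role principal
""")
ALICE_CERT = ["alice@EXAMPLE.ORG"]
MALLORY_CERT = ["mallory@EXAMPLE.ORG"]

if __name__ == "__main__":
    cases = {
        "default, alice as deploy": cert_accepted("deploy", ALICE_CERT),
        "file, alice as deploy": cert_accepted("deploy", ALICE_CERT, DEPLOY_PRINCIPALS),
        "file, mallory as deploy": cert_accepted("deploy", MALLORY_CERT, DEPLOY_PRINCIPALS),
        "default, cert without principals": cert_accepted("deploy", []),
    }
    for case, ok in cases.items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

In this model, following the wording of the notes, a certificate issued without a principals list is not tied to any username under the default rule, which is the case to watch for when reviewing how a CA signs user certificates.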