Announce: OpenSSH 7.2 released

Andreas M. Kirchwitz amk at spamfence.net
Sat Mar 5 00:41:37 AEDT 2016


Corinna Vinschen <vinschen at redhat.com> wrote:

> There's a backward incompatible change in this release which is not
> mentioned in the release notes.  The slogin symlink as well as the
> slogin.1 man page are not created anymore by the Makefile.
>
> This change potentially breaks lots and lots of aliases, shell scripts,
> and GUI keyboard shortcuts.

This may also be a serious security issue!

On most systems I know of the brand-new versions of OpenSSH are
installed in parallel to the SSH that ships with the operating
system. So users put (for example) /usr/local/bin in front of
/usr/bin to get the new OpenSSH binaries instead of the old
ones from the system. The shell automatically uses the new
binaries because they come first in the shell command path.

Now, when users run "slogin" they will no longer start the one
from the new OpenSSH but instead the shell finds the old one
from the operating system and starts that one. Although the old
SSH from the operating system might be secure because it gets
patches from the vendor, usually it's an old version and
lacks a lot of new features (functionality + security). So users
running "slogin" will not get the best protection possible.

For people who used rlogin/rsh/rcp back in the old days, it's
quite common to use slogin/ssh/scp in the same way (and the
developers supported that behaviour by linking slogin to ssh).

Now silently removing that historic link is a big issue.
Yes, sure, it's mentioned in the "ChangeLog", but honestly,
that should be included in the main release notes.
(IMHO, there should be a dummy script for "slogin" that
warns users that they no longer get what they expect;
it's better to break things instead of silently compromising
security.)

	Greetings, Andreas
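The PATH fall-through described in the mail, and the "dummy slogin that warns" suggested at the end, as an added example (not part of the original message and not OpenSSH project code): a POSIX sh script that resolves the first `ssh` and `slogin` on a given search path, reports whether `slogin` still comes from the same install as `ssh`, and can drop a warning shim into the newer install's bin directory. The directory layout it checks is constructed under a temporary directory (a `local/bin` with only `ssh`, a `usr/bin` with a vendor `ssh` plus the old `slogin` symlink); no real system directories are touched, and the shim's wording is this example's own.

```shell
#!/bin/sh
# Added example: detect "slogin" silently resolving to a different OpenSSH
# install than "ssh" after the slogin symlink stopped being created.

# first_on_path NAME PATHSPEC: print the first executable NAME found in the
# colon-separated PATHSPEC (same search order the shell uses); fail if none.
first_on_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_slogin PATHSPEC: 0 if slogin and ssh come from the same directory,
# 1 if slogin fell through to a different (older) install, 2 if one is missing.
check_slogin() {
    pathspec=$1
    ssh_bin=$(first_on_path ssh "$pathspec") || {
        echo "ssh: not found on PATH"; return 2; }
    slogin_bin=$(first_on_path slogin "$pathspec") || {
        echo "slogin: not found on PATH (OpenSSH 7.2 no longer installs it)"; return 2; }
    if [ "$(dirname "$ssh_bin")" = "$(dirname "$slogin_bin")" ]; then
        echo "ok: slogin ($slogin_bin) comes from the same install as ssh ($ssh_bin)"
        return 0
    fi
    echo "WARNING: slogin resolves to $slogin_bin but ssh resolves to $ssh_bin"
    return 1
}

# install_slogin_shim DIR: write a "slogin" that warns loudly and exits 1,
# so a stale alias breaks visibly instead of running an older ssh.
install_slogin_shim() {
    cat > "$1/slogin" <<'EOF'
#!/bin/sh
echo "slogin: no longer installed by OpenSSH; use 'ssh' from $(dirname "$0") instead" >&2
exit 1
EOF
    chmod +x "$1/slogin"
}

# make_demo_layout ROOT: constructed layout, not a real system.
#   ROOT/local/bin/ssh            newer OpenSSH, no slogin
#   ROOT/usr/bin/ssh + slogin ->  vendor OpenSSH with the historic symlink
make_demo_layout() {
    mkdir -p "$1/local/bin" "$1/usr/bin"
    printf '#!/bin/sh\necho new-ssh\n' > "$1/local/bin/ssh"
    printf '#!/bin/sh\necho old-ssh\n' > "$1/usr/bin/ssh"
    chmod +x "$1/local/bin/ssh" "$1/usr/bin/ssh"
    ln -s ssh "$1/usr/bin/slogin"
}

# Demo: newer install first on PATH, then fix it with the shim.
demo_root=$(mktemp -d)
make_demo_layout "$demo_root"
demo_path="$demo_root/local/bin:$demo_root/usr/bin"
check_slogin "$demo_path" || true      # WARNING: slogin falls through to usr/bin
install_slogin_shim "$demo_root/local/bin"
check_slogin "$demo_path" || true      # ok: both now come from local/bin
rm -rf "$demo_root"
```

Run it against a real machine with `check_slogin "$PATH"`; exit status 1 is the case the mail describes. Comparing directories rather than inodes keeps the check portable and still accepts the shim, which by design is a different file from `ssh`.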


More information about the openssh-unix-dev mailing list