New snapshot

Damien Miller djm at mindrot.org
Tue Nov 14 12:15:04 EST 2000


I have just uploaded a new snapshot to:

http://www.mindrot.org/misc/openssh/openssh-SNAP-20001114.tar.gz

This snapshot includes Markus Friedl's new SSH2 RSA authentication work
and -R portforwarding for SSH2. Please give these a good test.

The new RSA authentication works similarly to the current SSH2 DSA keys,
but requires a little modification to config files. Currently RSA
keys cannot be shared between SSH1 and SSH2.

To generate keys, ssh-keygen now has a type '-t' parameter. Valid types
are 'rsa1' (for SSH1 RSA keys), 'rsa' (SSH2 RSA) and 'dsa' (SSH2 DSA).

eg. "ssh-keygen -t rsa -f ~/.ssh/id_rsa" will generate a new SSH2 RSA key.

For public key authentication, just copy the public portion of the RSA
key into your ~/.ssh/authorized_keys2 file. It is normal for the public
RSA keys to be shorter than DSA keys.

SSH2 RSA keys are fully supported by ssh-agent. Keys are tried in the order
in which they are added to the agent, so 'ssh-add' your RSA key first if
you want to try it out.

For the server, all hostkeys are now unified and sshd will automatically
detect the type of a host key. The 'HostDSAKey' option is therefore 
deprecated in favor of 'HostKey'. To specify RSA and DSA keys for SSH2 use,
just use more 'HostKey' options. The 'DSAAuthentication' option is 
deprecated in favour of the general 'PubkeyAuthentication' option.

The host key section of my sshd_config looks like this:

HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

For the client, the 'IdentityFile2' option is deprecated in favor of an
autodetecting 'IdentityFile' option. You can specify rsa1, dsa and rsa keys
using this option.

RSA pubkey auth seems a little quicker than DSA and it is not vulnerable to
the problems described in the WARNING.RNG file.

Full changelog:

20001113
 - (djm) Add pointer to http://www.imasy.or.jp/~gotoh/connect.c to 
   contrib/README
 - (djm) Merge OpenBSD changes:
   - markus at cvs.openbsd.org  2000/11/06 16:04:56
     [channels.c channels.h clientloop.c nchan.c serverloop.c]
     [session.c ssh.c]
     agent forwarding and -R for ssh2, based on work from
     jhuuskon at messi.uku.fi
   - markus at cvs.openbsd.org  2000/11/06 16:13:27
     [ssh.c sshconnect.c sshd.c]
     do not disable rhosts(rsa) if server port > 1024; from
     pekkas at netcore.fi
   - markus at cvs.openbsd.org  2000/11/06 16:16:35
     [sshconnect.c]
     downgrade client to 1.3 if server is 1.4; help from mdb at juniper.net
   - markus at cvs.openbsd.org  2000/11/09 18:04:40
     [auth1.c]
     typo; from mouring at pconline.com
   - markus at cvs.openbsd.org  2000/11/12 12:03:28
     [ssh-agent.c]
     off-by-one when removing a key from the agent
   - markus at cvs.openbsd.org  2000/11/12 12:50:39
     [auth-rh-rsa.c auth2.c authfd.c authfd.h]
     [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
     [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
     [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
     [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]                   
     add support for RSA to SSH2.  please test.
     there are now 3 types of keys: RSA1 is used by ssh-1 only,
     RSA and DSA are used by SSH2.
     you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
     keys for SSH2 and use the RSA keys for hostkeys or for user keys.
     SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
 - (djm) Fix up Makefile and Redhat init script to create RSA host keys
 - (djm) Change to interim version
 - (djm) Fix RPM spec file stupidity
 - (djm) fixpaths to DSA and RSA keys too

20001112
 - (bal) SCO Patch to add needed libraries for configure.in.  Patch by
   Phillips Porch <root at theporch.com>
 - (bal) IRIX patch to add Job Limits.  Patch by Denis Parker
   <dcp at sgi.com>
 - (stevesk) pty.c: HP-UX 10 and 11 don't define TIOCSCTTY.  Add error() to
   failed ioctl(TIOCSCTTY) call.

20001111
 - (djm) Added /etc/primes for kex DH group neg, fixup Makefile.in and
   packaging files
 - (djm) Fix new Makefile.in warnings
 - (djm) Fix vsprintf("%h") in bsd-snprintf.c, short int va_args are 
   promoted to type int. Report and fix from Dan Astoorian 
   <djast at cs.toronto.edu>
 - (djm) Hardwire sysconfdir in RPM spec files as some RPM versions get 
   it wrong. Report from Bennett Todd <bet at rahul.net>

20001110
 - (bal) Fixed dropped answer from skey_keyinfo() in auth1.c
 - (bal) Changed from --with-skey to --with-skey=PATH in configure.in
 - (bal) Added in check to verify S/Key library is being detected in
   configure.in
 - (bal) next-posix.h - added another prototype wrapped in POSIX ifdef/endif. 
   Patch by Mark Miller <markm at swoon.net>
 - (bal) Added 'util.h' header to loginrec.c only if HAVE_UTIL_H is defined
   to remove warnings under MacOS X.  Patch by Mark Miller <markm at swoon.net> 
 - (bal) Fixed LDFLAG misspelling in configure.in for --with-afs

20001107
 - (bal) acconfig.in - removed the double "USE_PIPES" entry. Patch by
   Mark Miller <markm at swoon.net>
 - (bal) sshd.init files corrected to assign $? to RETVAL.  Patch by
   Jarno Huuskonen <jhuuskon at messi.uku.fi>
 - (bal) fixpaths fixed to stop it from quietly failing. Patch by
   Mark D. Roth <roth at feep.net>

20001106
 - (bal) typo in configure.in in regards to --with-ldflags from Marko
   Asplund <aspa at kronodoc.fi>
 - (bal) fixed next-posix.h.  Forgot prototype of getppid().



-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, / 
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org
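A small migration check for the option renames described in the announcement (HostDSAKey to HostKey, DSAAuthentication to PubkeyAuthentication, IdentityFile2 to IdentityFile). This is an added example, not code from the post or from OpenSSH; the sample sshd_config it rewrites is constructed, and the parser assumes the "keyword value" / "keyword=value" line syntax of ssh_config/sshd_config.

```python
"""Flag and rewrite the config options this snapshot deprecates.

Added example, not part of the original announcement. The option names
come from the post; the sample config below is constructed.
"""
import re

# Deprecated keyword (lower-cased) -> replacement named in the announcement.
DEPRECATED = {
    "hostdsakey": "HostKey",                      # sshd_config
    "dsaauthentication": "PubkeyAuthentication",  # sshd_config
    "identityfile2": "IdentityFile",              # ssh_config
}

# keyword, then whitespace or optional whitespace plus one '=', then value
LINE_RE = re.compile(r"^(\s*)([^\s=]+)(\s*=?\s*)(.*)$")


def migrate_config(text):
    """Return (rewritten_config, findings).

    Keywords match case-insensitively, as OpenSSH parses them; comments and
    blank lines pass through unchanged. Each finding is (lineno, old, new).
    """
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        m = LINE_RE.match(line)
        if not stripped or stripped.startswith("#") or m is None:
            out.append(line)
            continue
        indent, keyword, sep, value = m.groups()
        new = DEPRECATED.get(keyword.lower())
        if new is None:
            out.append(line)
            continue
        findings.append((lineno, keyword, new))
        out.append(f"{indent}{new}{sep}{value}")
    return "\n".join(out), findings


# Constructed sample of a pre-snapshot sshd_config; after rewriting, the
# DSA line becomes a second 'HostKey' entry, as the announcement describes.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config from before this snapshot
HostKey /etc/ssh/ssh_host_key
HostDSAKey /etc/ssh/ssh_host_dsa_key
DSAAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    new_text, findings = migrate_config(SAMPLE_SSHD_CONFIG)
    for lineno, old, new in findings:
        print(f"line {lineno}: '{old}' is deprecated, use '{new}'")
    print(new_text)
```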