Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH 3.5 Released

Posted by timothy on from the vavavoom dept.

Dan writes "Markus Friedl announces that OpenSSH 3.5 has just been released with notable updates since 3.4. It will be available from the mirrors listed at http://www.openssh.com/ shortly. Enhancements include bug fixes, improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling), RSA blinding in order to avoid timing attacks against the RSA host key and much more. Congratulations are in order for the OpenSSH team's hard work and efforts."

17 of 140 comments (clear)

  1. sweet by Anonymous Coward · · Score: 1, Informative

    so when will apple roll it into os x?

    1. Re:sweet by Anonymous Coward · · Score: 2, Informative

      why wait for apple? just compile it yourself....thats the beauty...

  2. Check those MD5s! by egg+troll · · Score: 5, Informative

    Remember to check the MD5s of those downloads this time around!

    --

    C - A language that combines the speed of assembly with the ease of use of assembly.
    1. Re:Check those MD5s! by Chuuk+Noris · · Score: 3, Informative

      MD5 doesn't use public/private keys. It actually doesn't use any keys at all. It just produces a short checkum (a short string such as "aa44cfb..."), that you can compare with another checksum later, in order to tell if anything has changed.

      That said, it can still be useful-- for example if you get the MD5 checksums from the "main distribution site" or whatever, and then download the actual files from a mirror. That said, a (PGP|GPG) signature is still better.

      --
      -- "--," ?
  3. carefull...Quote from site by L0gAn · · Score: 2, Informative

    ....trojan was discovered in the OpenSSH ftp distribution on August 1st. Anyone who upgraded between July 30 and then is encouraged to read the following advisory to learn how their system may have been compromised.

    At least one major security vulnerability exists in many deployed OpenSSH versions (2.3.1 to 3.3). Please see the ISS advisory, or our own OpenSSH advisory on this topic where simple patches are provided for the pre-authentication problem.

  4. Re:Stupid question.. by Kwikymart · · Score: 5, Informative

    The same people that make OpenBSD make OpenSSH?

    Whenever some story about, say KDE, pops up everyone is like "this is the best thing for Linux since sliced bread". Reality check: not all people run KDE run it on Linux. I think the BSD people should be entitled to the same "This is what we do for everyone!" type of recognition as everyone else.

    --

    Buying a Dell computer is equivalent to dropping the soap in a prison shower.
  5. Re:Stupid question.. by Clover_Kicker · · Score: 3, Informative

    >What does this have to do with BSD, as opposed to
    >other Unixen?

    OpenSSH was written by folks who also work on OpenBSD.

    Of course, OpenSSH runs on many different *nix flavours.

  6. MD5 is just a hash... by Goonie · · Score: 3, Informative
    It's not (in itself) cryptographically signed.

    You could either GPG sign the MD5 hash of the tarball, or GPG sign the tarball itself to guarantee that the tarball was signed off by the appropriate person.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:MD5 is just a hash... by wirelessbuzzers · · Score: 5, Informative

      They do have a GPG detached sig. The portable version is signed by Damien Miller (and verified, and it matches the MD5), for example. But, on the other hand, Damien miller's key has no sigs on it, so there's no reason for us to believe that it really belongs to him...

      So, in the end, you're just going to have to trust that *somebody* isn't out to get you, unless you want to run through the source code line-by-line... ...Or, you can download it now, wait a few days (faster than examining the source), and see if they post "OpenSSL trojaned!!" to the front page of Slashdot, then install it. Take your pick.

      --
      I hereby place the above post in the public domain.
  7. No holes this time.. just minor fixes and upgrades by StupidKatz · · Score: 3, Informative

    There are numerous "fixes" which strengthen openssh in general, but there's no security hole mentioned. Looks like this is just something to do during the next weekend! That is, after everyone ELSE puts it on their production servers, heh heh.

  8. Re:My one bugbear by Big+Jason · · Score: 3, Informative

    You might want to check out scponly.

    Be aware of the colour scheme on that site though, it's hard on the eyes.

  9. Re:Where is the public key to check the sig? by wirelessbuzzers · · Score: 2, Informative

    If you are referring to Damien Miller's public key, you can get it off the keyservers. Or, you can get it right here:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: PGP 8.0 (Build 288) Beta

    mQGiBDqa5pwRBADJSEyXXsgXiyytN93prDPTPmrueRP9lQQf ga QvCvqK0bN0AF1Z
    Vxxk9wlSXQp3+Qw5+qqsN5ovzsn39r9pqG slfCqQn9ACTmsn42 +VCyW4hdwUGSBS
    5myh65ZJTK1ufWCZFssxQ0EiALagu4DlH6 Z2O7tFDnJNagF55v lnK0uMQwCg/8RU
    QYDmisEHjkarAapPaupxjhkD/j9riCVasW PYJwAuhiQWAKxGRw p/ZyTaWCSERUBR
    4Dg9QxpuwHKIT8BeDA3hJa/9Yxu5jec2NV KbtVSZvRkgUfRNOk rcH2eiY8Iz6est
    J64dGWuGMKQW0GEqW+OXpRTTPJZ0mgPmU1 6qDzLPdx6F3BAk2L G+TTwlKUPuGqOt
    6u2EA/4+1CBYZ8mXq9GJnLRBPAoYwSJJzb QnMm9Jat/yg9N6ni gSIiFyG8ixh167
    gGGKfzvpjY7DeJzDI0Cub+tRova8gFg+T1 5AcPMST5v7v6O/ug 9aYWERZ0zjUhRH
    ybtYLYhUUbdYM29PwGBNfZhGIOYwfFE9Up PS5LeXHs28oVLlH7 QuRGFtaWVuIE1p
    bGxlciAoUGVyc29uYWwgS2V5KSA8ZGptQG 1pbmRyb3Qub3JnPo hXBBMRAgAXBQI6
    muacBQsHCgMEAxUDAgMWAgECF4AACgkQzo 7LA4b/nEiDMgCZAU zKq241h5GTJxC0
    guS6ht9i9ZsAoL/oXCmFsofARehZF6AakI dasvS9uQINBDqa5t QQCADz/XnCcyle
    9hmxgyntr35ZQJKx9g6ftBw178JSwM3O7J NOGp398Eh4Q9rkEp 5NH1qVecG953Fu
    edT9IAXqr8pjp5tdqMYCcaKy+aJ0Sw1zVD 2VOY3h7SyfU25pcY iHEa1grfKPVoWm
    53IwWGVVtquF5dimAe75+D0aXyVCOv0Ez9 wgJR6H69lp4/cD2G yNaGarwY9HLvHF
    vXONY2qm/GV5OjyOUO41gmQ4pyXQh+gocF FHrM0AzveIswgNpJ 0xNWXX8iXGsr3Y
    Cvqm7JoIU9JKxDV+96bxDLfTdKpoLYKb68 WdtmAylsio5+iZfW tdOb/Xpk2Yx5Ld
    ady9/+n3m6cvAAURCACrvoVSbd0MR0FWX+ bBZ0NjScNBo3kPSS CnQ6jRHokkz55r
    +MHe7dqxCJ3pmu7aROl2fgug6wob+7+qXf Kke/TdT6wuCb4CdF S6tPgPrfYV+iwq
    2NB/BatePGg7Z6UALaULQ0m83DCEVLJNnj emEdIouShelikAAO 7QDKMr7vAjH8n0
    zwMpwRMXnvCM6zYlS9i1kOm8LVATk0Wyih pQGSaTukdPjKlG7s KwMu20ssK9DGVp
    PgulTZ7rHqXl4juY8LQ2j4dPNaPoKWG8Ju BVCsyf2D6GNW97Pf KQSkzFeZsbVB4S
    RQrVTchgBSYoxRVW3fLk/yc3TC5Abh6Gpj 4izawUiEYEGBECAA YFAjqa5tQACgkQ
    zo7LA4b/nEgftgCdHIZUDVAWDRa5siSi8A os+IiyAgAAn02wGO l1Wo/YJ+RY+c6K
    N58TmAPE
    =rCFY
    -----END PGP PUBLIC KEY BLOCK-----

    --
    I hereby place the above post in the public domain.
  10. Re:Debian by crimsun · · Score: 4, Informative

    There's a fair amount of testing that takes place before the packages are updated. I wouldn't count on 3.5pX going into Sid for a while yet. The more critical fixes might be backported against 1:3.4p1-4, etc.

  11. Re:RSA by Permission+Denied · · Score: 5, Informative
    print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",
    )]}\EsMsK sN0[lN*1lK[d2%Sa2/d0

    NO CARRIER

    You again. Excellent troll, but you need to choose a different motif for your nicks.

    For the uninitiated: that is not perl. It is line noise with some perl operators, bundled into a cleverly-masked troll. This guy is an old sport at this, previously using the name "PhysicsGenius". Check his (short) user history, and this guy's posting history. I simply cannot believe that moderators would be so idiotic as to mod this stuff up, so my conjecture is that he has two accounts: one to troll, and another serious account with mod points. It may be interesting to correlate average time between mod points to his posting history.

    Relevant anecdote: the original OpenSSH sources had an "RSA in six lines of perl" in a comment of one of the source files. Theo removed that in some version. A little too much angst there, if you ask me - this stuff is supposed to be fun.

  12. Re:Where is the public key to check the sig? by mmca · · Score: 4, Informative

    I agree. Look for djm@mindrot.org on your favorite keyserver. (I like the one below)

    http://pgp.mit.edu:11371/pks/lookup?op=get&searc h= 0x86FF9C48

    M

  13. Re:My one bugbear by Phibz · · Score: 4, Informative
    I've used the scp-wrapper perl script and it works excellently. I add a dsa key for the client and in the key in authorized_keys i add command="/usr/sbin/scp-wrapper" ......

    Basically what the script does is clean the environment. The requested command is stored in SSH_ORIGINAL_COMMAND environmental variable. Its checked to make sure it is in fact the command you intend. The options are then checked. Finally the script exec()'s the hardcoded path to the command with arguments supplied.

    Although it comes written for scp i've used it for securing an account so they can't log in, and they can only execute one or two commands of my choosing.

    from what i understand sftp just exec's /usr/libexec/sftp-server. i don't see why you couldn't alter the script to only allow that command.

    also you'll want to make sure the client's ~/.bash_profile, ~/.profile, etc.--all its login scripts--are empty and owned by root so that they don't upload their own "special" login script and undo all your work.

    scp-wrapper can be found here

    Phibz

  14. Re:Slow Down by dmiller · · Score: 5, Informative

    Firstly, do you patch all local privilege escalation vulnerabilities as quickly as you patch remote vulnerabilities? I know I don't.

    Please RTFM: An attacker breaking privsep will find themselves in an empty chroot jail with a unique, non-priviliged UID & GID. Leveraging such an attack to even read local files would be very difficult.

    Your points about a broken privsep being used to stage network-based attacks are valid.