OpenSSH 3.5 Released
Dan writes "Markus Friedl announces that OpenSSH 3.5 has just been released with notable updates since 3.4. It will be available from the mirrors listed at http://www.openssh.com/ shortly. Enhancements include bug fixes, improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling), RSA blinding in order to avoid timing attacks against the RSA host key and much more. Congratulations are in order for the OpenSSH team's hard work and efforts."
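As an added example (not part of the announcement and not OpenSSH's own code), the toy RSA private-key operation below shows what the blinding item in the summary does: the private exponent is applied to c * r^e for a fresh random r, so the value an attacker chose is not the one being exponentiated, and multiplying by r^-1 afterwards removes the factor. The key parameters are constructed and far too small for real use.

```python
# Added illustration of RSA blinding (textbook RSA, no padding, toy primes).
# Blinding multiplies the input by r^e for a fresh random r before the
# private exponentiation, so the running time of that exponentiation no
# longer depends directly on an attacker-chosen ciphertext or digest.
import secrets
from math import gcd

# Constructed toy parameters: far too small for real use.
P, Q = 61, 53
N = P * Q                 # 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17
D = pow(E, -1, PHI)       # 2753, modular inverse (Python 3.8+)


def encrypt(m: int, e: int = E, n: int = N) -> int:
    """Public operation: m^e mod n."""
    return pow(m, e, n)


def private_op_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Plain c^d mod n. Its timing is a function of the caller's c."""
    return pow(c, d, n)


def private_op_blinded(c: int, d: int = D, n: int = N, e: int = E) -> int:
    """Same result as private_op_unblinded, computed on a blinded value.

    (c * r^e)^d = c^d * r^(e*d) = c^d * r  (mod n), because e*d = 1 mod phi
    and r is invertible mod n; multiplying by r^-1 leaves c^d.
    """
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:      # r must be invertible mod n
            break
    blinded = (c * pow(r, e, n)) % n      # attacker does not know this value
    m_blinded = pow(blinded, d, n)        # secret exponent applied here
    return (m_blinded * pow(r, -1, n)) % n


def blinding_is_transparent(step: int = 97) -> bool:
    """Check over many messages that both paths agree and round-trip."""
    for m in range(0, N, step):
        c = encrypt(m)
        if private_op_unblinded(c) != m or private_op_blinded(c) != m:
            return False
    return True


if __name__ == "__main__":
    print(encrypt(65), private_op_blinded(encrypt(65)), blinding_is_transparent())
```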
Go eat pie.
Pie's good.
I'm wasting time.
Must submit!
so when will apple roll it into os x?
now with 3.5 times MORE security holes!
...that folks won't find a buffer-overflow exploit tomorrow!
FP!
Remember to check the MD5s of those downloads this time around!
C - A language that combines the speed of assembly with the ease of use of assembly.
At least one major security vulnerability exists in many deployed OpenSSH versions (2.3.1 to 3.3). Please see the ISS advisory, or our own OpenSSH advisory on this topic where simple patches are provided for the pre-authentication problem.
I'm a dedicated Debian user; does anyone know the usual lag in getting a new version of OpenSSH into the mirrors (I'm guessing it would go into testing or unstable)?
there is more information regarding the release (such as special comments from the author) here
I'm sorry for all the caps in the title, but don't click that link! That's the worst thing I've ever seen.
Wait a while to see if any errors/security holes pop up. THEN go out and download it. Chances are you've already patched the version you have. Don't replace it with the new one until you're sure that's a good thing. It'll just save you a lot of extra work.
Find a job you like and you will never work a day in your life.
If you do not have concerns with running the latest 3.4, do yourself a favor and let the 3.5 release wait for a few days. OpenSSH has actually become one of those apps I worry about now, joining the ranks of Sendmail and BIND. What a shame...when software designed solely for the purpose of increasing security cannot be trusted, what is left? Trust nothing I suppose.
With modern computers and government spy networks like Echelon, there is no reason that we shouldn't use OpenSSH as our default shell, as it is free as in speech and as in beer, yet provides excellent security.
OpenBSD leads the way once again.
"Congratulations are in order for the OpenSSH team's hard work and efforts."
Yeah, we congratulate them by slashdotting their main server before all the mirrors are updated. Great work Slashdot, it's not like this was a vuln fix, it's just a new release.. it can wait a few hours.
Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management - TheMaxx
Has anyone worked on an embedded port of OpenSSH, specifically the AMD / Alchemy au1500 MIPS core or ARM9?
Here's a blast from the past that I found in the Wayback Machine's archive of Slashdot. I'm not the original author but I thought it was wacky enough to be amusing.
Mods: please put this at -1 so it is easier to find. Thanks for your support!
Reading this article, I wonder about the usefulness of this. I personally think that "improved support for Privilege Separation" is pretty pointless. I think that "improved support to petrify Natalie Portman" would be a more productive use of taxpayer dollars.
I'm completely Libertarian.
As a Libertarian, I'm opposed to using taxpayer money to fund scientific research. But as a sensible human being, logic demands that ANY PRICE necessary to turn Natalie Portman to stone MUST BE PAID. The taxpayers will understand that their money is being taken for a good cause.
Other than that, I'm completely Libertarian.
All taxation is evil and must be abolished, except for taxation used to fund research into transforming actress Natalie Portman into a nude marble statue. People should be required to pay 40% of their income towards this goal.
Other than that, I'm completely Libertarian.
Well, I *DO* think everyone in the world is also entitled to receive, from society if they are unable to afford one, exactly one (1) nude petrified teenage girl. Not necessarily Ms. Portman, because there's only one of her, but SOME teenage girl.
Other than that, I'm completely Libertarian.
Of course, we don't have enough cute teenage girls in the world for everyone to have one. Therefore, I support the genetic engineering of teenage girls, and I support the citizenry being required to parent and raise these girls who, upon reaching the age of 17, will be turned over to the government for petrification.
Other than that, I'm completely Libertarian.
Those who are required to parent and raise these future statues will be given a 5% tax deduction. Those who are not required but volunteer will receive a 10% tax deduction.
Other than that, I'm completely Libertarian.
Some may say that cute teenage girls like Natalie Portman have the right not to be turned to stone. But I believe it's okay, because it's FOR THE GOOD OF SOCIETY.
Other than that, I'm completely Libertarian.
I also think European people have very bad attitudes and should be banned by law from society.
Other than that, I'm COMPLETELY Libertarian!
I hope you all eat feces and die. Every last one of you. When you've completed this task, you can try out the new OpenSSH 3.5 release and find out whether or not it is feces.
If it is, proceed to eat it and die. Thanks.
Have they put in provisions to separate the SFTP and interactive shell or command execution protocols?
Last time I tried to play with SFTP I could not get an external company to have SFTP access without a lot of shell level mucking around to stop them having access to log in via shells or rlogin style features.
And yes I'm lazy, yes I should ask the question in the correct forum and yes I should probably contribute to the project but I am, I couldn't be bothered finding it again and I would be useless to them.
Anyway, congratulations and thank you for what is, other than my stupid whinge, a great product. (Open source or otherwise)
That Linux trojan/virus writers have learned to aim at Linux sysadmins by taking control of very recent patches and adding trojan horses. Seems the best way to attack a Linux system is to try to interrupt the many vigilant admins as they faithfully download patches on the same day they're released... Windows trojans survive on the dearth of upgrades, not their spread...
Congratulations are in order for the OpenSSH team's hard work and efforts.
Do we really need this typical self-congratulating back-patting BSD attitude here ? (rhetorical question)
kthx
What does this have to do with BSD, as opposed to other Unixen?
--
If you moderate this, then your children will be next.
They told me BSD was dead!!!
You could either GPG sign the MD5 hash of the tarball, or GPG sign the tarball itself to guarantee that the tarball was signed off by the appropriate person.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
That OS is the biggest trojan horse if I ever saw one.
It's faster, has less bugs, better support ( trust me on this one ).
The OpenSSH group has screwed up too many times to be trusted. Not to mention they take most of the code and ideas from the commercial version anyway. I hope they get sued.
As you probably know, OpenSSH is largely reliant upon the mathematical superiority of RSA encryption techniques. The ability to work with secure shell environments on remote computers has been an absolute god-send since all of the holes in telnet implementations surfaced.
To make a long story short, a few fellow grad students and I spent a rainy Saturday morning working on the most simple implementation of RSA possible, and our end result is quite interesting to any budding math or computer science students. The best part is that it's written in Perl (hey, we needed the most powerful language!) and only requires a simple, widely-available arithmetic library.
The code:
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",
)]}\EsMs
K sN0[lN*1lK[d2%Sa2/d0
The beauty of expressing something that's so utterly complex through such a wonderfully simple and sexy solution (via Perl, even!) is what truly makes OpenSSH's use of RSA great.
Of course, be sure to stay on top of updates as the occasional security hole is unearthed -- no matter what system you're responsible, any administrator is a bad administrator if he or she doesn't read bug reports and security advisories and take the necessary precautions via standard upgrade cycles.
Happy shelling!
Department of Physics and Atmospheric Science, Dalhousie University, Halifax, N.S., Canada, B3H 3J5
I can't seem to find a link to openssh.com's public key. I'd like to putz about with this new version tonight, but I'm not putting it on any server until I can get its contents verified...
So... any ideas where it might be found?
There are numerous "fixes" which strengthen openssh in general, but there's no security hole mentioned. Looks like this is just something to do during the next weekend! That is, after everyone ELSE puts it on their production servers, heh heh.
OpenSSH gives me the flexibility and versatility that I demand in mobile computing. As a professional freelance writer, I rely on OpenSSH to customize itself to the way I work to get my job done.
./configure; make; sudo make install and generate my public and private keys. It's so easy! OpenSSH gives me more power for less dough -- Girl Scout's honor!
Before I was using F-Secure SSH, and I always had problems with technical things my poor brain can't comprehend. Now I just tar zxvf openssh.tgz;
OpenSSH. It's about more and better.
One stumbling block to major acceptance of ssh outside the admin community is the ability to resume downloads. I wish they would add this.
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
IMHO, if it ain't broke, don't fix it. If it's broke, test, test, test some more, then test the upgrade (and back-out) process, then roll it out. Wee!!! Change control.
It is official; Netcraft now confirms: *BSD is dying
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
No solution is perfect, but some additional peace of mind could be provided with not a lot of extra effort.
I see some highly moderated comments that are saying that ssh is no longer to be trusted, and what's left now?
My contention is that there NEVER WAS any software as secure as these people seem to have thought ssh was, and there never will be. It's just too complex a game, and there are people who seem to live on nothing but attacking systems. Given that combination, there will be weaknesses found, as long as humans are a part of the development equation.
The situation has been improperly defined by the assumptions we've apparently made. Don't expect UNCRACKABLE software - that's just silly. What we have seen with openssh/openssl is exactly what we should be seeing - inevitable problems being openly discussed and fixed quickly. What if someone were to put a trojaned MS update onto one of Microsoft's servers? Would we even know for months? This kind of crap happens. It's part of the cost and reality of using computers.
Take the rash of reports of vulnerability as a GOOD thing - it's better to know and fix than wait for a black hat to find it. Of course we try to code and design to avoid weaknesses, but the reality is that life doesn't work like that, and we need to be ready to handle the problems that crop up. Whether or not this is an indication of a design flaw in ssh doesn't really matter either - that can also be fixed. That's what ongoing development is all about.
So don't diss SSH too much. Constructive discussion only, please. Remember, it's free, it helps, and it's only getting better. If you don't think it's good enough, help them! You can, you know - open source at its best.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
Anyways, I think they scanned for OpenSSH because of the recent problems. It seems they release a new version every couple of weeks. There are bound to be bugs. Now, I tend to think that closed-source software probably has more latent bugs and there's just no way to know, but the perception is that constant change means instability and insecurity.
While it's possible they'll roll it in to 10.2.2, which is due in a few weeks, I find it unlikely. 10.2.3 would seem to be the earliest time reasonable if OpenSSH 3.5 turns out fine; but it's possible that Apple won't move at all from 3.4 unless there's a security flaw in 3.5, as feature wise, there doesn't seem to be a major incentive to upgrade like there was 3.1 to 3.4.
j00 sux0r t3h manham. cos it's cox0r-lix0ring good
Reading about teh OpenSshhhhit made me cum my pants and treh manham.
I'm running OpenSSH 3.4p1, any security fixes in 3.5p1?
"With Microsoft, you get Windows. With Linux, you get the full house" - unknown
I would like to see a version that creates key files that are compatible with PuTTY and SecureNetTerm. Right now, if I want to use SecNetTerm, I've got to create the key on the Linux box with ssh-keygen, copy it to my PC, load it into PuTTY to convert it, save it out, then move it over to SecNetTerm. Not only that, I couldn't find an easy HowTo that told me how to do this. It took several hours to figure this out.
I shouldn't have to be a guru just to use SSH.
I swear to God I'm not a newbie... I've been working with linux for a few years, and still learn something new every day. I tried to be a good boy and verify the gpg signature, but I couldn't figure out how to do it. Got a link for a how-to? Google doesn't turn up much of anything useful at openssh.com or gnupg.org.
I've got GPG installed, a private/public keypair created for myself, now what?
I only post comments when someone on the internet is wrong.
I'm sure I will be modded down for daring to flame the OpenBSD team, but anyway..
For an OS and other tools (OpenSSL, OpenSSH) which are supposedly thoroughly security audited, there have been a lot of vulnerabilities found, some even present in NEW code (as opposed to the original code that OpenSSH, for instance, was based upon).
It sure says a lot about the auditing skills of these people if blackhats have been able to find and exploit so many holes, which their supposed auditing missed.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!