Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH 3.5 Released

Posted by timothy on from the vavavoom dept.

Dan writes "Markus Friedl announces that OpenSSH 3.5 has just been released with notable updates since 3.4. It will be available from the mirrors listed at http://www.openssh.com/ shortly. Enhancements include bug fixes, improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling), RSA blinding in order to avoid timing attacks against the RSA host key and much more. Congratulations are in order for the OpenSSH team's hard work and efforts."

17 of 140 comments (clear)

  1. Check those MD5s! by egg+troll · · Score: 5, Informative

    Remember to check the MD5s of those downloads this time around!

    --

    C - A language that combines the speed of assembly with the ease of use of assembly.
    1. Re:Check those MD5s! by archen · · Score: 5, Funny

      easy, you check the md5 of the md5.

  2. Slow Down by Anonymous Coward · · Score: 4, Insightful

    If you do not have concerns with running the latest 3.4, do yourself a favor and let the 3.5 release wait for a few days. OpenSSH has actually become one of those apps I worry about now, joining the ranks of Sendmail and BIND. What a shame...when software designed solely for the purpose of increasing security cannot be trusted, what is left? Trust nothing I suppose.

    1. Re:Slow Down by erik+umenhofer · · Score: 4, Insightful

      It's not the software that having the security problem, it was a hacked server serving up the software and people not checking thier checksums. Don't blame the software when you didn't check your sum.

    2. Re:Slow Down by oh · · Score: 5, Insightful

      Because Privlidge Seperation is in there, even a serious bug will (now) only result in a compromise of a non-privlidged user account.

      That's enough to negate any concerns.


      I've heard this argument before, and I don't think it holds water.

      Firstly, do you patch all local privilege escalation vulnerabilities as quickly as you patch remote vulnerabilities? I know I don't.

      Even if there are no local vulnerabilities, they can still scan you system for useful information. They can then use you system to attack other systems from behind you firewall. Do you have a local firewall rule that disallows all outbound connections?

      We had a presentation from a (proxy) firewall vendor that used a hardened OS. They were very proud that each proxy ran in its own little sand-box. The mail outside mail daemon could only access port 25 on the outside NIC, and could only pass email to the inside daemon via a shared spool directory. Their OS prevented any other access from that process.

      Whenever we asked about a specific version of a daemon, they would refer to this sand-boxing and tell us that it wouldn't matter if a particular proxy was hacked out, there was no way the hacker could break through the firewall.

      The company I worked for ran one of the largest (top 10, maybe top 5) web sites in our country. There would have been maybe a dozen other websites with similar bandwidth, and maybe the same number of ISPs. We had to sit down an carefully explain to these sales people that even if the hacked proxy could only access one port on the outside NIC of the firewall, it could DOS almost any other site in the country.

      They left that presentation with worried looks on their faces, and promised to get back to us with the version numbers we were asking for.

      Moral of the story: Any malicious use of you systems is a bad thing. "Privilege Separation" may stop them from rooting the box running OpenSSH, but a malicious hacker could still do a lot of damage.

      --
      Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
    3. Re:Slow Down by dmiller · · Score: 5, Informative

      Firstly, do you patch all local privilege escalation vulnerabilities as quickly as you patch remote vulnerabilities? I know I don't.

      Please RTFM: An attacker breaking privsep will find themselves in an empty chroot jail with a unique, non-priviliged UID & GID. Leveraging such an attack to even read local files would be very difficult.

      Your points about a broken privsep being used to stage network-based attacks are valid.

  3. My one bugbear by muzzmac · · Score: 5, Interesting

    Have they put in provisions to separate the SFTP and interactive shell or command execution protocols?

    Last time I tried to play with SFTP I could not get an external company to have SFTP access without a lot of shell level mucking around to stop them having access to log in via shells or rlogin style features.

    And yes I'm lazy, yes I should ask the question in the correct forum and yes I should probably contribute to the project but I am, I couldn't be bothered finding it again and I would be useless to them.

    Anyway congratulations and thinkyou for what is other than my stupid whinge a great product. (Opensource or otherwise)

    1. Re:My one bugbear by Phibz · · Score: 4, Informative
      I've used the scp-wrapper perl script and it works excellently. I add a dsa key for the client and in the key in authorized_keys i add command="/usr/sbin/scp-wrapper" ......

      Basically what the script does is clean the environment. The requested command is stored in SSH_ORIGINAL_COMMAND environmental variable. Its checked to make sure it is in fact the command you intend. The options are then checked. Finally the script exec()'s the hardcoded path to the command with arguments supplied.

      Although it comes written for scp i've used it for securing an account so they can't log in, and they can only execute one or two commands of my choosing.

      from what i understand sftp just exec's /usr/libexec/sftp-server. i don't see why you couldn't alter the script to only allow that command.

      also you'll want to make sure the client's ~/.bash_profile, ~/.profile, etc.--all its login scripts--are empty and owned by root so that they don't upload their own "special" login script and undo all your work.

      scp-wrapper can be found here

      Phibz

  4. Re:Stupid question.. by Kwikymart · · Score: 5, Informative

    The same people that make OpenBSD make OpenSSH?

    Whenever some story about, say KDE, pops up everyone is like "this is the best thing for Linux since sliced bread". Reality check: not all people run KDE run it on Linux. I think the BSD people should be entitled to the same "This is what we do for everyone!" type of recognition as everyone else.

    --

    Buying a Dell computer is equivalent to dropping the soap in a prison shower.
  5. Why I Switched to OpenSSH by Anonymous Coward · · Score: 5, Funny

    OpenSSH gives me the flexibilty and versatility that I demand in mobile computing. As a professional freelance writer, I rely on OpenSSH to customize itself to the way I work to get my job done.

    Before I was using F-Secure SSH, and I always had problems with technical things my poor brain can't comprehend. Now I just tar zxvf openssh.tgz; ./configure; make; sudo make install and generate my public and private keys. It's so easy! OpenSSH gives me more power for less dough -- Girl Scout's honor!

    OpenSSH. It's about more and better.

  6. Re:MD5 is just a hash... by wirelessbuzzers · · Score: 5, Informative

    They do have a GPG detached sig. The portable version is signed by Damien Miller (and verified, and it matches the MD5), for example. But, on the other hand, Damien miller's key has no sigs on it, so there's no reason for us to believe that it really belongs to him...

    So, in the end, you're just going to have to trust that *somebody* isn't out to get you, unless you want to run through the source code line-by-line... ...Or, you can download it now, wait a few days (faster than examining the source), and see if they post "OpenSSL trojaned!!" to the front page of Slashdot, then install it. Take your pick.

    --
    I hereby place the above post in the public domain.
  7. Re:Debian by crimsun · · Score: 4, Informative

    There's a fair amount of testing that takes place before the packages are updated. I wouldn't count on 3.5pX going into Sid for a while yet. The more critical fixes might be backported against 1:3.4p1-4, etc.

  8. Re:Wish list item by joe_bruin · · Score: 4, Funny

    your wish is granted. say you got the first half of pr0n.tar.bz2:

    $ ssh remotehost -c "tail --bytes=\`ls -l | awk '/pr0n.tar.bz2/ { print $5; }' - `ls -l | awk '/pr0n.tar.bz2/ { print $5; }'` | bc\`" > pr0n.tar.bz2

    now, you're smart enough to turn this into a shell script, right? there's a reason openbsd doesn't ship with a "watch" script.

    note that there is probably an error in that commandline since i never tested it. go ahead, post it.

  9. Sigh by starseeker · · Score: 5, Insightful

    I see some highly moderated comments that are saying that ssh is no longer to be trusted, and what's left now?

    My contention is that there NEVER WAS any software as secure as these people seem to have though ssh was, and there never will be. It's just too complex a game, and there are people who seem to live on nothing but attacking systems. Given that combination, there will be weaknesses found, as long as humans are a part of the development equation.

    The situation has been improperly defined by the assumptions we've apparently made. Don't expect UNCRACKABLE software - that's just silly. What we have seen with openssh/openssl is exactly what we should be seeing - inevitable problems being openly discussed and fixed quickly. What if someone were to put a trojaned MS update onto one of Microsoft's servers? Would we even know for months? This kind of crap happens. It's part of the cost and reality of using computers.

    Take the rash of reports of vulnerability as a GOOD thing - it's better to know and fix, than wait for a black hat to find it. Of course we try to code and design to avoid weeknesses, but the reality is that life doesn't work like that, and we need to be ready to handle the problems that crop up. Whether or not this is an indication of a design flaw in ssh doesn't really matter either - that can also be fixed. That's what ongoing development is all about.

    So don't diss SSH too much. Constructive discussion only, please. Remember, it's free, it helps, and it's only getting better. If you don't think it's good enough, help them! You can, you know - open source at it's best.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  10. Re:RSA by Permission+Denied · · Score: 5, Informative
    print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",
    )]}\EsMsK sN0[lN*1lK[d2%Sa2/d0

    NO CARRIER

    You again. Excellent troll, but you need to choose a different motif for your nicks.

    For the uninitiated: that is not perl. It is line noise with some perl operators, bundled into a cleverly-masked troll. This guy is an old sport at this, previously using the name "PhysicsGenius". Check his (short) user history, and this guy's posting history. I simply cannot believe that moderators would be so idiotic as to mod this stuff up, so my conjecture is that he has two accounts: one to troll, and another serious account with mod points. It may be interesting to correlate average time between mod points to his posting history.

    Relevant anecdote: the original OpenSSH sources had an "RSA in six lines of perl" in a comment of one of the source files. Theo removed that in some version. A little too much angst there, if you ask me - this stuff is supposed to be fun.

  11. Re:Wait a while... by evilviper · · Score: 4, Insightful

    That is the most ridiculous philosophy...

    The S/Key exploit wasn't discovered until about 4 releases later. If a piece of software is exploitable, there's no magic formula that will result in you getting it after all the bugs have been fixed.

    It makes some sense for Windows, since everything is secret until a release, and is thrown upon the world in an instant, getting spread far and wide to different enwironments. So, bugs are found, but still doesn't help in the security department.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  12. Re:Where is the public key to check the sig? by mmca · · Score: 4, Informative

    I agree. Look for djm@mindrot.org on your favorite keyserver. (I like the one below)

    http://pgp.mit.edu:11371/pks/lookup?op=get&searc h= 0x86FF9C48

    M