Slashdot Mirror


OpenSSH 4.0 & Portable OpenSSH 4.0p1 Released

UnderScan writes "As seen on openssh-unix-announce: 'OpenSSH 4.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.' See the changelog or the freshmeat.net changes summary for more details."

24 of 73 comments

  1. FreeBSD by numbski · · Score: 2, Informative

    Hasn't hit ports. :\

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:FreeBSD by robbkidd · · Score: 3, Funny

      What makes you think that there should be a port available on Freshports.org at the same time as the release of OpenSSH?

      The new hacker/cracker challenge: zero day ports!

    2. Re:FreeBSD by ignorant_newbie · · Score: 2, Insightful

      > The new hacker/cracker challenge: zero day ports!

      well, given where most of the good ports come from these days, the quickest route is to just install OpenBSD

    3. Re:FreeBSD by setagllib · · Score: 2, Insightful

      That's the point of the portable copies: and they do get tested. If there's one thing we can trust OpenBSD for it's releasing solid software, even if not always in the kernel (at least from what I've heard).

      --
      Sam ty sig.
  2. Donations by Noksagt · · Score: 4, Informative
    > We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.

    You can also do what I plan to do: donate surplus hardware to OpenBSD, which runs the project. OpenBSD accepts other donations too: checks, credit cards, paypal.
  3. Grrr.... by stevew · · Score: 2, Interesting

    I just updated to something like 3.95pl1 last weekend.

    Now I get to do it again....

    There sure is a lot to timing isn't there.

    --
    Have you compiled your kernel today??
    1. Re:Grrr.... by pizza_milkshake · · Score: 3, Funny

      you're right, the developers should slow down to a rate that's comfortable for you... when would you like v5?

  4. MD5 Incorrect by Nimrangul · · Score: 3, Informative
    Damien Miller: I botched the MD5 sum for the portable tarball in the release announcement. The correct one is:

    MD5 (openssh-4.0p1.tar.gz) = 7b36f28fc16e1b7f4ba3c1dca191ac92

    Source: http://www.undeadly.org/cgi?action=article&sid=20050309172736

    --
    I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
    1. Re:MD5 Incorrect by CableModemSniper · · Score: 5, Funny

      Arrrrg! No! How do I trust this MD5 now? OpenSSH 4 has been compromised! Arrrrg! *Runs around in tin foil hat banging into walls*

      --
      Why not fork?
    2. Re:MD5 Incorrect by Tuck · · Score: 2, Informative
      The online release notes have the corrected md5sums.

      FWIW I verified that the uploaded files are in fact correct.

      --
      $ find /pub -beer "James Squire Amber Ale" -drink
  5. Re:Major/Minor oddity by superpulpsicle · · Score: 2, Insightful

    To my understanding OpenSSH is still the same 2.0 protocol. Not like a new 4.0 protocol. Correct me if I am mistaken....

  6. Any news on chroot support? by RT+Alec · · Score: 3, Interesting

    One feature I have been waiting for is the ability to chroot my users when they log in, even if just for file transfers. This would ensure that users would not be able to wander the entire directory tree of the server. I have had some success (on FreeBSD) with creating a single jail for all client logins, and then applying some clever directory permissions for the higher directories (usually o-x for directories). There was a commercial version of SSH that had a chroot feature, but I would prefer to stick with OpenSSH. IMHO, this is the one area that FTP outdoes SFTP (but not enough for me to dumb my security down and allow FTP!!).

    Any other ideas?

    1. Re:Any news on chroot support? by agent+dero · · Score: 5, Funny
      my personal policy is not to let anybody on my machines that I don't know personally.

      that way, when somebody messes something up or does something nasty, i'll know about them and promptly punch them in the face

      %cat /etc/motd
      FreeBSD 5.3-STABLE (BRIDGING) #3: Thu Feb 10 11:13:42 UTC 2005

      Welcome to FreeBSD!

      FreeBSD interactive server, do something nasty, and I will punch you in the face.
      --
      Error 407 - No creative sig found
    2. Re:Any news on chroot support? by GoRK · · Score: 4, Informative

      As I'm sure you know, chroot is not necessarily a simple feature due to the fact that you need a full environment to use commands (which aside from forwarding ports is the only thing ssh actually lets you do -- even sftp has a "server" command that gets run by the sftp client), so you can't just automatically have sshd know what library files and binaries are necessary for a user to have certain access.

      What you ought to do instead is set up your users with ssh using rssh as a shell. rssh can give you a restricted environment without necessarily having to chroot (if you trust rssh, anyway), but if you really want to deal with the setup and maintenance overhead of a real chroot environment for a shell, rssh can do that too -- every user can have their own jail or they can share a jail and you can use permissions to restrict them.

      I can't understand if this is your intent or you'd like sshd to run in a jail -- if that is the case, it's definitely not a simple 'switch it on' feature either. The same rules apply except that your user accounts will be further restricted to the root that sshd is running in. For the ultra paranoid you could jail sshd in /home, say, and then jail each user account in /home/user/ with only access to sash, busybox or some similar statically compiled multi-command utility.

      Remember, use hardlinks on all your bins and libs in your chroot jails otherwise you'll forget to update the files!
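
An audit for the hard-link advice in the comment above, added here as an example and not part of any poster's comment or of rssh/OpenSSH: it reports jail files that are separate copies rather than hard links to the system file, which also catches an update that replaced the system file with a new inode. The function name `audit_jail` and its two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: audit a chroot jail for files that are NOT hard links
# to their system counterparts. Both directories are supplied by the caller.
#
# audit_jail SYSROOT JAIL
# Prints "<state><TAB><relative path>" for every regular file under JAIL:
#   linked - same inode as SYSROOT/<path>; in-place changes reach the jail
#   copy   - separate inode, identical bytes today; will drift on update
#   stale  - separate inode and the content already differs
#   orphan - no corresponding file under SYSROOT
# Returns 0 only if every file is "linked". File names containing
# newlines are not handled.
audit_jail() {
    sysroot=${1%/}
    jail=${2%/}
    rc=0
    # Write the file list to a temp file so the loop runs in this shell;
    # a pipeline would run it in a subshell and lose rc.
    list=$(mktemp) || return 2
    find "$jail" -type f -print > "$list"
    while IFS= read -r f; do
        rel=${f#"$jail"/}
        sys="$sysroot/$rel"
        if [ ! -e "$sys" ]; then
            state=orphan
        elif [ "$f" -ef "$sys" ]; then      # same device and inode
            state=linked
        elif cmp -s "$f" "$sys"; then       # byte-identical copy
            state=copy
        else
            state=stale
        fi
        [ "$state" = linked ] || rc=1
        printf '%s\t%s\n' "$state" "$rel"
    done < "$list"
    rm -f "$list"
    return $rc
}

# Stand-alone use: sh audit_jail.sh SYSROOT JAIL
if [ "$#" -eq 2 ]; then
    audit_jail "$1" "$2"
fi
```

Hard links cannot cross filesystems, so the jail and the system files must live on the same one for the `linked` state to be reachable.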

    3. Re:Any news on chroot support? by archen · · Score: 3, Informative

      I use rssh on all of my servers, and it works quite well. Nowadays with rsync support I am one happy camper. BUT:

      No support for FreeBSD 4x (no wordexp() function)
      FreeBSD 5.2.x Functional, but due to a typo in wordexp.h you have to correct a line in the system header file to get it to compile - works fine after that.

      Also the guy who came up with rssh has pretty much abandoned the project for his own reasons. One of the Gentoo people discovered a vulnerability which was fixed and eventually made its way back to the ports tree, but I'm not sure how well maintained such a port will be concerning security - although it's supposed to be pretty good code and considered feature complete.

    4. Re:Any news on chroot support? by llin · · Score: 2, Informative

      An application I've used which does what you want is called scponly.

      Features include chrooting to home directory, and full sftp, unison, and optional rsync compatibility.

  7. I think I speak for everyone when I request: by mscnln · · Score: 4, Insightful

    Tab completion in sftp!

    I don't use sftp nearly as much as I would if I could actually navigate and download files with any efficiency instead of copying and pasting...

    This is 2005, come on.

  8. Re:Major/Minor oddity by ArbitraryConstant · · Score: 2, Insightful

    "Does anyone else find it a bit odd that 4.0p1 is listed as Minor Feature Enhancements, yet it gets a whole-digit version bump?"

    The last release was 3.9. They simply rolled over to a new major number. Also, I think it's justified. Connection multiplexing was introduced in 3.9, but now it's had the major bugs fixed and so might be considered "stable". It's a big feature.

    --
    I rarely criticize things I don't care about.
  9. Not front page material? by MetalliQaZ · · Score: 5, Insightful

    A new release of Gnome got the front page, but a new release of OpenSSH doesn't? Someone's priorities are out of whack.

    -d

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    1. Re:Not front page material? by Anonymous Coward · · Score: 3, Insightful

      I was thinking the same thing. OpenSSH is one of the most widely used open source applications but on Slashdot it's a minor footnote when a major release is announced. Hmm...could it be because it's a BSD related project and not Linux? It wouldn't be the first and I'm sure it won't be the last time.

  10. Re:Major/Minor oddity by Tuck · · Score: 5, Informative

    It got a whole-digit bump because we ran out of minor digits and don't want double-digit minor version numbers (or hex :-).

    --
    $ find /pub -beer "James Squire Amber Ale" -drink
  11. Re:Fixed sized buffers? by Tuck · · Score: 2, Informative

    That would be hpn-ssh. No, it's not in 4.0. Will it be included in future releases? Maybe, it needs to be looked at more closely.

    --
    $ find /pub -beer "James Squire Amber Ale" -drink
  12. Any idea on these login pauses? by bconway · · Score: 2

    I have OpenSSH 4.0p1 running on a variety of OSes, all built against OpenSSL 0.9.7e. They're all built with a standard ./configure and no other options, and just X11 forwarding in the ssh_config file. Whenever I connect to a system followed by another system, regardless of the SSH server version running, after I put in a password, it pauses for a full 5 seconds every time with the following (from ssh -vv):

    debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-PZhTm22307/xauthfile generate unix:10.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
    (pause 5+ seconds here)
    debug2: x11_get_proto: /usr/X11R6/bin/xauth list unix:10.0 . 2>/dev/null

    This doesn't happen on any system that I'm logged in to locally and initiate a connection, but if I jump from one machine to another with X11 forwarding turned on, the second machine is always doing this 5-second pause. This is most easily reproducible if I SSH to localhost twice in a row (one connection within another).

    --
    Interested in open source engine management for your Subaru?
  13. configure and cross-compile by statemachine · · Score: 3, Informative

    Does ./configure handle cross-compile situations correctly yet?

    For example, I want to build OpenSSH on an i386 Linux for an embedded MIPS Linux. Configure will detect that it is cross-compiling, but will still insist on performing its compile-and-run tests, either by erroring when it tries to run the MIPS binary on i386, or by saying it won't proceed any further because I'm cross-compiling which means it can't do its ... test.

    I had to tediously hand-edit the configure script to shut off those errors (I lost count of how many instances) -- after which everything worked fine. But with each new release, I will need to edit that script again, which I don't enjoy.