OpenSSH 4.2 released

BSDForums writes "OpenSSH 4.2 has been released. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Changes since OpenSSH 4.1 include security bug fixes relating to GatewayPorts, and GSSAPI, which eliminates the risk of credentials being inadvertently exposed to an untrusted user/host. A new compression method, proactive changes for signed vs. unsigned integer bugs, and many additional bugfixes and improvements highlight this release."

Increased default key size.

[CyricZ]

From the changelog:
"- Increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits."

It's good to see that the default size of the keys had been increased. It's only a matter of time before modern systems (or clusters of modern systems) are capable of defeating even 1024 bit keys routinely. This proactive doubling of the default keysize is sure to increase the overall security for OpenSSH users for some time.

Longer passwords on UnixWare?

[CyricZ]

From the changelog:
- Portable OpenSSH: Added support for long passwords (> 8-char) on UnixWare 7.

I'm surprised that it has taken them this long to add support for long passwords to UnixWare 7. UnixWare 7 is a modern UNIX by all means, considering it is still being updated frequently. Can anybody shed some light as to why it took so long for this fairly rudimentary support to be added to the portable version of OpenSSH?

Simple hack: sleep(10)

[HermanAB]

I simply added a sleep(10); to the file auth-passwd.c and recompiled.

int
auth_password(Authctxt *authctxt, const char *password)
{
        struct passwd * pw = authctxt->pw;
        int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
        static int expire_checked = 0;
#endif /* Password authentication delay */
                sleep(10);

That slows all password authentication attempts down enormously. ./configure --prefix=/usr --sysconfdir=/etc/ssh
make
make install
service sshd restart

La Voila!

Re:Why you shouldn't use OpenSSH

[muonzoo]

Honestly, I've known Theo for over 15 years. That's longer that almost everyone else who has an opinon here.

That said, Theo is outspoken, loud, somewhat obnoxious and sometimes very hard to deal with. None of that affects the quality of his work. It certainly affects the quality of interaction you might have with Theo, or the perception you might have around his projects.

I certainly would not conduct my personal affairs with the same aplomb as Theo, nor would I piss in my own Corn Flakes quite like Theo can. This aside, Theo is an intelligent, smart individual and those who choose to draw from him that which is valuable will recognize that his different viewpoints, although sometimes objectionable, are just that : different viewpoints.

Sometimes, in the realm of the übergeek, it is difficult to remember that the goal is to produce the best software possible for the consuption and use of others.

I would never, (I repeat: NEVER), conduct my social affairs in the same fashion as Theo, however, I would be a happy man to be able to hang my hat on the solid line of quality software that he and his cadre of loosely joined pieces have brought us all.

I have partied with de Raadt, I have climbed, caved and even swooned over the same ladies. None of this matters. In the end, love Theo or hate him, he has contributed much to the OSS world and much to the security realm.

I may not choose to give him a grant allocation or hire him for my firm, however, Theo is Theo and at least he holds a consistent standard for himself and those who contribute to the projects he administrates. For this we can all be thankful. Interity is an essential element of honor; if you do not agree with how Theo condicts his affaris; so be it, but I think Theo makes the effort to conduct his own affairs within his own code of honor. Even if this code is incompatible with my own (and it appears to be) I have to respect that.