OpenSSH 5.4 Released

HipToday writes "As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: 'Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new "netcat mode," many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.'"

  1. SFTP improvements by Ponga · · Score: 3, Informative

    FTFA:

    * Many improvements to the sftp(1) client, many of which were implemented by Carlos Silva through the Google Summer of Code program:...

    ... - Add recursive transfer support for get/put and on the commandline
    (Alas!!)

    Whole host of other improvements and bugfixes; give it a read if SSH is pertinent to your environment....

    1. Re:SFTP improvements by ig88b · · Score: 3, Funny

      I'm confused. You're excitedly sad about the sftp improvements?

    2. Re:SFTP improvements by Torrance · · Score: 2, Funny

      - Implement tab-completion of commands, local and remote filenames

      Well thank frak.

    3. Re:SFTP improvements by Sancho · · Score: 2, Interesting

      Doesn't that tab completion only work if your key is either not protected by a passphrase or cached by ssh-agent? Unfortunately, the policy where I work is that you cannot cache credentials like that, and they must be protected by a passphrase. The new features are actually good for me!

  2. Re:New, Problematic Protocol Introduced by Kjella · · Score: 2, Insightful

    Please do tell what the vital differences from version 1.4 (made in 2008) are, because I think you're trolling. It looks like all RFCs normally look; either you haven't read many and don't have a clue what you're talking about, or you are just trying to spread FUD.

    --
    Live today, because you never know what tomorrow brings
  3. Cygwin's package was updated, too by klui · · Score: 4, Interesting

    The read-only feature of sftp makes it almost a replacement for anonymous ftp. Too bad it appears to be a global setting.

    1. Re:Cygwin's package was updated, too by Sancho · · Score: 4, Interesting

      Could you not do this with a combination of Match User and ForceCommand directives? Something like:

      Match User anonymous
              # read-only mode (-R) is new in 5.4; with a chroot, sftp-server and the user's shell must exist inside it
              ForceCommand sftp-server -R
              # sshd refuses the login unless this path and every parent are root-owned and not group/world writable
              ChrootDirectory /home/anonymous

    2. Re:Cygwin's package was updated, too by Aladrin · · Score: 2, Insightful

      Just because it's public data doesn't mean you want anyone else to know what that particular user is doing.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    3. Re:Cygwin's package was updated, too by roman_mir · · Score: 4, Insightful

      Yes, you are missing the point.

      FTP is a fucking mess, I hate it, I wish I could kill it today everywhere. It is a disaster to manage with a firewall. The horrendous idea of using separate random ports for data connections vs control connections, the active/passive methods, it is pure evil.

      SFTP is not FTP over SSH, if you did not understand; it is a proper FTP that happens to run over a secured link.

    4. Re:Cygwin's package was updated, too by Sancho · · Score: 2, Interesting

      Arguably, running one less service would be nice. Also, OpenSSH's chrooting is pretty painless for sftp (though arguably, proper chrooting mostly precludes the need for read-only service--having your server read-only does add another layer of security.)

    5. Re:Cygwin's package was updated, too by klui · · Score: 2, Insightful

      I think I've just seen another incantation of ssh black magic (the other being command= in authorized_keys). Thanks for the insight.

    6. Re:Cygwin's package was updated, too by value_added · · Score: 3, Insightful

      I am running OpenBSD firewall ... I have the pf and ftp-proxy configured correctly (checked by someone who knows this by heart), still can't have the ftp working for the internal network. Gone through all configurations, docs, still don't have it working. Have to waste more time on this later, just because the users 'need' the ftp to download shit from other firm...

      Sorry, but the pf/ftp-proxy combination works as advertised. I'd suggest your configuration is wrong. Asserting that it doesn't work because "someone who knows this by heart" examined it is meaningless.

      Fix your configuration and stop complaining. Both pf and ftp-proxy can do detailed logging. If you understand FTP, and you examine the logged output, you'll quickly find the source of your errors and, by extension, the solution.

      Granted FTP is a creaky protocol, and while it's true that most people don't understand it (even those that claim they do), it's just as true that it ain't going anywhere. Maybe it's time to brush up on the RFCs?

    7. Re:Cygwin's package was updated, too by Sir_Lewk · · Score: 2, Insightful

      SFTP is not FTP over SSH ... it is a proper FTP

      I believe what he is saying is that FTP, in the classical sense, is not a properly done File Transfer Protocol. I'm inclined to agree.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  4. Re:New, Problematic Protocol Introduced by OttoM · · Score: 3, Informative

    No X.509 certificates are used. Please study the changes before you comment based on false assumptions. Also, the agent protocol has existed for quite a while now; it is not new.

  5. Thank you Open SSH devs by overlordofmu · · Score: 5, Informative

    I am reading this article and posting to it through an ssh tunnel using OpenSSH on a Gentoo Linux server at home and putty.exe on a work laptop running XP Pro at work.

    Firefox sees it as a SOCKS 5 proxy at localhost. The tricky part was setting the config key in Firefox called "network.proxy.socks_remote_dns" to true. (Navigate to about:config and filter for "proxy" to find this setting quickly). The corporate network admins use bogus DNS resolution as a firewall.

    I love you, OpenSSH devs. I sincerely thank you.

    1. Re:Thank you Open SSH devs by Sancho · · Score: 2, Informative

      Are you sure they're going through the proxy out of the box? My Firefox had that configuration knob set to "false" by default, and DNS queries are definitely hitting my company's DNS server.

      If I tune the knob to true, they go through the proxy.

      Both cases verified with tcpdump.

    2. Re:Thank you Open SSH devs by overlordofmu · · Score: 3, Interesting

      In my case, they block YouTube with a bogus DNS resolution. Internal DNS gives an intranet IP address (which gives a default intranet page) and my home server DNS gives the correct IP address(es). I tested this again, just now, and YouTube only works for me with that setting ("network.proxy.socks_remote_dns" as true) and is blocked if it is changed to false (which I believe is the default).

      I am using Firefox version 3.5.8, 32-bit, for x86.

      It seems, within Firefox itself, that your DNS queries with SOCKS 5 proxies still use the system default DNS and not the proxy DNS, but I could not say for sure without testing your machine. In my case, I am certain that Firefox is using the system DNS unless I change this setting from its default in Firefox. (I am certain because I just tested it 5 minutes ago.) Also, YouTube works without a proxy if I use the OpenDNS.org DNS servers in my Windows TCP/IP settings. (But then no intranet DNS queries work because OpenDNS knows nothing of our 10.*.*.* intranet.)

      Again, I am only speculating, but please consider that your DNS queries are not being proxied and are evidence of where you surf even if your traffic is SSHed.

      A final note: when I am really feeling paranoid about my surfing there is the AES 256-bit loopback block device that holds a Linux install on the work laptop. That way, there is no browser history to be searched by corporate. Hell, there is no Linux to be found; it looks like a whole partition of garbage without the decryption keys. It won't boot without them. However, I am developing for Windows on Windows, so the Linux boots are a rarity these days.

  6. Please note: by Anonymous Coward · · Score: 5, Interesting

    A brief quote from the project's home page:
    Please take note of our Who uses it page, which lists just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    So go and DONATE, as I've just done.

  7. Thanks OpenSSH | Debian Devs DO NOT TOUCH. by 0100010001010011 · · Score: 4, Funny

    OpenSSH is nothing short of magic. I too use it to tunnel out of work's firewall.

    Now, Debian Dev. DON'T TOUCH. :)

  8. Re:PLEASE NOTE: by Anonymous Coward · · Score: 2, Funny

    that is brief!

  9. history of FTP by Anonymous Coward · · Score: 2, Informative

    FTP is a fucking mess, I hate it, I wish I could kill it today everywhere. It is a disaster to manage with a firewall. The horrendous idea of using separate random ports for data connections vs control connections, the active/passive methods, it is pure evil.

    At the time of its invention FTP's design made sense.

    TCP allows bi-directional traffic on a port, but TCP was not invented when FTP was first created (1971). The protocol that was around only allowed one-way transmission of data on any connection. So when you FTPed into a machine, the server had to open a connection back to the client to return any data.

    Also remember that firewalls were also not invented until the late '80s (early '90s?), so the blocking of connections back to the client wasn't an issue. It was only later on (mid-'90s) that the combination of active/passive modes and security lockdowns became a headache.

    By that time there was a large amount of inertia behind FTP--and remember that HTTP was mostly still young in the '90s as well, and the read/write web wasn't all that popular (and even things like WebDAV aren't used a lot even now).

    So while I feel your pain (I'm a sysadmin), there aren't / weren't that many alternatives.

  10. Re:Please note: by Anonymous Coward · · Score: 3, Funny

    A brief quote from the project's home page:
    Please take note of our Who uses it page, which lists just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    So go and DONATE, as I've just done.

    Okay, we get it Theo.

  11. Re:Please note: by Abcd1234 · · Score: 3, Insightful

    In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    And they don't have to, either morally or legally.

    OpenSSH is released under the BSD license, and the devs know full well that they may not be financially rewarded for their work. To suddenly expect those users to donate cash just because they use the very code you freed is, to say the least, hypocritical. After all, if you wanted to be paid for the work you do, why are you releasing it for free to the world under one of the most liberal software licenses possible? Why not a dual license that requires payment for commercial use? Naturally because the BSDs are all about freedom, of course.

    Well, unless they think they're getting screwed financially.

  12. Re:Please note: by Gaygirlie · · Score: 3, Insightful

    "And they don't have to, either morally or legally."

    Legally, no. But morally? Well, I beg to differ: those companies generate millions of dollars a year and would be in a completely different situation right now if they didn't have OpenSSH to benefit from. As such I see it as rather greedy and selfish not to donate anything at all.

    But alas, this only proves that people have different views of what is morally or ethically acceptable: what I find morally questionable you find completely acceptable, and the same thing would probably work also vice versa on some other topic.

  13. Re:New, Problematic Protocol Introduced by OttoM · · Score: 2, Interesting

    The OpenSSH developers do not trust any X.509 code. The actual X.509 validation and trust decision mechanisms are pretty horrific, and I'm glad they stayed away from that. You don't have to throw away your X.509 certs; you can keep using them for other purposes.