Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH 5.4 Released

Posted by timothy on from the but-it's-secret dept.

HipToday writes "As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: 'Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new "netcat mode," many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.'"

14 of 127 comments (clear)

  1. SFTP improvements by Ponga · · Score: 3, Informative

    FTFA:

    * Many improvements to the sftp(1) client, many of which were implemented by Carlos Silva through the Google Summer of Code program:...

    ... - Add recursive transfer support for get/put and on the commandline
    (Alas!!)

    Whole host of other improvements and bugfixes; give it read if SSH is pertinent to your environment....

    1. Re:SFTP improvements by ig88b · · Score: 3, Funny

      I'm confused. You're excitedly sad about the sftp improvements?

  2. Cygwin's package was updated, too by klui · · Score: 4, Interesting

    The read-only feature of sftp makes it almost a replacement for anonymous ftp. Too bad it appears to be a global setting.

    1. Re:Cygwin's package was updated, too by Sancho · · Score: 4, Interesting

      Could you not do this with a combination of Match User and ForceCommand directives? Something like:

      Match User anonymous
              ForceCommand sftp-server -R
              ChrootDirectory /home/anonymous

    2. Re:Cygwin's package was updated, too by roman_mir · · Score: 4, Insightful

      Yes, you are missing the point.

      FTP is a fucking mess, I hate it, I wish I could kill it today everywhere. It is a disaster to manage with a firewall. The horrendous idea of using separate random ports for data connection vs control connections, the active/passive methods, it's is pure evil.

      SFTP is not FTP over SSH if you did not understand, it is a proper FTP that happens to run over a secured link.

      --
      You can't handle the truth.
    3. Re:Cygwin's package was updated, too by value_added · · Score: 3, Insightful

      I am running OpenBSD firewall ... I have the pf and ftp-proxy configured correctly (checked by someone who knows this by heart), still can't have the ftp working for the internal network. Gone through all configurations, docs, still don't have it working. Have to waste more time on this later, just because the users 'need' the ftp to download shit from other firm...

      Sorry, but the pf/ftp-proxy combination works as advertised. I'd suggest your configuration is wrong. Asserting that it doesn't work because "someone who knows this by heart" examined it is meaningless.

      Fix your configuration and stop complaining. Both pf and ftp-proxy can do detailed logging. If you understand FTP, and you examine the logged output, you'll quickly find the source of your errors and, by extension, the solution.

      Granted FTP is a creaky protocol, and while it's true that most people don't understand it (even those that claim they do), it's just as true that it ain't going anywhere. Maybe it's time to brush up on the RFCs?

  3. Re:New, Problematic Protocol Introduced by OttoM · · Score: 3, Informative

    No X.509 certificates are used. Please study the changes before you comment based on false assumptions. Also, the agent protocol exists for quite a while now, it is not new.

  4. Thank you Open SSH devs by overlordofmu · · Score: 5, Informative

    I am reading this article and posting to it through a ssh tunnel using OpenSSH on a Gentoo Linux server at home and putty.exe on a work laptop running XP Pro at work.

    Firefox sees it as a SOCKS 5 proxy at localhost. The tricky part was setting the config key in Firefox called "network.proxy.socks_remote_dns" to true. (Navigate to about:config and filter for "proxy" to find this setting quickly). The corporate network admins use bogus DNS resolution as a firewall.

    I love you, OpenSSH devs. I sincerely thank you.

    1. Re:Thank you Open SSH devs by overlordofmu · · Score: 3, Interesting

      In my case, they block YouTube with a bogus DNS resolution. Internal DNS gives a intranet IP address (which gives a default intranet page) and my home server DNS gives the correct IP address(es). I tested this again, just now, and YouTube only works for me with that setting ("network.proxy.socks_remote_dns" as true) and is blocked if it is changed to false (which I believe is the default).

      I am using Firefox version 3.5.8, 32-bit, for x86.

      It seems, within Firefox itself, that your DNS queries with SOCKS 5 proxies still use the system default DNS and not the proxy DNS, but I could not say for sure without testing your machine. In my case, I am certain that Firefox is using the system DNS unless I change this setting from its default in Firefox. (I am certain because I just tested it 5 minutes ago.) Also, YouTube works without a proxy if I use the OpenDNS.org DNS servers in my Windows TCP/IP settings. (But then no intranet DNS queries work because OpenDNS knows nothing of our 10.*.*.* intranet.)

      Again, I am only speculating, but please consider than your DNS queries are not being proxied and are evidence of where you surf even if your traffic is SSHed.

      A final note, when I am really feeling paranoid about my surfing there is the AES 256-bit loopback block device that hold a Linux install on the work laptop. That way, there is no browser history to be searched by corporate. Hell, there is no Linux to be found; it looks like a whole partition of garbage without the decryption keys. It won't boot without them. However, I am developing for Windows on Windows, so the Linux boots are a rarity these days.

  5. Please note: by Anonymous Coward · · Score: 5, Interesting

    A brief quote from the project's home page:
    Please take note of our Who uses it page, which list just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    So go and DONATE, as i've just done.

  6. Thanks OpenSSH | Debian Devs DO NOT TOUCH. by 0100010001010011 · · Score: 4, Funny

    OpenSSH is nothing short of magic. I too use it to tunnel out of work's firewall.

    Now, Debian Dev. DON'T TOUCH. :)

  7. Re:Please note: by Anonymous Coward · · Score: 3, Funny

    A brief quote from the project's home page:
    Please take note of our Who uses it page, which list just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    So go and DONATE, as i've just done.

    Okay, we get it Theo.

  8. Re:Please note: by Abcd1234 · · Score: 3, Insightful

    In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    And they don't have to, either morally or legally.

    OpenSSH is released under the BSD license, and the devs know full well that they may not be financially rewarded for their work. To suddenly expect those users to donate cash just because they use the very code you freed is, to say, the least, hypocritical. After all, if you wanted to be paid for the work you do, why are you releasing it for free to the world under one of the most liberal software licenses possible? Why not a dual license that requires payment for commercial use? Naturally because the BSDs are all about freedom, of course.

    Well, unless they think they're getting screwed financially.

  9. Re:Please note: by Gaygirlie · · Score: 3, Insightful

    "And they don't have to, either morally or legally."

    Legally, no. But morally? Well, I beg to differ: those companies generate millions of dollars a year and would be in a completely different situation right now if they didn't have OpenSSH to benefit from. As such I see it as rather greedy and selfish not to donate anything at all.

    But alas, this only proves that people have different views of what is morally or ethically acceptable: what I find morally questionable you find completely acceptable, and the same thing would probably work also vice versa on some other topic.