OpenSSH 5.4

Posted by Phil Smith on 8 March, 2010

No comments yet

This item was filled under [ Releases ]

OpenSSH 5.4 has just been released.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

This is a major feature and bugfix release.

Changes since OpenSSH 5.3

=========================

Features:

* After a transition period of about 10 years, this release disables

SSH protocol 1 by default. Clients and servers that need to use the

legacy protocol must explicitly enable it in ssh_config / sshd_config

or on the command-line.

* Remove the libsectok/OpenSC-based smartcard code and add support for

PKCS#11 tokens. This support is automatically enabled on all

platforms that support dlopen(3) and was inspired by patches written

by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.

* Add support for certificate authentication of users and hosts using a

new, minimal OpenSSH certificate format (not X.509). Certificates

contain a public key, identity information and some validity

constraints and are signed with a standard SSH public key using

ssh-keygen(1). CA keys may be marked as trusted in authorized_keys

or via a TrustedUserCAKeys option in sshd_config(5) (for user

authentication), or in known_hosts (for host authentication).

Documentation for certificate support may be found in ssh-keygen(1),

sshd(8) and ssh(1) and a description of the protocol extensions in

PROTOCOL.certkeys.

* Added a ‘netcat mode’ to ssh(1): “ssh -W host:port …” This connects

stdio on the client to a single port forward on the server. This

allows, for example, using ssh as a ProxyCommand to route connections

via intermediate servers. bz#1618

* Add the ability to revoke keys in sshd(8) and ssh(1). User keys may

be revoked using a new sshd_config(5) option “RevokedKeys”. Host keys

are revoked through known_hosts (details in the sshd(8) man page).

Revoked keys cannot be used for user or host authentication and will

trigger a warning if used.

* Rewrite the ssh(1) multiplexing support to support non-blocking

operation of the mux master, improve the resilience of the master to

malformed messages sent to it by the slave and add support for

requesting port- forwardings via the multiplex protocol. The new

stdio-to-local forward mode (“ssh -W host:port …”) is also

supported. The revised multiplexing protocol is documented in the

file PROTOCOL.mux in the source distribution.

* Add a ‘read-only’ mode to sftp-server(8) that disables open in write

mode and all other fs-modifying protocol methods. bz#430

* Allow setting an explicit umask on the sftp-server(8) commandline to

override whatever default the user has. bz#1229

* Many improvements to the sftp(1) client, many of which were

implemented by Carlos Silva through the Google Summer of Code

program:

- Support the “-h” (human-readable units) flag for ls

- Implement tab-completion of commands, local and remote filenames

- Support most of scp(1)’s commandline arguments in sftp(1), as a

first step towards making sftp(1) a drop-in replacement for scp(1).

Note that the rarely-used “-P sftp_server_path” option has been

moved to “-D sftp_server_path” to make way for “-P port” to match

scp(1).

- Add recursive transfer support for get/put and on the commandline

* New RSA keys will be generated with a public exponent of RSA_F4 ==

(2**16)+1 == 65537 instead of the previous value 35.

* Passphrase-protected SSH protocol 2 private keys are now protected

with AES-128 instead of 3DES. This applied to newly-generated keys

as well as keys that are reencrypted (e.g. by changing their

passphrase).

Bugfixes:

* Hold authentication debug messages until after successful

authentication. Fixes a minor information leak of environment

variables specified in authorized_keys if an attacker happens to

know the public key in use.

* When using ChrootDirectory, make sure we test for the existence of

the user’s shell inside the chroot and not outside (bz#1679)

* Cache user and group name lookups in sftp-server using

user_from_[ug]id(3) to improve performance on hosts where these

operations are slow (e.g. NIS or LDAP). bz#1495

* Fix problem that prevented passphrase reading from being interrupted

in some circumstances; bz#1590

* Ignore and log any Protocol 1 keys where the claimed size is not

equal to the actual size.

* Make HostBased authentication work with a ProxyCommand. bz#1569

* Avoid run-time failures when specifying hostkeys via a relative

path by prepending the current working directory in these cases.

bz#1290

* Do not prompt for a passphrase if we fail to open a keyfile, and log

the reason why the open failed to debug. bz#1693

* Document that the PubkeyAuthentication directive is allowed in a

sshd_config(5) Match block. bz#1577

* When converting keys, truncate key comments at 72 chars as per

RFC4716. bz#1630

* Do not allow logins if /etc/nologin exists but is not readable by the

user logging in.

* Output a debug log if sshd(8) can’t open an existing authorized_keys.

bz#1694

* Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we

usually don’t actually have a tty to read/set; bz#1686

* Prevent sftp from crashing when given a “-” without a command.

Also, allow whitespace to follow a “-”. bz#1691

* After sshd receives a SIGHUP, ignore subsequent HUPs while sshd

re-execs itself. Prevents two HUPs in quick succession from resulting

in sshd dying. bz#1692

* Clarify in sshd_config(5) that StrictModes does not apply to

ChrootDirectory. Permissions and ownership are always checked when

chrooting. bz#1532

* Set close-on-exec on various descriptors so they don’t get leaked to

child processes. bz#1643

* Fix very rare race condition in x11/agent channel allocation: don’t

read after the end of the select read/write fdset and make sure a

reused FD is not touched before the pre-handlers are called.

* Fix incorrect exit status when multiplexing and channel ID 0 is

recycled. bz#1570

* Fail with an error when an attempt is made to connect to a server

with ForceCommand=internal-sftp with a shell session (i.e. not a

subsystem session). Avoids stuck client when attempting to ssh to

such a service. bz#1606:

* Warn but do not fail if stat()ing the subsystem binary fails. This

helps with chrootdirectory+forcecommand=sftp-server and restricted

shells. bz #1599

* Change “Connecting to host…” message to “Connected to host.”

and delay it until after the sftp protocol connection has been

established. Avoids confusing sequence of messages when the

underlying ssh connection experiences problems. bz#1588

* Use the HostKeyAlias rather than the hostname specified on the

commandline when prompting for passwords. bz#1039

* Correct off-by-one in percent_expand(): we would fatal() when trying

to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to

actually work. Note that nothing in OpenSSH actually uses close to

this limit at present. bz#1607

* Fix passing of empty options from scp(1) and sftp(1) to the

underlying ssh(1). Also add support for the stop option “–”.

* Fix an incorrect magic number and typo in PROTOCOL; bz#1688

* Don’t escape backslashes when displaying the SSH2 banner. bz#1533

* Don’t unnecessarily dup() the in and out fds for sftp-server. bz#1566

* Force use of the correct hash function for random-art signature

display as it was inheriting the wrong one when bubblebabble

signatures were activated. bz#1611

* Do not fall back to adding keys without constraints (ssh-add -c /

-t …) when the agent refuses the constrained add request. bz#1612

* Fix a race condition in ssh-agent that could result in a wedged or

spinning agent. bz#1633

* Flush stdio before exec() to ensure that everying (motd

in particular) has made it out before the streams go away. bz#1596

* Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706

Portable OpenSSH Bugfixes:

* Use system’s kerberos principal name on AIX if it’s available.

bz#1583

* Disable OOM-killing of the listening sshd on Linux. bz#1470

* Use pkg-config for opensc config if it’s available. bz#1160

* Unbreak Redhat spec to allow building without askpass. bz#1677

* If PidFile is set in sshd_config, use it in SMF init file. bz#1628

* Print error and usage() when ssh-rand-helper is passed command-

line arguments as none are supported. bz#1568

* Add missing setsockopt() to set IPV6_V6ONLY for local forwarding

with GatwayPorts=yes. bz#1648

* Make GNOME 2 askpass dialog desktop-modal. bz#1645

* If SELinux is enabled set the security context to “sftpd_t” before

running the internal sftp server. bz#1637

* Correctly check libselinux for necessary SELinux functions; bz#1713

* Unbreak builds on Redhat using the supplied openssh.spec; bz#1731

* Fix incorrect privilege dropping order on AIX that prevented

chroot operation; bz#1567

* Call aix_setauthdb/aix_restoredb at the correct times on AIX to

prevent authentication failure; bz#1710

Tagged with: [ OpenSSH ]

You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

« Firebug 1.5.3

Apache HTTP Server (httpd) 2.2.15 »

Blog Subscription

Subscribe via RSS Feed stay updated with blog articles

Recent Posts

Tags

.uk 2.3 Apache Apache 1.3 Apache 2.2 Apache 2.3 CCleaner Confirg DNS DNSSEC Firebug HTTP LINX Marketgrid MySQL MySQL 5.1 MySQL 5.5 MySQL Community Server MySQL Connect MySQL Connector MySql Connector/Net 6.3.3 MySQL Workbench NDB Cluster Net-SNMP Network Nominet OpenSSH OpenSSL PHP phpBB Production Sendmail Server SSH Thunderbird VirtualBox WinSCP Wordpress Zend Zend Framework
Archives
March 2010

M T W T F S S

« Feb Apr »

1 2 3 4 5 6 7

8 9 10 11 12 13 14

15 16 17 18 19 20 21

22 23 24 25 26 27 28

29 30 31
Categories
- Apache (5)
- DNS (5)
- MySQL (20)
- News (9)
- OpenSSH (1)
- OpenSSL (5)
- Releases (52)
- Tools (2)
- Uncategorized (1)
- Zend/PHP (8)
Links

Cloud Testing
Website Archiving Service
Website History Service
The Browser Guru
UK Forces Discounts
Nursery Fresh Postal Flowers
Nursery Fresh Wholesale Flowers
Website-Archiving Blog
- Digial watermarks for your archived webpage screenshots July 28, 2010
  To enhance our Website Archiving service (www.website-archive.com), we’ve just added digital watermarks to the daily screenshots we capture of your website pages, which is essential for compliance such as Sarbanes-Oxley (SOX) and FINRA. They are appended to the bottom of the image and contain the date and time of capture along with the URL (website […]
- Archiving of documents now in Beta July 23, 2010
  In addition to our current service that allows capture of screenshot of your website pages using real browsers, we’re pleased to announce that our new service to download and archive documents (.xls, .doc, .pdf, .mov, .wmv etc.) is now in beta. Phil Smith, CEO of Cloud Testing Ltd, the company behind Website-Archive said “We are […]
- New calendar facility for navigating your archived website screenshots July 21, 2010
  We’re pleased to announce the first of a number of navigational improvements to our website archiving service that will allow you to easier traverse your daily archived screenshots. In addition to the existing previous and next buttons, we’ve added a new calendar widget: Clicking on the widget allows you to then easily select the day […]
- Compliance archiving for your Twitter feed July 19, 2010
  Do you need to archive your Social Media for compliance purposes, such as FINRA. Why not make use of the Website-Archive.com service to take daily screenshots – take a look at our on-line demo for an example. Clicking through on one of the thumbnails will allow you to view the full sized image: […]
- FINRA Compliance July 9, 2010
  FINRA (Financial Industry Regulatory Authority) was created in July 2007 with the consolidation of the regulation enforcement and arbitration functions of the New York Stock Exchange with the National Association Of Securities Dealers (NASD). FINRA in conjunction with the Securities and Exchange Commission (SEC) are regulatory agencies for the financial serv […]
- Archive your web pages from $49 per year June 15, 2010
  We’ve just simplified our pricing: Monthly Archiving – $49 Weekly Archiving – $69 Daily Archiving – $99 Prices are per web page per year. For full details see our pricing at http://www.website-archive.com/website-archiving-service-pricing.php, or contact me via our website – see our contact page. […]
- Updated pricing and case studies June 11, 2010
  We’ve just updated the features and case studies information for the Website Archiving service: http://www.website-archive.com/website-archiving-service-pricing.php Contact me if you need any further information, and don’t forget we offer a 30 day trial of our service with no commitment. […]
- Daily, Weekly and Monthly Archive Views May 24, 2010
  You can now view the captured screenshots of your website in either Daily, Weekly or Montly views. The daily view is a single day with previous and next buttons for navigation: The weekly view is a seven day at a time view, again with previous and next buttons for navigation: The montly view is a […]
- Monthly Archive View May 20, 2010
  We’ve just released a number of new ways of viewing the captured archives, including the monthly view below. If you need to capture screenshots of your website and want it as a service, then please contact me for details – http://www.website-archive.com/ […]
- Website Archiving in Healthcare May 18, 2010
  As digital systems are used to ensure that the world of healthcare is as glitch-free as possible, the reliance on the Internet as a whole has never been more profound. Even though this can be a real advantage because of how data can be accessed from anywhere, this can also be something of a curse […]
The Browser Guru
- Firefox 3.6.8 released July 23, 2010
  Security Advisories Fixed in Firefox 3.6.8: MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix From http://www.mozilla.org/security/known-vulnerabilities/firefox36.html […]
- FINRA Compliance July 11, 2010
  FINRA (Financial Industry Regulatory Authority) was created in July 2007 with the consolidation of the regulation enforcement and arbitration functions of the New York Stock Exchange with the National Association Of Securities Dealers (NASD). FINRA in conjunction with the Securities and Exchange Commission (SEC) are regulatory agencies for the financial serv […]
- Firefox 3.6.6 June 27, 2010
  Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated. […]
- Firefox gets crash protection with release of version 3.6.4 June 23, 2010
  Firefox 3.6.4 has been released with crash protection for Adobe’s Flash Player, Apple ‘s QuickTime and Microsoft ‘s Silverlight plug-ins, and is available only in Firefox for Windows and Linux . Mozilla is still working on the “out of process plug-ins,” or OOPP feature, for the Mac version. The version also patches nine vulnerabilities, six […]
- Firefox 3.5.10 June 23, 2010
  Firefox 3.5.10 has been released – it patches nine vulnerabilities, six of them critical. […]
- Safari 5.0 June 10, 2010
  This update contains new features including: Safari Reader: Click on the new Reader icon to view articles on the web in a single, clutter-free page. Improved Performance: Safari 5 executes JavaScript up to 25% faster than Safari 4. Better page caching and DNS prefetching speed up browsing. Bing Search Option: New Bing search option for […]
- Firefox 3.6.2 March 20, 2010
  Mozilla yesterday released a beta version of the Firefox 3.6 browser to fix several stability and security issues. Firefox 3.6.2 has been released to Mozilla’s beta tester community, and includes several bug fixes such as crashes when using Adobe’s ClickMap add-on. Other problems reported by some users, such as there being no prompt to update […]
- Apple Safari 4.0.5 March 13, 2010
  Apple has released Safari 4.0.5 to address multiple vulnerabilities in ColorSync, ImageIO, PubSub, Safari, and WebKit. These vulnerabilities may allow a remote attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or bypass security restrictions. US-CERT encourages users and administrators to review Apple arti […]
- Firefox 3.5.8 and Firefox 3.0.18 February 18, 2010
  Firefox 3.5.8 and Firefox 3.0.18 address three critical flaws in the browsers’ Gecko rendering engines, the HTML parsers, and their implementations of web worker, an enhanced scripting functionality that lets site developers shift JavaScript computations to a background thread to reduce the performance hit on Firefox’s user interface. The fixes are already i […]
- Firebug 1.5.0 January 19, 2010
  Firebug 1.5 is Firebug 1.4 with enhancements and bug fixes. It supports Firefox 3.5 and 3.6. 1.5 release notes Among the major enhancements: Mike Radcliffe’s Inspector. A key feature, now solid as a rock, Jan ‘Honza’ Odvarko’s expanded and refined Net panel, with accurate timings, Steve Roussey’s reworking of HTML editing and entity support, Kevin […]

March 2010
M	T	W	T	F	S	S
« Feb		Apr »
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Marketgrid on Twitter
Cloud Testing Blog
- Firefox 3.6.8 released July 23, 2010
  Security Advisories Fixed in Firefox 3.6.8: MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix From http://www.mozilla.org/security/known-vulnerabilities/firefox36.html […]
- Release of 1.9.0 Cloud Testing agent software July 23, 2010
  We’re pleased to announce the release of version 1.9.0 of the agent software. This has been deployed onto our Cloud Testing servers, and is available to Private Agent subscribers in the download area. New features include: Extra commands – see recent posting. Improved timeout handling (there is a 15 minute maximum run time for a […]
- New commands added July 21, 2010
  Following a request from a customer (Andrew from AMEE), we’ve added a number of new commands to our Functional and Cross Browser testing service. Our standard service always captures a screenshot after the following Selenium commands: Open Click and Wait Open Window Refresh Refresh and Wait Submit Submit and Wait Go Back Go Back and […]
- Network issues at LINX (London Internet Exchange) July 21, 2010
  LINX (London Internet Exchange) http://www.linx.net/ appears to be currently suffering from network issues. We have rerouted traffic around LINX and will do so until LINX engineers have resolved the problem. […]
- User Agent string for Firefox 4.0 beta 1 July 16, 2010
  This is what Firefox 4.0 beta 1 describes itself as: “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:2.0b1) Gecko/20100630 Firefox/4.0b1″ […]
- Firefox 4.0 beta 1 July 16, 2010
  Firefox 4 Beta 1 includes an updated Windows interface that’s sleeker and easier to use. (Mac & Linux are coming soon!) New Tab Location Switch to Tab Firefox Button Under the Hood WebSockets Developers will be able to build real-time online interactions like gaming and chatting. Stylin’ Pages with CSS3 With support for new CSS3 […]
- FRCP Compliance July 12, 2010
  The Federal Rules of Civil Procedure FRCP govern civil procedure (i.e. for civil lawsuits) in United States district (federal) courts. The two applicable rules are: Rule 26 – Duty to Disclose; General Provisions Governing Discovery Rule 37 – Failure to Make Disclosure or Cooperate in Discovery For more detail see: http://www.frcp-compliance.com http://www.fr […]
- FINRA Compliance July 9, 2010
  FINRA (Financial Industry Regulatory Authority) was created in July 2007 with the consolidation of the regulation enforcement and arbitration functions of the New York Stock Exchange with the National Association Of Securities Dealers (NASD). FINRA in conjunction with the Securities and Exchange Commission (SEC) are regulatory agencies for the financial serv […]
- Firefox 3.6.6 June 27, 2010
  Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated. […]
- Cloud Agents updated with Firefox 3.5.10 June 24, 2010
  To enable our users to test with Firefox 3.5.10, our testing agents (servers) have now been updated. For more details see the updates section at http://www.cloudtesting.com/blog/updates/ […]

Marketgrid Consulting Blog

Recent Posts

MySql Connector/Net 6.3.3 (beta 2) released

CCleaner v2.34

MySQL Community Server 5.1.49

Traffic stats from LINX (London Internet Exchange)

Browse by Tags

OpenSSH 5.4

Blog Subscription

Recent Posts

Archives

Categories

Links

Website-Archiving Blog

The Browser Guru

Marketgrid on Twitter

Cloud Testing Blog