[ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
Karl M
karlm30@hotmail.com
Thu Nov 7 06:59:00 GMT 2002
Hi All...

I just updated to 3.5p1-1. I had to set PermitUserEnvironment in my
sshd_config file. Should this be included by default in the ssh-host-config
script?

I was a bit puzzled by the file owner and permission checking for the host
keys now (with StrictModes enabled)...If the owner is wrong, the mode
checking is ignored. I recall this test being stronger in the past...didn't
the owner have to be correct (SYSTEM)? If so, why the change to a kinder
gentler (less effective) safety check?

Given the host local security issues with using Cygwin, is there much
advantage to priv sep? Could someone please give a brief overview of what it
is and how and why it helps?

Thanks,

...Karl

>From: Corinna Vinschen <vinschen@redhat.com>
>Reply-To: cygwin@cygwin.com
>To: cygwin@cygwin.com
>Subject: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
>Date: Wed, 6 Nov 2002 09:39:10 -0500 (EST)
>
>I've updated the version of OpenSSH to 3.5p1-1.
>
>This is an official major version update, which has been released on
>15 Oct 2002. Due to my vacation the Cygwin version is unfortunately
>rather late this time...
>
>The following comment from the 3.4p1-1 announcement still applies:
>
>========================================================================
>This version allows to use privilege separation in a slightly restricted
>way. Since privilege separation is consisting of two independent parts
>(preauth, postauth) and only the postauth part requires descriptors
>passing, this version enables the usage of preauth privilege separation
>in Cygwin. Note that this doesn't create an additional sshd process as
>described in the README.privsep file and note that this isn't still as
>secure as fully-fledged privilege separation but it's a good start.
>========================================================================
>
>Official Release Message:
>====================================================================
>OpenSSH 3.5 has just been released. It will be available from the
>mirrors listed at http://www.openssh.com/ shortly.
>
>OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
>implementation and includes sftp client and server support.
>
>We would like to thank the OpenSSH community for their continued
>support and encouragement.
>
>
>Changes since OpenSSH 3.4:
>============================
>
>* Improved support for Privilege Separation (Portability, Kerberos,
> PermitRootLogin handling).
>
>* ssh(1) prints out all known host keys for a host if it receives an
> unknown host key of a different type.
>
>* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused
> problems with bounds checking patches for gcc).
>
>* ssh-keysign(8) is disabled by default and only enabled if the
> HostbasedAuthentication option is enabled in the global ssh_config(5)
> file.
>
>* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks
> against the RSA host key.
>
>* A use-after-free bug was fixed in ssh-keysign(8). This bug
> broke hostbased authentication on several platforms.
>
>* ssh-agent(1) is now installed setgid in order to avoid ptrace(2)
> attacks.
>
>* ssh-agent(1) now restricts the access with getpeereid(2) (or
> equivalent, where available).
>
>* sshd(8) no longer uses the ASN.1 parsing code from libcrypto when
> verifying RSA signatures.
>
>* sshd(8) now sets the SSH_CONNECTION environment variable.
>
>* Enhanced "ls" support for the sftp(1) client, including globbing and
> detailed listings.
>
>* ssh(1) now always falls back to uncompressed sessions, if the
> server does not support compression.
>
>* The default behavior of sshd(8) with regard to user settable
> environ variables has changed: the new option PermitUserEnvironment
> is disabled by default, see sshd_config(5).
>
>* The default value for LoginGraceTime has been changed from 600 to 120
> seconds, see sshd_config(5).
>
>* Removed erroneous SO_LINGER handling.
>
>====================================================================
>
>To update your installation, click on the "Install Cygwin now" link on
>the http://cygwin.com/ web page. This downloads setup.exe to your
>system. Once you've downloaded setup.exe, run it and select "Net" and
>then click on the appropriate field until the above announced version
>number appears if it is not displayed already.
>
>If you have questions or comments, please send them to the Cygwin
>mailing list at: cygwin@cygwin.com . I would appreciate it if you would
>use this mailing list rather than emailing me directly. This includes
>ideas and comments about the setup utility or Cygwin in general.
>
>If you want to make a point or ask a question, the Cygwin mailing list
>is the appropriate place.
>
> *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***
>
>If you want to unsubscribe from the cygwin-announce mailing list, look
>at the "List-Unsubscribe: " tag in the email header of this message.
>Send email to the address specified there. It will be in the format:
>
>cygwin-announce-unsubscribe-you=yourdomain.com@cygwin.com
>
>If you need more information on unsubscribing, start reading here:
>
>http://sources.redhat.com/lists.html#unsubscribe-simple
>
>Please read *all* of the information on unsubscribing that is available
>starting at this URL.
>
>I implore you to READ this information before sending email about how
>you "tried everything" to unsubscribe. In 100% of the cases where
>people were unable to unsubscribe, the problem was that they hadn't
>actually read and comprehended the unsubscribe instructions.
>
>If you need to unsubscribe from cygwin-announce or any other mailing
>list, reading the instructions at the above URL is guaranteed to
>provide you with the info that you need.
>
>--
>Corinna Vinschen Please, send mails regarding Cygwin to
>Cygwin Developer mailto:cygwin@cygwin.com
>Red Hat, Inc.
>
>
>--
>Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>Bug reporting: http://cygwin.com/bugs.html
>Documentation: http://cygwin.com/docs.html
>FAQ: http://cygwin.com/faq/
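
Added example, not part of the original message and not OpenSSH or Cygwin code: a sketch contrasting the host key check as the message describes it (mode tested only when the owner matches) with an audit that tests owner and mode independently. The function names, file names and the "wrong" uid are constructed for illustration, and `lenient_check` is a model of the described behaviour, assumed rather than taken from the sshd source; it needs a POSIX-style Python (`os.getuid`).

```python
import os
import stat
import tempfile

def lenient_check(path, expected_uid):
    """Model of the behaviour described in the message (an assumption): the
    mode test only runs when the owner matches, so a wrong owner is silent."""
    st = os.stat(path)
    if st.st_uid == expected_uid and stat.S_IMODE(st.st_mode) & 0o077:
        return ["mode"]
    return []

def strict_check(path, expected_uid):
    """Hypothetical audit: owner and mode are tested independently."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner")
    if stat.S_IMODE(st.st_mode) & 0o077:  # any group/other permission bit
        findings.append("mode")
    return findings

def make_key(directory, name, mode):
    """Create a constructed stand-in for a host key file with the given mode."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(path, mode)
    return path

def demo():
    me = os.getuid()
    other = me + 1  # hypothetical uid standing in for the expected owner
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = make_key(d, "ssh_host_rsa_key", 0o600)
        loose = make_key(d, "ssh_host_dsa_key", 0o644)
        cases = [("ok", good, me),
                 ("loose", loose, me),
                 ("wrong_owner_loose", loose, other)]
        for label, path, uid in cases:
            results[label] = (lenient_check(path, uid), strict_check(path, uid))
    return results

if __name__ == "__main__":
    for label, (lenient, strict) in demo().items():
        print(f"{label}: lenient={lenient} strict={strict}")
```

The third case is the one the message asks about: a group/world-readable file with the wrong owner produces no finding under the lenient model and two under the independent tests.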