Contributed by dwc on from the cryptic-conversations dept.
Damien Miller just announced the good news of a great new version of OpenSSH! This version has some really nice new features, like per-user authentication config. Read on for changes, new features, and more fun stuff...
OpenSSH 4.6 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots and purchased
T-shirts or posters.
T-shirt, poster and CD sales directly support the project. Pictures
and more information can be found at:
http://www.openbsd.org/tshirts.html and
http://www.openbsd.org/orders.html
For international orders use http://https.openbsd.org/cgi-bin/order
and for European orders, use http://https.openbsd.org/cgi-bin/order.eu
Changes since OpenSSH 4.5:
============================
* sshd now allows the enabling and disabling of authentication
methods on a per user, group, host and network basis via the
Match directive in sshd_config.
* The following bugs have been fixed in this release:
- Clear SIGALRM when restarting due to SIGHUP. Prevents stray
signal from taking down sshd if a connection was pending at
the time SIGHUP was received
- sftp returned a zero exit status when upload failed due to write
errors (bugzilla #1252)
- fixed an inconsistent check for a terminal when displaying scp
progress meter (bugzilla #1265)
- Parsing of time values in Match blocks was incorrectly applied
to the global configuration (bugzilla #1275)
- Allow multiple forwarding options to work when specified in a
PermitOpen directive (bugzilla #1267)
- Interoperate with ssh.com versions that do not support binding
remote port forwarding sessions to a hostname (bugzilla #1019)
* Portable OpenSSH bugs fixed:
- "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (bugzilla #52)
- Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259)
- Check that some SIG records have been returned in getrrsetbyname
(bugzilla #1281)
- Fix contrib/findssl for platforms that lack "which" (bugzilla
#1237)
- Work around bug in OpenSSL 0.9.8e that broke aes256-ctr,
aes192-ctr, arcfour256 (bugzilla #1291)
Checksums:
==========
- SHA1 (openssh-4.6.tar.gz) = c1700845be464a769428f34ef727c1f530728afc
- SHA1 (openssh-4.6p1.tar.gz) = b2aefeb1861b4688b1777436035239ec32a47da8
Reporting Bugs:
===============
- please read http://www.openssh.com/report.html
and http://bugzilla.mindrot.org/
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.
[Edited to correct OpenSSH 0.9.6e to OpenSSL 0.9.8e -dwc]
By Anonymous Coward (122.49.157.192) on
mod me down, i'm too lazy to email
By Anonymous Coward (83.149.231.208) on
By Cabal (Cabal) Cabal on http://www.enginuity.org/
By Darren Tucker (dtucker) on
> horizon? 2.1, 3.0, etc?
No. SSH2 was designed to be extensible so major revisions aren't necessary for most things.
> Who decides on the direction of the SSH protocol, a consortium?
The IETF secsh working group (which had representatives from pretty much all of the implementations) did SSH2. The WG has been wrapped up (see http://tools.ietf.org/wg/secsh/), I imagine a new one would have to be formed for a hypothetical SSH3, but I can't imagine it happening either.
I would expect any new protocol features to be implemented mostly as vendor-specific extensions (which are explicitly defined in the spec) and maybe a few of them becoming new standards built on top of the existing RFCs.
By Anonymous Coward (70.179.123.124) on
SSH is covered by RFCs; if you've got a prospective change, you can write it up and submit it as an Internet Draft.
The most recent RFC I could find was RFC 4252, which is co-authored by T. Ylonen, who is the Finn who is responsible for bringing us SSH in the first place. Who is also the founder of SSH Communications Security Corp; which, if memory serves, is the dreaded SSH.com
By Anonymous Coward (213.118.134.55) on
By Anonymous Coward (193.63.217.208) on
Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
TIA
By Anonymous Coward (88.82.33.37) on
>
> Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
bunbun:*:1005:1005:Mailinglists only:/home/bunbun:/usr/libexec/sftp-server
Now... how does one do sftp access only in a chroot jail?
By Anonymous Coward (82.69.64.101) on
> >
> > Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
>
> bunbun:*:1005:1005:Mailinglists only:/home/bunbun:/usr/libexec/sftp-server
>
> Now... how does one do sftp access only in a chroot jail?
Just an idea...
http://chrootssh.sourceforge.net/ claims to chroot to openssh.
In FreeBSD's ports tree (openssh-portable) chroot'ing users is a compile-time option. I've used it successfully with 4.5-portable.
user:*:1000:1000::/home/user/./whatever:/usr/libexec/sftp-server
There's no patch for 4.6 yet and I've never tried it with OpenBSD so YMMV.
By Anonymous Coward (213.118.134.55) on
I can't believe I didn't think of that.. Thanks a lot :)
By Venture37 (venture37) on www.geeklan.co.uk
>
> Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
>
> TIA
>
check out rssh
http://www.pizzashack.org/rssh/
By Anonymous Coward (84.186.19.51) on
>
> Giving SFTP access without full shell access would be hugely useful to me too. Is this possible, if so how?
>
> TIA
>
The following patch chroots the user to the folder you specify provided that his homedir has a trailing "/./". Users without this are not affected.
Apply patch to OpenSSH-4.6 with tar xfz openssh-4.6.tar.gz cd ssh patch -p0 < sftp-server-46-chroot.diff make obj make cleandir make depend make make install chmod 4555 /usr/libexec/sftp-server Chroot a user to its homedir with setting by homedir to /path/to/home/./ and setting his shell to sftp-server (add binary to /etc/shells before) User will be sftp-only and can't login to shell --- sftp-server.c.old Thu Mar 8 20:11:45 2007 +++ sftp-server.c Thu Mar 8 20:18:43 2007 @@ -40,6 +40,8 @@ #include "sftp.h" #include "sftp-common.h" +#define CHROOT + /* helper */ #define get_int64() buffer_get_int64(&iqueue); #define get_int() buffer_get_int(&iqueue); @@ -1183,6 +1185,37 @@ exit(1); } +#ifdef CHROOT +void +chroot_init(void) +{ + char *user_dir, *new_root; + + user_dir = getenv("HOME"); + + if (!user_dir) + fatal("HOME isn't in environment"); + + new_root = user_dir + 1; + + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if (chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s: %s",user_dir, strerror(errno)); + + setenv("HOME", new_root, 1); + break; + } + new_root += 2; + } +} +#endif /* CHROOT */ + + int main(int argc, char **argv) { @@ -1247,6 +1280,15 @@ pw->pw_name, client_addr); handle_init(); + +#ifdef CHROOT + chroot_init(); +#endif /* CHROOT */ + + setuid(getuid()); + + if (setuid(getuid()) != 0) + fatal("Couldn't drop privileges: %s", strerror(errno)); in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO);Comments
By Darren Tucker (dtucker) on
> + user_dir = getenv("HOME");
> [...]
> + if (chroot(user_dir) != 0)

It's not a good idea to trust an environment variable for that. In general they are under the control of the user. In this case there are a couple of ways for users to potentially change them: SendEnv in ssh_config (if sshd is configured to allow it) or via a shell startup script (eg if you're using ForceCommand rather than changing the user's shell). Local users could also chroot sftp-server to arbitrary locations although I'm not sure what that might buy them.
It's safer to look up the user's passwd entry yourself, since this can't be easily faked out, eg:

if ((pw = getpwuid(getuid())) == NULL)
        error...
user_dir = pw->pw_dir;

By jirib (195.212.29.163) on
>
> Apply patch to OpenSSH-4.6 with
>
> tar xfz openssh-4.6.tar.gz
> cd ssh
> patch -p0 < sftp-server-46-chroot.diff
> make obj
> make cleandir
> make depend
> make
> make install
> chmod 4555 /usr/libexec/sftp-server
>
> Chroot a user to its homedir with setting by homedir to /path/to/home/./
> and setting his shell to sftp-server (add binary to /etc/shells before)
> User will be sftp-only and can't login to shell
>
>
> --- sftp-server.c.old Thu Mar 8 20:11:45 2007
> +++ sftp-server.c Thu Mar 8 20:18:43 2007
> @@ -40,6 +40,8 @@
> #include "sftp.h"
> #include "sftp-common.h"
>
> +#define CHROOT
> +
> /* helper */
> #define get_int64() buffer_get_int64(
> #define get_int() buffer_get_int(
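Review bot: `+#define CHROOT` is hard-wired into sftp-server.c, so the `#ifdef CHROOT` guards this patch adds further down can never be off, and a packager cannot tell from the build whether the binary they ship confines users; move the define to a build flag (-DCHROOT from the Makefile or configure) and describe the "/./" marker convention in the sftp-server man page so the behaviour is documented where administrators look for it.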
> @@ -1183,6 +1185,37 @@
> exit(1);
> }
>
> +#ifdef CHROOT
> +void
> +chroot_init(void)
> +{
> + char *user_dir, *new_root;
> +
> + user_dir = getenv("HOME");
> +
> + if (!user_dir)
> + fatal("HOME isn't in environment");
> +
> + new_root = user_dir + 1;
> +
> + while ((new_root = strchr(new_root, '.')) != NULL) {
> + new_root--;
> + if (strncmp(new_root, "/./", 3) == 0) {
> + *new_root = '\0';
> + new_root += 2;
> +
> + if (chroot(user_dir) != 0)
> + fatal("Couldn't chroot to user directory %s: %s",user_dir, strerror(errno));
> +
> + setenv("HOME", new_root, 1);
> + break;
> + }
> + new_root += 2;
> + }
> +}
> +#endif /* CHROOT */
> +
> +
> int
> main(int argc, char **argv)
> {
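Review bot: chroot_init() takes the chroot target from getenv("HOME"), which the remote user can influence through SendEnv or a shell startup file, and after chroot(user_dir) it never chdir()s, so the cwd stays wherever sshd set it before exec; read the path from getpwuid(getuid())->pw_dir instead and add `if (chdir("/") != 0) fatal(...)` directly after the chroot. The loop also returns silently when no "/./" marker is found, which the description documents as intended, but a typo in the passwd entry then yields an unconfined sftp-server with no trace in the logs; log that case. Finally, with the marker as the first component ("/./x") the root becomes the empty string and chroot("") fails with a misleading ENOENT; reject an empty root explicitly before calling chroot.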
> @@ -1247,6 +1280,15 @@
> pw->pw_name, client_addr);
>
> handle_init();
> +
> +#ifdef CHROOT
> + chroot_init();
> +#endif /* CHROOT */
> +
> + setuid(getuid());
> +
> + if (setuid(getuid()) != 0)
> + fatal("Couldn't drop privileges: %s", strerror(errno));
>
> in = dup(STDIN_FILENO);
> out = dup(STDOUT_FILENO);
>
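Review bot: `setuid(getuid());` is called twice in a row here; the first, unchecked call is dead and should be dropped so that only the checked one remains. Because the binary is installed 4555 (see the build steps above) the gid and supplementary groups already belong to the invoking user, but nothing verifies that the drop is irreversible; add `if (setuid(0) == 0 || geteuid() == 0) fatal("privileges not dropped");` after the checked call, and consider an explicit setgid()/setgroups() so the code does not depend on how the binary happens to be installed.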
I don't know, why not just use ForceCommand with sftp-server which would be executed via systrace wrapper? That would restrict user without changing OpenSSH code. ???
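The chroot_init() and privilege-drop hunks quoted above, rewritten the way dtucker's reply suggests. This is an added example, not the posted patch and not OpenSSH's own code. It keeps the patch's "/./" marker convention in the passwd home directory but takes the path from getpwuid() rather than $HOME, chdir()s into the new root, drops groups and gid as well as uid, and then checks that root cannot be regained. The function names (split_chroot_marker, split_matches, enter_sftp_chroot) and the return codes are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1            /* initgroups/chroot prototypes on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Results of split_chroot_marker(). */
#define MARKER_OK    0
#define MARKER_NONE  1   /* no "/./" in the path; caller decides what to do */
#define MARKER_BAD  -1   /* relative path, empty root, or root too long */

/*
 * Split a passwd home directory of the form "/path/to/root/./inside" at the
 * first "/./" marker (the convention the posted patch uses). On MARKER_OK,
 * `root` receives "/path/to/root" and *inside points into `home` at
 * "/inside" (just "/" when the marker is last). strstr replaces the patch's
 * hand-rolled strchr loop, and "/./x" is refused because it would mean
 * chroot("/"), i.e. no confinement at all.
 */
int split_chroot_marker(const char *home, char *root, size_t rootsz,
                        const char **inside)
{
    const char *m;
    size_t len;

    if (home == NULL || home[0] != '/')
        return MARKER_BAD;
    if ((m = strstr(home, "/./")) == NULL)
        return MARKER_NONE;
    len = (size_t)(m - home);
    if (len == 0 || len >= rootsz)
        return MARKER_BAD;
    memcpy(root, home, len);
    root[len] = '\0';
    *inside = m + 2;         /* skip "/.", keep the leading "/" of the rest */
    return MARKER_OK;
}

/* Self-check helper: 1 if `home` splits into exactly (want_root, want_inside). */
int split_matches(const char *home, const char *want_root, const char *want_inside)
{
    char root[1024];
    const char *inside = NULL;

    if (split_chroot_marker(home, root, sizeof root, &inside) != MARKER_OK)
        return 0;
    return strcmp(root, want_root) == 0 && strcmp(inside, want_inside) == 0;
}

/*
 * Called once, while still euid 0, before any client request is served.
 * The chroot target comes from the passwd entry rather than $HOME, so the
 * user cannot steer it via SendEnv or a shell startup file. Order matters:
 * resolve groups while /etc/group is reachable, chroot, chdir("/") so the
 * cwd is inside the new root, drop gid then uid, then prove root is gone.
 * Returns 0 on success, MARKER_NONE if the account has no marker (nothing
 * changed), -1 on error with errno set.
 */
int enter_sftp_chroot(void)
{
    struct passwd *pw;
    char root[1024];
    const char *inside;
    int rc;

    if ((pw = getpwuid(getuid())) == NULL) {
        errno = ENOENT;
        return -1;
    }
    rc = split_chroot_marker(pw->pw_dir, root, sizeof root, &inside);
    if (rc == MARKER_NONE)
        return MARKER_NONE;
    if (rc != MARKER_OK) {
        errno = EINVAL;
        return -1;
    }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (chroot(root) != 0 || chdir("/") != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining uid 0 has to fail now. */
    if (pw->pw_uid != 0 && (setuid(0) == 0 || geteuid() == 0)) {
        errno = EPERM;
        return -1;
    }
    if (setenv("HOME", inside, 1) != 0)
        return -1;
    return 0;
}

int main(void)
{
    int rc = enter_sftp_chroot();

    if (rc == -1) {
        fprintf(stderr, "chroot setup failed: %s\n", strerror(errno));
        return 1;
    }
    printf("%s, uid %u, HOME=%s\n",
           rc == MARKER_NONE ? "not confined (no /./ marker)" : "confined",
           (unsigned)getuid(), getenv("HOME"));
    return 0;
}
```

enter_sftp_chroot() only works when the program starts with euid 0 (a 4555 install, as in the posted build steps), which is exactly why the path parsing is kept in a separate, unprivileged function: that part can be exercised without root, the privileged part cannot.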
By jirib (195.212.29.163) on
Sure, just use ForceCommand in Match section - the command should be /usr/lib/sftp-server
It works :) but not for scp 'coz scp is just a cat in pipe. Maybe you could make a systrace wrapper which would jail sftp user just in his/her home dir. I haven't tried this.
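The per-user authentication switch from the 4.6 change list (Match in sshd_config) and the ForceCommand-in-Match route jirib describes, as one added configuration example. It is not from the announcement or from anyone in the thread; the group names, the office network and the sftp-server path are placeholders. Everything before the first Match is the global default, and Match blocks must be the last thing in the file.

```sshd_config
# Global defaults: keys only, no passwords, forwarding allowed
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes

# Match blocks go last. Criteria: User, Group, Host, Address.
# Contractors may use a password, but only from the office network,
# and whatever they type they only ever reach the sftp server.
Match Group contractors Address 192.0.2.0/24
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand /usr/libexec/sftp-server

# A dedicated sftp-only group: no shell, no forwarding, from anywhere.
Match Group sftponly
    ForceCommand /usr/libexec/sftp-server
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t -f /path/to/sshd_config` before sending the running daemon a HUP. Two caveats: sshd runs a ForceCommand through the user's login shell (`shell -c ...`), so accounts on this route need a real shell, unlike the sftp-server-as-shell trick earlier in the thread; and ForceCommand confines the command, not the filesystem, so the user still sees the whole tree unless sftp-server itself is chrooted. As jirib notes, scp stops working once the forced command is sftp-server, since scp is a separate program piped over the ssh session rather than an sftp client.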
By Anonymous Coward (195.212.29.163) on
>
"a cat" - lol. I thought `cat` command :)
By Anonymous Coward (85.178.104.188) on
The OpenSSH website doesn't mention ANY new release, nor is there ANY announcement in the archives (misc@), nor is the code in the CVS tagged for OpenBSD 4.0.
This looks suspicious, really.
By phessler (69.12.168.115) on
>
> The OpenSSH website doesn't mention ANY new release, nor is there ANY announcement in the archives (misc@), nor is the code in the CVS tagged for OpenBSD 4.0.
>
>
> This looks suspicious, really.
go away troll