OpenBSD Journal

[OpenSSH] OpenSSH 3.2.2 released

Contributed by Dengue on from the openssh dept.

OpenSSH 3.2.2 has just been released; please use the mirrors listed at www.openssh.com. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

The release announcement follows:


Subject: OpenSSH 3.2.2 released
Date: Fri, 17 May 2002 00:35:38 +0200
From: Markus Friedl
To: dengue@deadly.org

OpenSSH 3.2.2 has just been released. It will be available from the
mirrors listed at
http://www.openssh.com
shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Changes:
=================

- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation,
  see UsePrivilegeSeparation in sshd(8) and
  http://www.citi.umich.edu/u/provos/ssh/privsep.html
  for more information.
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger

Other Changes:
==============

- improved smartcard support (including support for OpenSC, see www.opensc.org)
- improved Kerberos support (including support for MIT-Kerberos V)
- fixed stderr handling in protocol v2
- client reports failure if -R style TCP forwarding fails in protocol v2
- support configuration of TCP forwarding during interactive sessions (~C)
- improved support for older sftp servers
- improved support for importing old DSA keys (from ssh.com software).
- client side support for PASSWD_CHANGEREQ in protocol v2
- fixed waitpid race conditions
- record correct lastlogin time

Reporting Bugs:
===============

- please read
http://www.openssh.com/report.html
and
http://bugzilla.mindrot.org/


OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

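The last security item, the 768-bit floor on RSA keys, is easy to check against an authorized_keys file before upgrading. The following Python is an added example, not OpenSSH code: it decodes the ssh-rsa wire encoding used in public key lines (a length-prefixed "ssh-rsa" string, then the mpint exponent e and the mpint modulus n) and reports each key's modulus size against SSH_RSA_MINIMUM_MODULUS_SIZE. The sample file is constructed from made-up moduli of chosen bit lengths so that the script runs offline; they are not real keys, and `audit_authorized_keys`, `make_rsa_key_line` and the key comments are names invented here. Option-prefixed lines and non-RSA keys are skipped rather than parsed.

```python
"""Audit ssh-rsa public key lines against the 768-bit minimum modulus (added example)."""
import base64
import struct

SSH_RSA_MINIMUM_MODULUS_SIZE = 768   # value cited in the release notes


def _ssh_string(data):
    """Encode a length-prefixed SSH string (big-endian uint32 length, then bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_key_line(e, n, comment):
    """Build an authorized_keys line from a (constructed) RSA exponent and modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _read_string(buf, off):
    """Read one length-prefixed SSH string at offset off; return (bytes, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + length], off + length


def rsa_modulus_bits(key_line):
    """Return the modulus bit length of one 'ssh-rsa ...' key line."""
    fields = key_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(fields[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match the prefix")
    _e, off = _read_string(blob, off)        # exponent, not needed for the size check
    n_bytes, _ = _read_string(blob, off)
    return int.from_bytes(n_bytes, "big").bit_length()


def audit_authorized_keys(text, minimum=SSH_RSA_MINIMUM_MODULUS_SIZE):
    """Return (comment, modulus_bits, accepted) for every ssh-rsa line in text."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ssh-rsa "):
            continue                          # blanks, comments, ssh-dss, option-prefixed lines
        parts = line.split(None, 2)
        comment = parts[2] if len(parts) > 2 else ""
        bits = rsa_modulus_bits(line)
        results.append((comment, bits, bits >= minimum))
    return results


# Constructed sample: moduli are just numbers of the wanted bit length, NOT real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    make_rsa_key_line(65537, (1 << 511) | 1, "legacy-512"),
    make_rsa_key_line(65537, (1 << 766) | 1, "just-under-767"),
    make_rsa_key_line(65537, (1 << 767) | 1, "boundary-768"),
    make_rsa_key_line(65537, (1 << 1023) | 1, "ok-1024"),
])

if __name__ == "__main__":
    for comment, bits, ok in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("%-16s %5d bits  %s" % (comment, bits, "accepted" if ok else "REJECTED"))
```

The two middle sample keys sit on either side of the boundary: a 767-bit modulus is refused and a 768-bit one is accepted, which matches the "768 or larger" wording of the release note. Keys that fail this check will stop working under 3.2.2 and need to be regenerated with a larger modulus.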


Comments
  1. By Anonymous Coward () on

    will this be merged into 3.1-STABLE?

    Comments
    1. By mirabile () on

      Of course it will be merged into the last two releases, that is, 2.9 and 3.0. 3.1 isn't released yet, but it will be merged therein, too, and as soon as 3.1 is released, 2.9 will be deprecated, i.e. the OpenSSH 3.2.2 merge will be one of, if not The, last commits into 2.9.

      Comments
      1. By Brad (brad@comstyle.com) on

        It will be merged into 2.9, 3.0 and 3.1. Just because 3.1 hasn't been released on the FTP site doesn't mean work isn't being done on the 3.1-stable branch.

  2. By Niall O'Higgins (http://www.sig11.com) on

    I think this is really cool and should prevent many potential exploits. I hope other sub-port 1024 daemons learn from OpenSSH and start to employ this design.

    Great stuff, OpenSSH team!

    Comments
    1. By Anonymous Coward () on

      OpenSSH was the last service I had running as root, in fact the rest I run stopped using it years ago. What's left?

  3. By RC () on

    OpenSSH has just about everything I could want in a secure communications package... All but one feature that is.

    I'm sick of NFS, AFS only works well in a Kerberos setting, and SFTP functionality is on just about every SSH server out there...

    So. Why not create a 'mount_sftp' ???
    Public-key encryption, with several algorithms. Built-in compression (although I've never understood why libbzip2 is left out in the cold), compatibility with PGP, etc.. So if we could just mount ssh servers as local volumes, I'd be happy, and I think we'd finally be rid of NFS.

    Comments
    1. By Sacha () on

      Wasn't sftp a hacked ftp client?
      Then mount_sftp would consist of hacking the existing mount_ftp tool..

      Comments
      1. By Hmm () on

        mount_ftp tool? What? Where? Thank you! :-)

    2. By mra () on

      There was work done to use SSH tunneling to encrypt NFS traffic. It was all on Linux, and required NFS to use TCP vs UDP, but it has been done, and probably could be ported without too much trouble. SysAdmin had a great article about it back in March. http://www.samag.com/documents/s=4072/sam0203d/

      Comments
      1. By RC () on

        It's easy to tunnel NFS traffic... However, I wish tunneling NFS was unnecessary. SFTP can transfer files, why require the use of NFS as well?

        Comments
        1. By Anonymous Coward () on

          mmm...
          file locking, buffering and caching come to mind...

          Comments
          1. By Sacha () on

            So some SNFS should be invented soon? Not hacked NFS versions.

            Comments
            1. By RC () on

              Why not? I'm merely suggesting it not be some entirely new protocol. Why not just allow people to make servers using SFTP look like part of the local filesystem.

    3. By Chris () on

      Not sure if this is like what you are looking for:
      http://sourceforge.net/projects/lufs/

  4. By Your Mama (me@privacy.net) on

    Let me start by saying that I know ssh is doing the right thing here and waiting for open file descriptors to be closed before it exits, but this doesn't change the fact that it is still a major pain in the ass. Version 1.2.27 (I think) never had this issue under Solaris, and running openssh has been a major improvement except for this one amazingly annoying problem. I was hoping the openssh development team would come up with a command line option to ignore the open file descriptors (again, I know it is doing what it is supposed to do). Fixing all the software that I run that is "broke" is just not an option in my current situation. Does anyone have a workaround for this that works? I have tried the "shopt -s huponexit" in bash but that doesn't work, and I can't redirect to /dev/null because the daemons/utilities that I am having trouble with require me to enter passwords/keys when they start up (Netscape Web server, sudo, etc.). Anybody have anything that will work for me?

    Comments
    1. By Anonymous Coward () on

      ~. is always an option

  5. By Anonymous Coward () on

    -install openbsd 3.0 from cd
    -install openssh 3.2.2
    -apply openssh patch for 3.0
    -apply openBSD 3.0 patches except for those dealing
    with openssh ??
    From the source code it looks like openssh 3.2.2
    deprecates ALL prior patches relating to the openssh
    on the 3.0 CD.
    correctamundo?

    Comments
    1. By Anonymous Coward () on

      yes, correct

      Comments
      1. By Anonymous Coward () on

        I feel like I am getting a hint of a CS degree. As a windows refugee, let me say that after one year of working with openBSD I just have really learned to appreciate the structure of this OS. Windows*, os2-4, linux*, freebsd 4.2, OpenBSD 2.9. When I say windows refugee, I really mean 100% GUI centric, if it's not intuitive stop wasting my time, kind of windows user.

        -- Only in the past 2 years have I been able to free myself from the windows universe. And it has not been an easy road to hoe. Definitely there have been some headbanging moments, but it has all been worth it. I have learned that if someone says an OS is intuitive that almost always means that a developer has put a layer of complexity between myself and the guts of the OS. Sometimes it is easier, but often times that layer of complexity hinders my progress once I know what I need to do and how I need to do it. Never again. I have the source code. I am king of my little universe.

        -- oh yea, thanks for the confirmation. Sometimes I still need help connecting the dots. Thank you openbsd team!!!

        Comments
        1. By Roo () on

          That warms the cockles of my black heart. I didn't think that people ever bothered to leave what was comfy and try something new...

          I think you are discovering the payoffs of "Occam's Razor"... Basically it amounts to Keep It Simple Stupid. Windows is too bloody complicated to work properly in the first place...

          The history of Computer Science is littered with the bloated corpses of "sophisticated" dinosaurs. :)

          -Roo.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]