Changes since OpenSSH 5.2 ========================= General Bugfixes: * Do not limit home directory paths to 256 characters. bz#1615 * Several minor documentation and correctness fixes. Portable OpenSSH Bugfixes: * This release removes for support for very old versions of Cygwin and for Windows 95/98/ME * Move the deletion of PAM credentials on logout to after the session close. bz#1534 * Make PrintLastLog work on AIX. bz#1595 * Avoid compile errors on FreeBSD from conflicts in glob.h. bz#1634 * Delay dropping of root privileges on AIX so chroot and pam_open_session work correctly. bz#1249 and bz#1567 * Increase client IO buffer on Cygwin to 64K, realising a significant performance improvement. * Roll back bz#1241 (better handling for expired passwords on Tru64). The change broke password logins on some configurations. * Accept ENOSYS as a fallback error when attempting atomic rename(). bz#1535 * Fix passing of variables to recursive make(1) invocations on Solaris. bz#1505 * Skip the tcgetattr call on the pty master on Solaris, since it never succeeds and can hang if large amounts of data is sent to the slave (eg a copy-paste). bz#1528 * Fix detection of krb5-config. bz#1639 * Fix test for server-assigned remote forwarding port for non-root users. bz#1578 * Fix detection of libresolv on OSX 10.6. Changes since OpenSSH 5.1 ========================= Security: * This release changes the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". * This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes. New features: * Added a -y option to ssh(1) to force logging to syslog rather than stderr, which is useful when running daemonised (ssh -f) * The sshd_config(5) ForceCommand directive now accepts commandline arguments for the internal-sftp server. * The ssh(1) ~C escape commandline now support runtime creation of dynamic (-D) port forwards. * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. (bz#1482) * Support remote port forwarding with a listen port of '0'. This informs the server that it should dynamically allocate a listen port and report it back to the client. (bz#1003) * sshd(8) now supports setting PermitEmptyPasswords and AllowAgentForwarding in Match blocks Bug and documentation fixes * Repair a ssh(1) crash introduced in openssh-5.1 when the client is sent a zero-length banner (bz#1496) * Due to interoperability problems with certain broken SSH implementations, the eow@openssh.com and no-more-sessions@openssh.com protocol extensions are now only sent to peers that identify themselves as OpenSSH. * Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. * Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1). * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539) * Correct fail-on-error behaviour in sftp(1) batchmode for remote stat operations. (bz#1541) * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave connections. (bz#1543) * Avoid hang in ssh(1) when attempting to connect to a server that has MaxSessions=0 set. * Multiple fixes to sshd(8) configuration test (-T) mode * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540 * Many manual page improvements. Changes since OpenSSH 5.0 ========================= Security: * sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly other platforms) when X11UseLocalhost=no When attempting to bind(2) to a port that has previously been bound with SO_REUSEADDR set, most operating systems check that either the effective user-id matches the previous bind (common on BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris). Some operating systems, such as HP/UX, do not perform these checks and are vulnerable to an X11 man-in-the-middle attack when the sshd_config(5) option X11UseLocalhost has been set to "no" - an attacker may establish a more-specific bind, which will be used in preference to sshd's wildcard listener. Modern BSD operating systems, Linux, OS X and Solaris implement the above checks and are not vulnerable to this attack, nor are systems where the X11UseLocalhost has been left at the default value of "yes". Portable OpenSSH 5.1 avoids this problem for all operating systems by not setting SO_REUSEADDR when X11UseLocalhost is set to no. This vulnerability was reported by sway2004009 AT hotmail.com. New features: * Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) and ssh-keygen(1). Visual fingerprinnt display is controlled by a new ssh_config(5) option "VisualHostKey". The intent is to render SSH host keys in a visual form that is amenable to easy recall and rejection of changed host keys. This technique inspired by the graphical hash visualisation schemes known as "random art[*]", and by Dan Kaminsky's musings at 23C3 in Berlin. Fingerprint visualisation in is currently disabled by default, as the algorithm used to generate the random art is still subject to change. [*] "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf * sshd_config(5) now supports CIDR address/masklen matching in "Match address" blocks, with a fallback to classic wildcard matching. For example: Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* PasswordAuthentication yes * sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys from="..." restrictions, also with a fallback to classic wildcard matching. * Added an extended test mode (-T) to sshd(8) to request that it write its effective configuration to stdout and exit. Extended test mode also supports the specification of connection parameters (username, source address and hostname) to test the application of sshd_config(5) Match rules. * ssh(1) now prints the number of bytes transferred and the overall connection throughput for SSH protocol 2 sessions when in verbose mode (previously these statistics were displayed for protocol 1 connections only). * sftp-server(8) now supports extension methods statvfs@openssh.com and fstatvfs@openssh.com that implement statvfs(2)-like operations. (bz#1399) * sftp(1) now has a "df" command to the sftp client that uses the statvfs@openssh.com to produce a df(1)-like display of filesystem space and inode utilisation (requires statvfs@openssh.com support on the server) * Added a MaxSessions option to sshd_config(5) to allow control of the number of multiplexed sessions supported over a single TCP connection. This allows increasing the number of allowed sessions above the previous default of 10, disabling connection multiplexing (MaxSessions=1) or disallowing login/shell/subsystem sessions entirely (MaxSessions=0). * Added a no-more-sessions@openssh.com global request extension that is sent from ssh(1) to sshd(8) when the client knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session in cases where the client has been hijacked. * ssh-keygen(1) now supports the use of the -l option in combination with -F to search for a host in ~/.ssh/known_hosts and display its fingerprint. * ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of "rsa1". * Added an AllowAgentForwarding option to sshd_config(8) to control whether authentication agent forwarding is permitted. Note that this is a loose control, as a client may install their own unofficial forwarder. * ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving network data, resulting in a ~10% speedup * ssh(1) and sshd(8) will now try additional addresses when connecting to a port forward destination whose DNS name resolves to more than one address. The previous behaviour was to try the only first address and give up if that failed. (bz#383) * ssh(1) and sshd(8) now support signalling that channels are half-closed for writing, through a channel protocol extension notification "eow@openssh.com". This allows propagation of closed file descriptors, so that commands such as: "ssh -2 localhost od /bin/ls | true" do not send unnecessary data over the wire. (bz#85) * sshd(8): increased the default size of ssh protocol 1 ephemeral keys from 768 to 1024 bits. * When ssh(1) has been requested to fork after authentication ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until after replies for any -R forwards have been seen. Allows for robust detection of -R forward failure when using -f. (bz#92) * "Match group" blocks in sshd_config(5) now support negation of groups. E.g. "Match group staff,!guests" (bz#1315) * sftp(1) and sftp-server(8) now allow chmod-like operations to set set[ug]id/sticky bits. (bz#1310) * The MaxAuthTries option is now permitted in sshd_config(5) match blocks. * Multiplexed ssh(1) sessions now support a subset of the ~ escapes that are available to a primary connection. (bz#1331) * ssh(1) connection multiplexing will now fall back to creating a new connection in most error cases. (bz#1439 bz#1329) * Added some basic interoperability tests against Twisted Conch. * Documented OpenSSH's extensions to and deviations from the published SSH protocols (the PROTOCOL file in the distribution) * Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent). Bug and documentation fixes * Make ssh(1) deal more gracefully with channel requests that fail. Previously it would optimistically assume that requests would always succeed, which could cause hangs if they did not (e.g. when the server runs out of file descriptors). (bz#1384) * ssh(1) now reports multiplexing errors via the multiplex slave's stderr where possible (subject to LogLevel in the mux master). * ssh(1) and sshd(8) now send terminate protocol banners with CR+LF for protocol 2 to comply with RFC 4253. Previously they were terminated with CR alone. Protocol 1 banners remain CR terminated. (bz#1443) * Merged duplicate authentication file checks in sshd(8) and refuse to read authorised_keys and .shosts from non-regular files. (bz#1438) * Ensure that sshd(8)'s umask disallows at least group and world write, even if a more permissive one has been inherited. (bz#1433) * Suppress the warning message from sshd(8) when changing to a non-existent user home directory after chrooting. (bz#1461) * Mention that scp(1) follows symlinks when performing recursive copies. (bz#1466) * Prevent sshd(8) from erroneously applying public key restrictions leaned from ~/.ssh/authorized_keys to other authentication methods when public key authentication subsequently fails. (bz#1472) * Fix protocol keepalive timeouts - in some cases, keepalive packets were being sent, but the connection was not being closed when the limit for missing replies was exceeded. (bz#1465) * Fix ssh(1) sending invalid TTY modes when a TTY was forced (ssh -tt) but stdin was not a TTY. (bz#1199) * ssh(1) will now exit with a non-zero exit status if ExitOnForwardFailure was set and forwardings were disabled due to a failed host key check. * Fix MaxAuthTries tests to disallow a free authentication try to clients that skipped the protocol 2 "none" authentication method. (part of bz#1432) * Make keepalive timeouts apply while synchronously waiting for a packet, particularly during key renegotiation. (bz#1363) * sshd(8) has been audited to eliminate fd leaks and calls to fatal() in conditions of file descriptor exhaustion. Portable OpenSSH-specific bugfixes * Avoid a sshd(8) hang-on-exit on Solaris caused by depending on the success of isatty() on a PTY master (undefined behaviour). Probably affected other platforms too. (bz#1463) * Fixed test for locked accounts on HP/UX with shadowed passwords disabled. (bz#1083) * Disable poll() fallback in atomiciov for Tru64. readv doesn't seem to be a comparable object there, which lead to compilation errors. (bz#1386) * Fall back to racy rename if link returns EXDEV. (bz#1447) * Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on some platforms (HP nonstop) it is a distinct errno. (bz#1467) * Avoid NULL dereferences in ancient sigaction replacement code. (bz#1240) * Avoid linking against libgssapi, which despite its name doesn't seem to implement all of GSSAPI. (bz#1276) * Use explicit noreturn attribute instead of __dead, fixing compilation problems on Interix. (bz#1112) * Added support password expiry on Tru64 SIA systems. (bz#1241) * Fixed an UMAC alignment problem that manifested on Itanium platforms. (bz#1462) * The sftp-server(8) manual now describes the requirements for transfer logging in chroot environments. (bz#1488) * Strip trailing dot from hostnames when the sshd_config(5) HostbasedUsesNameFromPacketOnly option is set. (bz#1200) Changes since OpenSSH 4.9: ============================ Security: * CVE-2008-1483: Avoid possible hijacking of X11-forwarded connections by refusing to listen on a port unless all address families bind successfully. Changes since OpenSSH 4.7: ============================ Security: * Disable execution of ~/.ssh/rc for sessions where a command has been forced by the sshd_config ForceCommand directive. Users who had write access to this file could use it to execute abritrary commands. This behaviour was documented, but was an unsafe default and an extra hassle for administrators. New features: * Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352) * Linked sftp-server(8) into sshd(8). The internal sftp server is used when the command "internal-sftp" is specified in a Subsystem or ForceCommand declaration. When used with ChrootDirectory, the internal sftp server requires no special configuration of files inside the chroot environment. Please refer to sshd_config(5) for more information. * Added a "no-user-rc" option for authorized_keys to disable execution of ~/.ssh/rc * Added a protocol extension method "posix-rename@openssh.com" for sftp-server(8) to perform POSIX atomic rename() operations. (bz#1400) * Removed the fixed limit of 100 file handles in sftp-server(8). The server will now dynamically allocate handles up to the number of available file descriptors. (bz#1397) * ssh(8) will now skip generation of SSH protocol 1 ephemeral server keys when in inetd mode and protocol 2 connections are negotiated. This speeds up protocol 2 connections to inetd-mode servers that also allow Protocol 1 (bz#440) * Accept the PermitRootLogin directive in a sshd_config(5) Match block. Allows for, e.g. permitting root only from the local network. * Reworked sftp(1) argument splitting and escaping to be more internally consistent (i.e. between sftp commands) and more consistent with sh(1). Please note that this will change the interpretation of some quoted strings, especially those with embedded backslash escape sequences. (bz#778) * Support "Banner=none" in sshd_config(5) to disable sending of a pre-login banner (e.g. in a Match block). * ssh(1) ProxyCommands are now executed with $SHELL rather than /bin/sh. * ssh(1)'s ConnectTimeout option is now applied to both the TCP connection and the SSH banner exchange (previously it just covered the TCP connection). This allows callers of ssh(1) to better detect and deal with stuck servers that accept a TCP connection but don't progress the protocol, and also makes ConnectTimeout useful for connections via a ProxyCommand. * Many new regression tests, including interop tests against PuTTY's plink. * Support BSM auditing on Mac OS X The following bugs have been fixed in this release: - scp(1) incorrectly reported "stalled" on slow copies. (bz#799) - scp(1) date underflow for timestamps before epoch. (bz#828) - scp(1) and sftp(1) progressmeter type fixes. (bz#842) - SSH2_MSG_UNIMPLEMENTED packets did not correctly reset the client keepalive logic, causing disconnections on servers that did not explicitly implement "keepalive@openssh.com". (bz#1307) - ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS, instead of the current standard RRSIG. (bz#1317) - Extract magic buffer size constants in scp(1) to #defines. (bz#1333) - Correctly drain ACKs when a sftp(1) upload write fails midway, avoids a fatal() exit from what should be a recoverable condition. (bz#1354) - Avoid pointer arithmetic and strict aliasing warnings. (bz#1355) - Fixed packet size advertisements. Previously TCP and agent forwarding incorrectly advertised the channel window size as the packet size, causing fatal errors under some conditions. (bz#1360) - Document KbdInteractiveAuthentication in sshd_config(5). (bz#1367) - Fixed sftp(1) file handle leak on download when the local file could not be opened. (bz#1375) - Fixed ssh-keygen(1) selective host key hashing (i.e. "ssh-keygen -HF hostname") to not include any IP address in the data to be hashed. (bz#1376) - Fix clobbering of struct passwd from multiple getpwid calls, resulting in fatal errors inside tilde_expand_filename. (bz#1377) - Fix parsing of port-forwarding specifications to correctly detect errors in either specified port number. (bz#1378) - Fix memory leak in ssh(1) ~ escape commandline handling. (bz#1379) - Make ssh(1) skip listening on the IPv6 wildcard address when a binding address of 0.0.0.0 is used against an old SSH server that does not support the RFC4254 syntax for wildcard bind addresses. (bz#1381) - Remove extra backslashes in the RB_PROTOTYPE macro definition. (bz#1385) - Support ssh(1) RekeyLimits up to the maximum allowed by the protocol: 2**32-1. (bz#1390) - Enable IPV6_V6ONLY socket option on sshd(8) listen socket, as is already done for X11/TCP forwarding sockets. (bz#1392) - Fix FD leak that could hang a ssh(1) connection multiplexing master. (bz#1398) - Improve error messages when hostname resolution fails due to a system error. (bz#1417) - Make ssh(1) -q option documentation consistent with reality. (bz#1427 bz#1429) Portable OpenSSH bugs fixed: - Fixed sshd(8) PAM support not calling pam_session_close(), or failing to call it with root privileges. (bz#926) - Made sshd(8) use configuration-specified SyslogFacility for hosts_access(3) messages for denied connections. (bz#1042) - Implement getgrouplist(3) for AIX, enabling NSS LDAP to work on this platform. (bz#1081) - Fix compilation errors on AIX due to misdefinition of LLONG_MAX. (bz#1347) - Force use of local glob(3) implementation on Mac OS X and FreeBSD, as the platform versions lack features or have unexpected behaviour. (bz#1407) - Reduce stdout/stderr noise from ssh-copy-id. (bz#1431) - Fix activation of OpenSSL engine support when requested in configure. (bz#1437) Changes since OpenSSH 4.6: ============================ Security bugs resolved in this release: * Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec. Other changes, new functionality and fixes in this release: * sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. * The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. * ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. * A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. * A -K flag was added to ssh(1) to set GSSAPIAuthentication=Yes * Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. * ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. (bz #1261) * The following bugs have been fixed in this release: - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work (bz #616) - Make scp(1) skip FIFOs rather than hanging (bz #856) - Encode non-printing characters in scp(1) filenames. these could cause copies to be aborted with a "protocol error" (bz #891) - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated (bz #1196) - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms (bz #1220) - Improve documentation for ssh-add(1)'s -d option (bz #1224) - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. (bz #1225) - Delay execution of ssh(1)'s LocalCommand until after all forwadings have been established. (bz #1232) - In scp(1), do not truncate non-regular files (bz #1236) - Improve exit message from ControlMaster clients. (bz #1262) - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error. (bz #1286) * Portable OpenSSH bugs fixed: - Fix multiple inclusion of paths.h on AIX 5.1 systems. (bz #1243) - Implement getpeereid for Solaris using getpeerucred. Solaris systems will now refuse ssh-agent(1) and ssh(1) ControlMaster clients from different, non-root users (bz #1287) - Fix compilation warnings by including string.h if found. (bz #1294) - Remove redefinition of _res in getrrsetbyname.c for platforms that already define it. (bz #1299) - Fix spurious "chan_read_failed for istate 3" errors from sshd(8), a side-effect of the "hang on exit" fix introduced in 4.6p1. (bz #1306) - pam_end() was not being called if authentication failed (bz #1322) - Fix SELinux support when SELinux is in permissive mode. Previously sshd(8) was treating SELinux errors as always fatal. (bz #1325) - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys. (bz #1339) - Fix privilege separation on QNX - pre-auth only, this platform does not support file descriptior passing needed for post-auth privilege separation. (bz #1343) Changes since OpenSSH 4.5: ============================ * sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. * The following bugs have been fixed in this release: - Clear SIGALRM when restarting due to SIGHUP. Prevents stray signal from taking down sshd if a connection was pending at the time SIGHUP was received - sftp returned a zero exit status when upload failed due to write errors (bugzilla #1252) - fixed an inconsistent check for a terminal when displaying scp progress meter (bugzilla #1265) - Parsing of time values in Match blocks was incorrectly applied to the global configuration (bugzilla #1275) - Allow multiple forwarding options to work when specified in a PermitOpen directive (bugzilla #1267) - Interoperate with ssh.com versions that do not support binding remote port forwarding sessions to a hostname (bugzilla #1019) * Portable OpenSSH bugs fixed: - "hang on exit" when background processes are running at the time of exit on a ttyful/login session (bugzilla #52) - Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259) - Check that some SIG records have been returned in getrrsetbyname (bugzilla #1281) - Fix contrib/findssl for platforms that lack "which" (bugzilla #1237) - Work around bug in OpenSSL 0.9.8e that broke aes256-ctr, aes192-ctr, arcfour256 (bugzilla #1291) Changes since OpenSSH 4.4: ============================ This is a bugfix only release. No new features have been added. Security bugs resolved in this release: * Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities. This release includes the following non-security fixes: * Several compilation fixes for portable OpenSSH * Fixes to Solaris SMF/process contract support (bugzilla #1255) Thanks to everyone who has contributed patches, reported bugs and tested releases. Changes since OpenSSH 4.3: ============================ Security bugs resolved in this release: * Fix a pre-authentication denial of service found by Tavis Ormandy, that would cause sshd(8) to spin until the login grace time expired. * Fix an unsafe signal hander reported by Mark Dowd. The signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service. On portable OpenSSH, this vulnerability could theoretically lead to pre-authentication remote code execution if GSSAPI authentication is enabled, but the likelihood of successful exploitation appears remote. * On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. This release includes the following new functionality and fixes: * Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post- authentication options are supported and more are expected to be added in future releases. * Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. * Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. * Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. * Add optional logging of transactions to sftp-server(8). * ssh(1) will now record port numbers for hosts stored in ~/.ssh/authorized_keys when a non-standard port has been requested. * Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. * Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. * Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. * Many manpage fixes and improvements * New portable OpenSSH-specific features: - Add optional support for SELinux, controlled using the --with-selinux configure option (experimental) - Add optional support for Solaris process contracts, enabled using the --with-solaris-contracts configure option (experimental) This option will also include SMF metadata in Solaris packages built using the "make package" target - Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. * Bugs from http://bugzilla.mindrot.org fixed: #482 - readconf doesn't accept paths with spaces in them. #906 - syslog messages from sshd [net] lost. #975 - Kerberos authentication timing can leak information about account validity. #981 - Flow stop in SSH2. #1102 - C program 'write' with zero length hangs. #1129 - sshd hangs for command-only invocations due to fork/child signals. #1131 - error "buffer_append_space:alloc not supported" #1138 - Passphrase asked for (but ignored) if key file permissions too liberal.. #1156 - Closes connection after C-c is pressed on QNX. #1157 - ssh-keygen doesn't handle DOS line breaks. #1159 - %u and %h not handled in IdentityFile. #1161 - scp -r fails. #1162 - Inappropriate sequence of syslog messages. #1166 - openssh-4.3p1 has some issues compiling. #1171 - configure can't always figure out LLONG_MAX.. #1173 - scp reports lost connection for very large files. #1177 - Incorrect sshrc file location in Makefile.in. #1179 - sshd incorrectly rejects connections due to IP options. #1181 - configure should detect when openssl-0.9.8x needs -ldl. #1186 - ssh tries multiple times to open unprotected keys. #1188 - keyboard-interactive should not allow retry after pam_acct_mgmt fails. #1193 - Open ssh will not allow changing of passwords on usernames greater than 8 characters.. #1201 - Bind address information is not specified in command line help messages. #1203 - configure.ac is missing an open [. #1207 - sshd does not clear unsuccessful login count on non-interactive logins. #1218 - GSSAPI client code permits SPNEGO usage. #1221 - Banner only suppressed at log level = QUIET (used to be at log level < INFO). * Fixes to memory and file descriptor leaks reported by the Coverity static analysis tool * Fixes to inconsistent pointer checks reported by the Stanford SATURN tool Thanks to everyone who has contributed patches, reported bugs and tested releases. Changes since OpenSSH 4.2: ============================ Security bugs resolved in this release: * CVE-2006-0225: scp (as does rcp, on which it is based) invoked a subshell to perform local to local, and remote to remote copy operations. This subshell exposed filenames to shell expansion twice; allowing a local attacker to create filenames containing shell metacharacters that, if matched by a wildcard, could lead to execution of attacker-specified commands with the privilege of the user running scp (Bugzilla #1094) This is primarily a bug-fix release, only one new feature has been added: * Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or 3. This feature is experimental and is currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and FreeBSD. Other operating systems with tun/tap interface capability may be added in future portable OpenSSH releases. Please refer to the README.tun file in the source distribution for further details and usage examples. Some of the other bugs resolved and internal improvements are: * Reduce default key length for new DSA keys generated by ssh-keygen back to 1024 bits. DSA is not specified for longer lengths and does not fully benefit from simply making keys longer. As per FIPS 186-2 Change Notice 1, ssh-keygen will refuse to generate a new DSA key smaller or larger than 1024 bits * Fixed X forwarding failing to start when a the X11 client is executed in background at the time of session exit (Bugzilla #1086) * Change ssh-keygen to generate a protocol 2 RSA key when invoked without arguments (Bugzilla #1064) * Fix timing variance for valid vs. invalid accounts when attempting Kerberos authentication (Bugzilla #975) * Ensure that ssh always returns code 255 on internal error (Bugzilla #1137) * Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029) * Set SO_REUSEADDR on X11 listeners to avoid problems caused by lingering sockets from previous session (X11 applications can sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076) * Ensure that fds 0, 1 and 2 are always attached in all programs, by duping /dev/null to them if necessary. * Xauth list invocation had bogus "." argument (Bugzilla #1082) * Remove internal assumptions on key exchange hash algorithm and output length, preparing OpenSSH for KEX methods with alternate hashes. * Ignore junk sent by a server before it sends the "SSH-" banner (Bugzilla #1067) * The manpages has been significantly improves and rearranged, in addition to other specific manpage fixes: #1037 - Man page entries for -L and -R should mention -g. #1077 - Descriptions for "ssh -D" and DynamicForward should mention they can specify "bind_address" optionally. #1088 - Incorrect descriptions in ssh_config man page for ControlMaster=no. #1121 - Several corrections for ssh_agent manpages * Lots of cleanups, including fixes to memory leaks on error paths (Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092) * Portable OpenSSH-specific fixes: - Pass random seed during re-exec for each connection: speeds up processing of new connections on platforms using the OpenSSH's builtin entropy collector (ssh-rand-helper) - PAM fixes and improvements: #1045 - Missing option for ignoring the /etc/nologin file #1087 - Show PAM password expiry message from LDAP on login #1028 - Forward final non-query conversations to client #1126 - Prevent user from being forced to change an expired password repeatedly on AIX in some PAM configurations. #1045 - Do not check /etc/nologin when PAM is enabled, instead allow PAM to handle it. Note that on platforms using PAM, the pam_nologin module should be used in sshd's session stack in order to maintain past behaviour - Portability-related fixes: #989 - Fix multiplexing regress test on Solaris #1097 - Cross-compile fixes. #1096 - ssh-keygen broken on HPUX. #1098 - $MAIL being set incorrectly for HPUX server login. #1104 - Compile error on Tru64 Unix 4.0f #1106 - Updated .spec file and startup for SuSE. #1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing compilation problems on glibc 2.4 Thanks to everyone who has contributed patches, reported bugs or test releases. Changes since OpenSSH 4.1: ============================ - SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts to be incorrectly activated for dynamic ("-D") port forwardings when no listen address was explicitly specified. - SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI credentials to be delegated to users who log in with methods other than GSSAPI authentication (e.g. public key) when the client requests it. This behaviour has been changed in OpenSSH 4.2 to only delegate credentials to users who authenticate using the GSSAPI method. This eliminates the risk of credentials being inadvertently exposed to an untrusted user/host (though users should not activate GSSAPIDelegateCredentials to begin with when the remote user or host is untrusted) - Added a new compression method that delays the start of zlib compression until the user has been authenticated successfully. The new method ("Compression delayed") is on by default in the server. This eliminates the risk of any zlib vulnerability leading to a compromise of the server from unauthenticated users. NB. Older OpenSSH (<3.5) versions have a bug that will cause them to refuse to connect to any server that does not offer compression when the client has compression requested. Since the new "delayed" server mode isn't supported by these older clients, they will refuse to connect to a new server unless compression is disabled (on the client end) or the original compression method is enabled on the server ("Compression yes" in sshd_config) - Another round of proactive changes for signed vs unsigned integer bugs has been completed, including changing the atomicio() API to encourage safer programming. This work is ongoing. - Added support for the improved arcfour cipher modes from draft-harris-ssh-arcfour-fixes-02. The improves the cipher's resistance to a number of attacks by discarding early keystream output. - Increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits. - Many bugfixes and improvements to connection multiplexing, including: - Added ControlMaster=auto/autoask options to support opportunistic multiplexing (see the ssh_config(5) manpage for details). - The client will now gracefully fallback to starting a new TCP connection if it cannot connect to a specified multiplexing control socket - Added %h (target hostname), %p (target port) and %r (remote username) expansion sequences to ControlPath. Also allow ControlPath=none to disable connection multiplexing. - Implemented support for X11 and agent forwarding over multiplexed connections. Because of protocol limitations, the slave connections inherit the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding their own. - Portable OpenSSH: Added support for long passwords (> 8-char) on UnixWare 7. - The following bugs from http://bugzilla.mindrot.org/ were closed: #471 - Misleading error message if /dev/tty perms wrong #623 - Don't use $HOME in manpages #829 - Don't allocate a tty if -n option is set #1025 - Correctly handle disabled special character in ttymodes #1033 - Fix compile-time warnings #1046 - AIX 5.3 Garbage on Login #1054 - Don't terminate connection on getpeername() failure #1076 - GSSAPIDelegateCredentials issue mentioned above - Lots of other improvements and fixes. Please refer to the ChangeLog for details Thanks to everyone who has contributed patches, problem or test reports. Changes since OpenSSH 4.0: ============================ * This is a bugfix release, no new features have been added. Some notable fixes are: - Fix segfault when using forwardings configured in ssh_config(5) and ClearAllForwardings (bugzilla #996) - Limit input buffer size for channels. A peer could send more data than the buffer code was willing to accept. This would cause OpenSSH to abort the connection (bugzilla #896) * Several improvements to the regression tests * Portable OpenSSH: - OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to IPv4 addresses. This means that IPv4 addresses in log messages on IPv6 enabled machines will no longer be prefixed by "::ffff:" and AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only for 4-in-6 mapped connections. This ensures a consistent representation of IPv4 addresses regardless of whether or not the machine is IPv6 enabled. * Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006, #1024, and #1038 Changes since OpenSSH 3.9: ============================ * ssh(1) now allows the optional specification of an address to bind to in port forwarding connections (local, remote and dynamic). Please refer to the documentation for the -L and -R options in the ssh(1) manual page and the LocalForward and RemoteForward options in the ssh_config(5) manpage. (Bugzilla #413) * To control remote bindings while retaining backwards compatibility, sshd(8)'s GatewayPorts option has been extended. To allow client specified bind addresses for remote (-R) port forwardings, the server must be configured with "GatewayPorts clientspecified". * ssh(1) and ssh-keyscan(1) now support hashing of host names and addresses added to known_hosts files, controlled by the ssh(1) HashKnownHosts configuration directive. This option improves user privacy by hiding which hosts have been visited. At present this option is off by default, but may be turned on once it receives sufficient testing. * Added options for managing keys in known_hosts files to ssh-keygen(1), including the ability to search for hosts by name, delete hosts by name and convert an unhashed known_hosts file into one with hashed names. These are particularly useful for managing known_hosts files with hashed hostnames. * Improve account and password expiry support in sshd(8). Ther server will now warn in advance for both account and password expiry. * sshd(8) will now log the source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups (Bugzilla #909) * Added AddressFamily option to sshd(8) to allow global control over IPv4/IPv6 usage. (Bugzilla #989) * Improved sftp(1) client, including bugfixes and optimisations for the ``ls'' command and command history and editing support using libedit. * Improved the handling of bad data in authorized_keys files, eliminating fatal errors on corrupt or very large keys. (Bugzilla #884) * Improved connection multiplexing support in ssh(1). Several bugs have been fixed and a new "command mode" has been added to allow the control of a running multiplexing master connection, including checking that it is up, determining its PID and asking it to exit. * Have scp(1) and sftp(1) wait for the spawned ssh to exit before they exit themselves. This prevents ssh from being unable to restore terminal modes (not normally a problem on OpenBSD but common with -Portable on POSIX platforms). (Bugzilla #950) * Portable OpenSSH: - Add *EXPERIMENTAL* BSM audit support for Solaris systems (Bugzilla #125) - Enable IPv6 on AIX where possible (see README.platform for details), working around a misfeature of AIX's getnameinfo. (Bugzilla #835) - Teach sshd(8) to write failed login records to btmp for unsuccessful auth attempts. Currently this is only for password, keyboard-interactive and challenge/response authentication methods and only on Linux and HP-UX. - sshd(8) now sends output from failing PAM session modules to the user before exiting, similar to the way /etc/nologin is handled - Store credentials from gssapi-with-mic authentication early enough to be available to PAM session modules when privsep=yes. Changes since OpenSSH 3.8: ============================ * Added new "IdentitiesOnly" option to ssh(1), which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent(1) * Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things * Add strict permission and ownership checks to programs reading ~/.ssh/config NB ssh(1) will now exit instead of trying to process a config with poor ownership or permissions * Implemented the ability to pass selected environment variables between the client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in ssh_config(5) for details * Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum number of authentication attempts permitted per connection * Added support for cancellation of active remote port forwarding sessions. This may be performed using the ~C escape character, see "Escape Characters" in ssh(1) for details * Many sftp(1) interface improvements, including greatly enhanced "ls" support and the ability to cancel active transfers using SIGINT (^C) * Implement session multiplexing: a single ssh(1) connection can now carry multiple login/command/file transfer sessions. Refer to the "ControlMaster" and "ControlPath" options in ssh_config(5) for more information * The sftp-server has improved support for non-POSIX filesystems (e.g. FAT) * Portable OpenSSH: Re-introduce support for PAM password authentication, in addition to the keyboard-interactive driver. PAM password authentication is less flexible, and doesn't support pre-authentication password expiry but runs in-process so Kerberos tokens, etc are retained * Improved and more extensive regression tests * Many bugfixes and small improvements Changes since OpenSSH 3.7.1: ============================ * sshd(8) now supports forced changes of expired passwords via /usr/bin/passwd or keyboard-interactive authentication. Note for AIX: sshd will now deny password access to accounts with passwords expired longer than their maxexpired attribute. For details, see the AIX section in README.platform. * ssh(1) now uses untrusted cookies for X11-Forwarding. Some X11 applications might need full access to the X11 server, see ForwardX11Trusted in ssh(1) and xauth(1) for more information. * ssh(1) now supports sending application layer keep-alive messages to the server. See ServerAliveInterval in ssh(1) for more information. * Improved sftp(1) batch file support. * New KerberosGetAFSToken option for sshd(8). * Updated /etc/moduli file and improved performance for protocol version 2. * Support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details. * Fix a number of memory leaks. * The experimental "gssapi" support has been replaced with the "gssapi-with-mic" to fix possible MITM attacks. The two versions are not compatible. Changes since OpenSSH 3.6.1: ============================ * The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms. * Rhosts authentication has been removed in ssh(1) and sshd(8). * Changes in Kerberos support: - KerberosV password support now uses a file cache instead of a memory cache. - KerberosIV and AFS support has been removed. - KerberosV support has been removed from SSH protocol 1. - KerberosV password authentication support remains for SSH protocols 1 and 2. - This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED. * Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order: 1. ssh-agent(1) keys that are found in the ssh_config(5) file 2. remaining ssh-agent(1) keys 3. keys that are only listed in the ssh_config(5) file This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried. * SOCKS5 support has been added to the dynamic forwarding mode in ssh(1). * Removed implementation barriers to operation of SSH over SCTP. * sftp(1) client can now transfer files with quote characters in their filenames. * Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed. * Fix a number of memory leaks. * Support for sending tty BREAK over SSH protocol 2. * Workaround for other vendor bugs in KEX guess handling. * Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1). * Automatic re-keying based on amount of data sent over connection. * New AddressFamily option on client to select protocol to use (IPv4 or IPv6). * Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2. * Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details. * Portable OpenSSH: - Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD. - PAM support may now be enabled/disabled at runtime using the UsePAM directive. - Many improvements to the OpenSC smartcard support. - Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in the source distribution. - On platforms that support it, portable OpenSSH now honors the UMASK, PATH and SUPATH attributes set in /etc/default/login. - Deny access to locked accounts, regardless of authentication method in use.