OpenSSH 5.4 Released

Posted by timothy
from the but-it's-secret dept.
HipToday writes "As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: 'Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new "netcat mode," many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.'"

  • by klui (457783) on Wednesday March 10 2010, @05:06PM (#31430938)
    The read-only feature of sftp makes it almost a replacement for anonymous ftp. Too bad it appears to be a global setting.
  • Please note: (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 10 2010, @05:25PM (#31431190)

    A brief quote from the project's home page:
    Please take note of our Who uses it page, which lists just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).

    So go and DONATE, as I've just done.

  • by Sancho (17056) on Wednesday March 10 2010, @05:28PM (#31431224) Homepage

    Could you not do this with a combination of Match User and ForceCommand directives? Something like:

    Match User anonymous
            ForceCommand sftp-server -R
            ChrootDirectory /home/anonymous

  • Re:SFTP improvements (Score:3, Interesting)

    by Sancho (17056) on Wednesday March 10 2010, @05:57PM (#31431620) Homepage

    Doesn't that tab completion only work if your key is either not protected by a passphrase or cached by ssh-agent? Unfortunately, the policy where I work is that you cannot cache credentials like that, and they must be protected by a passphrase. The new features are actually good for me!

  • by Sancho (17056) on Wednesday March 10 2010, @06:00PM (#31431658) Homepage

    Arguably, running one less service would be nice. Also, OpenSSH's chrooting is pretty painless for sftp (though arguably, proper chrooting mostly precludes the need for read-only service--having your server read-only does add another layer of security.)

  • by overlordofmu (1422163) on Wednesday March 10 2010, @06:32PM (#31432052)
    In my case, they block YouTube with a bogus DNS resolution. Internal DNS gives an intranet IP address (which gives a default intranet page) and my home server DNS gives the correct IP address(es). I tested this again, just now, and YouTube only works for me with that setting ("network.proxy.socks_remote_dns" as true) and is blocked if it is changed to false (which I believe is the default).

    I am using Firefox version 3.5.8, 32-bit, for x86.

    It seems, within Firefox itself, that your DNS queries with SOCKS 5 proxies still use the system default DNS and not the proxy DNS, but I could not say for sure without testing your machine. In my case, I am certain that Firefox is using the system DNS unless I change this setting from its default in Firefox. (I am certain because I just tested it 5 minutes ago.) Also, YouTube works without a proxy if I use the OpenDNS.org DNS servers in my Windows TCP/IP settings. (But then no intranet DNS queries work because OpenDNS knows nothing of our 10.*.*.* intranet.)

    Again, I am only speculating, but please consider that your DNS queries are not being proxied and are evidence of where you surf even if your traffic is SSHed.

    A final note: when I am really feeling paranoid about my surfing there is the AES 256-bit loopback block device that holds a Linux install on the work laptop. That way, there is no browser history to be searched by corporate. Hell, there is no Linux to be found; it looks like a whole partition of garbage without the decryption keys. It won't boot without them. However, I am developing for Windows on Windows, so the Linux boots are a rarity these days.
  • by OttoM (467655) on Thursday March 11 2010, @05:38AM (#31435792)
    The OpenSSH developers do not trust any X.509 code. The actual X.509 validation and trust decision mechanisms are pretty horrific, and I'm glad they stayed away from that. You don't have to throw away your X.509 certs, you can keep using them for other purposes.
