OpenSSH 5.4 Released
HipToday writes "As posted on the OpenBSD Journal, OpenSSH 5.4 has been released: 'Some highlights of this release are the disabling of protocol 1 by default, certificate authentication, a new "netcat mode," many changes on the sftp front (both client and server) and a collection of assorted bugfixes. The new release can already be found on a large number of mirrors and of course on www.openssh.com.'"
SFTP improvements (Score:4, Informative)
* Many improvements to the sftp(1) client, many of which were implemented by Carlos Silva through the Google Summer of Code program:...
... - Add recursive transfer support for get/put and on the commandline
(Alas!!)
Whole host of other improvements and bugfixes; give it a read if SSH is pertinent to your environment....
Re: (Score:2)
No, no, he meant to write "Atlas!!"
Weirdo.
Re: (Score:2, Funny)
- Implement tab-completion of commands, local and remote filenames
Well thank frak.
Re: (Score:2)
Why sftp when you can scp? scp -r has worked fine for recursive transfers, and Bash has been tab completing remote filenames for a while now.
Re: (Score:3, Interesting)
Doesn't that tab completion only work if your key is either not protected by a passphrase or cached by ssh-agent? Unfortunately, the policy where I work is that you cannot cache credentials like that, and they must be protected by a passphrase. The new features are actually good for me!
Re: (Score:2)
I usually have my credentials in ssh-agent, but I think I've been prompted for a password after hitting tab before.
Re: (Score:2)
of course
I don't think that's obvious. Remote file completion using scp has been working (with the correct packages) for a while now. Here's a bug report for a regression where it used to work, but then something changed and broke the behavior going from Jaunty to Karmic (Major Ubuntu releases.)
https://bugs.launchpad.net/ubuntu/karmic/+source/bash-completion/+bug/449349 [launchpad.net]
Re: (Score:2)
Maybe YOU were. Hatta (the person to whom I first replied) was talking about Bash/scp.
http://tech.slashdot.org/comments.pl?sid=1578336&cid=31431572 [slashdot.org]
Re: (Score:2)
True. I guess maybe Hatta's question was "What's the point?" And maybe the answer is "For people who don't use Bash."
Re: (Score:2)
This script has served me well over the years. There hasn't been a unix-alike where it has failed me in a very long time now. It also makes the target directory hierarchy for you automatically if needed.
$ cat bin/stjput
#!/bin/sh
# e.g. copy all non-hidden files and dirs from your home dir using protocol 2
# $ cd && stjput '-24 remuser@host' . *
IFS='
'
case $# in
[012])
	echo 'Usage: stjput sshopts remdir file|dir [file|dir ...]' >&2
Re: (Score:2)
Hmm that's not all of it, I continue:
`
# learn how many octets are in remdir
# wc is annoying since it was buggy on BSD and sometimes returns number of 'characters'
foo $n
# tar does not support --, so need to make sure all file/dir args start with /
# or . (not starting with - is not good enough, some versions of tar treat @
# as special for example.
m=''
for i in "$@"
do
m="$m"x
done
foo() {
case "$c" in
"$m")
Re: (Score:2)
There's just a little bit more: /dev/null`" && mkdir -p "$n" && cd "$n" && bunzip2 -c - | tar xvf -'\'''
cat
Re: (Score:2)
I have NO idea how to get this to post on slashdot, here is the guts of the last line (in some heavy quoting):
IFS=""; n="`dd bs='$n' count=1 2>/dev/null`" && mkdir -p "$n" && cd "$n" && bunzip2 -c - | tar xvf -
The idea is that the name of the destination dir is sent over stdin to the target host. This way I do not need to deal with all the arcane quoting. The command line itself is fixed save for the integer of the length of the dir name, so no complicated quoting is needed there.
Re: (Score:2)
Something like pastebin would have been useful.
http://pastebin.com/ [pastebin.com]
Re: (Score:2)
I ended-up just putting it here:
http://home.fnal.gov/~mzs/tips/unix/ssh/stjput [fnal.gov]
Yeah I should have used pastebin, it was late.
Re: (Score:2)
I can't believe how badly slash code munged the script. Here is a link:
http://home.fnal.gov/~mzs/tips/unix/ssh/stjput [fnal.gov]
Re: (Score:2)
Couldn't you use tar (ask it to filter non-hidden files/directories) then pipe to ssh? I'm actually curious if there is an obscure reason why a script is necessary.
Re: (Score:2)
That's exactly what the script does but over the years it got more useful. It used to use cpio at first, so I would pipe find output into it. But then I ran into a machine that did not have cpio, so I changed it to tar. Then I ran into trouble once where a file started with -, so the checks for that. At some point I started using more OSX machines and then I routinely ran into paths with spaces and got tired of double escaping that for ssh, so the work around. Then the switch to cksum instead of wc becaus
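The technique described above, sending the destination directory name over stdin with only its byte length on the remote command line, as an added example. This is not the stjput script from the thread (that is only linked, not reproduced here); it is a fresh sh implementation of the same idea. The "remote" side is a local `sh -c` so it runs offline; for real use replace `sh -c "$cmd"` with `ssh "$host" "$cmd"`. The function names (ldpush, ldpush_receiver_cmd), the choice of plain tar without bzip2, and the C-locale byte count are this example's own assumptions. One deliberate change from the posted fragment: it uses `dd bs=1 count=N` rather than `dd bs=N count=1`, because on a pipe or ssh channel a single read can return fewer than N bytes, in which case dd would hand a truncated name to mkdir and the rest of the name to tar.

```shell
#!/bin/sh
# Added example (not the thread's stjput): length-prefixed destination name over
# stdin, followed by a tar stream. The remote command line holds only an integer,
# so the directory name needs no quoting and may contain spaces or quotes.

# Receiver command for a destination name of $1 bytes. Only the byte count is
# interpolated into the command string (single quotes keep $d and $(...) literal
# for the receiving shell). dd bs=1 count=N reads exactly N bytes even from a
# pipe; bs=N count=1 could short-read.
ldpush_receiver_cmd() {
    printf 'd=$(dd bs=1 count=%d 2>/dev/null) && mkdir -p "$d" && cd "$d" && tar xf -' "$1"
}

# Push the contents of local directory $2 into (remote) directory $1.
# Archiving "." from inside the source sidesteps tar argument parsing, so
# names starting with "-" or "@" are never seen as options.
ldpush() {
    dest=$1
    src=$2
    # Byte length of the name in the C locale. Some BSD wc implementations pad
    # the count with spaces; the arithmetic expansion normalises that.
    n=$(printf '%s' "$dest" | LC_ALL=C wc -c)
    n=$((n + 0))
    cmd=$(ldpush_receiver_cmd "$n")
    {
        printf '%s' "$dest"          # exactly $n bytes, no newline
        (cd "$src" && tar cf - .)    # then the archive
    } | sh -c "$cmd"                 # stand-in for: ssh "$host" "$cmd"
}
```

Usage: `ldpush 'dest dir/with spaces' /path/to/src` creates `dest dir/with spaces` under the receiver's working directory and unpacks the tree there. One limitation inherited from the original design: the receiver captures the name with `$(...)`, which strips trailing newlines, so a directory name ending in a newline would lose it.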
Some interesting features... (Score:1, Informative)
I'm interested to see how the certificates and netcat features get used in the real world with SSH. I regenerated all of my SSH keys because they are defaulted to AES-128 bit encrypted and the public exponent is changed to 65537.
johnny stoops.
Re: (Score:2)
ssh proxy nc host port
has been working fine for quite a while, but I guess getting rid of the netcat dependency is a good thing.
Re: (Score:2)
I've been using this in my ssh_config for a while:
ProxyCommand /usr/bin/ssh -24 -o PermitLocalCommand=no -qaxT gateway exec /usr/bin/nc %h %p
I find that -qaxT are really key to getting everything to work right and that's not documented well. You can of course forward X11 and what not, the trick is to not get the gateway involved, it just passes it on to the host and that sshd handles it. You don't need the pty on the gateway either, etc for the other options. That with ControlMaster and screen has really be
Re: (Score:2)
Both -a and -x are default though, and -T is also default if you give a command to execute, so only -q will actually do something there.
It is quite common to turn on agent and X11 forwarding in ssh_config though, and then there is a point to those options (and I guess they don't hurt).
Re: (Score:2)
Yes, I did a bad job of explaining, for example I have such entries:
Host host.gateway
ForwardX11 yes
ForwardX11Trusted yes
TCPKeepAlive yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
HostName host.example
ProxyCommand /usr/bin/ssh -24 -o PermitLocalCommand=no -qaxT gateway.example exec /usr/bin/nc %h %p
In my "Hosts *" section earlier I have various items I usually like enabled (I have A LOT of hosts I ssh to, many not behind a gateway), such as agent and X11 forwarding. So before it dawned on me that I
Re: (Score:2)
It is quite common to turn on agent and X11 forwarding in ssh_config though, and then there is a point to those options (and I guess they don't hurt).
Agent forwarding should be selectively enabled only for hosts that you trust completely. A root user on the remote host can use your credentials for as long as you are connected.
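The gateway setup discussed in this sub-thread, written out as an added ssh_config example (not any commenter's actual config). It uses the 5.4 "netcat mode" (`ssh -W host:port`) in place of `exec nc %h %p`, so the gateway needs neither netcat nor a shell for the hop, and it keeps the forwarding decisions on the end host rather than the gateway, per the point above about agent forwarding. The host names gateway.example and host.example are assumed.

```sshconfig
# ~/.ssh/config fragment, added example, not from the thread.
# Assumed names: gateway.example (bastion), host.example (behind it).

# Defaults: forwarding off everywhere; turn it on per host below.
Host *
    ForwardAgent no
    ForwardX11 no

Host host.example
    # -W relays this client's stdin/stdout to host.example:22 through
    # gateway.example (netcat mode, new in 5.4). No shell, no nc on the
    # gateway. -a/-x/-T are already the defaults for such a hop; -q only
    # silences banners that would corrupt the relayed stream.
    ProxyCommand ssh -q -W %h:%p gateway.example
    # Forwarding is negotiated with host.example's sshd, end to end; the
    # gateway only carries encrypted bytes, so these do not involve it.
    ForwardX11 yes
    ForwardX11Trusted yes
    # Anyone with root on host.example can use your forwarded agent for as
    # long as you are connected. Leave this off unless you trust the host.
    ForwardAgent no
```

To check what the hop actually does, `ssh -v host.example` shows the ProxyCommand being executed and, separately, which forwardings the end host accepted.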
Cygwin's package was updated, too (Score:5, Interesting)
Re:Cygwin's package was updated, too (Score:5, Interesting)
Could you not do this with a combination of Match User and ForceCommand directives? Something like:
Match User anonymous
ForceCommand sftp-server -R
ChrootDirectory /home/anonymous
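The same idea as the Match block above, as an added sshd_config example (not the commenter's configuration) with the two checks a practitioner hits first: sshd refuses a ChrootDirectory unless every path component is root-owned and not group- or world-writable (the "sanity check" mentioned further down in the thread), and a chrooted session cannot exec an external sftp-server binary, so the in-process internal-sftp is used instead. The user name anonymous and the path /srv/sftp/anonymous are assumed.

```sshconfig
# sshd_config fragment, added example, not from the thread.

# Use the in-process SFTP server so no binaries are needed inside the chroot.
Subsystem sftp internal-sftp

Match User anonymous
    # Each component of this path must be owned by root and not writable by
    # group or others, or the login fails with
    # "bad ownership or modes for chroot directory". Publish files from a
    # root-owned subdirectory; if uploads are ever needed, make a separate
    # subdirectory writable rather than the chroot root itself.
    ChrootDirectory /srv/sftp/anonymous
    # Read-only SFTP, no shell, no forwarding of any kind.
    ForceCommand internal-sftp -R
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

After editing, `sshd -t` validates the file, and `sshd -T -C user=anonymous` prints the effective settings for that user so the Match block can be confirmed to apply.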
Re: (Score:2)
Have they fixed the bug with ChrootDirectory on Mac OS X? On that system / is group writeable and that fails some sanity check. I do not permit any admin users to ssh in though so it should not really be a problem in practice. (To admin you need to ssh in as yourself, then /usr/bin/login -p admin, from there sudo.) I used to have a dylib I would preload but at some point it stopped working so I would compile my own versions.
Also it seemed a while back that I would be able to use sftp on even if sftp was dis
Re: (Score:2)
Have they fixed the bug with ChrootDirectory on Mac OS X? On that system / is group writeable and that fails some sanity check.
Don't really know, as I haven't had a need to do much advanced configuration on OS X sshd. Sounds like a strange bug, though.
Also it seemed a while back that I would be able to use sftp on even if sftp was disabled on the server.
Is there really a point to disabling sftp? If you have the filesystem-level permissions, you can perform those operations through SSH.
"get" a file: ssh remote "cat rfile" > lfile
"put" a file: ssh remote "cat > rfile" lfile
And if the admin does some tricky things to only allow certain commands to be executed from the SSH session, they probably aren't stopping those commands
Re: (Score:2)
It's funny but I use rbash (restricted) and rsh (remote) just like that (vxworks).
But I think we are agreeing, seems pointless to disable sftp if you let people login instead of restricting to certain commands.
Re: (Score:3, Insightful)
Just because it's public data doesn't mean you want anyone else to know what that particular user is doing.
Re:Cygwin's package was updated, too (Score:5, Insightful)
Yes, you are missing the point.
FTP is a fucking mess, I hate it, I wish I could kill it today everywhere. It is a disaster to manage with a firewall. The horrendous idea of using separate random ports for data connection vs control connections, the active/passive methods, it's is pure evil.
SFTP is not FTP over SSH if you did not understand, it is a proper FTP that happens to run over a secured link.
history of FTP (Score:2, Informative)
FTP is a fucking mess, I hate it, I wish I could kill it today everywhere. It is a disaster to manage with a firewall. The horrendous idea of using separate random ports for data connection vs control connections, the active/passive methods, it's is pure evil.
At the time of its invention FTP's design made sense.
TCP allows bi-directional traffic on a port, but TCP was not invented when FTP was first created (1971). The protocol that was around only allowed one-way transmission of data on any connection. So when you FTPed into a machine, the server had to open a connection back to the client to return any data.
Also remember that firewalls were also not invented until the late '80s (early '90s?), so the blocking of connections back to the client wasn't an issue.
Re: (Score:2)
I don't dispute any of that, it's obviously true, but FTP should have been either abolished about 20 years ago or at least modified as a protocol standard to transition to a new more sensible implementation. So when the question arises about the reasons of switching to SFTP, well, even disregarding the 'secure' part, the protocol deficiency itself is a valid reason to switch.
FTP should be dead, long live SFTP (Score:2)
I really should do some sort of https thing to allow secure upload of files instead of users having to use FTP, but never get around to more than googling in vain for others doing the same thing. Has anyone seen anything like that?
Re: (Score:2)
"The folder you entered does not appear to be valid. Please choose another"
The wikipedia page really sums up how it's far more confusing to people to set up than emailing brief instructions on how to connect via FTP.
The major purpose of FTP now IMHO is to transport files that are too large to email and too sensitive to post on a public web site. That means a lot of novice or occasional users for whichever method and FTP (or ideally SFTP) has a shorter learning curve than WebDAV.
Re: (Score:2)
You mean like rcp or uucp? ftp was so dominant simply because the ftp client was wonderfully interactive for its time.
Re: (Score:2)
no, I mean like ftp. FTP should have been modified as a protocol and implementation over time to be more like other well behaved protocols.
Re: (Score:2)
You're obviously not running OpenBSD firewalls. ;)
Re:Cygwin's package was updated, too (Score:4, Insightful)
I am running OpenBSD firewall ... I have the pf and ftp-proxy configured correctly (checked by someone who knows this by heart), still can't have the ftp working for the internal network. Gone through all configurations, docs, still don't have it working. Have to waste more time on this later, just because the users 'need' the ftp to download shit from other firm...
Sorry, but the pf/ftp-proxy combination works as advertised. I'd suggest your configuration is wrong. Asserting that it doesn't work because "someone who knows this by heart" examined it is meaningless.
Fix your configuration and stop complaining. Both pf and ftp-proxy can do detailed logging. If you understand FTP, and you examine the logged output, you'll quickly find the source of your errors and, by extension, the solution.
Granted FTP is a creaky protocol, and while it's true that most people don't understand it (even those that claim they do), it's just as true that it ain't going anywhere. Maybe it's time to brush up on the RFCs?
Re: (Score:2)
tcpdump is your friend too. It is likely simply some client is not using PASV or BIN modes.
Re: (Score:2)
I constantly get my users complaining that their FTP server isn't working because port 20 incoming isn't open. I've had to start sending them a diagram of how FTP works.
Re: (Score:2)
Asserting that it doesn't work because "someone who knows this by heart" examined it is meaningless.
- well, I did get someone who knows it by heart. A person on this list: openBSD commercial support [openbsd.org], Russel.
Now, "asserting that it doesn't work because ... it doesn't work" - because it doesn't. I said something does not work, but it looks correct, logs are not showing problems, the configuration looks correct yet ftp cannot be reached from inside the network. Does it work? No. Did I say "openBSD doesn't work"? No. I said it's not working, whatever the cause is and it looks correct.
Re: (Score:2)
Look, I'm sure your cat is very intelligent, and I don't doubt that it's a better sysadmin than you, but I think it is a bit unreasonable to expect a common housepet to properly determine the cause of an issue like this.
Re: (Score:2)
couldn't be the cat, it was busy shitting in your soup bowl.
Re: (Score:2)
How'd you determine that? Did you 'read its logs with tcpdump'?
Re: (Score:2)
Pffft, that was weak. Didn't have to, it talks, told me all about how you ate the soup and liked it.
Re: (Score:2)
Funny you should mention talking cats, my nephew claims to have one as well. Of course he is 5, you should probably seek professional psychiatric help...
Of course with your condition you probably didn't catch this, but I was of course referencing this comment:
Re: (Score:2)
You know, the one where you managed to conclusively demonstrate that you are both a jackass, and a complete idiot, at the same time. It's cute how you still don't get how you messed up right there.
- that is all in your head, it's small and shriveled now, after tasting that soup.
Re: (Score:2)
As I said, cute.
But I'm in a good mood today so I'll give you a hint: tcpdump isn't a pager, you don't read logs with it.
Re: (Score:2)
I'll give you a hint
bitch.
Re: (Score:2)
If you really think packet logs are the only logs relevant to your issue, or the only appropriate use of tcpdump, then I'm afraid I'm at a loss of words to describe the new level of idiocy you have achieved. The best I can do is offer forth my congratulations.
Re: (Score:2)
who said it was THE ONLY ONE, biatch?
Re: (Score:2)
A fellow slashdot commenter kindly suggested that you make use of tcpdump to help resolve your issues. You verbally harassed him for his trouble, saying that you have already used it to review your logs.
Ass-fiend.
Re: (Score:2)
What are you, a knight in the shining armor, fighting for the fella /.ers? Must be the cat shit in your brains.
Re: (Score:2)
I love this moderation: "I am having a problem, configured everything as found at open bsd web site, logs don't show any errors, a person with much more experience than I have in OpenBSD firewall configurations couldn't help either". /. moderator: "That's a flamebait, you can't be having a problem like that, that's impossible, you are starting a flamewar."
Love /.
Re: (Score:2)
"I am having a problem, configured everything as found at open bsd web site, logs don't show any errors, a person with much more experience than I have in OpenBSD firewall configurations couldn't help either". /. moderator: "That's a flamebait, you can't be having a problem like that, that's impossible, you are starting a flamewar."
Yeah, it should have been modded "troll."
This is what you actually originally said:
I have the pf and ftp-proxy configured correctly
(emphasis mine)
If it was configured correctly, you wouldn't be having the problems. Lots of people use pf+ftp-proxy for exactly this purpose.
Re: (Score:2)
well, shit, as I said, I paid for help, not from someone off the street. http://openbsd.org/support.html#Canada [openbsd.org] - search for the name Russel. He is listed at OpenBSD site. In his words he could not see anything wrong with the configuration and I configured it before he looked. So am I trolling? Obviously something is not right, but if someone off bsd official commercial support list couldn't help, well then, what can I say, something is broken but it does not look broken. You want to fix it?
Re: (Score:2)
I was just pointing out a difference between what you said and what you (obviously) thought. You didn't give all the information, so your post sounded like maybe a troll or flamebait.
And it's entirely possible that the problem lies outside of pf+ftp-proxy. "Nothing in the logs" is another clue that pf+ftp-proxy may be working. So where's the real problem? I don't know.
As I mentioned elsewhere, I, too, think that FTP is a mess. I wholeheartedly share your pain and feelings on it.
Re: (Score:2)
I'll take both sides here. OpenBSD + pf + ftp-proxy does work as advertised if it's set up right. That said, I agree completely that FTP is a freakin' mess and needs to be taken out back and shot. We have an FTP server for clients to upload certain documents to us, but we've adamantly deprecated it for new customers and are setting them all up with WebDAV over HTTPS. The new system wins over the old in every way imaginable.
Re: (Score:2)
Chances are you are matching your FTP traffic in another rule. Check the order of:
anchor "ftp-proxy/*"
Make sure it doesn't have a quick rule before or a block rule after which would match it.
Re: (Score:2)
They don't have to be random. Say you decide that you will allow 20 simultaneous connections, so then you allocate a block of 40 (if it's not busy you can have less, but TIME_WAIT after the connection is closed implies you should have some extras) below the ephemeral lower limit. Then in your firewall you open up those 40 to the world or your organization. If nothing is listening on a port then there really is no harm having that port open. If you like you can block outgoing ICMP port unreachable messages. With
Re: (Score:2)
That said all the firewalls have very good mechanisms now for watching ftp connection and adding temporary rules for any secondary ports needed.
Not if the command channel is encrypted. Then the firewall can't read the PORT command.
FTP really is a mess that needs to go away, but we still get vendors who require it for one reason or another. We even have a couple who sniff the FTP prompt using something like an expect script, so if you're not using a particular version/vendor of FTP, they will fail. Of course, this sort of thing could happen with any protocol.
Anyway, the guy you replied to obviously has some other issues besides just FTP being a c
Re: (Score:3, Insightful)
I believe what he is saying is that FTP, in the classical sense, is not a properly done File Transfer Protocol. I'm inclined to agree.
Re: (Score:3, Interesting)
Arguably, running one less service would be nice. Also, OpenSSH's chrooting is pretty painless for sftp (though arguably, proper chrooting mostly precludes the need for read-only service--having your server read-only does add another layer of security.)
Re: (Score:2)
Encrypting the password.
Thank you Open SSH devs (Score:5, Informative)
Firefox sees it as a SOCKS 5 proxy at localhost. The tricky part was setting the config key in Firefox called "network.proxy.socks_remote_dns" to true. (Navigate to about:config and filter for "proxy" to find this setting quickly). The corporate network admins use bogus DNS resolution as a firewall.
I love you, OpenSSH devs. I sincerely thank you.
Thanks OpenSSH | Debian Devs DO NOT TOUCH. (Score:5, Funny)
OpenSSH is nothing short of magic. I too use it to tunnel out of work's firewall.
Now, Debian Dev. DON'T TOUCH. :)
Re: (Score:3, Informative)
Are you sure they're going through the proxy out of the box? My Firefox had that configuration knob set to "false" by default, and DNS queries are definitely hitting my company's DNS server.
If I tune the knob to true, they go through the proxy.
Both cases verified with tcpdump.
Re: (Score:3, Interesting)
I am using Firefox version 3.5.8, 32-bit, for x86.
It seems, within Firefox itself, that your DNS queries with SOCK
Re: (Score:2)
I do the same thing frequently. I've noticed a weird thing with my configuration. When I'm working through the tunnel, with DNS requests forwarded through the tunnel, and I go to a non-existent domain my ISP (cox) hijacks my NXDOMAIN and serves up a search page (with ads, obv). When I'm at home, I get NXDOMAIN just fine. Can't figure that one out.
Re: (Score:2)
My provider XS4ALL runs a ssh daemon on port 443 of their server. Using a HTTP (Netscape) proxy works just as well (another good reason to keep the ISP's proxy in the air). Thanks for the remote DNS hint, didn't think about that (DNS at our company is non-restricted).
Fortunately I did not have to use it for a while, nowadays the proxy settings of the company proxy are more reasonable. Before that I had trouble retrieving many web pages with "bad words". Including those necessary to do my work.
Re: (Score:2)
I recently discovered that Thunderbird can also use SOCKS. No need for mutt in a putty session any more!
Re: (Score:1)
No need for mutt in a putty session any more!
Sure you don't "need" to, but why wouldn't you want to?!
Does thunderbird have the same dns issue as firefox (network.proxy.socks_remote_dns)?
Re: (Score:2)
I like to look at the pretty pictures.
Remote DNS? No idea. For some reason my work's DNS can see the Internet, so we can resolve everything anyway.
Re: (Score:2)
You know what, that's the same thing I did for getting over the Great Firewall of China with a server outside of the mainland.
Re: (Score:2)
I went ahead and set up my home server for NX (nomachine) and I run a firefox window on my desktop that is really on my server. Bonus is I can disconnect it and reconnect it. It will still be where I left it. The firewall here blocks most ports other then the standards, 22 is open and NX has no problems
Please note: (Score:5, Interesting)
A brief quote from the project's home page:
Please take note of our Who uses it page, which list just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).
So go and DONATE, as i've just done.
Re: (Score:3, Funny)
A brief quote from the project's home page:
Please take note of our Who uses it page, which list just some of the vendors who incorporate OpenSSH into their own products -- as a critically important security / access feature -- instead of writing their own SSH implementation or purchasing one from another vendor. This list specifically includes companies like Cisco, Juniper, Apple, Red Hat, and Novell; but probably includes almost all router, switch or unix-like operating system vendors. In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).
So go and DONATE, as i've just done.
Okay, we get it Theo.
Re:Please note: (Score:4, Insightful)
In the 10 years since the inception of the OpenSSH project, these companies have contributed not even a dime of thanks in support of the OpenSSH project (despite numerous requests).
And they don't have to, either morally or legally.
OpenSSH is released under the BSD license, and the devs know full well that they may not be financially rewarded for their work. To suddenly expect those users to donate cash just because they use the very code you freed is, to say the least, hypocritical. After all, if you wanted to be paid for the work you do, why are you releasing it for free to the world under one of the most liberal software licenses possible? Why not a dual license that requires payment for commercial use? Naturally because the BSDs are all about freedom, of course.
Well, unless they think they're getting screwed financially.
Re: (Score:2)
Legally, no. But morally? Well, I beg to differ: those companies generate millions of dollars a year and would be in a completely different situation right now if they didn't have OpenSSH to benefit from.
Uh, so what? Those developers *chose* to release their code under a license which creates absolutely no obligation on the part of the user. They made that choice because they feel that open, free code is a good thing. So if their users don't give them any cash, why should they be surprised or offended?
No X.509 certificates? (Score:2)
Why can't they use X.509 certificates like everybody else does? Are they too complex for SSH? Why no smart card support for those really secure connections?
Maybe we should just use OpenSSL & telnet or something similar, at least OpenSSL has PKCS#11 support nowadays. The only other thing required is a way to multiplex multiple protocols over SSL, but that certainly sounds doable.
Re: (Score:2)
client X.509 certs with TLS is vulnerable to renegotiation attacks. telnet would be vulnerable to some timing attacks with TLS if it were not configured carefully as well. Sometimes simple is better.
Re: (Score:3, Insightful)
Please do tell what are the vital differences from version 1.4 made in 2008, because I think you're trolling. It looks like all RFCs normally look, either you haven't read many and don't have a clue what you're talking about or you are just trying to spread FUD.