OpenSSH-2.5.2 (fwd)

Dave Dittrich dittrich at cac.washington.edu
Thu Mar 22 11:27:56 PST 2001


[See notice of new OpenSSH release at bottom.]

For those using OpenSSH, there are some great developments here.
Most notably, addressing a passive monitoring attack that I alluded to
in the netsys meeting this week, and use of "bubble babble" format for
key fingerprints for better interoperability with SSH.COM's v2
servers:

[SSH.COM 2.4.0]
% ssh-keygen2 -F /etc/ssh2/hostkey.pub
Fingerprint for key:
xivot-dovyf-ceten-kymov-gudat-konos-comyr-kypoh-davim-noryl-cuxyx

vs.

[OpenSSH_2.3.0p1 ]

$ ssh-keygen -l -f /etc/ssh/ssh_host_key.pub
1054 4d:51:41:58:4f:8b:97:78:b8:bc:81:a3:14:06:4d:ad root at foo

This will make fingerprint identification much simpler (we'll only
need to publish one form, not two, for keys. As always, we will put
C&C server keys on the UWICK kit and ftp.cac so you can pre-load
them on your clients.)

--
Dave Dittrich Computing & Communications
dittrich at cac.washington.edu Client Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Thu, 22 Mar 2001 16:49:00 +0100
Subject: OpenSSH-2.5.2 (fwd)
From: Jonas Eriksson <je at SEKURE.NET>
To: BUGTRAQ at SECURITYFOCUS.COM

---------- Forwarded message ----------
Date: Thu, 22 Mar 2001 11:49:03 +0100
From: Markus Friedl <Markus.Friedl at informatik.uni-erlangen.de>
To: announce at openbsd.org
Subject: OpenSSH-2.5.2

OpenSSH 2.5.2 is now available from the mirror sites
listed at http://www.openssh.com/

Security related changes:
Improved countermeasure against "Passive Analysis of SSH
(Secure Shell) Traffic"
http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt

The countermeasures introduced in earlier OpenSSH-2.5.x versions
caused interoperability problems with some other implementations.

Improved countermeasure against "SSH protocol 1.5 session
key recovery vulnerability"
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm

New options:
permitopen authorized_keys option to restrict portforwarding.

PreferredAuthentications allows client to specify the order in which
authentication methods are tried.

Sftp:
sftp client supports globbing (get *, put *).

Support for sftp protocol v3 (draft-ietf-secsh-filexfer-01.txt).

Batch file (-b) support for automated transfers

Performance:
Speedup DH exchange. OpenSSH should now be significantly faster when
connecting use SSH protocol 2.

Preferred SSH protocol 2 cipher is AES with hmac-md5. AES offers
much faster throughput in a well scrutinised cipher.

Bugfixes:
stderr handling fixes in SSH protocol 2.

Improved interoperability.

Client:
The client no longer asks for the the passphrase if the key
will not be accepted by the server (SSH2_MSG_USERAUTH_PK_OK)

Miscellaneous:
scp should now work for files > 2GB

ssh-keygen can now generate fingerprints in the "bubble babble"
format for exchanging fingerprints with SSH.COM's SSH protocol 2
implementation.

Preliminary patches for OpenBSD-2.6 are available on request.

-m




More information about the Linux mailing list