OpenSSH-2.5.2 (fwd)

Dave Dittrich dittrich at
Thu Mar 22 11:27:56 PST 2001

[See notice of new OpenSSH release at bottom.]

For those using OpenSSH, there are some great developments here.
Most notably, addressing a passive monitoring attack that I alluded to
in the netsys meeting this week, and use of "bubble babble" format for
key fingerprints for better interoperability with SSH.COM's v2

[SSH.COM 2.4.0]
% ssh-keygen2 -F /etc/ssh2/
Fingerprint for key:


[OpenSSH_2.3.0p1 ]

$ ssh-keygen -l -f /etc/ssh/
1054 4d:51:41:58:4f:8b:97:78:b8:bc:81:a3:14:06:4d:ad root at foo

This will make fingerprint identification much simpler (we'll only
need to publish one form, not two, for keys. As always, we will put
C&C server keys on the UWICK kit and ftp.cac so you can pre-load
them on your clients.)

Dave Dittrich Computing & Communications
dittrich at Client Services University of Washington

PGP key
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Thu, 22 Mar 2001 16:49:00 +0100
Subject: OpenSSH-2.5.2 (fwd)
From: Jonas Eriksson <je at SEKURE.NET>

---------- Forwarded message ----------
Date: Thu, 22 Mar 2001 11:49:03 +0100
From: Markus Friedl <Markus.Friedl at>
To: announce at
Subject: OpenSSH-2.5.2

OpenSSH 2.5.2 is now available from the mirror sites
listed at

Security related changes:
Improved countermeasure against "Passive Analysis of SSH
(Secure Shell) Traffic"

The countermeasures introduced in earlier OpenSSH-2.5.x versions
caused interoperability problems with some other implementations.

Improved countermeasure against "SSH protocol 1.5 session
key recovery vulnerability"

New options:
permitopen authorized_keys option to restrict portforwarding.

PreferredAuthentications allows client to specify the order in which
authentication methods are tried.

sftp client supports globbing (get *, put *).

Support for sftp protocol v3 (draft-ietf-secsh-filexfer-01.txt).

Batch file (-b) support for automated transfers

Speedup DH exchange. OpenSSH should now be significantly faster when
connecting using SSH protocol 2.

Preferred SSH protocol 2 cipher is AES with hmac-md5. AES offers
much faster throughput in a well scrutinised cipher.

stderr handling fixes in SSH protocol 2.

Improved interoperability.

The client no longer asks for the passphrase if the key
will not be accepted by the server (SSH2_MSG_USERAUTH_PK_OK)

scp should now work for files > 2GB

ssh-keygen can now generate fingerprints in the "bubble babble"
format for exchanging fingerprints with SSH.COM's SSH protocol 2

Preliminary patches for OpenBSD-2.6 are available on request.
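
Both the note at the top and the release announcement mention "bubble babble" fingerprints. The sketch below is an added example, not part of the original mail and not OpenSSH's own code: it encodes digest bytes in Bubble Babble and in the colon-separated hex form, and checks a published fingerprint against either. The `colon_hex` and `matches` helpers, the constructed key blob and the use of SHA-1 for the demo digest are assumptions made for illustration.

```python
import hashlib
import hmac

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"

def bubble_babble(digest: bytes) -> str:
    """Encode raw digest bytes as a Bubble Babble string (x...x)."""
    out = ["x"]
    seed = 1                      # running checksum folded into the vowels
    rounds = len(digest) // 2 + 1
    for i in range(rounds):
        last = i + 1 == rounds
        if not last or len(digest) % 2:
            b0 = digest[2 * i]
            out.append(VOWELS[((b0 >> 6) + seed) % 6])
            out.append(CONSONANTS[(b0 >> 2) & 15])
            out.append(VOWELS[((b0 & 3) + seed // 6) % 6])
            if not last:
                b1 = digest[2 * i + 1]
                out.append(CONSONANTS[b1 >> 4])
                out.append("-")
                out.append(CONSONANTS[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:
            # Even-length input: the final group carries only the checksum.
            out.append(VOWELS[seed % 6])
            out.append("x")
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)

def colon_hex(digest: bytes) -> str:
    """Colon-separated hex, the form shown in the ssh-keygen -l output."""
    return ":".join(f"{b:02x}" for b in digest)

def matches(published: str, digest: bytes) -> bool:
    """True if a published fingerprint equals the digest in either form."""
    want = published.strip().lower().encode()
    forms = (bubble_babble(digest), colon_hex(digest))
    return any(hmac.compare_digest(want, f.encode()) for f in forms)

if __name__ == "__main__":
    blob = b"constructed-public-key-blob"    # constructed sample, not a real key
    digest = hashlib.sha1(blob).digest()     # hash choice is an assumption
    print(colon_hex(digest))
    print(bubble_babble(digest))
```

Because the vowels carry a running checksum, a mistyped or truncated Bubble Babble string usually decodes as invalid rather than as a different digest, which is what makes it easier to read aloud or publish than raw hex.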

