Date: Fri, 24 Nov 2000 18:44:16 -0500
From: "Brian F. Feldman" <green@FreeBSD.org>
To: audit@FreeBSD.org
Cc: current@FreeBSD.org
Subject: OpenSSH 2.3.0 pre-upgrade
Message-ID: <200011242344.eAONiG560473@green.dyndns.org>
(Please direct followups to audit@FreeBSD.org and remove all extraneous addresses. I'm cross-posting in hopes of reaching the right audiences that won't necessarily overlap.)

It's time again for an upgrade to our FreeBSD OpenSSH. Version 2.3.0 was released a few weeks back, and working off that I've produced a set of diffs from either what's in the tree now or the original OpenBSD 2.3.0 sources.

What's new in this release? Mostly the addition of AES (Rijndael) to the SSH2 algorithms.

Is anything now broken? Well, nothing new broken that I know of; there was an issue of the canonical host name not being used, which I could have sworn it was before: in either case, it is used now. The auth loops previously did not take NULL struct passwd * arguments, but now they do (to inform them to fake authorization). This deprecated our fake auth loop, but gave me a lot of work to correct the logic in the code that expects non-NULL pw's. I think I did it all, but wouldn't be surprised if there's still a mistake, so I'd really appreciate others looking at it.

There's some weird issue where for the Diffie-Hellman exchange, OpenSSH wants primes but doesn't seem to want to generate them... it expects an /etc/ssh/primes (which should become /var/run/ssh_primes, if anything) and I have no clue where the program is that supposedly generates them. So, for SSH2, the authentication stage generates a large warning and uses a hardcoded prime. This should not actually have an effect on security, though, according to my understanding of the Diffie-Hellman protocol.

I probably fixed a ton of smaller bugs on the way that I've all but forgotten about now. I'd appreciate anyone who can either test this out to see if it works for them (I upgraded all my OpenSSH stuff to 2.3.0, and it is working great) or review the changes. If I've made some mistakes in the code I've changed, it could easily be a huge security issue, so it would be really nice to have others back me up on the changes made.
The patch to apply on a -CURRENT/-STABLE FreeBSD system's src tree to update to this version can be found at:

http://green.bikeshed.org/OpenSSH-2.3.0.patch.gz

Similarly, the diffs from plain OpenBSD OpenSSH 2.3.0 to ours are at:

http://green.bikeshed.org/OpenSSH_to_FreeBSD-2.3.0.patch.gz

Thanks!

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
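The NULL-pw handling the message describes (an auth method that must accept a missing struct passwd and fake the check rather than dereference it), shown as an added example that is not part of the original mail or of OpenSSH's code; struct passwd_entry, the fake verifier string and the comparison routine are constructed stand-ins for the real passwd fields and crypt(3):

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the struct passwd fields an auth loop touches. */
struct passwd_entry {
    const char *pw_name;
    const char *pw_passwd;   /* stored verifier */
};

/* Constructed stand-in verifier used when no such user exists, so the
   unknown-user path does the same comparison work as the known-user path. */
static const char *const fake_verifier = "*fake-verifier-constructed*";

/* Compare two strings without an early exit on the first differing byte. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* Password method. pw == NULL means "user unknown, fake the authorization":
   run the same comparison against the fake verifier and always fail, so a
   nonexistent account is indistinguishable from a wrong password and the
   code never dereferences a NULL pw. Returns 1 on success, 0 on failure. */
int auth_password(const struct passwd_entry *pw, const char *password)
{
    const char *stored = (pw != NULL) ? pw->pw_passwd : fake_verifier;
    bool match = ct_equal(stored, password);
    return (pw != NULL && match) ? 1 : 0;
}

/* Auth loop: every method it dispatches to must tolerate a NULL pw. */
int do_authentication(const struct passwd_entry *pw, const char *password)
{
    int authenticated = auth_password(pw, password);
    /* Other methods (publickey, keyboard-interactive) would be tried here
       and must follow the same NULL-pw rule. */
    return authenticated;
}
```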