17 comments

[ 3.4 ms ] story [ 43.5 ms ] thread
> "This is primarily a bug fix"

Followed later by

> "Add an Include directive for ssh_config(5) files"

Edit: my comment wasn't intended as negative, more a pleasant surprise. How often does "primarily a bug fix" release include functionality thats been requested by users for literally years?

Edit2: wow. Very unfortunate typo.

Bugfixes are considered more critical than new features so they get higher priority in announcements (unless you're, like, really excited about it). There are more security and bug fixes in this release than new features, so primarily bugfix release
"primarily", not "exclusively".
The ProxyJump (-J) and Include directive features are huge! Really improves a lot of workflows where a tool like gcloud autoconfigures hosts in your SSH config (and could now do so with a bastion host easily).

A bit ironic openssh.com doesn't have HTTPS: http://www.openssh.com/txt/release-7.3

Edit: corrected typo!

I think ProxyJump is a nice way to explicitly state that you want to jump hosts, but this is currently possible with ProxyCommand, such as the following...

  Host appserver1
    ProxyCommand ssh bastionhost.com -W %h:%p
The announcement already mentions that ProxyJump is meant to be a simplified version of indirection, not a completely new feature.

  commit ed877ef653847d056bb433975d731b7a1132a979
  Author: djm@openbsd.org <djm@openbsd.org>
  Date:   3 weeks ago

      upstream commit
    
      Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1)
      command-line flag to allow simplified indirection through a
      SSH bastion or "jump host".
    
      These options construct a proxy command that connects to the
      specified jump host(s) (more than one may be specified) and uses
      port-forwarding to establish a connection to the next destination.
    
      This codifies the safest way of indirecting connections through SSH
      servers and makes it easy to use.
    
      ok markus@
    
      Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
That only sends commands via the proxy host. Jump allows you to connect to remote hosts via the jump host intermediary.
> A bit ironic openssh.com doesn't have HTTPS

You can however access the release notes (or any other file/page from the website for that matter) over SSH using CVS

    $ cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs get www/openssh/txt/release-7.3
Unless you've gotten anoncvs.ca.openbsd.org's host key fingerprint through some secure mechanism (say... HTTPS), SSH only encrypts the transport. It does nothing to stop a MITM (eg a malware injecting proxy).
(comment deleted)
Fun things to note:

  * ssh(1), sshd(8): Reduce the syslog level of some relatively common
    protocol events from LOG_CRIT. bz#2585
This will change the reporting of some systems' logs, which could result in different log reports. If you've ever wondered "why did we suddenly get 20% less critical alerts in August?", upgrading OpenSSH could be one reason.

  * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
    ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
Lol. Also, for programs/scripts designed to expect specific interactive warning messages, this could break them.

As for the security fixes, the first means there's a potential DOS in older versions, the second means you could possibly detect valid accounts in old versions, and the fifth is a local attack that's viable in old versions:

  If PAM is configured to read user-specified environment variables and
  UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login
  via LD_PRELOAD or similar environment variables set via PAM.
Drop an LD_PRELOAD library in /tmp/, log in to the server passing the path to the library in the LD_PRELOAD variable, and PAM will load the library into the resulting login program. PAM then lets you run a root program with your own library functions. Fun stuff! (Also: I hate PAM)
> * ... for programs/scripts designed to expect specific interactive warning messages, this could break them.*

Possibly, and that is the reason why I a) read release notes before upgrading critical pieces of software and b) don't use production as my test network.

I learned the hard way many, many years ago.

> log in to the server passing the path to the library in the LD_PRELOAD variable

Doesn't that require AcceptEnv LD_PRELOAD? Are there people who run with AcceptEnv *?