> "Add an Include directive for ssh_config(5) files"
Edit: my comment wasn't intended as negative, more a pleasant surprise. How often does "primarily a bug fix" release include functionality thats been requested by users for literally years?
Bugfixes are considered more critical than new features so they get higher priority in announcements (unless you're, like, really excited about it). There are more security and bug fixes in this release than new features, so primarily bugfix release
The ProxyJump (-J) and Include directive features are huge! Really improves a lot of workflows where a tool like gcloud autoconfigures hosts in your SSH config (and could now do so with a bastion host easily).
I think ProxyJump is a nice way to explicitly state that you want to jump hosts, but this is currently possible with ProxyCommand, such as the following...
commit ed877ef653847d056bb433975d731b7a1132a979
Author: djm@openbsd.org <djm@openbsd.org>
Date: 3 weeks ago
upstream commit
Add a ProxyJump ssh_config(5) option and corresponding -J ssh(1)
command-line flag to allow simplified indirection through a
SSH bastion or "jump host".
These options construct a proxy command that connects to the
specified jump host(s) (more than one may be specified) and uses
port-forwarding to establish a connection to the next destination.
This codifies the safest way of indirecting connections through SSH
servers and makes it easy to use.
ok markus@
Upstream-ID: fa899cb8b26d889da8f142eb9774c1ea36b04397
Unless you've gotten anoncvs.ca.openbsd.org's host key fingerprint through some secure mechanism (say... HTTPS), SSH only encrypts the transport. It does nothing to stop a MITM (eg a malware injecting proxy).
* ssh(1), sshd(8): Reduce the syslog level of some relatively common
protocol events from LOG_CRIT. bz#2585
This will change the reporting of some systems' logs, which could result in different log reports. If you've ever wondered "why did we suddenly get 20% less critical alerts in August?", upgrading OpenSSH could be one reason.
* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
Lol. Also, for programs/scripts designed to expect specific interactive warning messages, this could break them.
As for the security fixes, the first means there's a potential DOS in older versions, the second means you could possibly detect valid accounts in old versions, and the fifth is a local attack that's viable in old versions:
If PAM is configured to read user-specified environment variables and
UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login
via LD_PRELOAD or similar environment variables set via PAM.
Drop an LD_PRELOAD library in /tmp/, log in to the server passing the path to the library in the LD_PRELOAD variable, and PAM will load the library into the resulting login program. PAM then lets you run a root program with your own library functions. Fun stuff! (Also: I hate PAM)
> * ... for programs/scripts designed to expect specific interactive warning messages, this could break them.*
Possibly, and that is the reason why I a) read release notes before upgrading critical pieces of software and b) don't use production as my test network.
17 comments
[ 3.4 ms ] story [ 43.5 ms ] threadFollowed later by
> "Add an Include directive for ssh_config(5) files"
Edit: my comment wasn't intended as negative, more a pleasant surprise. How often does "primarily a bug fix" release include functionality thats been requested by users for literally years?
Edit2: wow. Very unfortunate typo.
A bit ironic openssh.com doesn't have HTTPS: http://www.openssh.com/txt/release-7.3
Edit: corrected typo!
You can however access the release notes (or any other file/page from the website for that matter) over SSH using CVS
https://www.openbsd.org/anoncvs.html
As for the security fixes, the first means there's a potential DOS in older versions, the second means you could possibly detect valid accounts in old versions, and the fifth is a local attack that's viable in old versions:
Drop an LD_PRELOAD library in /tmp/, log in to the server passing the path to the library in the LD_PRELOAD variable, and PAM will load the library into the resulting login program. PAM then lets you run a root program with your own library functions. Fun stuff! (Also: I hate PAM)Possibly, and that is the reason why I a) read release notes before upgrading critical pieces of software and b) don't use production as my test network.
I learned the hard way many, many years ago.
Doesn't that require AcceptEnv LD_PRELOAD? Are there people who run with AcceptEnv *?