| field | value | date |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
| committer | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
| commit | c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch) | |
| tree | b72c0867348e7e7914d64af6fc5e25c728922e03 /INSTALL | |
| parent | 6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff) | |
| parent | 70847d299887abb96f8703ca99db6d817b78960e (diff) | |
* New upstream release (closes: #453367).
  - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738).
  - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged.
  - The SSH channel window size has been increased, and both ssh(1) and sshd(8) now send window updates more aggressively. This improves performance on high-BDP (Bandwidth Delay Product) networks.
  - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5.
  - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5.
  - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set.
  - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status.
  - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work.
  - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
  - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error".
  - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated.
  - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms.
  - Improve documentation for ssh-add(1)'s -d option.
  - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client.
  - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established.
  - In scp(1), do not truncate non-regular files.
  - Improve exit message from ControlMaster clients.
  - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541).
  - pam_end() was not being called if authentication failed (closes: #405041).
  - Manual page datestamps updated (closes: #433181).
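The changelog entry above notes that the SSH Protocol 2-only default applies to new installations only, so existing hosts keep whatever their sshd_config says. The following audit helper is an added example, not code from this commit or from the OpenSSH or Debian package sources: it parses an sshd_config in the same keyword-argument, first-match, case-insensitive style sshd uses and reports whether protocol 1 is still enabled. The configuration strings are constructed samples; when no Protocol line is present the checker reports "unset" rather than guessing the compiled-in default, which differs between releases.

```python
import re

# Constructed sample sshd_config fragments (not taken from the page).
NEW_INSTALL_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
"""

LEGACY_CONFIG = """\
Port 22
Protocol 2,1   # still offers protocol 1
PermitRootLogin yes
"""

NO_PROTOCOL_LINE = """\
Port 22
"""


def parse_protocol(config_text):
    """Return the set of protocol versions named by the first Protocol line,
    or None if the file has no Protocol line at all.

    sshd_config keywords are case-insensitive, '#' starts a comment, and for
    keywords like Protocol the first value found is the one sshd uses, so we
    stop at the first match instead of letting later lines override it.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and argument may be separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        if keyword.lower() == "protocol":
            return {v.strip() for v in value.split(",") if v.strip()}
    return None


def check_protocol(config_text):
    """Classify a config as 'v2-only', 'v1-enabled', 'unset' or 'unknown'."""
    versions = parse_protocol(config_text)
    if versions is None:
        return "unset"          # compiled-in default applies; verify by hand
    if "1" in versions:
        return "v1-enabled"     # protocol 1 still offered to clients
    if versions == {"2"}:
        return "v2-only"
    return "unknown"            # malformed or unexpected value


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        print(path, check_protocol(fh.read()))
```

Run it against a host's sshd_config to spot installations that predate this release and still advertise protocol 1; an "unset" result means the answer depends on the compiled-in default of the installed sshd and should be confirmed with `sshd -T` or the release's documentation.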
Diffstat (limited to 'INSTALL')

| mode | file | changed lines |
|---|---|---|
| -rw-r--r-- | INSTALL | 59 |

1 files changed, 37 insertions, 22 deletions
@@ -14,17 +14,37 @@ Blowfish) do not work correctly.) | |||
14 | 14 | ||
15 | The remaining items are optional. | 15 | The remaining items are optional. |
16 | 16 | ||
17 | OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system | ||
18 | supports it. PAM is standard on Redhat and Debian Linux, Solaris and | ||
19 | HP-UX 11. | ||
20 | |||
21 | NB. If you operating system supports /dev/random, you should configure | 17 | NB. If you operating system supports /dev/random, you should configure |
22 | OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of | 18 | OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of |
23 | /dev/random. If you don't you will have to rely on ssh-rand-helper, which | 19 | /dev/random, or failing that, either prngd or egd. If you don't have |
24 | is inferior to a good kernel-based solution. | 20 | any of these you will have to rely on ssh-rand-helper, which is inferior |
21 | to a good kernel-based solution or prngd. | ||
22 | |||
23 | PRNGD: | ||
24 | |||
25 | If your system lacks kernel-based random collection, the use of Lutz | ||
26 | Jaenicke's PRNGd is recommended. | ||
27 | |||
28 | http://prngd.sourceforge.net/ | ||
29 | |||
30 | EGD: | ||
31 | |||
32 | The Entropy Gathering Daemon (EGD) is supported if you have a system which | ||
33 | lacks /dev/random and don't want to use OpenSSH's internal entropy collection. | ||
34 | |||
35 | http://www.lothar.com/tech/crypto/ | ||
25 | 36 | ||
26 | PAM: | 37 | PAM: |
27 | http://www.kernel.org/pub/linux/libs/pam/ | 38 | |
39 | OpenSSH can utilise Pluggable Authentication Modules (PAM) if your | ||
40 | system supports it. PAM is standard most Linux distributions, Solaris, | ||
41 | HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD. | ||
42 | |||
43 | Information about the various PAM implementations are available: | ||
44 | |||
45 | Solaris PAM: http://www.sun.com/software/solaris/pam/ | ||
46 | Linux PAM: http://www.kernel.org/pub/linux/libs/pam/ | ||
47 | OpenPAM: http://www.openpam.org/ | ||
28 | 48 | ||
29 | If you wish to build the GNOME passphrase requester, you will need the GNOME | 49 | If you wish to build the GNOME passphrase requester, you will need the GNOME |
30 | libraries and headers. | 50 | libraries and headers. |
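Review bot: the new PAM paragraph (new line 40) reads "PAM is standard most Linux distributions" and is missing "on"; suggest "PAM is standard on most Linux distributions, Solaris, HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD." Two smaller grammar slips are also worth fixing while this region is being touched: "If you operating system supports /dev/random" (new line 17) should read "your", and "Information about the various PAM implementations are available" (new line 43) should be "is available". The reordering itself is sound: the PRNGD and EGD guidance now sits next to the /dev/random paragraph it qualifies, and the PRNGD link points at the project page rather than a personal homepage.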
@@ -37,19 +57,14 @@ passphrase requester. This is maintained separately at: | |||
37 | 57 | ||
38 | http://www.jmknoble.net/software/x11-ssh-askpass/ | 58 | http://www.jmknoble.net/software/x11-ssh-askpass/ |
39 | 59 | ||
40 | PRNGD: | 60 | TCP Wrappers: |
41 | |||
42 | If your system lacks Kernel based random collection, the use of Lutz | ||
43 | Jaenicke's PRNGd is recommended. | ||
44 | |||
45 | http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html | ||
46 | |||
47 | EGD: | ||
48 | 61 | ||
49 | The Entropy Gathering Daemon (EGD) is supported if you have a system which | 62 | If you wish to use the TCP wrappers functionality you will need at least |
50 | lacks /dev/random and don't want to use OpenSSH's internal entropy collection. | 63 | tcpd.h and libwrap.a, either in the standard include and library paths, |
64 | or in the directory specified by --with-tcp-wrappers. Version 7.6 is | ||
65 | known to work. | ||
51 | 66 | ||
52 | http://www.lothar.com/tech/crypto/ | 67 | http://ftp.porcupine.org/pub/security/index.html |
53 | 68 | ||
54 | S/Key Libraries: | 69 | S/Key Libraries: |
55 | 70 | ||
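Review bot: this hunk removes the PRNGD and EGD sections from their old position and replaces them with the new TCP Wrappers section; confirm against the earlier hunk that both blocks (including the lothar.com EGD URL) were relocated rather than dropped, and note that the old tu-cottbus PRNGD URL (old line 45) is intentionally replaced by prngd.sourceforge.net. The TCP Wrappers text is a good addition because it names the exact prerequisites (tcpd.h and libwrap.a), the --with-tcp-wrappers override for non-standard paths, and a version known to work, which is what a builder needs before enabling /etc/hosts.allow|deny filtering.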
@@ -72,7 +87,7 @@ Autoconf: | |||
72 | If you modify configure.ac or configure doesn't exist (eg if you checked | 87 | If you modify configure.ac or configure doesn't exist (eg if you checked |
73 | the code out of CVS yourself) then you will need autoconf-2.61 to rebuild | 88 | the code out of CVS yourself) then you will need autoconf-2.61 to rebuild |
74 | the automatically generated files by running "autoreconf". Earlier | 89 | the automatically generated files by running "autoreconf". Earlier |
75 | version may also work but this is not guaranteed. | 90 | versions may also work but this is not guaranteed. |
76 | 91 | ||
77 | http://www.gnu.org/software/autoconf/ | 92 | http://www.gnu.org/software/autoconf/ |
78 | 93 | ||
@@ -162,7 +177,7 @@ Integration Architecture. The default for OSF1 machines is enable. | |||
162 | need the S/Key libraries and header files installed for this to work. | 177 | need the S/Key libraries and header files installed for this to work. |
163 | 178 | ||
164 | --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) | 179 | --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) |
165 | support. You will need libwrap.a and tcpd.h installed. | 180 | support. |
166 | 181 | ||
167 | --with-md5-passwords will enable the use of MD5 passwords. Enable this | 182 | --with-md5-passwords will enable the use of MD5 passwords. Enable this |
168 | if your operating system uses MD5 passwords and the system crypt() does | 183 | if your operating system uses MD5 passwords and the system crypt() does |
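Review bot: dropping "You will need libwrap.a and tcpd.h installed." from the --with-tcp-wrappers description (old line 165) is only safe because that requirement now lives in the TCP Wrappers section earlier in the file; consider keeping a short pointer such as "see the TCP Wrappers section above" so a reader who jumps straight to the configure-option list still learns what the flag depends on.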
@@ -180,7 +195,7 @@ $DISPLAY environment variable. Some broken systems need this. | |||
180 | --with-default-path=PATH allows you to specify a default $PATH for sessions | 195 | --with-default-path=PATH allows you to specify a default $PATH for sessions |
181 | started by sshd. This replaces the standard path entirely. | 196 | started by sshd. This replaces the standard path entirely. |
182 | 197 | ||
183 | --with-pid-dir=PATH specifies the directory in which the ssh.pid file is | 198 | --with-pid-dir=PATH specifies the directory in which the sshd.pid file is |
184 | created. | 199 | created. |
185 | 200 | ||
186 | --with-xauth=PATH specifies the location of the xauth binary | 201 | --with-xauth=PATH specifies the location of the xauth binary |
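Review bot: the --with-pid-dir description changes the documented file name from ssh.pid to sshd.pid (old line 183, new line 198); this is a documentation-only correction, so please confirm the name matches the pid file the daemon actually writes under its compiled-in default before merging, since an incorrect name here would mislead anyone scripting service management around that file.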
@@ -251,4 +266,4 @@ Please refer to the "reporting bugs" section of the webpage at | |||
251 | http://www.openssh.com/ | 266 | http://www.openssh.com/ |
252 | 267 | ||
253 | 268 | ||
254 | $Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $ | 269 | $Id: INSTALL,v 1.84 2007/08/17 12:52:05 dtucker Exp $ |