(Please direct followups to [EMAIL PROTECTED] and remove all extraneous addresses. I'm cross-posting in hopes of reaching the right audiences that won't necessarily overlap.)

It's time again for an upgrade to our FreeBSD OpenSSH. Version 2.3.0 was released a few weeks back, and working off that I've produced a set of diffs from either what's in the tree now or the original OpenBSD 2.3.0 sources.

What's new in this release? Mostly the addition of AES (Rijndael) to the SSH2 algorithms.

Is anything now broken? Well, nothing new broken that I know of; there was an issue of the canonical host name not being used, which I could have sworn it was before: in either case, it is used now. The auth loops previously did not take NULL struct passwd * arguments, but now they do (to inform them to fake authorization). This deprecated our fake auth loop, but gave me a lot of work to correct the logic in the code that expects non-NULL pw's. I think I did it all, but wouldn't be surprised if there's still a mistake, so I'd really appreciate others looking at it.

There's some weird issue where for the Diffie-Hellman exchange, OpenSSH wants primes but doesn't seem to want to generate them... it expects an /etc/ssh/primes (which should become /var/run/ssh_primes, if anything) and I have no clue where the program is that supposedly generates them. So, for SSH2, the authentication stage generates a large warning and uses a hardcoded prime. This should not actually have an effect on security, though, according to my understanding of the Diffie-Hellman protocol.

I probably fixed a ton of smaller bugs on the way that I've all but forgotten about now. I'd appreciate anyone who can either test this out to see if it works for them (I upgraded all my OpenSSH stuff to 2.3.0, and it is working great) or review the changes. If I've made some mistakes in the code I've changed, it could easily be a huge security issue, so it would be really nice to have others back me up on the changes made.
The patch to apply on a -CURRENT/-STABLE FreeBSD system's src tree to update to this version can be found at:

	http://green.bikeshed.org/OpenSSH-2.3.0.patch.gz

Similarly, the diffs from plain OpenBSD OpenSSH 2.3.0 to ours are at:

	http://green.bikeshed.org/OpenSSH_to_FreeBSD-2.3.0.patch.gz

Thanks!

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 [EMAIL PROTECTED]                    `------------------------------'
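The NULL-pw convention the mail describes (a NULL struct passwd * telling an auth routine to fake the authentication) is worth seeing in isolation, because the reviewer's job is to find every place that still dereferences pw unconditionally. The following is an added illustration in C, written for this post; it is not Brian's patch and not OpenSSH code. The struct pwent, toy_hash(), lookup_user(), auth_password_old()/auth_password() and the two constructed users are all hypothetical stand-ins for struct passwd, the password hash, getpwnam() and the sshd auth loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a password-database entry (not OpenSSH's struct passwd). */
struct pwent {
    const char *pw_name;
    uint64_t    pw_hash;   /* toy_hash() of the password; real code stores a slow, salted hash */
};

static unsigned long hash_ops;   /* counts hash evaluations: the work done per login attempt */

/* FNV-1a 64-bit, a stand-in for a password hash; only its cost matters for this demo. */
static uint64_t toy_hash(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    hash_ops++;
    return h;
}

/* Constant-time equality test for two 64-bit values (no early exit on the first differing bit). */
static int ct_eq64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)(~d & 1);
}

#define NUSERS 2
static struct pwent users[NUSERS];
static uint64_t fake_hash;       /* compared against when the account does not exist */

/* Constructed user table standing in for the real password database. */
void init_users(void)
{
    users[0] = (struct pwent){ "alice", toy_hash("correct horse") };
    users[1] = (struct pwent){ "bob",   toy_hash("battery staple") };
    fake_hash = toy_hash("no such user");
    hash_ops = 0;
}

/* getpwnam() stand-in: NULL when there is no such account. */
static struct pwent *lookup_user(const char *name)
{
    for (int i = 0; i < NUSERS; i++)
        if (strcmp(users[i].pw_name, name) == 0)
            return &users[i];
    return NULL;
}

/* Before: written on the assumption that pw is never NULL. Once callers start passing
 * NULL for unknown users, this dereferences NULL: the class of bug the mail asks reviewers to hunt. */
static int auth_password_old(struct pwent *pw, const char *password)
{
    return ct_eq64(pw->pw_hash, toy_hash(password));
}

/* After: NULL pw means "fake the authentication". The same hash work is done against a
 * dummy value, so timing does not reveal whether the account exists, and the result is
 * forced to failure no matter what the comparison says. */
static int auth_password(struct pwent *pw, const char *password)
{
    uint64_t stored = (pw != NULL) ? pw->pw_hash : fake_hash;
    int match = ct_eq64(stored, toy_hash(password));
    return (pw != NULL) && match;
}

int auth_user(const char *name, const char *password)
{
    return auth_password(lookup_user(name), password);
}

int main(void)
{
    init_users();
    int ok = auth_user("alice", "correct horse");
    printf("alice/correct horse -> %d\n", ok);
    ok = auth_user("nobody", "correct horse");
    printf("nobody/correct horse -> %d (hashes so far: %lu, one per attempt)\n", ok, hash_ops);
    ok = auth_password_old(lookup_user("bob"), "battery staple");
    printf("old path with a known user -> %d\n", ok);
    return 0;
}
```

The review checklist this suggests: every auth routine reachable with a NULL pw must (a) never dereference it, (b) do the same amount of work as for a real user, and (c) return failure even if the dummy comparison happens to succeed. The old routine fails (a), and a routine that simply returned 0 early for NULL pw would fail (b).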
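On the Diffie-Hellman primes question: what the primes file is for is supplying moduli that are safe primes (p = 2q + 1 with q also prime), so that the group generated by g = 2 has no small subgroups for a peer to confine the shared secret into. Falling back to one fixed, well-known safe prime does not weaken the exchange in that respect; the thing to guard against is accepting an unverified modulus or an out-of-range peer value. The following is an added example in C, not OpenSSH code and not part of the patch, and it works on demo-sized numbers (64-bit arithmetic with __int128 products) rather than the 1024-bit and larger moduli sshd actually uses. is_safe_prime(), element_order() and dh_pub_is_valid() are this example's own functions; in particular dh_pub_is_valid() applies a subgroup-membership test that is stricter than a plain range check and is not a description of sshd's own validation.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((u128)a * b % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

/* Deterministic Miller-Rabin: these twelve bases are sufficient for every n < 2^64. */
static int is_prime_u64(uint64_t n)
{
    static const uint64_t bases[] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37 };
    if (n < 2) return 0;
    for (int i = 0; i < 12; i++) {
        if (n == bases[i]) return 1;
        if (n % bases[i] == 0) return 0;
    }
    uint64_t d = n - 1;
    int s = 0;
    while (!(d & 1)) { d >>= 1; s++; }
    for (int i = 0; i < 12; i++) {
        uint64_t x = powmod(bases[i], d, n);
        if (x == 1 || x == n - 1) continue;
        int composite = 1;
        for (int r = 1; r < s; r++) {
            x = mulmod(x, x, n);
            if (x == n - 1) { composite = 0; break; }
        }
        if (composite) return 0;
    }
    return 1;
}

/* Safe prime: p = 2q + 1 with q prime. Every element of Z_p^* other than 1 and p-1 then
 * has order q or 2q, so there is no small subgroup to force a shared secret into. */
static int is_safe_prime(uint64_t p)
{
    return p > 5 && is_prime_u64(p) && is_prime_u64((p - 1) / 2);
}

/* Multiplicative order of g mod a prime p, by brute force (demo sizes only). 0 on bad input. */
static uint64_t element_order(uint64_t g, uint64_t p)
{
    if (!is_prime_u64(p) || g < 2 || g > p - 2) return 0;
    uint64_t x = g, k = 1;
    while (x != 1) { x = mulmod(x, g, p); k++; }
    return k;
}

/* Accept a peer's public value y only if p is a safe prime, 2 <= y <= p-2, and y lies in
 * the order-q subgroup (y^q == 1 mod p), i.e. it was really produced as a power of g. */
static int dh_pub_is_valid(uint64_t y, uint64_t p)
{
    if (!is_safe_prime(p)) return 0;
    if (y < 2 || y > p - 2) return 0;
    return powmod(y, (p - 1) / 2, p) == 1;
}

int main(void)
{
    /* Constructed demo moduli: 23 = 2*11+1 is a safe prime; 31 = 2*15+1 is prime but not safe. */
    printf("23 safe prime: %d, 31 safe prime: %d\n", is_safe_prime(23), is_safe_prime(31));
    printf("order of 2 mod 23: %llu (= q)\n", (unsigned long long)element_order(2, 23));
    printf("order of 5 mod 31: %llu (tiny subgroup)\n", (unsigned long long)element_order(5, 31));
    printf("peer value 9 mod 23 valid: %d, 5 mod 23 valid: %d\n",
           dh_pub_is_valid(9, 23), dh_pub_is_valid(5, 23));
    return 0;
}
```

With p = 31 the element 5 has order 3, so a shared secret derived from it can take only three values; that is what the safe-prime requirement rules out, and it applies equally to a hardcoded modulus and to one read from a primes file. Any tool that fills that file should be running exactly this kind of check (at full size) before a modulus is ever used.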