[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
This bug was fixed in the package openssh - 1:5.1p1-1ubuntu1 --- openssh (1:5.1p1-1ubuntu1) intrepid; urgency=low * Resynchronise with Debian. Remaining changes: - Add support for registering ConsoleKit sessions on login. - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they take up a lot of CD space, and I suspect that rolling them out in security updates has covered most affected systems now. openssh (1:5.1p1-1) unstable; urgency=low * New upstream release (closes: #474301). Important changes not previously backported to 4.7p1: - 4.9/4.9p1 (http://www.openssh.com/txt/release-4.9): + Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory" (closes: #139047, LP: #24777). + Linked sftp-server(8) into sshd(8). The internal sftp server is used when the command "internal-sftp" is specified in a Subsystem or ForceCommand declaration. When used with ChrootDirectory, the internal sftp server requires no special configuration of files inside the chroot environment. + Added a protocol extension method "[EMAIL PROTECTED]" for sftp-server(8) to perform POSIX atomic rename() operations; sftp(1) prefers this if available (closes: #308561). + Removed the fixed limit of 100 file handles in sftp-server(8). + ssh(8) will now skip generation of SSH protocol 1 ephemeral server keys when in inetd mode and protocol 2 connections are negotiated. This speeds up protocol 2 connections to inetd-mode servers that also allow Protocol 1. + Accept the PermitRootLogin directive in a sshd_config(5) Match block. Allows for, e.g. permitting root only from the local network. + Reworked sftp(1) argument splitting and escaping to be more internally consistent (i.e. between sftp commands) and more consistent with sh(1). Please note that this will change the interpretation of some quoted strings, especially those with embedded backslash escape sequences. + Support "Banner=none" in sshd_config(5) to disable sending of a pre-login banner (e.g. in a Match block). + ssh(1) ProxyCommands are now executed with $SHELL rather than /bin/sh. + ssh(1)'s ConnectTimeout option is now applied to both the TCP connection and the SSH banner exchange (previously it just covered the TCP connection). This allows callers of ssh(1) to better detect and deal with stuck servers that accept a TCP connection but don't progress the protocol, and also makes ConnectTimeout useful for connections via a ProxyCommand. + scp(1) incorrectly reported "stalled" on slow copies (closes: #140828). + scp(1) date underflow for timestamps before epoch. + ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS, instead of the current standard RRSIG. + Correctly drain ACKs when a sftp(1) upload write fails midway, avoids a fatal() exit from what should be a recoverable condition. + Fixed ssh-keygen(1) selective host key hashing (i.e. "ssh-keygen -HF hostname") to not include any IP address in the data to be hashed. + Make ssh(1) skip listening on the IPv6 wildcard address when a binding address of 0.0.0.0 is used against an old SSH server that does not support the RFC4254 syntax for wildcard bind addresses. + Enable IPV6_V6ONLY socket option on sshd(8) listen socket, as is already done for X11/TCP forwarding sockets (closes: #439661). + Fix FD leak that could hang a ssh(1) connection multiplexing master. + Make ssh(1) -q option documentation consistent with reality. + Fixed sshd(8) PAM support not calling pam_session_close(), or failing to call it with root privileges (closes: #372680). + Fix activation of OpenSSL engine support when requested in configure (LP: #119295). + Cache SELinux status earlier so we know if it's enabled after a chroot (LP: #237557). - 5.1/5.1p1 (http://www.openssh.com/txt/release-5.1): + Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) and ssh-keygen(1). Visual fingerprint display is controlled by a new ssh_config(5) option "VisualHostKey". The intent is to render SSH host keys in a visual form that is amenable to easy recall and rejection of changed host keys. + sshd_config(5) now supports CIDR address/masklen matching in "Match address" blocks, with a fallback to classic wildcard matching. + sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys from="..." restrictions, also with a fallback to classic wildcard matching. + Added an extended test mode (-T) to sshd(8) to request that it write its effective configuration to stdout and exit. Extended test mode also su
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
See this link for openssh 5.1 and internal chrooted sftp server logging ability added in this version: https://bugzilla.mindrot.org/show_bug.cgi?id=1488 -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
It seems internal sftp-server added to ease chroot suffer from a big missing feature as of 4.8: It is impossible to use sftp logging as with usual external sftp-server. So open-ssh 5.1 should be considered for Intrepid as logging users is required in many environments (corporate, legal aspects in some countries). Otherwise I think users will stay with current restricted shell + chroot as usual. To ease the process, scponly is easy to use but to be able to log sftp users it's version should be upgraded to 4.8, keeping the creation of /chroot_path/dev/null mknod as of current 4.6_ubuntu version as this null device creation is still missing upstream. Automatically adding -a /chroot_path/dev/log to syslogd for chrooted installs should also be a good idea. On Hardy, compiling from my own scponly 4.8 was the easiest way I found to handle the problem. -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
Oh, sorry. Missed the point / previous comments - that's exactly it. Please ignore my previous comment (and this one). -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
JFI: there's something on OpenSSH for it since February already.. don't know if it's in a released version though. See http://undeadly.org/cgi?action=article&sid=20080220110039 -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
Back to fix committed; I'll be aiming to get this into Intrepid. (What the backports folks do is up to them. :-) ) ** Changed in: openssh (Ubuntu) Assignee: (unassigned) => Colin Watson (kamion) Status: Confirmed => Fix Committed -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
I understand... maybe it could be in the backports short list after the release? Cause it's really a missing feature a lot of people was expecting for long, especially for an LTS version that targets servers/enterprises (that will live for next 5 years)... Regards -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
This change was only recently applied to OpenSSH portable mainline, and I want to let it be shaken out in the 4.8 release process before applying it. As such I'm afraid I think it's too late for Hardy. -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
You can view current package versions here: http://packages.ubuntu.com/hardy/allpackages Currently: openssh-server (1:4.7p1-4ubuntu1) That would probably NOT move up to 4.8 at this point since Hardy has already moved past Feature Freeze. Bug fixes only at this point. :-Dustin -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
Oupsss... On my last post I wrote Gutsy but was of course thinking of Hardy... Regards -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
Will the version of OpenSSH server included in Gutsy be 4.8? Otherwise, applying this patch to the version of OpenSSH included in Gutsy should be considered for an LTS version (used in enterprise, lots of them trying to get rid of unsecured FTP servers without the hassle to handle a chroot setup/mainenance by hand). Regards -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Changed in: openssh (Ubuntu) Status: Fix Committed => Confirmed -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Changed in: openssh (Ubuntu) Status: In Progress => Fix Committed -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
This fix is included on openssh 4.8, marking as fix commited ** Changed in: openssh (Ubuntu) Status: New => In Progress -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
(it has been fixed by adding support for an in-process sftp-server to avoid the need to configure the chroot with support files.) -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
This has been fixed upstream and will be in openssh-4.8. -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Changed in: openssh Status: Unknown => Fix Released -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Changed in: openssh Bugwatch: OpenSSH Portable Bugzilla #177 => OpenSSH Portable Bugzilla #1352 Status: Confirmed => Unknown -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Changed in: openssh Status: Unknown => Confirmed -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Changed in: openssh Status: Confirmed => Unknown -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Changed in: openssh (upstream) Status: Unknown => Confirmed -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server
** Also affects: openssh (upstream) via http://bugzilla.mindrot.org/show_bug.cgi?id=177 Importance: Unknown Status: Unknown ** Changed in: openssh (Ubuntu) Assignee: Colin Watson => (unassigned) -- Apply openssh sftp-chroot patch to openssh-server https://bugs.launchpad.net/bugs/24777 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
