4d3fc8b057
This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation |
||
|---|---|---|
| .. | ||
| aix | ||
| cygwin | ||
| hpux | ||
| redhat | ||
| solaris | ||
| suse | ||
| findssl.sh | ||
| gnome-ssh-askpass1.c | ||
| gnome-ssh-askpass2.c | ||
| gnome-ssh-askpass3.c | ||
| Makefile | ||
| README | ||
| ssh-copy-id | ||
| ssh-copy-id.1 | ||
| sshd.pam.freebsd | ||
| sshd.pam.generic | ||
Other patches and addons for OpenSSH. Please send submissions to
djm@mindrot.org
Externally maintained
---------------------
SSH Proxy Command -- connect.c
Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
https CONNECT style proxy server. His page for connect.c has extensive
documentation on its use as well as compiled versions for Win32.
https://bitbucket.org/gotoh/connect/wiki/Home
X11 SSH Askpass:
Jim Knoble <jmknoble@pobox.com> has written an excellent X11
passphrase requester. This is highly recommended:
http://www.jmknoble.net/software/x11-ssh-askpass/
In this directory
-----------------
ssh-copy-id:
Phil Hands' <phil@hands.com> shell script to automate the process of adding
your public key to a remote machine's ~/.ssh/authorized_keys file.
gnome-ssh-askpass[12]:
A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
"make gnome-ssh-askpass2" to build.
sshd.pam.generic:
A generic PAM config file which may be useful on your system. YMMV
sshd.pam.freebsd:
A PAM config file which works with FreeBSD's PAM port. Contributed by
Dominik Brettnacher <domi@saargate.de>
findssl.sh:
Search for all instances of OpenSSL headers and libraries and print their
versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not
match your library" errors.
aix:
Files to build an AIX native (installp or SMIT installable) package.
caldera:
RPM spec file and scripts for building Caldera OpenLinuix packages
cygwin:
Support files for Cygwin
hpux:
Support files for HP-UX
redhat:
RPM spec file and scripts for building Redhat packages
suse:
RPM spec file and scripts for building SuSE packages