Subject: Ssh 1.2.23 available
To: None <tech-security@NetBSD.ORG>
From: Tero Kivinen <kivinen@iki.fi>
List: tech-security
Date: 05/12/1998 10:54:29
-----BEGIN PGP SIGNED MESSAGE-----

SSH-1.2.23 (and its PGP signature) is now available from
ftp.cs.hut.fi:/pub/ssh. It should appear on other mirror sites soon.

Ssh 1.2.23 release notes

SECURITY
========

* Fixed no-port-forwarding so that it will also disable local port
  forwardings at the server side.

* Added GatewayPorts option and -g option from Steve Bellovin
  <smb@research.att.com>. After this all port forwardings are bound to
  localhost address only, unless -g option is given.


SSHD
====

* Added .rhosts to understand #-comment in the end of the line.
  Patch from <lamont@cranston.fc.hp.com>.

* Added setting of REMOTEUSER environment variable name if remote
  username available.

* Added configure option --with-nologin-allow[=/etc/nologin.allow]
  to have sshd read the given file for a list of usernames exempt from
  /etc/nologin. This allows administrators to retain remote access in the
  case of needed maintenance when users need to not be on the
  system. Jointly created by Philip Kizer <pckizer@nostrum.com> and
  <steele@nostrum.com>.

* Added IgnoreRootRhosts option to server config file. Patch from
  Luke Mewburn <lm@cs.rmit.edu.au>.

* Added ssh version 2 compat option. The ssh2 will start ssh1 with -V
  option if the client is not ssh2 client.

* Added code that will ignore the string given to SSH_MSG_IGNORE.
  Bug reported by Bernard Perrot <perrot@lal.in2p3.fr>.

* Check that proxy command isn't empty before starting it. Patch
  from Chuck Goodhart <ceg@alumni.caltech.edu>.

* Added patch from Bill O'Neill <woneill@thunder.ocis.temple.edu>
  that will fix the Digital Unix 4.0 C2 password expiration problems.

* Patch from John P.Speno <speno@isc.upenn.edu> to allow osf c2
  resources to be set to 0.

* Added checking of system default lock from John P.Speno
  <speno@isc.upenn.edu>.

* Added patch that will force password change if OSF C2 password
  is expired. Patch from Florian Fuchs.

* Added libwrap calls to debug mode sshd also.

* Added code that will set resource limits under BSD/OS. Patch
  from Payl Borman <prb@bsdi.com>.

* Added setting of AUTHSTATE and KRB5CCNAME environment variables
  if we have authenticate() in AIX. Patch from Matt Richards
  (v2matt@btv.ibm.com).

* FreeBSD /etc/login.conf capabilities patches from Steve Birnbaum
  <sbirn@security.org.il> and torstenb@FreeBSD.ORG.

* Fixed idle_timeout code in serverloop.c. Patch from Bob Goellner
  <bgelnr@bbn.com>.

* Moved initgroups before closing all file descriptors. Patch from
  Donald Buczek <buczek@MPING-Berlin-Dahlem.MPG.DE>.

* Combined two getpwent calls in the ssh.c to get around bug in
  red hat 4.2 nis library.

* Added using of aix authenticate function if it exists from Matt
  Richards (v2matt@btv.ibm.com).

* Added check that kerberos initialization succeeds from Dima
  Ruban (dima@best.net).

* Added check that .rhosts/.shosts file cannot have any other
  control characters except whitespaces.

* includes.h (S_ISLNK): Fixed bug reported by Paul J. Sanchez
  <paul@spectrum.slu.edu>.


AGENT
=====

* Fixed too early free of authsocket in the authfd.c (reported by
  many people).

* Added grabbing of keyboard in ssh-askpass. Patch from Raymund
  Will <ray@caldera.de>.

* Allow authentication socket to be symlink, if we are not suid.
  Patch from Steve Birnbaum <sbirn@security.org.il>.


SSH
===

* Configurable password prompt from Maciej W. Rozycki
  <macro@ds2.pg.gda.pl>.

* Added setsid patch for -f option in ssh from Garance A Drosehn
  <gad@eclipse.its.rpi.edu>.

* Disabled TCP_NODELAY and added --enable-tcp-nodelay configure
  option to enable it again (Sean Doran <smb@ebone.net>).


SCP
===

* Fixed 2 GB file handling in scp. Bug reported by Anthony
  Talltree <aad@nwnet.net>.


MAKE-KNOWN-HOSTS.PL
===================

* Fixed make-known-hosts.pl so that it will first send SIGINT to
  ssh and then wait 1 second before sending SIGKILL. This will allow
  ssh-client to die cleanly and restore the terminal settings before
  exiting.


CONFIGURE
=========

* Added Cray T3E patches from Kaj Mustikkamäki
  (kaj.mustikkamaki@csc.fi).

* Added socks5 with kerberos patches from E. Jay Berkenbilt
  <ejb@ql.org>.

* Added detection of ttyslot function in the configure.in. Use it if
  found.

* Added support for X11 socket being in the /var/X/.X11-unix
  instead of /tmp/.X11-unix directory (mcr@sandelman.ottawa.on.ca).


GENERAL
=======

* Make make install compatible with ssh-2. It will now install the
  binaries as <program>1 and if the <program>2 already exists it
  doesn't do anything more. If <program>2 does not exist, make
  install will make a symbolic link from <program> to <program>1. This
  means that if you have ssh2 installed then the make install doesn't
  touch ssh-program, it will just install itself as ssh1. You can
  manually change the ssh link to point to either ssh1 or ssh2.


REMEMBER
========

* Ssh compilation success/failure web-page. You can fill in the reply
  form about your compilation at
  <URL:http://www.ssh.net/ssh_form.html>. You can query about the
  success/failure database from
  <URL:http://www.ssh.net/ssh_query.html>.
- --
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

-----END PGP SIGNATURE-----
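
Added example, not part of the original announcement and not code from the ssh source: a C sketch of the bind-address choice behind the GatewayPorts / -g item in the SECURITY notes, with a check for whether a forwarded-port listener is reachable only from the local host. All function names here are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: fill in the address a forwarded port listens on.
 * gateway_ports == 0: loopback only, the default described in the notes.
 * gateway_ports != 0: every interface, the behaviour -g asks for. */
void forward_bind_addr(struct sockaddr_in *sin, unsigned short port, int gateway_ports)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    sin->sin_addr.s_addr = htonl(gateway_ports ? INADDR_ANY : INADDR_LOOPBACK);
}

/* 1 if the address lies in 127.0.0.0/8, so only local processes can connect. */
int addr_is_loopback_only(const struct sockaddr_in *sin)
{
    return (ntohl(sin->sin_addr.s_addr) >> 24) == 127;
}

/* Open the listener; port 0 lets the kernel pick a free port. Returns fd or -1. */
int open_forward_listener(unsigned short port, int gateway_ports)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    forward_bind_addr(&sin, port, gateway_ports);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    for (int gw = 0; gw <= 1; gw++) {
        struct sockaddr_in sin;
        socklen_t len = sizeof(sin);
        int fd = open_forward_listener(0, gw);
        if (fd < 0 || getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
            return 1;
        printf("gateway_ports=%d -> %s:%d (%s)\n", gw, inet_ntoa(sin.sin_addr),
               ntohs(sin.sin_port),
               addr_is_loopback_only(&sin) ? "local only" : "reachable from other hosts");
        close(fd);
    }
    return 0;
}
```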