Релиз OpenSSH 5.9

Вышел очередной релиз OpenSSH, 5.9.


Changes since OpenSSH 5.8


* Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
This intention is to prevent a compromised privsep child from being
used to attack other hosts (by opening sockets and proxying) or
probing local kernel attack surface.

Three concrete sandbox implementation are provided (selected at
configure time): systrace, seatbelt and rlimit.

The systrace sandbox uses systrace(4) in unsupervised "fast-path"
mode, where a list of permitted syscalls is supplied. Any syscall not
on the list results in SIGKILL being sent to the privsep child. Note
that this requires a kernel with the new SYSTR_POLICY_KILL option
(only OpenBSD has this mode at present).

The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
strict (kSBXProfilePureComputation) policy that disables access to
filesystem and network resources.

The rlimit sandbox is a fallback choice for platforms that don't
support a better one; it uses setrlimit() to reset the hard-limit
of file descriptors and processes to zero, which should prevent
the privsep child from forking or opening new network connections.

Sandboxing of the privilege separated child process is currently
experimental but should become the default in a future release.
Native sandboxes for other platforms are welcome (e.g. Capsicum,
Linux pid/net namespaces, etc.)

* Add new SHA256-based HMAC transport integrity modes from
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in ssh(1) and

* The pre-authentication sshd( privilege separation slave process
now logs via a socket shared with the master process, avoiding the
need to maintain /dev/log inside the chroot.

* ssh(1) now warns when a server refuses X11 forwarding

* sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace. The undocumented AuthorizedKeysFile2
option is deprecated (though the default for AuthorizedKeysFile
includes .ssh/authorized_keys2)

* sshd_config(5): similarly deprecate UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile and
GlobalKnownHostsFile accept multiple options and default to
include known_hosts2

* Retain key comments when loading v.2 keys. These will be visible
in "ssh-add -l" and other places. bz#439

* ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as
IPv4 ToS/DSCP). bz#1855

* ssh_config(5)'s ControlPath option now expands %L to the host
portion of the destination host name.

* ssh_config(5) "Host" options now support negated Host matching, e.g.

Host *.example.org !c.example.org
User mekmitasdigoat

Will match "a.example.org", "b.example.org", but not "c.example.org"

* ssh_config(5): a new RequestTTY option provides control over when a
TTY is requested for a connection, similar to the existing -t/-tt/-T
ssh(1) commandline options.

* sshd(8): allow GSSAPI authentication to detect when a server-side
failure causes authentication failure and don't count such failures
against MaxAuthTries; bz#1244

* ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa,
dsa and ecdsa) for which host keys do not exist, generate the host
keys with the default key file path, an empty passphrase, default
bits for the key type, and default comment. This is useful for
system initialisation scripts.

* ssh(1): Allow graceful shutdown of multiplexing: request that a mux
server removes its listener socket and refuse future multiplexing
requests but don't kill existing connections. This may be requested
using "ssh -O stop ..."

* ssh-add(1) now accepts keys piped from standard input. E.g.
"ssh-add - < /path/to/key"

* ssh-keysign( now signs hostbased authentication
challenges correctly using ECDSA keys; bz#1858

* sftp(1): document that sftp accepts square brackets to delimit
addresses (useful for IPv6); bz#1847a

* ssh(1): when using session multiplexing, the master process will
change its process title to reflect the control path in use and
when a ControlPersist-ed master is waiting to close; bz#1883 and

* Other minor bugs fixed: 1849 1861 1862 1869 1875 1878 1879 1892
1900 1905 1913

Portable OpenSSH Bugfixes:

* Fix a compilation error in the SELinux support code. bz#1851

* This release removes support for ssh-rand-helper. OpenSSH now
obtains its random numbers directly from OpenSSL or from
a PRNGd/EGD instance specified at configure time.

* sshd( now resets the SELinux process execution context before
executing passwd for password changes; bz#1891

* Since gcc >= 4.x ignores all -Wno-options options, test only the
corresponding -W-option when trying to determine whether it is
accepted; bz#1901

* Add ECDSA key generation to the Cygwin ssh-{host,user}-config

* Updated .spec and init files for Linux; bz#1920

* Improved SELinux error messages in context change failures and
suppress error messages when attempting to change from the
"unconfined_t" type; bz#1924 bz#1919

* Fix build errors on platforms without dlopen(); bz#1929

Аватар пользователя tiffanyjewelry

The reality is that several

The reality is that several people know exactly what they are looking for such as ray ban sunglasses when it comes to custom made colors and the conventional aspect of trying has become outdated.So, tiffany jewelry outlet are more than just an accessory to enhance your style.When considering what these options are, it is best to compare your swiss replica watches that are available with this advantage of health.Buying cheap designer handbags can often be confusing.When you are looking for replica watches, one of the best solutions is to break conventional practices and seek the opportunities which could be found online.Color has been one of the selling points for sunglasses discount.Browse through our buying abercrombie & fitch outlet tips to get an insight into buying the right one.Among the most important cheap tiffany jewelry buying tips are - always buy only from a reputed store and read thoroughly through the warranty policy.One of the most important sunglasses discount buying tips when it comes to gemstones, is to beware of imitations in plastic and glass.The synthetically manufactured replica designer handbags are less expensive than naturally mined stones.The online environment features millions of stores with hundreds of tiffany jewelry usually attempting to market the exact same products or services.When it comes to improving or maintaining an individual's health, there are various replica handbags that can be followed to accomplish this objective.When it comes to abercrombie and fitch sale, since natural pearls are rare, most pearls used in jewelry are either cultured or imitation pearls.A designer replica handbags's value is based on its size, and the quality of it's nacre coating, which imparts the sheen.Diet and exercise are often a hot topic of replica watches wholesale in the fitness market as individuals try to maintain a healthy image and improve their daily lives.When supply outweighs demand you would uncover a fundamental economic law which would steer down the price of ray ban sunglasses so as to generate greater sales.In fact, the majority of consumers make use of wholesale tiffany jewelry to buy designer brands such as, more out of habit than as a conscious choice that represents their best buying tool.This oversaturation in the market has companies fighting to get hold of oakley sunglasses, inspiring them to take measures which are usually not seen in the conventional purchasing environment.One of the possibilities of cheap replica watches that individuals ought to take is with the benefit of utilizing to protect their eyes from the damaging UV rays and improve the health of their eyes.Traditionally most people look to abercrombie and fitch like mall outlets or specialized stores so as to meet their need.Whilst this is a choice which allows for individual interaction and the opportunity to try on various, it might not provide you with your best oakley sunglasses in design and price.The internet has become a leading aspect in purchasing abercrombie sale from the corporate retailers, as a result of the economic indicator of supply and demand.