Several months of random hacking and bug-fixing have passed since the previous lsh release. And now, I'm happy to have the code in good enough shape to release lsh-1.3.7.
The most important new feature in this release is improved key re-exchange handling. Previous versions changed the session key whenever the other end requested it, but never initiated a key re-exchange. lsh-1.3.7 changes the session key about once every hour. As this is quite a big improvement, securitywise, and it's too hard to back-port it to lsh-1.2.x, this also means that we're at the end of the lsh-1.2.x and lsh-1.3.x series. I will give you a week or two for testing lsh-1.3.7, after that, lsh-1.3.7 + bugfixes will be released as lsh-1.4.0, and we will have a new stable branch 1.4.x, which hopefully will converge to something really nice and stable. Bug reports, portability improvements, etc, are most welcome. When significant new features are added next, a new unstable branch lsh-1.5.x will be created. You can get lsh-1.3.7 at the usual places, http://www.lysator.liu.se/~nisse/archive/lsh-1.3.7.tar.gz ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-1.3.7.tar.gz News for the 1.3.7 release Improved key reexchange handling. Should now request key reexchange about once per hour (reexchange requests after 1GB data not yet implemented). Use the aes256-cbc cipher by default. Includes sparc assembler code, and the C implementation has been optimized as well. Rewrote the RSA code to use Nettle's functions for signatures and key generation. Build requirements changed, lsh now needs liboop-0.8 or later, and GMP-3.1 or later. lshd handles SIGHUP by closing its listening socket, and then waiting for existing connections to be closed before exiting. Implemented handshake timeout, both server and client disconnects if handshake and userauthentication is not completed in about ten minutes. Reorganized server pty handling. Now it works also on Solaris. Added utmp logging. Rewrote the code for executing user processes. Now it avoids the sequence fork(), setuid(), exec(), which may leave server memory readable by users between setuid and exec. Instead, the server exec:s a helper program lsh-execuv that changes the uid before exec:ing the shell. Helper program to let the server use PAM passwords. Contributed by Pontus Sk�ld. New option --server to lsh-keygen and lsh-writekey. It makes the programs use the system seed-file, and also changes lsh-writekey's default output files to /etc/lsh_host_key and /etc/lsh_host_key.pub. Made lsh-writekey a little smarter, now it doesn't create any output files until it has something to write to them. In interactive mode, the client modifyes the terminal's VMIN and VTIME values to get more than one character per packet. Fixed the default port handling on systems that don't include ssh in /etc/services. New client option --subsystem for starting a subsystem such as sftp on the server. Appeared already in 1.3.6, but wasn't mentioned in NEWS. Pontus Sk�ld's file transfer client lsftp is included in the distribution. Happy hacking, /Niels
