[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-05-10 Thread Colin Watson
Here's the aforementioned PPA for Lucid:

  https://launchpad.net/~cjwatson/+archive/openssh

Enjoy!

-- 
Update to OpenSSH 5.4p1
https://bugs.launchpad.net/bugs/535029
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-05-10 Thread Colin Watson
I've also blogged about this:

http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/ubuntu/2010-05-10-openssh-5.5p1-for-lucid.html



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-05-09 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/openssh



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-05-09 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:5.5p1-3ubuntu1

---
openssh (1:5.5p1-3ubuntu1) maverick; urgency=low

  * Resynchronise with Debian.  Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
      take up a lot of CD space, and I suspect that rolling them out in
      security updates has covered most affected systems now.
    - Convert to Upstart.  The init script is still here for the benefit of
      people running sshd in chroots.
    - Install apport hook.
  * Stop setting OOM adjustment in Upstart job; sshd does it itself now.

openssh (1:5.5p1-3) unstable; urgency=low

  * Discard error messages while checking whether rsh, rlogin, and rcp
    alternatives exist (closes: #579285).
  * Drop IDEA key check; I don't think it works properly any more due to
    textual changes in error output, it's only relevant for direct upgrades
    from truly ancient versions, and it breaks upgrades if
    /etc/ssh/ssh_host_key can't be loaded (closes: #579570).

openssh (1:5.5p1-2) unstable; urgency=low

  * Use dh_installinit -n, since our maintainer scripts already handle this
    more carefully (thanks, Julien Cristau).

openssh (1:5.5p1-1) unstable; urgency=low

  * New upstream release:
    - Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
      paths.
    - Include a language tag when sending a protocol 2 disconnection
      message.
    - Make logging of certificates used for user authentication more clear
      and consistent between CAs specified using TrustedUserCAKeys and
      authorized_keys.

openssh (1:5.4p1-2) unstable; urgency=low

  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
    installed, the host key is published in an SSHFP RR secured with DNSSEC,
    and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
    verification (closes: #572049).
  * Convert to dh(1), and use dh_installdocs --link-doc.
  * Drop lpia support, since Ubuntu no longer supports this architecture.
  * Use dh_install more effectively.
  * Add a NEWS.Debian entry about changes in smartcard support relative to
    previous unofficial builds (closes: #231472).

openssh (1:5.4p1-1) unstable; urgency=low

  * New upstream release (LP: #535029).
    - After a transition period of about 10 years, this release disables SSH
      protocol 1 by default.  Clients and servers that need to use the
      legacy protocol must explicitly enable it in ssh_config / sshd_config
      or on the command-line.
    - Remove the libsectok/OpenSC-based smartcard code and add support for
      PKCS#11 tokens.  This support is enabled by default in the Debian
      packaging, since it now doesn't involve additional library
      dependencies (closes: #231472, LP: #16918).
    - Add support for certificate authentication of users and hosts using a
      new, minimal OpenSSH certificate format (closes: #482806).
    - Added a 'netcat mode' to ssh(1): ssh -W host:port
    - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
      package, this overlaps with the key blacklisting facility added in
      openssh 1:4.7p1-9, but with different file formats and slightly
      different scopes; for the moment, I've roughly merged the two.)
    - Various multiplexing improvements, including support for requesting
      port-forwardings via the multiplex protocol (closes: #360151).
    - Allow setting an explicit umask on the sftp-server(8) commandline to
      override whatever default the user has (closes: #496843).
    - Many sftp client improvements, including tab-completion, more options,
      and recursive transfer support for get/put (LP: #33378).  The old
      mget/mput commands never worked properly and have been removed
      (closes: #270399, #428082).
    - Do not prompt for a passphrase if we fail to open a keyfile, and log
      the reason why the open failed to debug (closes: #431538).
    - Prevent sftp from crashing when given a - without a command.  Also,
      allow whitespace to follow a - (closes: #531561).

  * Fix 'debian/rules quilt-setup' to avoid writing .orig files if some
    patches apply with offsets.
  * Include debian/ssh-askpass-gnome.png in the Debian tarball now that
    we're using a source format that permits this, rather than messing
    around with uudecode.
  * Drop compatibility with the old gssapi mechanism used in ssh-krb5
    3.8.1p1-1.  Simon Wilkinson refused this patch since the old gssapi
    mechanism was removed due to a serious security hole, and since these
    versions of ssh-krb5 are no longer security-supported by Debian I don't
    think there's any point keeping client compatibility for them.
  * Fix substitution of ETC_PAM_D_SSH, following the rename in 1:4.7p1-4.
  * Hardcode the location of xauth to /usr/bin/xauth rather than
    /usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: 

[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-05-09 Thread tictactoe
Thanks Colin,

But this bug with fix released means that it will be an update for the
LTS Lucid with 5.5p1-3ubuntu1 or a backport from maverick or at last a
PPA for Lucid?



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-05-09 Thread Colin Watson
As per my previous comments in this bug, I intend to make this available
in a PPA for Lucid.  I have not done this yet, but I will update this
bug when I have done so.



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-04-07 Thread Launchpad Bug Tracker
** Branch linked: lp:debian/sid/openssh



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-04-06 Thread Colin Watson
Progress update: openssh 1:5.4p1-1 is in Debian unstable now.  I'm
building an appropriate merge for Ubuntu at the moment, and will run
that locally for a while before feeding it to a PPA.



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-31 Thread Launchpad Bug Tracker
** Branch linked: lp:~cjwatson/openssh/debian



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-22 Thread Matthew Weaver
Thanks for the attention, Colin. I can only imagine how busy you are
right now.

I'm very happy to hear the commitment to maintain a backport.

Damien Miller has a pretty excellent track record, separate from
OpenSSH's overall chain of successes (or lack thereof), but even so I
can deeply understand the reluctance given the relative size,
complexity, and *newness* of the certificate system. Personally I am
convinced that its essential simplicity (compared to other certificate
schemes) will prove successful in the long run.

At any rate, thank you, and please accept my apologies for the out-of-
protocol bug assignment. That was my bad, I was unsure of the best way
to make sure my question came to your attention.

Much appreciated,
weaver



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-22 Thread Matthew Weaver
(Sorry for the double-post, just want threads of record like this to be
accurate)

Turns out revocation *is* supported, it's clearly in the release notes:
http://www.openssh.com/txt/release-5.4



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-17 Thread Matthew Weaver
Colin, what can be done to convince folks that inclusion of this OpenSSH
release in lucid is the best idea?

The certificate authentication support is most compelling for large
institutional installations, the same user base that focuses on LTS
releases (and have long upgrade cycles).

Missing it in this release will be costly to those same users.

The fact that OpenSSH included the features in a point release is a
compelling argument to the importance of the feature and the quality of
implementation.



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-17 Thread Matthew Weaver
** Changed in: openssh (Ubuntu)
     Assignee: (unassigned) => Colin Watson (cjwatson)



Re: [Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-17 Thread Colin Watson
On Wed, Mar 17, 2010 at 06:17:25PM -, Matthew Weaver wrote:
> Colin, what can be done to convince folks that inclusion of this OpenSSH
> release in lucid is the best idea?
>
> The certificate authentication support is most compelling for large
> institutional installations, the same user base that focuses on LTS
> releases (and have long upgrade cycles).

Thanks for your comments.

I'm excited by this feature too, but as I said, I'm not comfortable with
supporting basically an unknown-quantity .0 release of it for five
years; I'm concerned that it seems the sort of thing that may well
require revision once it sees non-trivial deployment.  For example,
https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-February/028325.html
is a mail with some concerns from a GnuPG developer, and in the followup
from an OpenSSH developer it transpires that revocation isn't
implemented yet.  Isn't that likely to be pretty critical for a number
of large institutions?  I'm not criticising the OpenSSH developers for
this - hey, they did the work and I would be surprised if it weren't
pretty robust as far as it goes - but it's pretty clear that this is an
initial version that will require some extensions.

As for what could be done to convince me - I don't know, release it a
month earlier? :-)  Really, this is a time thing more than anything
else.  This is exactly the sort of thing that feature freeze is *for*.
The sheer size and newness (in design terms - it's a certification
system designed *from scratch*, albeit by competent cryptographic
implementors but still) of the feature just makes me more reluctant to
override feature freeze for it.

> The fact that OpenSSH included the features in a point release is a
> compelling argument to the importance of the feature and the quality of
> implementation.

No, that doesn't hold given OpenSSH's release history, I'm afraid.
Since 2.0 or so, OpenSSH has just incremented the minor number each
time, and bumped the major number when the minor number would
otherwise have hit 10.  There's little if any correlation between the
minor number and the character of the release, and 5.4p1 isn't a point
release the way it might be in other projects.  In terms of new
features, it's the most significant since at least 5.1, maybe 4.9.
(Note, too, that 5.5p1 is planned soon to address some new issues in
5.4p1.)

Once the dust settles a little, I am prepared to maintain a backport of
a version of OpenSSH with certificate authentication support in a
special archive for Lucid users (or possibly in lucid-backports,
although I don't know which people would tend to trust more; perhaps
both).  But I'm afraid I'm not persuaded that this should be *the*
version of OpenSSH in Ubuntu 10.04 LTS.  5.3p1 is pretty solid at this
point and I'm much more comfortable with it.



Re: [Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-17 Thread Colin Watson
On Wed, Mar 17, 2010 at 08:24:19PM -, Matthew Weaver wrote:
> ** Changed in: openssh (Ubuntu)
>      Assignee: (unassigned) => Colin Watson (cjwatson)

I'm going to leave this as it is since I'll doubtless be doing the work
anyway, but in general it's polite only to assign bugs to people if you
manage them or if you've checked with them first ...



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-09 Thread Nils Toedtmann
Colin: understood. But that means that LTS will lack those features for
another 2 years :( Particularly the certificate and the umask feature
are interesting for server installations.



Re: [Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-09 Thread Colin Watson
I understand your concern, but I would rather that 10.04 LTS lacked
these features than that we introduced them and they were then found to
be broken in some way.  There'll be more releases ...



[Bug 535029] Re: Update to OpenSSH 5.4p1

2010-03-09 Thread Jeremy Foshee
** Tags removed: kernel-series-unknown
