From: "Karl M"
To: cygwin AT cygwin DOT com
Subject: Re: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
Date: Thu, 07 Nov 2002 06:59:08 -0800

Hi All...

I just updated to 3.5p1-1.

I had to set PermitUserEnvironment in my sshd_config file. Should this be included by default in the ssh-host-config script?

I was a bit puzzled by the file owner and permission checking for the host keys now (with StrictModes enabled)...If the owner is wrong, the mode checking is ignored. I recall this test being stronger in the past...didn't the owner have to be correct (SYSTEM)? If so, why the change to a kinder gentler (less effective) safety check?

Given the host local security issues with using Cygwin, is there much advantage to priv sep? Could someone please give a brief overview of what it is and how and why it helps?

Thanks,

...Karl

>From: Corinna Vinschen
>Reply-To: cygwin AT cygwin DOT com
>To: cygwin AT cygwin DOT com
>Subject: [ANNOUNCEMENT] Updated: OpenSSH-3.5p1-1
>Date: Wed, 6 Nov 2002 09:39:10 -0500 (EST)
>
>I've updated the version of OpenSSH to 3.5p1-1.
>
>This is an official major version update, which has been released on
>15 Oct 2002. Due to my vacation the Cygwin version is unfortunately
>rather late this time...
>
>The following comment from the 3.4p1-1 announcement still applies:
>
>========================================================================
>This version allows to use privilege separation in a slightly restricted
>way.
>Since privilege separation is consisting of two independent parts
>(preauth, postauth) and only the postauth part requires descriptors
>passing, this version enables the usage of preauth privilege separation
>in Cygwin. Note that this doesn't create an additional sshd process as
>described in the README.privsep file and note that this isn't still as
>secure as fully-fledged privilege separation but it's a good start.
>========================================================================
>
>Official Release Message:
>====================================================================
>OpenSSH 3.5 has just been released. It will be available from the
>mirrors listed at http://www.openssh.com/ shortly.
>
>OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
>implementation and includes sftp client and server support.
>
>We would like to thank the OpenSSH community for their continued
>support and encouragement.
>
>
>Changes since OpenSSH 3.4:
>============================
>
>* Improved support for Privilege Separation (Portability, Kerberos,
>  PermitRootLogin handling).
>
>* ssh(1) prints out all known host keys for a host if it receives an
>  unknown host key of a different type.
>
>* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused
>  problems with bounds checking patches for gcc).
>
>* ssh-keysign(8) is disabled by default and only enabled if the
>  HostbasedAuthentication option is enabled in the global ssh_config(5)
>  file.
>
>* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks
>  against the RSA host key.
>
>* A use-after-free bug was fixed in ssh-keysign(8). This bug
>  broke hostbased authentication on several platforms.
>
>* ssh-agent(1) is now installed setgid in order to avoid ptrace(2)
>  attacks.
>
>* ssh-agent(1) now restricts the access with getpeereid(2) (or
>  equivalent, where available).
>
>* sshd(8) no longer uses the ASN.1 parsing code from libcrypto when
>  verifying RSA signatures.
>
>* sshd(8) now sets the SSH_CONNECTION environment variable.
>
>* Enhanced "ls" support for the sftp(1) client, including globbing and
>  detailed listings.
>
>* ssh(1) now always falls back to uncompressed sessions, if the
>  server does not support compression.
>
>* The default behavior of sshd(8) with regard to user settable
>  environ variables has changed: the new option PermitUserEnvironment
>  is disabled by default, see sshd_config(5).
>
>* The default value for LoginGraceTime has been changed from 600 to 120
>  seconds, see sshd_config(5).
>
>* Removed erroneous SO_LINGER handling.
>
>====================================================================
>
>To update your installation, click on the "Install Cygwin now" link on
>the http://cygwin.com/ web page. This downloads setup.exe to your
>system. Once you've downloaded setup.exe, run it and select "Net" and
>then click on the appropriate field until the above announced version
>number appears if it is not displayed already.
>
>If you have questions or comments, please send them to the Cygwin
>mailing list at: cygwin AT cygwin DOT com . I would appreciate it if you would
>use this mailing list rather than emailing me directly. This includes
>ideas and comments about the setup utility or Cygwin in general.
>
>If you want to make a point or ask a question, the Cygwin mailing list
>is the appropriate place.
>
> *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***
>
>If you want to unsubscribe from the cygwin-announce mailing list, look
>at the "List-Unsubscribe: " tag in the email header of this message.
>Send email to the address specified there. It will be in the format:
>
>cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com
>
>If you need more information on unsubscribing, start reading here:
>
>http://sources.redhat.com/lists.html#unsubscribe-simple
>
>Please read *all* of the information on unsubscribing that is available
>starting at this URL.
>
>I implore you to READ this information before sending email about how
>you "tried everything" to unsubscribe. In 100% of the cases where
>people were unable to unsubscribe, the problem was that they hadn't
>actually read and comprehended the unsubscribe instructions.
>
>If you need to unsubscribe from cygwin-announce or any other mailing
>list, reading the instructions at the above URL is guaranteed to
>provide you with the info that you need.
>
>--
>Corinna Vinschen                  Please, send mails regarding Cygwin to
>Cygwin Developer                  mailto:cygwin AT cygwin DOT com
>Red Hat, Inc.
>
>
>--
>Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>Bug reporting: http://cygwin.com/bugs.html
>Documentation: http://cygwin.com/docs.html
>FAQ: http://cygwin.com/faq/
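
An added example, not part of either message above and not code from Cygwin's ssh-host-config script: two shell helpers that report the effective value of the sshd_config options whose defaults changed in 3.5 (PermitUserEnvironment, LoginGraceTime) and audit a host key file's owner and mode as two independent checks. The function names and the sample config are constructed for illustration; GNU `stat -c` is assumed, and the expected owner (for example SYSTEM) is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit helpers for the settings discussed in this thread.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use: the first occurrence of a keyword wins and
# keywords are matched case-insensitively. Handles "Keyword value" lines only.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# check_key_file FILE EXPECTED_OWNER
# Tests owner and mode independently, so a wrong owner cannot mask a
# permissive mode. Returns 0 when both pass, 1 otherwise (2 if stat fails).
# Assumes GNU stat (coreutils), as shipped with Cygwin and Linux.
check_key_file() {
    owner=$(stat -c '%U' "$1") || return 2
    mode=$(stat -c '%a' "$1")
    rc=0
    if [ "$owner" != "$2" ]; then
        echo "$1: owner is $owner, expected $2"
        rc=1
    fi
    # Any group or other permission bit on a private host key is too open.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$1: mode $mode grants group/other access"
        rc=1
    fi
    return $rc
}

# Demo on a constructed config (not a real system's file). Defaults passed
# in are the 3.5 defaults stated in the release notes quoted above.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
PermitUserEnvironment yes
permituserenvironment no
EOF
echo "PermitUserEnvironment: $(effective_value "$demo_cfg" PermitUserEnvironment no)"
echo "LoginGraceTime: $(effective_value "$demo_cfg" LoginGraceTime 120)"
rm -f "$demo_cfg"
```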