[Bug 286337] Re: Please backport OpenSSH 5.1 to Hardy

VTKnightMare arasm at vt.edu
Sat Oct 10 18:33:50 BST 2009 

I will volunteer happily! :)

Aras "Russ" Memisyazici
Systems Administrator

Office of Research
Virginia Tech


-----Original Message-----
From: Scott Kitterman <ubuntu at kitterman.com>
Sent: Saturday, October 10, 2009 11:25 AM
To: Memisyazici, Aras <arasm at vt.edu>
Subject: [Bug 286337] Re: Please backport OpenSSH 5.1 to Hardy


This bug and the rationale for it has morphed a bit over time.  Based on
the features being discussed, I can see where a backport might make
sense if we can test it adequately (meaning make sure it works with all
the rdepends).  Is anyone up for doing the testing?

--
Please backport OpenSSH 5.1 to Hardy
https://bugs.launchpad.net/bugs/286337
You received this bug notification because you are a direct subscriber
of the bug.

Status in Hardy Heron Backports: Won't Fix

Bug description:
OpenSSH 4.9 - 5.1 has been out for some time but unfortunately wasn't placed into Hardy Heron.

It has a number of features which would are very interesting and should
improve security. One of the most important features introduced in 5.1
according to my view is the chroot simplification.

OpenSSH now has a chroot option built-in which allows administrators to
simplify their chroot installations a lot if they're only need SSH cli
access and SFTP. This means fewer mis-configurations and improved
overall security.

Basically, introducing a chroot setup with OpenSSH has become as simple
as adding 2-3 lines in the sshd config file.

Since Hardy Heron is supposed to be an LTS version, I'm actually really
surprised that this isn't in Hardy already. This is because the feature
I'm describing here was introduced in OpenSSH 4.9 and Ubuntu Hardy is
apparently using an even older version.

This gives me some concerns with regards to security in Hardy Heron and
makes me (and my company) wonder if LTS is really the way to go.



Other changes include:

Added an extended test mode (-T) to sshd(8) to request that it write
   its effective configuration to stdout and exit. Extended test mode
   also supports the specification of connection parameters (username,
   source address and hostname) to test the application of
   sshd_config(5) Match rules.

ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
   network data, resulting in a ~10% speedup

"Match group" blocks in sshd_config(5) now support negation of
   groups. E.g. "Match group staff,!guests" (bz#1315)

The sftp-server(8) manual now describes the requirements for
   transfer logging in chroot environments. (bz#1488)


Already introduced in OpenSSH 4.9 (!!!)

Added chroot(2) support for sshd(8), controlled by a new option
    "ChrootDirectory". Please refer to sshd_config(5) for details, and
    please use this feature carefully. (bz#177 bz#1352)

Linked sftp-server(8) into sshd(8). The internal sftp server is
    used when the command "internal-sftp" is specified in a Subsystem
    or ForceCommand declaration. When used with ChrootDirectory, the
    internal sftp server requires no special configuration of files
    inside the chroot environment. Please refer to sshd_config(5) for
    more information.

-- 
Please backport OpenSSH 5.1 to Hardy
https://bugs.launchpad.net/bugs/286337
You received this bug notification because you are a member of Ubuntu
Backports Testing Team, which is subscribed to Hardy Backports.

More information about the ubuntu-backports mailing list