OpenSSH 5.9 released
by admin ·
The new OpenSSH version 5.9 provides a number of improvements and new features. Among them is especially emphasized the possibility, the child process that performs the authentication to run in a sandbox.
The OpenSSH (SSH stands for Secure Shell) is a secure telnet replacement, the connections between two computers is encrypted. The package consists of a server and a client program and auxiliary programs. In addition, it supports secure FTP (SFTP) and Secure Copy to other computers (SCP).
For ten years OpenSSH already offers the possibility of the child processes that enable the user login to run under a separate, less-privileged user account. Thus, only the main process, which by default listens on port 22 for connections to run with root privileges.
The code in question is compact and correspondingly easy to secure against vulnerabilities. The much larger part of the new network connections and the authentication treated may be covered in the new version 5.9 even further. This is made possible by the new directive Use Privilege Separation=sandbox . This makes the process run in a sandbox are allowed only in the specific system calls.
The restrictions relate only to the SSHD process, but not to the shell to execute the user. For the user should therefore not change. Since the new function is still considered experimental, it is not enabled by default.
The project currently provides three different implementations of the sandbox available. Depending on your operating system may be more or less of these implementations are used. The systrace sandbox uses the only available on BSD systems systrace subsystem. This allows only system calls that are contained in a prescribed list. Only on Darwin and Mac OS X will run the seatbelt sandbox, the sandbox then uses the call. For all other systems, including Linux only rlimit sandbox available, which merely prevents the starting of new processes and open Network Connections. Implementations are more desirable, for example those using Linux namespaces.
Another expansion in OpenSSH 5.9 are based on SHA256 HMAC encryption algorithms. In addition, several options, including Authorized Keys File , extended so that they can contain multiple paths. For those options to AuthorizedKeysFile2 , User Known Hosts File2 etc. omitted. They are still supported for now, but should not be used. The other improvements and corrections can in the announcement of the new version be found.