
OpenSSH 7.3 released - frutiger
https://marc.info/?l=openssh-unix-announce&m=147005475229564&w=2
======
schmichael
The ProxyJump (-J) and Include directive features are huge! Really improves a
lot of workflows where a tool like gcloud autoconfigures hosts in your SSH
config (and could now do so with a bastion host easily).

A bit ironic openssh.com doesn't have HTTPS:
[http://www.openssh.com/txt/release-7.3](http://www.openssh.com/txt/release-7.3)

Edit: corrected typo!

~~~
idsout
I think _ProxyJump_ is a nice way to explicitly state that you want to jump
hosts, but this is currently possible with _ProxyCommand_ , such as the
following...

    Host appserver1
      ProxyCommand ssh bastionhost.com -W %h:%p

~~~
mineo
The announcement already mentions that ProxyJump is meant to be a simplified
version of indirection, not a completely new feature.

------
peterwwillis
Fun things to note:

    * ssh(1), sshd(8): Reduce the syslog level of some relatively common
      protocol events from LOG_CRIT. bz#2585

This will change the reporting of some systems' logs, which could result in
different log reports. If you've ever wondered "why did we suddenly get 20%
less critical alerts in August?", upgrading OpenSSH could be one reason.

    * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
      ATTEMPT!" message when forward and reverse DNS don't match. bz#2585

Lol. Also, for programs/scripts designed to expect specific interactive
warning messages, this could break them.

As for the security fixes, the first means there's a potential DoS in older
versions, the second means you could possibly detect valid accounts in old
versions, and the fifth is a local attack that's viable in old versions:

    If PAM is configured to read user-specified environment variables and
    UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login
    via LD_PRELOAD or similar environment variables set via PAM.

Drop an LD_PRELOAD library in /tmp/, log in to the server passing the path to
the library in the LD_PRELOAD variable, and PAM will load the library into the
resulting login program. PAM then lets you run a root program with your own
library functions. Fun stuff! (Also: I hate PAM)

~~~
geofft
> log in to the server passing the path to the library in the LD_PRELOAD
> variable

Doesn't that require AcceptEnv LD_PRELOAD? Are there people who run with
AcceptEnv *?

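A defender-side check for the two sshd_config conditions this sub-thread turns on (the `UseLogin yes` precondition from the release note, and geofft's question about `AcceptEnv` patterns that would admit `LD_PRELOAD`). This is an added example, not code from OpenSSH or from anyone in the thread; the config text is constructed, and the PAM-side condition (PAM reading user-specified environment) lives outside sshd_config and is not checked here.

```python
import fnmatch
import re

# Constructed sample sshd_config for illustration; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed example)
Port 22
UsePAM yes
UseLogin yes
AcceptEnv LANG LC_*
AcceptEnv LD_PRELOAD
"""


def parse_sshd_config(text):
    """Return (keyword, value) pairs in file order, keywords lower-cased.

    sshd_config keywords are case-insensitive and may be written as
    'Keyword value' or 'Keyword=value'; '#' starts a comment.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if m:
            entries.append((m.group(1).lower(), m.group(2).strip()))
    return entries


def audit(text):
    """List the risky settings described in the 7.3 release note and thread."""
    entries = parse_sshd_config(text)
    first = {}
    for kw, val in entries:
        first.setdefault(kw, val)  # sshd uses the first value of each keyword
    findings = []
    if first.get("uselogin", "no").lower() == "yes":
        findings.append("UseLogin yes: /bin/login runs the session; with PAM "
                        "reading user environment this is the advisory's precondition")
    # AcceptEnv accumulates across directives; patterns use * and ? wildcards.
    patterns = [p for kw, val in entries if kw == "acceptenv" for p in val.split()]
    leaky = [p for p in patterns if fnmatch.fnmatchcase("LD_PRELOAD", p)]
    if leaky:
        findings.append("AcceptEnv %s: clients can set LD_PRELOAD for the session"
                        % " ".join(leaky))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG):
        print("WARN:", f)
```
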
------
stephenr
> "This is primarily a bug fix"

Followed later by

> "Add an Include directive for ssh_config(5) files"

Edit: my comment wasn't intended as negative, more a pleasant surprise. How
often does a "primarily a bug fix" release include functionality that's been
requested by users for literally years?

Edit2: wow. Very unfortunate typo.

~~~
peterwwillis
Bugfixes are considered more critical than new features so they get higher
priority in announcements (unless you're, like, really excited about it).
There are more security and bug fixes in this release than new features, so
it's primarily a bugfix release.

------
anfroid555
What distribution has this version?

