Please backport OpenSSH 5.1 to Hardy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Hardy Backports |
Won't Fix
|
Wishlist
|
Unassigned |
Bug Description
OpenSSH 4.9 - 5.1 has been out for some time but unfortunately wasn't placed into Hardy Heron.
It has a number of features which would are very interesting and should improve security. One of the most important features introduced in 5.1 according to my view is the chroot simplification.
OpenSSH now has a chroot option built-in which allows administrators to simplify their chroot installations a lot if they're only need SSH cli access and SFTP. This means fewer mis-configurations and improved overall security.
Basically, introducing a chroot setup with OpenSSH has become as simple as adding 2-3 lines in the sshd config file.
Since Hardy Heron is supposed to be an LTS version, I'm actually really surprised that this isn't in Hardy already. This is because the feature I'm describing here was introduced in OpenSSH 4.9 and Ubuntu Hardy is apparently using an even older version.
This gives me some concerns with regards to security in Hardy Heron and makes me (and my company) wonder if LTS is really the way to go.
Other changes include:
Added an extended test mode (-T) to sshd(8) to request that it write
its effective configuration to stdout and exit. Extended test mode
also supports the specification of connection parameters (username,
source address and hostname) to test the application of
sshd_config(5) Match rules.
ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving
network data, resulting in a ~10% speedup
"Match group" blocks in sshd_config(5) now support negation of
groups. E.g. "Match group staff,!guests" (bz#1315)
The sftp-server(8) manual now describes the requirements for
transfer logging in chroot environments. (bz#1488)
Already introduced in OpenSSH 4.9 (!!!)
Added chroot(2) support for sshd(8), controlled by a new option
"ChrootDire
please use this feature carefully. (bz#177 bz#1352)
Linked sftp-server(8) into sshd(8). The internal sftp server is
used when the command "internal-sftp" is specified in a Subsystem
or ForceCommand declaration. When used with ChrootDirectory, the
internal sftp server requires no special configuration of files
inside the chroot environment. Please refer to sshd_config(5) for
more information.
Thank you for your bug report, but I've removed the security flag. This should be used to highlight a specific security vulnerability in a package. In the event of a specific security vulnerability, a bug report should be opened against the affected package, so that the package can be fixed as a SRU in hardy-security. In this scenario, a backport is not normally appropriate.