OpenSSH 5.9 Released

[ Thanks to An Anonymous Reader for this link. ]

Changes since OpenSSH 5.8
=========================

Features:

  • Introduce sandboxing of the pre-auth privsep child using an
    optional sshd_config(5) “UsePrivilegeSeparation=sandbox” mode that
    enables mandatory restrictions on the syscalls the privsep child
    can perform. The intention is to prevent a compromised privsep
    child from being used to attack other hosts (by opening sockets and
    proxying) or to probe the local kernel attack surface.

    Three concrete sandbox implementations are provided (selected at
    configure time): systrace, seatbelt and rlimit.

    The systrace sandbox uses systrace(4) in unsupervised
    “fast-path” mode, where a list of permitted syscalls is supplied.
    Any syscall not on the list results in SIGKILL being sent to the
    privsep child. Note that this requires a kernel with the new
    SYSTR_POLICY_KILL option (only OpenBSD has this mode at
    present).

    The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with
    a strict (kSBXProfilePureComputation) policy that disables access
    to filesystem and network resources.

    The rlimit sandbox is a fallback choice for platforms that don’t
    support a better one; it uses setrlimit() to reset the hard limit
    on file descriptors and processes to zero, which should prevent the
    privsep child from forking or opening new network connections.

    Sandboxing of the privilege separated child process is currently
    experimental but should become the default in a future release.
    Native sandboxes for other platforms are welcome (e.g. Capsicum,
    Linux pid/net namespaces, etc.).
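The rlimit fallback described above, as an added C example (not OpenSSH's own sandbox code): it applies the zeroed limits inside a forked child and reports which operations the limits actually refused, which is the check a practitioner wants before trusting this mode on a given platform. The function names (rlimit_sandbox_apply, probe_in_child, rlimit_sandbox_demo) are assumptions, and the open() of /dev/null stands in for the new socket a compromised child would try to create.

```c
/* Added example, not OpenSSH's own sandbox-rlimit.c: the rlimit sandbox above,
 * run in a forked child so the caller's own limits stay intact. Assumes POSIX + RLIMIT_NPROC. */
#include <errno.h>
#include <fcntl.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define SBX_OPEN_BLOCKED 1   /* open() refused with EMFILE */
#define SBX_FORK_BLOCKED 2   /* fork() refused with EAGAIN */

/* Zero both soft and hard limits: no new fds, no new processes.
 * Descriptors already open (e.g. the privsep socket) keep working. */
int rlimit_sandbox_apply(void) {
    struct rlimit zero = { 0, 0 };
    return (setrlimit(RLIMIT_NOFILE, &zero) == 0 &&
            setrlimit(RLIMIT_NPROC, &zero) == 0) ? 0 : -1;
}

/* Runs inside the sandboxed child; returns a bitmask of what was
 * blocked, or -1 if the sandbox could not be applied. */
static int probe_in_child(void) {
    int blocked = 0;
    if (rlimit_sandbox_apply() != 0) return -1;
    /* Any new descriptor (a socket, in the scenario above) hits the limit. */
    if (open("/dev/null", O_RDONLY) < 0 && errno == EMFILE)
        blocked |= SBX_OPEN_BLOCKED;
    /* Unprivileged users get EAGAIN. Root is exempt from RLIMIT_NPROC on
     * Linux, and some Linux versions enforce it at the next execve()
     * rather than at fork(), so this bit is informational only. */
    pid_t p = fork();
    if (p < 0 && errno == EAGAIN)
        blocked |= SBX_FORK_BLOCKED;
    else if (p == 0)
        _exit(0);   /* grandchild (limit not enforced): leave at once */
    return blocked;
}

/* Fork, sandbox the child, collect its bitmask from the exit status.
 * Returns -1 if the child could not apply the sandbox. */
int rlimit_sandbox_demo(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int r = probe_in_child();
        _exit(r < 0 ? 255 : r);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

A result with only SBX_OPEN_BLOCKED set is expected when run as root on Linux, where RLIMIT_NPROC does not bind the caller; the descriptor limit is enforced for every user.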

