OpenSSH 5.9 released
OpenSSH 5.9 has been released. It will be available from the mirrors listed at http://www.openssh.com/.

Features:
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. The intention is to prevent a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or to probe local kernel attack surface.
- ssh(1) now warns when a server refuses X11 forwarding.
- The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot.
- sshd_config(5)’s AuthorizedKeysFile now accepts multiple paths, separated by whitespace. The undocumented AuthorizedKeysFile2 option is deprecated (though the default for AuthorizedKeysFile includes .ssh/authorized_keys2).
- ssh_config(5) "Host" options now support negated Host matching.
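
The negated Host matching in the last item has two rules that are easy to get wrong when writing exceptions to a wildcard block: a negated pattern that matches vetoes the whole Host line, and a negated pattern never produces a match by itself. The following Python model of those rules, as documented in ssh_config(5), is an added example and not OpenSSH code; the function names and the example.org hostnames are constructed for illustration.

```python
import re


def _pattern_to_regex(pattern):
    """Translate an ssh_config pattern ('*' and '?' wildcards only) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # zero or more characters
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def host_line_matches(host_line, hostname):
    """Decide whether a 'Host' pattern list applies to hostname.

    host_line is the whitespace-separated argument of a Host keyword,
    for example "*.example.org !c.example.org".
    """
    matched = False
    for pattern in host_line.split():
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if _pattern_to_regex(pattern).match(hostname):
            if negated:
                # A matching negated entry disables the whole Host block,
                # no matter which other patterns on the line matched.
                return False
            matched = True
    # Only a positive pattern can enable the block; negations alone cannot.
    return matched


if __name__ == "__main__":
    # Constructed sample: apply a block to a domain except one host.
    line = "*.example.org !c.example.org"
    for name in ("a.example.org", "b.example.org", "c.example.org"):
        print(name, host_line_matches(line, name))
```

A block headed only by a negated pattern, such as `Host !c.example.org`, therefore applies to no host at all; it needs a positive pattern like `*` alongside it.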