Thema: SSH/SSL/VPN Tools...

[SiLæncer]

What's new: >>

* Performance improvment in kitty.exe (patch https://svn.filezilla-project.org/filezilla?view=revision&revision=4863)
* Performance improvment in ksftp.exe (https://svn.filezilla-project.org/filezilla?view=revision&revision=4864)
* New feature: switch between KiTTY windows with CTRL+TAB
* New feature: the working directory, the config directory and the content of KITTY_PATH variable are appended to the PATH variable environment (used to search for third part softwares such as winscp.exe)
* New feature: search for the the configuration file in the KITTY_INI_FILE environment variable
* New patch integration: wincrypt (from https://code.google.com/p/puttywincrypt/) to work with certificate
* bug fix: window title should not be set to cfg.wintitle value when restoring from task bar
* hyperlink patch is converted from C++ to C

http://www.9bis.net/kitty/?page=Welcome&zone=en

[SiLæncer]

Whats new: >>

Fixed: minor bug in the Management Console user interface

http://www.extenua.com/k2sxs

[SiLæncer]

Code: [Auswählen]

Changes since OpenSSH 6.4
=========================

This is a feature-focused release.

New features:

 * ssh(1), sshd(8): Add support for key exchange using elliptic-curve
   Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
   method is the default when both the client and server support it.

 * ssh(1), sshd(8): Add support for Ed25519 as a public key type.
   Ed25519 is a elliptic curve signature scheme that offers
   better security than ECDSA and DSA and good performance. It may be
   used for both user and host keys.

 * Add a new private key format that uses a bcrypt KDF to better
   protect keys at rest. This format is used unconditionally for
   Ed25519 keys, but may be requested when generating or saving
   existing keys of other types via the -o ssh-keygen(1) option.
   We intend to make the new format the default in the near future.
   Details of the new format are in the PROTOCOL.key file.

 * ssh(1), sshd(8): Add a new transport cipher
   "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's
   ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
   encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.

 * ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and
   servers that use the obsolete RSA+MD5 signature scheme. It will
   still be possible to connect with these clients/servers but only
   DSA keys will be accepted, and OpenSSH will refuse connection
   entirely in a future release.

 * ssh(1), sshd(8): Refuse old proprietary clients and servers that
   use a weaker key exchange hash calculation.

 * ssh(1): Increase the size of the Diffie-Hellman groups requested
   for each symmetric key size. New values from NIST Special
   Publication 800-57 with the upper limit specified by RFC4419.

 * ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide
   X.509 certs instead of raw public keys (requested as bz#1908).

 * ssh(1): Add a ssh_config(5) "Match" keyword that allows
   conditional configuration to be applied by matching on hostname,
   user and result of arbitrary commands.

 * ssh(1): Add support for client-side hostname canonicalisation
   using a set of DNS suffixes and rules in ssh_config(5). This
   allows unqualified names to be canonicalised to fully-qualified
   domain names to eliminate ambiguity when looking up keys in
   known_hosts or checking host certificate names.

 * sftp-server(8): Add the ability to whitelist and/or blacklist sftp
   protocol requests by name.

 * sftp-server(8): Add a sftp "fsync@openssh.com" to support calling
   fsync(2) on an open file handle.

 * sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation,
   mirroring the longstanding no-pty authorized_keys option.

 * ssh(1): Add a ssh_config ProxyUseFDPass option that supports the
   use of ProxyCommands that establish a connection and then pass a
   connected file descriptor back to ssh(1). This allows the
   ProxyCommand to exit rather than staying around to transfer data.

Bugfixes:

 * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
   certificates.

 * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.

 * sftp(1): bz#2137: fix the progress meter for resumed transfer.

 * ssh-add(1): bz#2187: do not request smartcard PIN when removing
   keys from ssh-agent.

 * sshd(8): bz#2139: fix re-exec fallback when original sshd binary
   cannot be executed.

 * ssh-keygen(1): Make relative-specified certificate expiry times
   relative to current time and not the validity start time.

 * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.

 * sftp(1): bz#2129: symlinking a file would incorrectly canonicalise
   the target path.

 * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent
   helper executable.

 * sshd(8): Improve logging of sessions to include the user name,
   remote host and port, the session type (shell, command, etc.) and
   allocated TTY (if any).

 * sshd(8): bz#1297: tell the client (via a debug message) when
   their preferred listen address has been overridden by the
   server's GatewayPorts setting.

 * sshd(8): bz#2162: include report port in bad protocol banner
   message.

 * sftp(1): bz#2163: fix memory leak in error path in do_readdir().

 * sftp(1): bz#2171: don't leak file descriptor on error.

 * sshd(8): Include the local address and port in "Connection from
   ..." message (only shown at loglevel>=verbose).

Portable OpenSSH:

 * Please note that this is the last version of Portable OpenSSH that
   will support versions of OpenSSL prior to 0.9.6. Support (i.e.
   SSH_OLD_EVP) will be removed following the 6.5p1 release.

 * Portable OpenSSH will attempt compile and link as a Position
   Independent Executable on Linux, OS X and OpenBSD on recent gcc-
   like compilers. Other platforms and older/other compilers may
   request this using the --with-pie configure flag.

 * A number of other toolchain-related hardening options are used
   automatically if available, including -ftrapv to abort on signed
   integer overflow and options to write-protect dynamic linking
   information.  The use of these options may be disabled using the
   --without-hardening configure flag.

 * If the toolchain supports it, one of the -fstack-protector-strong,
   -fstack-protector-all or -fstack-protector compilation flag are
   used to add guards to mitigate attacks based on stack overflows.
   The use of these options may be disabled using the
   --without-stackprotect configure option.

 * sshd(8): Add support for pre-authentication sandboxing using the
   Capsicum API introduced in FreeBSD 10.

 * Switch to a ChaCha20-based arc4random() PRNG for platforms that do
   not provide their own.

 * sshd(8): bz#2156: restore Linux oom_adj setting when handling
   SIGHUP to maintain behaviour over retart.

 * sshd(8): bz#2032: use local username in krb5_kuserok check rather
   than full client name which may be of form user@REALM.

 * ssh(1), sshd(8): Test for both the presence of ECC NID numbers in
   OpenSSL and that they actually work. Fedora (at least) has
   NID_secp521r1 that doesn't work.

 * bz#2173: use pkg-config --libs to include correct -L location for
   libedit.

Checksums:
==========

 - SHA1 (openssh-6.5.tar.gz) = 0a375e20d895670489a9241f8faa57670214fbed
 - SHA256 (openssh-6.5.tar.gz) = sK5q2rB0o5JCbEmbeE/6N9DtJkT81dwmeuhogT4i900=

 - SHA1 (openssh-6.5p1.tar.gz) = 3363a72b4fee91b29cf2024ff633c17f6cd2f86d
 - SHA256 (openssh-6.5p1.tar.gz) = oRle1V25RSUtWhcw1KKipcHJpqoB7y5a91CpYmI9kCc=

Please note that the PGP key used to sign releases has been rotated.
The new key has been signed by the old key to provide continuity. It
is available from the mirror sites as RELEASE_KEY.asc.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.


http://www.openssh.org/

[SiLæncer]

Whats new: >>

Fixed: bug in the Unix Time encoding function
Critical update: fixes a bug that broke compatibility with CoreFTP and the JSCH library

http://www.extenua.com/k2sxs

[SiLæncer]

MyEnTunnel is a simple system tray application that establishes and maintains TCP SSH tunnels. It does this by launching Plink (PuTTY Link) in the background and then monitors the process. If the Plink process dies (e.g. connection drops, server restarts or otherwise becomes unreachable) MyEnTunnel will automatically restart Plink to reestablish the tunnels in the background. It tries to use as little CPU and system resources as possible when monitoring.

Optionally, MyEnTunnel can actively monitor the connection by creating looped tunnels (either a looped remote/local tunnel pair or a single local tunnel to the ssh servers echo service) and periodically send pings. If too many consecutive pings are lost it will restart the connection.

Since it uses Plink, you can use utilities such as Pageant (a SSH authentication agent for PuTTY, PSCP and Plink) and PuTTYgen (a RSA and DSA key generation utility), as well as named PuTTY sessions. All of the networking and encryption is done by plink.exe; not by MyEnTunnel.

Freeware







Latest Changes

Code: [Auswählen]

- Version 3.6.0 is a unicode rewrite of version 3.4.2.1
- GUI now supports dynamic languages
- Made some additional translations using Google Translate
- (However, the phrasing may not be correct or even make sense in other languages
- But hopefully it will convey the gist. And maybe a chuckle.)
- Now including both 32 and 64 bit builds
- Switched to INNO setup to create a multilingual installer
- The INNO installer will automatically install the 32 or 64 bit version based on the OS

- Note:

- If you're on a 64 bit system and want to make a portable install please use the 32 bit version
- You'll need to manually extract it from the installer
- See: innounp available at http://innounp.sourceforge.net/
- The plink monitoring routine has been placed in it's own thread
- The "Slow Poll" option has been removed as the application thread no longer blocks waiting on aitForSingleObject to return
- Updated bundled plink.exe to version Beta 0.63
- Added GUI fields for to pass additional command line arguments to plink
- Removed NT service as it requires rewriting for Windows 7/Vista
- Added two methods of detecting dead SSH connections after taking a look at autossh for unix. (Thanks for the ideas!)
- A remote and local tunnel pair to create a "looped back" connection
- Or a single tunnel to the servers Echo service
- The Echo service method uses less resources and should be used if available on the ssh server
- The default ping time is 10 seconds
- Three (3) pings must be missed to trigger a reconnect
- The round trip time (rtt) calculations are based on GetTickCount
- Both loopback and echo service pinging methods are on separate threads
- MyEnTunnel now has the RUNASADMIN flag in AppCompatFlags registry section
- The form will now minimize to the system tray instead of closing when clicking the Windows close button on the title bar
- Please use the right click menu option "Exit" to close the application
- Added popup menu on right click to the row of buttons on the bottom and main form body
- Local and Remote tunnels will ignore blanks and commented hash (#) lines
- GUI window can be resized at runtime
- Additional GUI changes, tweaks and internal clean ups
- The system tray icons have been slightly modified to help those who are color blind
- They will now be "unlocked" when red or yellow and "locked" when green
http://nemesis2.qx.net/software-myentunnel.php

[SiLæncer]

Latest Changes

- Fixes a bug when the login fails. (MyEnTunnel would assume it was logged in when it wasn't.)

http://nemesis2.qx.net/software-myentunnel.php

[SiLæncer]

Whats new: >>

Redesigned socket thread-pool: it's now faster and uses less memory (RAM)

http://www.extenua.com/k2sxs

[SiLæncer]

Code: [Auswählen]

This is primarily a bugfix release.

Security:

 * sshd(8): when using environment passing with a sshd_config(5)
   AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be
   tricked into accepting any enviornment variable that contains the
   characters before the wildcard character.

New / changed features:

 * ssh(1), sshd(8): this release removes the J-PAKE authentication code.
   This code was experimental, never enabled and had been unmaintained
   for some time.

 * ssh(1): when processing Match blocks, skip 'exec' clauses other clauses
   predicates failed to match.

 * ssh(1): if hostname canonicalisation is enabled and results in the
   destination hostname being changed, then re-parse ssh_config(5) files
   using the new destination hostname. This gives 'Host' and 'Match'
   directives that use the expanded hostname a chance to be applied.

Bugfixes:

 * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in
   ssh -W. bz#2200, debian#738692

 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace
   sandbox modes, as it is reachable if the connection is terminated
   during the pre-auth phase.

 * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum
   parsing. Minimum key length checks render this bug unexploitable to
   compromise SSH 1 sessions.

 * sshd_config(5): clarify behaviour of a keyword that appears in
   multiple matching Match blocks. bz#2184

 * ssh(1): avoid unnecessary hostname lookups when canonicalisation is
   disabled. bz#2205

 * sshd(8): avoid sandbox violation crashes in GSSAPI code by caching
   the supported list of GSSAPI mechanism OIDs before entering the
   sandbox. bz#2107

 * ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption
   that the SOCKS username is nul-terminated.

 * ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is
   not specified.

 * ssh(1), sshd(8): fix memory leak in ECDSA signature verification.

 * ssh(1): fix matching of 'Host' directives in ssh_config(5) files
   to be case-insensitive again (regression in 6.5).

Portable OpenSSH:

 * sshd(8): don't fatal if the FreeBSD Capsicum is offered by the
   system headers and libc but is not supported by the kernel.
 * Fix build using the HP-UX compiler.
http://www.openssh.org/

[SiLæncer]

What's new: >>

Parts of the TuTTY patch is added
you can now disable maximize, minimize and close button from system menu
you can now select a different font for underline characters, and mouse selected characters
A new comment field is added
New mecanism for login script feature: the file content is loaded when the session is saved. The original file can now be deleted
Bug fixe: the window in the task bar did not flash when receiving a BELL code
New 0.63 big bang bug fix: key authentication without running agent did not work

http://www.9bis.net/kitty/?page=Welcome&zone=en

[SiLæncer]

Ermöglicht es normalerweise unverschlüsselte Dienste wie POP3, IMAP und SMTP mittels SSL zu schützen.

Freeware

Whats new: >>

Code: [Auswählen]

Security bugfixes:
Added PRNG state update in fork threading (CVE-2014-0016)
New global configuration file defaults:
Default "fips" option value is now "no", as FIPS mode is only helpful for compliance, and never for actual security
Default "pid" is now "", i.e. not to create a pid file at startup
New service-level configuration file defaults:
Default "ciphers" updated to "HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2" due to AlFBPPS attack and bad performance of DH ciphersuites
Default "libwrap" setting is now "no" to improve performance
New features:
OpenSSL DLLs updated to version 1.0.1f
zlib DLL updated to version 1.2.8
autoconf scripts upgraded to version 2.69
TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode
New service-level option "redirect" to redirect SSL client connections on authentication failures instead of rejecting them
New global "engineDefault" configuration file option to control which OpenSSL tasks are delegated to the current engine. Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1
New service-level configuration file option "engineId" to select the engine by identifier, e.g. "engineId = capi"
New global configuration file option "log" to control whether to append (the default), or to overwrite log file while (re)opening
Different taskbar icon colors to indicate the service state
New global configuration file options "iconIdle", "iconActive", and "iconError" to select status icon on GUI taskbar
Removed the limit of 63 stunnel.conf sections on Win32 platform
Installation of a sample certificate was moved to a separate "cert" target in order to allow unattended (e.g. scripted) installations
Reduced length of the logged thread identifier. It is still based on the OS thread ID, and thus not unique over long periods of time
Improved readability of error messages printed when stunnel refuses to start due to a critical error
Bugfixes:
LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs)
CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary compatibility with diverse builds of OpenSSL (thx to Norm Jacobs)
Corrected round-robin failover behavior under heavy load
Numerous fixes in the engine support code
On Win32 platform .rnd file moved from c:\ to the stunnel folder
https://www.stunnel.org/index.html

[SiLæncer]

Whats new: >>

Fixed a minor bug in the incoming connection acceptance loop

http://www.extenua.com/silvershield

[SiLæncer]

Whats new: >>

Code: [Auswählen]

pkcs11: use generic evp key instead of rsa
Add support of utun devices under Mac OS X
Add support to ignore specific options.
Add a note what setenv opt does for OpenVPN < 2.3.3
Add reporting of UI version to basic push-peer-info set.
Fix compile error in ssl_openssl introduced by polar external-management patch
Fix assertion when SIGUSR1 is received while getaddrinfo is successful
Add warning for using connection block variables after connection blocks
Introduce safety check for http proxy options
man page: Update man page about the tls_digest_{n} environment variable
Remove the --disable-eurephia configure option
plugin: Extend the plug-in v3 API to identify the SSL implementation used
autoconf: Fix typo
Fix file checks when --chroot is being used
Document authfile for socks server
Fix IPv6 examples in t_client.rc-sample
Fix slow memory drain on each client renegotiation.
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
Make code and documentation for --remote-random-hostname consistent.
Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
Document issue with --chroot, /dev/urandom and PolarSSL.
Rename 'struct route' to 'struct route_ipv4'
Replace copied structure elements with including
Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
Always load intermediate certificates from a PKCS#12 file
Support non-ASCII TAP adapter names on Windows
Support non-ASCII characters in Windows tmp path
TLS version negotiation
Added "setenv opt" directive prefix.
Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
Fix spurious ignoring of pushed config options (trac#349).
Refactor tls_ctx_use_external_private_key()
--management-external-key for PolarSSL
external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
Correct error text when no Windows TAP device is present
Require a 1.2.x PolarSSL version
tls_ctx_load_ca: Improve certificate error messages
Remove duplicate cipher entries from TLS translation table.
Fix configure interaction with static OpenSSL libraries
Do not pass struct tls_session* as void* in key_state_ssl_init().
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
If --tls-cipher is supplied, make --show-tls parse the list.
Add openssl-specific common cipher list names to ssl.c.
Add support for client-cert-not-required for PolarSSL.
Fix "." in description of utun.
http://openvpn.net/

[SiLæncer]

Whats new: >>

Fix man page and OSCP script: tls_serial_{n} is decimal
Fix is_ipv6 in case of tap interface.
IPv6 address/route delete fix for Win8
Add SSL library version reporting.
Minor t_client.sh cleanups
Repair --multihome on FreeBSD for IPv4 sockets.
Rewrite manpage section about --multihome
More IPv6-related updates to the openvpn man page.
Conditionalize calls to print_default_gateway on !ENABLE_SMALL
Use native strtoull() with MSVC 2013.
When tls-version-min is unspecified, revert to original versioning approach.
Change signedness of hash in x509_get_sha1_hash(), fixes compiler warning.
Fix OCSP_check.sh to also use decimal for stdout verification.
Fix build system to accept non-system crypto library locations for plugins.
Make serial env exporting consistent amongst OpenSSL and PolarSSL builds.
Fix SOCKSv5 method selection
Fix typo in sample build script to use LDFLAGS

http://openvpn.net/

[SiLæncer]

What's new: >>

New feature: It is now possible to set a port knocking sequence in connection panel (tested with knockd)
New feature: Auto reconnection delay is now configurable
Bug fix: CTRL+LEFT and CTRL+RIGHT keyboard sequences did not work
Bug fix: Since the previous update, login script feature in portable mode did not work anymore
Bug fix: mouse scrolling with a huge value in "Lines of scrollback" causes a crash
Feature modification: new "port forwarding" information window

http://www.9bis.net/kitty/?page=Welcome&zone=en

[SiLæncer]

SSH-Server für Windows-Systeme

kostenlos (für privaten Gebrauch)

Whats new: >>

OpenSSL Heartbleed Bug correction
Advanced features for SSH server configuration and more

http://mobassh.mobatek.net/