ssh version 5.6p1 is old, should be OpenSSH 6.0: April 22, 2012

622 Views 8 Replies Latest reply: May 7, 2012 8:10 AM by Mark Jalbert
dgerman Level 1 (5 points)
May 5, 2012 8:54 AM

Can someone please check the version of ssh included in Mountain Lion? And post it here. I post this mostly as a public notice. Please add OpenSSH to your list of OpenBSD packages that are included in Apple's OS X distribution that are outdated.

See also:

rsync version 2.6.9 included very old, should be 3.0.9
https://discussions.apple.com/message/17211026#17211026

why do I have to check for updates in four different places and not in a single one?!
https://discussions.apple.com/message/17216243#17216243

  • Barney-15E Level 7 (33,370 points)

    Anybody that would do that would violate their non-disclosure agreement with Apple.

    As rsync 3.x is GPL v3, I would doubt that it will ever be bundled with an Apple OS until the GPL people stop trying to control the hardware that it is bundled with. That would apply to anything with a GPL v3 license. But, that was all explained in the links you posted.

    OpenSSH uses the BSD License, so it might be updated, but don't know for sure.

    Being that you can just download and compile the source, you can load whatever version you want.

  • Bart1977 Level 2 (285 points)

    At first, I wanted to reply, "who cares", because as long as the functionality is okay, then there isn't always a need to update the software.

    But with the whole Flashback debacle, I'm not so sure anymore I really trust the automatic update system. The thing is, I'm not really sure how to avoid it. Apple includes 3rd-party software such as OpenSSH, but doesn't keep it up-to-date, like you mentioned.

    And I'm a bit wary about that. I've already subscribed to the Apple security mailing list, but that wouldn't have helped me in the Flashback case. Is anyone aware of an outside OS-X only security mailing list?

  • Mark Jalbert Level 5 (4,385 points)

    Why should it be openssh 6.0? Newer versions usually add features though they may at times include security fixes. And with that said, does the security fix need to be applied to a particular operating system? My advice: Take a step back and relax. Apple dropped the ball on this whole Flashback issue but there does not exist any user interface that is 100% secure.

  • Barney-15E Level 7 (33,370 points)

    dgerman wrote:

    Barney-15E, Thank you for your reply. The issue here is not the ability of updating software included with Apple's distribution, rather the need for every individual user to perform (literally) untold updates for each of their systems lest they encounter problems that have already been resolved.

    Most users don't know about or use rsync, ssh, or the myriad of programs in the unix background. If you need them, it is pretty simple to google the name and find the distributions. Installing them may not be that simple, but for the most part, if you know what they are and why you need them, you likely know how to install them.

    So, there isn't much of a need for anyone to maintain a list of versions as you seek. If you think it is important and others would find it useful, why don't you create it and maintain it?

  • daviangel Level 1 (125 points)

    Just use MacPorts; that's what I use, and like 99% of any Linux/Unix software you need can be installed using that.

    There is also Homebrew and other alternatives.

  • Bart1977 Level 2 (285 points)

    Mark Jalbert wrote:

    Why should it be openssh 6.0? Newer versions usually add features though they may at times include security fixes. And with that said, does the security fix need to be applied to a particular operating system? My advice: Take a step back and relax.

    That's what I first did as well, but after Flashback, I feel I need to stay involved. The OS vendor for my servers, Red Hat, runs a security mailing list, and it's very quick with updates. With Apple, there's a security-related list but it's lagging a lot -- 3rd party sources are much quicker.

    The most recent issue is now the plain text logging of passwords when you're running FileVault 1 under Lion:

    http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963

    So dgerman's suggestion that there should be a unified way to update software, is an excellent one. But after fixing this, they should also run a tight ship with informing people. In the meantime, I'll rely on outside sources.

  • Mark Jalbert Level 5 (4,385 points)

    So dgerman's suggestion that there should be a unified way to update software, is an excellent one.

    That has been a long-standing gripe among those that rely upon the CLI and it isn't going to change. New versions normally occur with the roll out of a major OS version. Patches to the current version of a binary on your operating system may happen.

    So, if you want the latest and greatest then your options are to install a third party package management system such as fink or MacPorts, or roll your own. Whatever you do, do not replace any libraries or binaries supplied by the operating system.

    Apple proprietary software is another story.
