Corinna Vinschen <vinschen@xxxxxxxxxx> wrote:
> There's a backward incompatible change in this release which is not
> mentioned in the release notes. The slogin symlink as well as the
> slogin.1 man page are not created anymore by the Makefile.
>
> This change potentially breaks lots and lots of aliases, shell scripts,
> and GUI keyboard shortcuts.

This may also be a serious security issue!

On most systems I know of, the brand-new versions of OpenSSH are installed in parallel to the SSH that ships with the operating system. So users put (for example) /usr/local/bin in front of /usr/bin to get the new OpenSSH binaries instead of the old ones from the system. The shell automatically uses the new binaries because they come first in the shell command path.

Now, when users run "slogin" they will no longer start the one from the new OpenSSH; instead the shell finds the old one from the operating system and starts that one.

Although the old SSH from the operating system might be secure because it gets patches from the vendor, it's usually an old version and lacks a lot of new features (functionality + security). So users running "slogin" will not get the best protection possible.

For people who used rlogin/rsh/rcp back in the old days, it's quite common to use slogin/ssh/scp in the same way (and the developers supported that behaviour by linking slogin to ssh). Now silently removing that historic link is a big issue.

Yes, sure, it's mentioned in the "ChangeLog", but honestly, that should be included in the main release notes.

(IMHO, there should be a dummy script for "slogin" that warns users that they no longer get what they expect; it's better to break things instead of silently compromising security.)

Greetings,
Andreas
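
A check for the situation described in the message above, added here as an example that is not part of the original post or of OpenSSH: it reports any command of a tool suite that resolves from a different PATH directory than a reference command. The function names and the temporary directory layout are constructed for illustration.

```shell
# Print the first executable named $1 in the colon-separated path $2.
# The body runs in a subshell so IFS and 'set -f' do not leak to the caller.
resolve_in_path() (
    IFS=:; set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"; exit 0
        fi
    done
    exit 1
)

# check_suite SEARCHPATH REF CMD...
# Returns 0 if every CMD found resolves from the same directory as REF,
# 1 if any CMD resolves elsewhere, 2 if REF itself is not found.
check_suite() {
    search=$1; ref=$2; shift 2
    ref_path=$(resolve_in_path "$ref" "$search") || { echo "missing: $ref"; return 2; }
    ref_dir=${ref_path%/*}
    rc=0
    for cmd in "$@"; do
        if found=$(resolve_in_path "$cmd" "$search"); then
            if [ "${found%/*}" != "$ref_dir" ]; then
                echo "MISMATCH: $cmd -> $found ($ref is in $ref_dir)"
                rc=1
            fi
        else
            echo "missing: $cmd"
        fi
    done
    return $rc
}

# Constructed layout mirroring the post: the new install provides ssh only,
# the older system directory still provides both ssh and slogin.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/bin" "$root/usr/bin"
    for f in usr/local/bin/ssh usr/bin/ssh usr/bin/slogin; do
        printf '#!/bin/sh\n' > "$root/$f"; chmod +x "$root/$f"
    done
    printf '%s\n' "$root"
}

root=$(make_fixture)
check_suite "$root/usr/local/bin:$root/usr/bin" ssh slogin || echo "exit status: $?"
rm -rf "$root"
```

On a real host, `check_suite "$PATH" ssh slogin scp sftp` performs the same comparison against the live search path.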