OpenSSH 6.0p1 was released a little while back; this weekend I belatedly got round to uploading packages of it to Debian unstable and Ubuntu quantal.
I was a bit delayed by needing to put together an improvement to privsep sandbox selection that particularly matters in the context of distributions. One of the experts on seccomp_filter has commented favourably on it, but I haven’t yet had a comment from upstream themselves, so I may need to refine this depending on what they say.
(This is a good example of how it matters that software is often not built on the system that it’s going to run on, and in particular that the kernel version is rather likely to be different. Where possible it’s always best to detect kernel capabilities at run-time rather than at build-time.)
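As an added illustration of run-time detection (not code from this post or from OpenSSH itself), the following C sketch probes the running Linux kernel for seccomp filter support with `prctl` instead of trusting the build machine's headers. The names `classify_probe`, `probe_sandbox` and `sandbox_choice` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2  /* kernel ABI value; build headers may lack it */
#endif

enum sandbox_choice { SANDBOX_FALLBACK = 0, SANDBOX_SECCOMP_FILTER = 1 };

/* Pure decision logic, separate from the syscalls so it can be tested.
 * get_*: outcome of prctl(PR_GET_SECCOMP)
 * set_*: outcome of prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL) */
enum sandbox_choice
classify_probe(int get_ret, int get_errno, int set_ret, int set_errno)
{
    if (get_ret == -1 && get_errno == EINVAL)
        return SANDBOX_FALLBACK;   /* kernel has no seccomp at all */
    /* A NULL filter can never be installed. EFAULT means the kernel knew
     * filter mode and tried to read the program; EINVAL means the mode is
     * unknown, i.e. the running kernel predates seccomp filter. */
    if (set_ret == -1 && set_errno == EFAULT)
        return SANDBOX_SECCOMP_FILTER;
    return SANDBOX_FALLBACK;
}

/* Ask the running kernel, whatever kernel the binary was built on. */
enum sandbox_choice
probe_sandbox(void)
{
#if defined(__linux__) && defined(PR_GET_SECCOMP) && defined(PR_SET_SECCOMP)
    errno = 0;
    int get_ret = prctl(PR_GET_SECCOMP, 0UL, 0UL, 0UL, 0UL);
    int get_errno = errno;
    errno = 0;
    int set_ret = prctl(PR_SET_SECCOMP, (unsigned long)SECCOMP_MODE_FILTER,
                        0UL, 0UL, 0UL);
    int set_errno = errno;
    return classify_probe(get_ret, get_errno, set_ret, set_errno);
#else
    return SANDBOX_FALLBACK;       /* not Linux, or headers too old to ask */
#endif
}

int main(void)
{
    printf("sandbox: %s\n", probe_sandbox() == SANDBOX_SECCOMP_FILTER
           ? "seccomp filter" : "fallback");
    return 0;
}
```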
I didn’t make it very clear in the changelog, but using the new seccomp_filter sandbox currently requires sshd_config as well as a capable kernel. I won’t change the default here in advance of upstream, who still consider privsep sandboxing experimental.