Return to 47.html CVS log | Up to [local] / www |
version 1.20, 2010/03/08 22:25:35 | version 1.21, 2010/03/08 22:28:40 | ||
---|---|---|---|
<li>OpenSSH 5.4: | <li>OpenSSH 5.4: | ||
<ul> | <ul> | ||
<li>... | <li>New features: | ||
<ul> | |||
<li>SSH protocol 1 is disabled by default. | |||
<li>Remove the libsectok/OpenSC-based smartcard code and add support | |||
for PKCS#11 tokens. | |||
<li>Add support for certificate authentication of users and hosts using | |||
a new, minimal OpenSSH certificate format (not X.509). | |||
<li>Added a 'netcat mode' to | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>. | |||
<li>Add the ability to revoke keys in | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
and | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>. | |||
<li>Rewrite the | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> | |||
multiplexing support to support non-blocking operation of the mux | |||
master. | |||
<li>Add a 'read-only' mode to | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> | |||
that disables open in write mode and all other fs-modifying | |||
protocol methods. (bz#430) | |||
<li>Allow setting an explicit umask on the | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> | |||
commandline to override whatever default the user has. (bz#1229) | |||
<li>Many improvements to the | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> | |||
client. | |||
<li>New RSA keys will be generated with a public exponent of | |||
RSA_F4 == (2**16)+1 == 65537 instead of the previous value 35. | |||
<li>Passphrase-protected SSH protocol 2 private keys are now protected | |||
with AES-128 instead of 3DES. | |||
</ul> | |||
<li>The following significant bugs have been fixed in this release: | |||
<ul> | |||
<li>Fixed a minor information leak of environment variables specified | |||
in authorized_keys if an attacker happens to know the public key | |||
in use. | |||
<li>When using <em>ChrootDirectory</em>, make sure we test for the | |||
existence of the user's shell inside the chroot and not outside. | |||
(bz#1679) | |||
<li>Cache user and group name lookups in sftp-server using | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pwcache&sektion=3">user_from_[ug]id(3)</a> | |||
to improve performance on hosts where these operations are slow. | |||
(bz#1495) | |||
<li>Fix problem that prevented passphrase reading from being | |||
interrupted in some circumstances. (bz#1590) | |||
<li>Ignore and log any Protocol 1 keys where the claimed size is not | |||
equal to the actual size. | |||
<li>Make <em>HostBased</em> authentication work with a | |||
<em>ProxyCommand</em>. (bz#1569) | |||
<li>Avoid run-time failures when specifying hostkeys via a relative | |||
path by prepending the current working directory in these cases. | |||
(bz#1290) | |||
<li>Do not prompt for a passphrase if we fail to open a keyfile, and | |||
log the reason why the open failed to debug. (bz#1693) | |||
<li>Document that the <em>PubkeyAuthentication</em> directive is | |||
allowed in a | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> | |||
<em>Match</em> block. (bz#1577) | |||
<li>When converting keys, truncate key comments at 72 chars as per | |||
RFC4716. (bz#1630) | |||
<li>Do not allow logins if <em>/etc/nologin</em> exists but is not | |||
readable by the user logging in. | |||
<li>Output a debug log if | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
can't open an existing <em>authorized_keys</em>. (bz#1694) | |||
<li>Quell | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcsetattr&sektion=3">tc[gs]etattr(3)</a> | |||
warnings when forcing a tty (ssh -tt), since we usually don't | |||
actually have a tty to read/set. (bz#1686) | |||
<li>Prevent | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> | |||
from crashing when given a "-" without a command; also, allow | |||
whitespace to follow a "-". (bz#1691) | |||
<li>After | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
receives a SIGHUP, ignore subsequent HUPs while | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
re-execs itself; prevents two HUPs in quick succession from | |||
resulting in | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
dying. (bz#1692) | |||
<li>Clarify in | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> | |||
that <em>StrictModes</em> does not apply to | |||
<em>ChrootDirectory</em>; permissions and ownership are always | |||
checked when chrooting. (bz#1532) | |||
<li>Set close-on-exec on various descriptors so they don't get leaked | |||
to child processes. (bz#1643) | |||
<li>Fix very rare race condition in x11/agent channel allocation | |||
<li>Fix incorrect exit status when multiplexing and channel ID 0 is | |||
recycled. (bz#1570) | |||
<li>Fail with an error when an attempt is made to connect to a server | |||
with <em>ForceCommand=internal-sftp</em> with a shell session. | |||
(bz#1606) | |||
<li>Warn but do not fail if | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=stat&sektion=2">stat(2)</a>ing | |||
the subsystem binary fails. (bz#1599) | |||
<li>Change "Connecting to host..." message to "Connected to host." | |||
and delay it until after the sftp protocol connection has been | |||
established. (bz#1588) | |||
<li>Use the <em>HostKeyAlias</em> rather than the hostname specified | |||
on the commandline when prompting for passwords. (bz#1039) | |||
<li>Correct off-by-one in <em>percent_expand()</em>. (bz#1607) | |||
<li>Fix passing of empty options from | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> | |||
and | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> | |||
to the underlying | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>; | |||
also add support for the stop option "--". | |||
<li>Fix an incorrect magic number and typo in PROTOCOL. (bz#1688) | |||
<li>Don't escape backslashes when displaying the SSH2 banner. (bz#1533) | |||
<li>Don't unnecessarily dup() the in and out fds for | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>. | |||
(bz#1566) | |||
<li>Force use of the correct hash function for random-art signature | |||
display. (bz#1611) | |||
<li>Do not fall back to adding keys without constraints when the agent | |||
refuses the constrained add request. (bz#1612) | |||
<li>Fix a race condition in | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> | |||
that could result in a wedged or spinning agent. (bz#1633) | |||
<li>Flush stdio before exec() to ensure that everying has made it out | |||
before the streams go away. (bz#1596) | |||
<li>Set <em>FD_CLOEXEC</em> on in/out sockets in | |||
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>. | |||
(bz#1706) | |||
</ul> | |||
</ul> | </ul> | ||
<p> | <p> | ||
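Review bot: typo in the added stdio-flush entry (bz#1596) in the right-hand column: "to ensure that everying has made it out" should read "to ensure that everything has made it out". Two smaller consistency points in the same added block: the new-features item "Added a 'netcat mode' to ssh(1)." is the only past-tense entry in a list otherwise written in the imperative ("Add support for ...", "Add the ability to revoke keys ..."), so "Add a 'netcat mode' to ssh(1)." would match its neighbours; and the bug-fix entry "Fix very rare race condition in x11/agent channel allocation" is the only item without a terminating period.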