![[BACK]](/icons/back.gif){kind=icon}
Return to 47.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www|
Return to 47.html CVS log | Up to [local] / www |
| version 1.20, 2010/03/08 22:25:35 | version 1.21, 2010/03/08 22:28:40 | ||
|---|---|---|---|
|
|
||
| <li>OpenSSH 5.4: | <li>OpenSSH 5.4: | ||
| <ul> | <ul> | ||
| <li>... | <li>New features: | ||
| <ul> | |||
| <li>SSH protocol 1 is disabled by default. | |||
| <li>Remove the libsectok/OpenSC-based smartcard code and add support | |||
| for PKCS#11 tokens. | |||
| <li>Add support for certificate authentication of users and hosts using | |||
| a new, minimal OpenSSH certificate format (not X.509). | |||
| <li>Added a 'netcat mode' to | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>. | |||
| <li>Add the ability to revoke keys in | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
| and | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>. | |||
| <li>Rewrite the | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> | |||
| multiplexing support to support non-blocking operation of the mux | |||
| master. | |||
| <li>Add a 'read-only' mode to | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> | |||
| that disables open in write mode and all other fs-modifying | |||
| protocol methods. (bz#430) | |||
| <li>Allow setting an explicit umask on the | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a> | |||
| commandline to override whatever default the user has. (bz#1229) | |||
| <li>Many improvements to the | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> | |||
| client. | |||
| <li>New RSA keys will be generated with a public exponent of | |||
| RSA_F4 == (2**16)+1 == 65537 instead of the previous value 35. | |||
| <li>Passphrase-protected SSH protocol 2 private keys are now protected | |||
| with AES-128 instead of 3DES. | |||
| </ul> | |||
| <li>The following significant bugs have been fixed in this release: | |||
| <ul> | |||
| <li>Fixed a minor information leak of environment variables specified | |||
| in authorized_keys if an attacker happens to know the public key | |||
| in use. | |||
| <li>When using <em>ChrootDirectory</em>, make sure we test for the | |||
| existence of the user's shell inside the chroot and not outside. | |||
| (bz#1679) | |||
| <li>Cache user and group name lookups in sftp-server using | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pwcache&sektion=3">user_from_[ug]id(3)</a> | |||
| to improve performance on hosts where these operations are slow. | |||
| (bz#1495) | |||
| <li>Fix problem that prevented passphrase reading from being | |||
| interrupted in some circumstances. (bz#1590) | |||
| <li>Ignore and log any Protocol 1 keys where the claimed size is not | |||
| equal to the actual size. | |||
| <li>Make <em>HostBased</em> authentication work with a | |||
| <em>ProxyCommand</em>. (bz#1569) | |||
| <li>Avoid run-time failures when specifying hostkeys via a relative | |||
| path by prepending the current working directory in these cases. | |||
| (bz#1290) | |||
| <li>Do not prompt for a passphrase if we fail to open a keyfile, and | |||
| log the reason why the open failed to debug. (bz#1693) | |||
| <li>Document that the <em>PubkeyAuthentication</em> directive is | |||
| allowed in a | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> | |||
| <em>Match</em> block. (bz#1577) | |||
| <li>When converting keys, truncate key comments at 72 chars as per | |||
| RFC4716. (bz#1630) | |||
| <li>Do not allow logins if <em>/etc/nologin</em> exists but is not | |||
| readable by the user logging in. | |||
| <li>Output a debug log if | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
| can't open an existing <em>authorized_keys</em>. (bz#1694) | |||
| <li>Quell | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tcsetattr&sektion=3">tc[gs]etattr(3)</a> | |||
| warnings when forcing a tty (ssh -tt), since we usually don't | |||
| actually have a tty to read/set. (bz#1686) | |||
| <li>Prevent | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> | |||
| from crashing when given a "-" without a command; also, allow | |||
| whitespace to follow a "-". (bz#1691) | |||
| <li>After | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
| receives a SIGHUP, ignore subsequent HUPs while | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
| re-execs itself; prevents two HUPs in quick succession from | |||
| resulting in | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> | |||
| dying. (bz#1692) | |||
| <li>Clarify in | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> | |||
| that <em>StrictModes</em> does not apply to | |||
| <em>ChrootDirectory</em>; permissions and ownership are always | |||
| checked when chrooting. (bz#1532) | |||
| <li>Set close-on-exec on various descriptors so they don't get leaked | |||
| to child processes. (bz#1643) | |||
| <li>Fix very rare race condition in x11/agent channel allocation | |||
| <li>Fix incorrect exit status when multiplexing and channel ID 0 is | |||
| recycled. (bz#1570) | |||
| <li>Fail with an error when an attempt is made to connect to a server | |||
| with <em>ForceCommand=internal-sftp</em> with a shell session. | |||
| (bz#1606) | |||
| <li>Warn but do not fail if | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=stat&sektion=2">stat(2)</a>ing | |||
| the subsystem binary fails. (bz#1599) | |||
| <li>Change "Connecting to host..." message to "Connected to host." | |||
| and delay it until after the sftp protocol connection has been | |||
| established. (bz#1588) | |||
| <li>Use the <em>HostKeyAlias</em> rather than the hostname specified | |||
| on the commandline when prompting for passwords. (bz#1039) | |||
| <li>Correct off-by-one in <em>percent_expand()</em>. (bz#1607) | |||
| <li>Fix passing of empty options from | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1">scp(1)</a> | |||
| and | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a> | |||
| to the underlying | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>; | |||
| also add support for the stop option "--". | |||
| <li>Fix an incorrect magic number and typo in PROTOCOL. (bz#1688) | |||
| <li>Don't escape backslashes when displaying the SSH2 banner. (bz#1533) | |||
| <li>Don't unnecessarily dup() the in and out fds for | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>. | |||
| (bz#1566) | |||
| <li>Force use of the correct hash function for random-art signature | |||
| display. (bz#1611) | |||
| <li>Do not fall back to adding keys without constraints when the agent | |||
| refuses the constrained add request. (bz#1612) | |||
| <li>Fix a race condition in | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> | |||
| that could result in a wedged or spinning agent. (bz#1633) | |||
| <li>Flush stdio before exec() to ensure that everying has made it out | |||
| before the streams go away. (bz#1596) | |||
| <li>Set <em>FD_CLOEXEC</em> on in/out sockets in | |||
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>. | |||
| (bz#1706) | |||
| </ul> | |||
| </ul> | </ul> | ||
| <p> | <p> | ||