===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/47.html,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- www/47.html 2010/03/08 22:25:35 1.20
+++ www/47.html 2010/03/08 22:28:40 1.21
@@ -205,7 +205,135 @@
OpenSSH 5.4:
- - ...
+
- New features:
+
+ - SSH protocol 1 is disabled by default.
+
- Remove the libsectok/OpenSC-based smartcard code and add support
+ for PKCS#11 tokens.
+
- Add support for certificate authentication of users and hosts using
+ a new, minimal OpenSSH certificate format (not X.509).
+
- Added a 'netcat mode' to
+ ssh(1).
+
- Add the ability to revoke keys in
+ sshd(8)
+ and
+ ssh(1).
+
- Rewrite the
+ ssh(1)
+ multiplexing support to support non-blocking operation of the mux
+ master.
+
- Add a 'read-only' mode to
+ sftp-server(8)
+ that disables open in write mode and all other fs-modifying
+ protocol methods. (bz#430)
+
- Allow setting an explicit umask on the
+ sftp-server(8)
+ commandline to override whatever default the user has. (bz#1229)
+
- Many improvements to the
+ sftp(1)
+ client.
+
- New RSA keys will be generated with a public exponent of
+ RSA_F4 == (2**16)+1 == 65537 instead of the previous value 35.
+
- Passphrase-protected SSH protocol 2 private keys are now protected
+ with AES-128 instead of 3DES.
+
+ - The following significant bugs have been fixed in this release:
+
+ - Fixed a minor information leak of environment variables specified
+ in authorized_keys if an attacker happens to know the public key
+ in use.
+
- When using ChrootDirectory, make sure we test for the
+ existence of the user's shell inside the chroot and not outside.
+ (bz#1679)
+
- Cache user and group name lookups in sftp-server using
+ user_from_[ug]id(3)
+ to improve performance on hosts where these operations are slow.
+ (bz#1495)
+
- Fix problem that prevented passphrase reading from being
+ interrupted in some circumstances. (bz#1590)
+
- Ignore and log any Protocol 1 keys where the claimed size is not
+ equal to the actual size.
+
- Make HostBased authentication work with a
+ ProxyCommand. (bz#1569)
+
- Avoid run-time failures when specifying hostkeys via a relative
+ path by prepending the current working directory in these cases.
+ (bz#1290)
+
- Do not prompt for a passphrase if we fail to open a keyfile, and
+ log the reason why the open failed to debug. (bz#1693)
+
- Document that the PubkeyAuthentication directive is
+ allowed in a
+ sshd_config(5)
+ Match block. (bz#1577)
+
- When converting keys, truncate key comments at 72 chars as per
+ RFC4716. (bz#1630)
+
- Do not allow logins if /etc/nologin exists but is not
+ readable by the user logging in.
+
- Output a debug log if
+ sshd(8)
+ can't open an existing authorized_keys. (bz#1694)
+
- Quell
+ tc[gs]etattr(3)
+ warnings when forcing a tty (ssh -tt), since we usually don't
+ actually have a tty to read/set. (bz#1686)
+
- Prevent
+ sftp(1)
+ from crashing when given a "-" without a command; also, allow
+ whitespace to follow a "-". (bz#1691)
+
- After
+ sshd(8)
+ receives a SIGHUP, ignore subsequent HUPs while
+ sshd(8)
+ re-execs itself; prevents two HUPs in quick succession from
+ resulting in
+ sshd(8)
+ dying. (bz#1692)
+
- Clarify in
+ sshd_config(5)
+ that StrictModes does not apply to
+ ChrootDirectory; permissions and ownership are always
+ checked when chrooting. (bz#1532)
+
- Set close-on-exec on various descriptors so they don't get leaked
+ to child processes. (bz#1643)
+
- Fix very rare race condition in x11/agent channel allocation
+
- Fix incorrect exit status when multiplexing and channel ID 0 is
+ recycled. (bz#1570)
+
- Fail with an error when an attempt is made to connect to a server
+ with ForceCommand=internal-sftp with a shell session.
+ (bz#1606)
+
- Warn but do not fail if
+ stat(2)ing
+ the subsystem binary fails. (bz#1599)
+
- Change "Connecting to host..." message to "Connected to host."
+ and delay it until after the sftp protocol connection has been
+ established. (bz#1588)
+
- Use the HostKeyAlias rather than the hostname specified
+ on the commandline when prompting for passwords. (bz#1039)
+
- Correct off-by-one in percent_expand(). (bz#1607)
+
- Fix passing of empty options from
+ scp(1)
+ and
+ sftp(1)
+ to the underlying
+ ssh(1);
+ also add support for the stop option "--".
+
- Fix an incorrect magic number and typo in PROTOCOL. (bz#1688)
+
- Don't escape backslashes when displaying the SSH2 banner. (bz#1533)
+
- Don't unnecessarily dup() the in and out fds for
+ sftp-server(8).
+ (bz#1566)
+
- Force use of the correct hash function for random-art signature
+ display. (bz#1611)
+
- Do not fall back to adding keys without constraints when the agent
+ refuses the constrained add request. (bz#1612)
+
- Fix a race condition in
+ ssh-agent(1)
+ that could result in a wedged or spinning agent. (bz#1633)
+
- Flush stdio before exec() to ensure that everying has made it out
+ before the streams go away. (bz#1596)
+
- Set FD_CLOEXEC on in/out sockets in
+ sshd(8).
+ (bz#1706)
+
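Review bot: typo in the stdio-flush item near the end of the hunk (bz#1596): "everying" should be "everything". Two consistency points in the same list: the "Fix very rare race condition in x11/agent channel allocation" entry is the only one without a terminating period and, unlike its neighbours, cites no bug number (add one if it exists), and "Many improvements to the sftp(1) client" is the only feature entry that names nothing concrete, so a pointer to where those changes are enumerated would help readers. The "Fixed a minor information leak of environment variables specified in authorized_keys" entry is listed among ordinary bug fixes; consider flagging it explicitly as a security fix so administrators scanning the list can prioritise the upgrade.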
@@ -673,7 +801,7 @@
alt="OpenBSD">
www@openbsd.org
-$OpenBSD: 47.html,v 1.20 2010/03/08 22:25:35 jsg Exp $
+$OpenBSD: 47.html,v 1.21 2010/03/08 22:28:40 sobrado Exp $