</ul>
</ul>

version 1.4, 2011/10/30 16:24:42
<p>
<li>OpenSSH 6.0:
<ul>
<li>New features:
<ul>
<li>Allow cancellation of port forwardings via the multiplexing socket
(e.g. "ssh -O cancel -R 2222:127.0.0.1:22 user@host")
<li>Add wildcard support to PermitOpen (e.g. "PermitOpen localhost:*")
<li>A new "ssh-add -k" option to load only plain keys and not
certificates into the agent.
<li>ssh-add now supports loading keys from stdin ("program | ssh-add -")
<li>Allow graceful shutdown of the multiplexing socket (stop listening,
but don't interrupt existing connections), using "ssh -O stop".
<li>"ssh-keygen -A" will now automatically generate host keys of every
supported type
<li>Deprecated GlobalKnownHostsFile2, UserKnownHostsFile2 and
AuthorizedKeysFile2 options. Instead, the corresponding
GlobalKnownHostsFile UserKnownHostsFile and AuthorizedKeysFile
options now all accept multiple arguments.
<li>Add a RequestTTY option to ssh(1) to allow control over TTY
requests similar to the -t/-tt/-T commandline options.
<li>ssh_config(5) now supports negated host matching. E.g.
"Host *.example.org !c.example.org" will match "a.example.org",
"b.example.org", but not "c.example.org"
<li>Add experimental systrace(4) sandboxing of pre-auth sshd(8),
enabled using "UsePrivilegeSeparation=sandbox".
<li>Add new SHA-2 based HMAC modes for the SSH transport layer from
http://tools.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
</ul>
<li>The following significant bugs have been fixed in this release:
<ul>
<li>Fix hostbased authentication for hosts using ECDSA keys.
<li>Fix corruption of file information in sftp(1)'s ls display.
<li>Fix remote portforwarding with dynamically allocated listen ports.
</ul>
</ul>
<p>

version 1.5, 2011/10/31 22:14:10
<p>
<li>OpenSSH 5.9:
<ul>
<li>New features:
<ul>
<li>Introduce sandboxing of the pre-auth privsep child using an optional
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
"UsePrivilegeSeparation=sandbox" mode that enables mandatory
restrictions on the syscalls the privsep child can perform.
<li>Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>.
<li>The pre-authentication
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
privilege separation slave process now logs via a socket shared with
the master process, avoiding the need to maintain /dev/log inside the
chroot.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
now warns when a server refuses X11 forwarding.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>'s
AuthorizedKeysFile now accepts multiple paths, separated by whitespace.
The undocumented AuthorizedKeysFile2 option is deprecated (though the
default for AuthorizedKeysFile includes .ssh/authorized_keys2).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>:
similarly deprecate UserKnownHostsFile2 and GlobalKnownHostsFile2 by
making UserKnownHostsFile and GlobalKnownHostsFile accept multiple
options and default to include known_hosts2.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>'s
ControlPath option now expands %L to the host portion of the
destination host name.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
"Host" options now support negated Host matching.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>:
a new RequestTTY option provides control over when a TTY is requested
for a connection, similar to the existing -t/-tt/-T
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
commandline options.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for
which host keys do not exist, generate the host keys with the default
key file path, an empty passphrase, default bits for the key type, and
default comment. This is useful for system initialisation scripts.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Allow graceful shutdown of multiplexing: request that a mux server
removes its listener socket and refuse future multiplexing requests but
don't kill existing connections. This may be requested using
"ssh -O stop ...".
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>:
now accepts keys piped from standard input.
</ul>
<li>The following significant bugs have been fixed in this release:
<ul>
<li>Retain key comments when loading v.2 keys. These will be visible in
"ssh-add -l" and other places. (bz#439)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
set IPv6 traffic class from IPQoS (as well as IPv4 ToS/DSCP). (bz#1855)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
allow GSSAPI authentication to detect when a server-side failure causes
authentication failure and don't count such failures against
MaxAuthTries. (bz#1244)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a>:
now signs hostbased authentication challenges correctly using ECDSA
keys. (bz#1858)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
document that sftp accepts square brackets to delimit addresses
(useful for IPv6). (bz#1847a)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
when using session multiplexing, the master process will change its
process title to reflect the control path in use and when a
ControlPersist-ed master is waiting to close. (bz#1883 and bz#1911)
<li>Other minor bugs fixed: (bz#1849, bz#1861, bz#1862, bz#1869, bz#1875,
bz#1878, bz#1879, bz#1892, bz#1900, bz#1905, and bz#1913)
</ul>
</ul>
<p>
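Review bot: in the version 1.5 text, the ControlPath, negated "Host", RequestTTY and UserKnownHostsFile/GlobalKnownHostsFile items link to sshd_config(5), but these are ssh(1) client options documented in ssh_config(5), so those man.cgi links should use query=ssh_config (the version 1.4 wording, "Add a RequestTTY option to ssh(1)" and "ssh_config(5) now supports negated host matching", attributes them correctly). The heading "SHA256-based HMAC transport integrity modes" also understates the list that follows it, which includes hmac-sha2-512 and hmac-sha2-512-96; the version 1.4 phrasing "SHA-2 based HMAC modes" covers all four.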