===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/50.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- www/50.html 2011/10/30 16:24:42 1.4
+++ www/50.html 2011/10/31 22:14:10 1.5
@@ -236,39 +236,83 @@
-
OpenSSH 6.0:
+OpenSSH 5.9:
- New features:
- - Allow cancellation of port forwardings via the multiplexing socket
- (e.g. "ssh -O cancel -R 2222:127.0.0.1:22 user@host")
-
- Add wildcard support to PermitOpen (e.g. "PermitOpen localhost:*")
-
- A new "ssh-add -k" option to load only plain keys and not
- certificates into the agent.
-
- ssh-add now supports loading keys from stdin ("program | ssh-add -")
-
- Allow graceful shutdown of the multiplexing socket (stop listening,
- but don't interrupt existing connections), using "ssh -O stop".
-
- "ssh-keygen -A" will now automatically generate host keys of every
- supported type
-
- Deprecated GlobalKnownHostsFile2, UserKnownHostsFile2 and
- AuthorizedKeysFile2 options. Instead, the corresponding
- GlobalKnownHostsFile UserKnownHostsFile and AuthorizedKeysFile
- options now all accept multiple arguments.
-
- Add a RequestTTY option to ssh(1) to allow control over TTY
- requests similar to the -t/-tt/-T commandline options.
-
- ssh_config(5) now supports negated host matching. E.g.
- "Host *.example.org !c.example.org" will match "a.example.org",
- "b.example.org", but not "c.example.org"
-
- Add experimental systrace(4) sandboxing of pre-auth sshd(8),
- enabled using "UsePrivilegeSeparation=sandbox".
-
- Add new SHA-2 based HMAC modes for the SSH transport layer from
- http://tools.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
+
- Introduce sandboxing of the pre-auth privsep child using an optional
+ sshd_config(5)
+ "UsePrivilegeSeparation=sandbox" mode that enables mandatory
+ restrictions on the syscalls the privsep child can perform.
+
- Add new SHA256-based HMAC transport integrity modes from
+ http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
+ These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
+ and hmac-sha2-512-96, and are available by default in
+ ssh(1)
+ and
+ sshd(8).
+
- The pre-authentication
+ sshd(8)
+ privilege separation slave process now logs via a socket shared with
+ the master process, avoiding the need to maintain /dev/log inside the
+ chroot.
+
- ssh(1)
+ now warns when a server refuses X11 forwarding.
+
- sshd_config(5)'s
+ AuthorizedKeysFile now accepts multiple paths, separated by whitespace.
+ The undocumented AuthorizedKeysFile2 option is deprecated (though the
+ default for AuthorizedKeysFile includes .ssh/authorized_keys2).
+
- sshd_config(5):
+ similarly deprecate UserKnownHostsFile2 and GlobalKnownHostsFile2 by
+ making UserKnownHostsFile and GlobalKnownHostsFile accept multiple
+ options and default to include known_hosts2.
+
- sshd_config(5)'s
+ ControlPath option now expands %L to the host portion of the
+ destination host name.
+
- sshd_config(5)
+ "Host" options now support negated Host matching.
+
- sshd_config(5):
+ a new RequestTTY option provides control over when a TTY is requested
+ for a connection, similar to the existing -t/-tt/-T
+ ssh(1)
+ commandline options.
+
- ssh-keygen(1):
+ Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for
+ which host keys do not exist, generate the host keys with the default
+ key file path, an empty passphrase, default bits for the key type, and
+ default comment. This is useful for system initialisation scripts.
+
- ssh(1):
+ Allow graceful shutdown of multiplexing: request that a mux server
+ removes its listener socket and refuse future multiplexing requests but
+ don't kill existing connections. This may be requested using
+ "ssh -O stop ...".
+
- ssh-add(1):
+ now accepts keys piped from standard input.
- The following significant bugs have been fixed in this release:
- - Fix hostbased authentication for hosts using ECDSA keys.
-
- Fix corruption of file information in sftp(1)'s ls display.
-
- Fix remote portforwarding with dynamically allocated listen ports.
+
- Retain key comments when loading v.2 keys. These will be visible in
+ "ssh-add -l" and other places. (bz#439)
+
- ssh(1)
+ and
+ sshd(8):
+ set IPv6 traffic class from IPQoS (as well as IPv4 ToS/DSCP). (bz#1855)
+
- sshd(8):
+ allow GSSAPI authentication to detect when a server-side failure causes
+ authentication failure and don't count such failures against
+ MaxAuthTries. (bz#1244)
+
- ssh-keysign(8):
+ now signs hostbased authentication challenges correctly using ECDSA
+ keys. (bz#1858)
+
- sftp(1):
+ document that sftp accepts square brackets to delimit addresses
+ (useful for IPv6). (bz#1847a)
+
- ssh(1):
+ when using session multiplexing, the master process will change its
+ process title to reflect the control path in use and when a
+ ControlPersist-ed master is waiting to close. (bz#1883 and bz#1911)
+
- Other minor bugs fixed: (bz#1849, bz#1861, bz#1862, bz#1869, bz#1875,
+ bz#1878, bz#1879, bz#1892, bz#1900, bz#1905, and bz#1913)
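Review bot: The added entries for UserKnownHostsFile2/GlobalKnownHostsFile2, ControlPath, "Host" negation and RequestTTY are labelled sshd_config(5), but these are client-side options. The lines this hunk removes described the same features as "ssh_config(5) now supports negated host matching" and "Add a RequestTTY option to ssh(1)". Suggest changing those four labels to ssh_config(5) and keeping sshd_config(5) only on the UsePrivilegeSeparation and AuthorizedKeysFile entries, so readers look for the option in the right file. Separately, "SHA256-based HMAC" does not match the list that follows it, which includes hmac-sha2-512 and hmac-sha2-512-96; the removed wording "SHA-2 based" covered both.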
@@ -725,7 +769,7 @@
alt="OpenBSD">
www@openbsd.org
-$OpenBSD: 50.html,v 1.4 2011/10/30 16:24:42 nick Exp $
+$OpenBSD: 50.html,v 1.5 2011/10/31 22:14:10 djm Exp $