| version 1.2, 2014/03/14 17:34:09 |
version 1.3, 2014/03/15 09:15:35 |
|
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>OpenSSH 6.3: |
<li>OpenSSH 6.6 (including changes to 6.5, a feature-focused release): |
| <ul> |
<ul> |
| <li>New features: |
<li>Security: |
| <ul> |
<ul> |
| <li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
when using environment passing with a |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
| |
<tt>AcceptEnv</tt> pattern with a wildcard. OpenSSH prior to 6.6 could |
| |
be tricked into accepting any enviornment variable that contains the |
| |
characters before the wildcard character. |
| </ul> |
</ul> |
| |
<li>New/changed features: |
| |
<ul> |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Add support for key exchange using <i>elliptic-curve Diffie Hellman</i> |
| |
in Daniel Bernstein's <i>Curve25519</i>. This key exchange method is |
| |
the default when both the client and server support it. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Add support for <i>ED25519</i> as a public key type. ED25519 is |
| |
a elliptic curve signature scheme that offers better security than |
| |
<i>ECDSA</i> and <i>DSA</i> and good performance. It may be used for |
| |
both <i>user</i> and <i>host</i> keys. |
| |
<li>Add a new private key format that uses a <i>bcrypt KDF</i> to better |
| |
protect keys at rest. This format is used unconditionally for |
| |
ED25519 keys, but may be requested when generating or saving |
| |
existing keys of other types via the <tt>-o</tt> |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> |
| |
option. We intend to make the new format the default in the near |
| |
future. Details of the new format are in the <tt>PROTOCOL.key</tt> |
| |
file. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Add a new transport cipher "chacha20-poly1305@openssh.com" that |
| |
combines Daniel Bernstein's <i>ChaCha20</i> stream cipher and |
| |
<i>Poly1305 MAC</i> to build an authenticated encryption mode. Details |
| |
are in the <tt>PROTOCOL.chacha20poly1305</tt> file. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Refuse <i>RSA</i> keys from old proprietary clients and servers that |
| |
use the obsolete <i>RSA+MD5</i> signature scheme. It will still be |
| |
possible to connect with these clients/servers but <b>only DSA keys |
| |
will be accepted, and OpenSSH will refuse connection entirely in a |
| |
future release</b>. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Refuse old proprietary clients and servers that use a weaker key |
| |
exchange hash calculation. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Increase the size of the <i>Diffie-Hellman groups</i> requested for |
| |
each symmetric key size. New values from <i>NIST Special Publication |
| |
800-57</i> with the upper limit specified by <i>RFC 4419</i>. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| |
Support <i>PKCS#11</i> tokens that only provide <i>X.509</i> certs |
| |
instead of raw public keys. (requested as bz#1908) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add a |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
<tt>Match</tt> keyword that allows conditional configuration to be |
| |
applied by matching on <i>hostname</i>, <i>user</i> and <i>result of |
| |
arbitrary commands</i>. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add support for <i>client-side hostname canonicalisation</i> using a |
| |
set of <i>DNS suffixes</i> and rules in |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>. |
| |
This allows unqualified names to be canonicalised to fully-qualified |
| |
domain names to eliminate ambiguity when looking up keys in |
| |
<tt>known_hosts</tt> or checking host certificate names. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>: |
| |
Add the ability to whitelist and/or blacklist sftp protocol requests by |
| |
name. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>: |
| |
Add a sftp "fsync@openssh.com" to support calling |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fsync&sektion=2">fsync(2)</a> |
| |
on an open file handle. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Add a |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
<tt>PermitTTY</tt> to disallow <i>TTY</i> allocation, mirroring the |
| |
longstanding <tt>no-pty</tt> <tt>authorized_keys</tt> option. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add a |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
<tt>ProxyUseFDPass</tt> option that supports the use of |
| |
<tt>ProxyCommands</tt> that establish a connection and then pass a |
| |
connected file descriptor back to |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>. |
| |
This allows the <tt>ProxyCommand</tt> to exit rather than staying |
| |
around to transfer data. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
this release removes the <i>J-PAKE</i> authentication code. This code |
| |
was experimental, never enabled and had been unmaintained for some |
| |
time. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
when processing <tt>Match</tt> blocks, skip '<tt>exec</tt>' clauses |
| |
other clauses predicates failed to match. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
if hostname canonicalisation is enabled and results in the destination |
| |
hostname being changed, then re-parse |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
files using the new destination hostname. This gives '<tt>Host</tt>' |
| |
and '<tt>Match</tt>' directives that use the expanded hostname a chance |
| |
to be applied. |
| |
</ul> |
| <li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
| <ul> |
<ul> |
| <li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Fix potential stack exhaustion caused by nested certificates. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
make <tt>BindAddress</tt> work with <tt>UsePrivilegedPort</tt>. |
| |
(bz#1211) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>: |
| |
fix the progress meter for resumed transfer. (bz#2137) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>: |
| |
do not request smartcard PIN when removing keys from |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>. |
| |
(bz#2187) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix re-exec fallback when original |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> |
| |
binary cannot be executed. (bz#2139) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
Make relative-specified certificate expiry times relative to current |
| |
time and not the validity start time. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix <tt>AuthorizedKeysCommand</tt> inside a <tt>Match</tt> block. |
| |
(bz#2161) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>: |
| |
symlinking a file would incorrectly canonicalise the target path. |
| |
(bz#2129) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| |
fix a use-after-free in the PKCS#11 agent helper executable. |
| |
(bz#2175) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Improve logging of sessions to include the <i>user name</i>, <i>remote |
| |
host</i> and <i>port</i>, the <i>session type</i> (shell, command, |
| |
etc.) and <i>allocated TTY</i> (if any). |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
tell the client (via a debug message) when their preferred listen |
| |
address has been overridden by the server's <tt>GatewayPorts</tt> |
| |
setting. (bz#1297) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
include report port in bad protocol banner message. (bz#2162) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>: |
| |
fix memory leak in error path in <i>do_readdir()</i>. (bz#2163) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>: |
| |
don't leak file descriptor on error. (bz#2171) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
include the <i>local address</i> and <i>port</i> in "<tt>Connection |
| |
from ...</tt>" message. (only shown at <i>loglevel>=verbose</i>) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
avoid spurious "<tt>getsockname failed: Bad file descriptor</tt>" in |
| |
<tt>ssh -W</tt>. (bz#2200, debian#738692) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
allow the |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=shutdown&sektion=2">shutdown(2)</a> |
| |
syscall in seccomp-bpf and systrace sandbox modes, as it is reachable |
| |
if the connection is terminated during the pre-auth phase. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix unsigned overflow that in <i>SSH protocol 1 bignum parsing</i>. |
| |
Minimum key length checks render this bug unexploitable to compromise |
| |
SSH 1 sessions. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
| |
clarify behaviour of a keyword that appears in multiple matching |
| |
<tt>Match</tt> blocks. (bz#2184) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
avoid unnecessary hostname lookups when canonicalisation is disabled. |
| |
(bz#2205) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
avoid sandbox violation crashes in GSSAPI code by caching the supported |
| |
list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix possible crashes in SOCKS4 parsing caused by assumption that the |
| |
SOCKS username is nul-terminated. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix regression for <tt>UsePrivilegedPort=yes</tt> when |
| |
<tt>BindAddress</tt> is not specified. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix memory leak in ECDSA signature verification. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix matching of '<tt>Host</tt>' directives in |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
files to be case-insensitive again. (regression in 6.5) |
| </ul> |
</ul> |
| </ul> |
</ul> |
| <p> |
<p> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 55.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www