version 1.2, 2014/03/14 17:34:09
version 1.3, 2014/03/15 09:15:35

</ul>
</ul>
<p>
|
|
<li>OpenSSH 6.6 (including changes to 6.5, a feature-focused release):
<ul>
<li>Security:
<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Fix environment passing when a
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
<tt>AcceptEnv</tt> pattern contains a wildcard. OpenSSH prior to 6.6 could
be tricked into accepting any environment variable whose name contains the
characters before the wildcard character.
</ul>
<li>New/changed features:
<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Add support for key exchange using <i>elliptic-curve Diffie-Hellman</i>
in Daniel Bernstein's <i>Curve25519</i>. This key exchange method is
the default when both the client and server support it.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Add support for <i>ED25519</i> as a public key type. ED25519 is
an elliptic curve signature scheme that offers better security than
<i>ECDSA</i> and <i>DSA</i> and good performance. It may be used for
both <i>user</i> and <i>host</i> keys.
<li>Add a new private key format that uses a <i>bcrypt KDF</i> to better
protect keys at rest. This format is used unconditionally for
ED25519 keys, but may be requested when generating or saving
existing keys of other types via the <tt>-o</tt>
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>
option. We intend to make the new format the default in the near
future. Details of the new format are in the <tt>PROTOCOL.key</tt>
file.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Add a new transport cipher "chacha20-poly1305@openssh.com" that
combines Daniel Bernstein's <i>ChaCha20</i> stream cipher and
<i>Poly1305 MAC</i> to build an authenticated encryption mode. Details
are in the <tt>PROTOCOL.chacha20poly1305</tt> file.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Refuse <i>RSA</i> keys from old proprietary clients and servers that
use the obsolete <i>RSA+MD5</i> signature scheme. It will still be
possible to connect with these clients/servers but <b>only DSA keys
will be accepted, and OpenSSH will refuse connection entirely in a
future release</b>.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Refuse old proprietary clients and servers that use a weaker key
exchange hash calculation.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Increase the size of the <i>Diffie-Hellman groups</i> requested for
each symmetric key size. The new values are taken from <i>NIST Special
Publication 800-57</i>, with the upper limit specified by <i>RFC 4419</i>.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
Support <i>PKCS#11</i> tokens that only provide <i>X.509</i> certs
instead of raw public keys. (requested as bz#1908)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Add an
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>
<tt>Match</tt> keyword that allows conditional configuration to be
applied by matching on <i>hostname</i>, <i>user</i> and the <i>result of
arbitrary commands</i>.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Add support for <i>client-side hostname canonicalisation</i> using a
set of <i>DNS suffixes</i> and rules in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>.
This allows unqualified names to be canonicalised to fully-qualified
domain names, eliminating ambiguity when looking up keys in
<tt>known_hosts</tt> or checking host certificate names.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>:
Add the ability to whitelist and/or blacklist sftp protocol requests by
name.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8">sftp-server(8)</a>:
Add an sftp "fsync@openssh.com" extension request to support calling
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fsync&sektion=2">fsync(2)</a>
on an open file handle.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Add an
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
<tt>PermitTTY</tt> option to disallow <i>TTY</i> allocation, mirroring the
longstanding <tt>no-pty</tt> <tt>authorized_keys</tt> option.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Add an
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>
<tt>ProxyUseFDPass</tt> option that supports the use of
<tt>ProxyCommand</tt>s that establish a connection and then pass a
connected file descriptor back to
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>.
This allows the <tt>ProxyCommand</tt> to exit rather than staying
around to transfer data.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
This release removes the <i>J-PAKE</i> authentication code. This code
was experimental, never enabled and had been unmaintained for some
time.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
When processing <tt>Match</tt> blocks, skip '<tt>exec</tt>' clauses
when the predicates of the block's other clauses have already failed
to match.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
If hostname canonicalisation is enabled and results in the destination
hostname being changed, then re-parse
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>
files using the new destination hostname. This gives '<tt>Host</tt>'
and '<tt>Match</tt>' directives that use the expanded hostname a chance
to be applied.
</ul>
<li>The following significant bugs have been fixed in this release:
<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Fix potential stack exhaustion caused by nested certificates.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Make <tt>BindAddress</tt> work with <tt>UsePrivilegedPort</tt>.
(bz#1211)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
Fix the progress meter for resumed transfers. (bz#2137)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>:
Do not request the smartcard PIN when removing keys from
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>.
(bz#2187)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Fix re-exec fallback when the original
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
binary cannot be executed. (bz#2139)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
Make relative-specified certificate expiry times relative to the current
time and not the validity start time.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Fix <tt>AuthorizedKeysCommand</tt> inside a <tt>Match</tt> block.
(bz#2161)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
Symlinking a file would incorrectly canonicalise the target path.
(bz#2129)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
Fix a use-after-free in the PKCS#11 agent helper executable.
(bz#2175)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Improve logging of sessions to include the <i>user name</i>, <i>remote
host</i> and <i>port</i>, the <i>session type</i> (shell, command,
etc.) and <i>allocated TTY</i> (if any).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Tell the client (via a debug message) when their preferred listen
address has been overridden by the server's <tt>GatewayPorts</tt>
setting. (bz#1297)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Include the remote port in the bad protocol banner message. (bz#2162)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
Fix a memory leak in an error path in <i>do_readdir()</i>. (bz#2163)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
Don't leak a file descriptor on error. (bz#2171)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Include the <i>local address</i> and <i>port</i> in the "<tt>Connection
from ...</tt>" message. (only shown at <i>loglevel &gt;= verbose</i>)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Avoid a spurious "<tt>getsockname failed: Bad file descriptor</tt>" in
<tt>ssh -W</tt>. (bz#2200, debian#738692)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Allow the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=shutdown&sektion=2">shutdown(2)</a>
syscall in the seccomp-bpf and systrace sandbox modes, as it is reachable
if the connection is terminated during the pre-auth phase.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Fix an unsigned overflow in <i>SSH protocol 1 bignum parsing</i>.
Minimum key length checks render this bug unexploitable for compromising
SSH 1 sessions.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>:
Clarify the behaviour of a keyword that appears in multiple matching
<tt>Match</tt> blocks. (bz#2184)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Avoid unnecessary hostname lookups when canonicalisation is disabled.
(bz#2205)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Avoid sandbox violation crashes in the GSSAPI code by caching the
supported list of GSSAPI mechanism OIDs before entering the sandbox.
(bz#2107)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Fix possible crashes in SOCKS4 parsing caused by the assumption that the
SOCKS username is nul-terminated.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Fix a regression for <tt>UsePrivilegedPort=yes</tt> when
<tt>BindAddress</tt> is not specified.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
Fix a memory leak in ECDSA signature verification.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Fix matching of '<tt>Host</tt>' directives in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>
files to be case-insensitive again. (regression in 6.5)
</ul>
</ul>
<p>
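The <tt>AcceptEnv</tt> wildcard issue listed under Security above, as an added illustration that is not OpenSSH's own matching code: a constructed substring-style check that exhibits the described behaviour (any name containing the characters before the wildcard passes) beside an anchored glob match that only accepts names the whole pattern covers. The pattern <tt>LC_*</tt> and the variable names are constructed sample input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed flawed check (NOT OpenSSH's code): treats the text before the
 * first '*' as a substring to search for, so any variable name that merely
 * contains that prefix is accepted ("LC_*" lets "XLC_FOO" through). */
bool accept_env_substring(const char *name, const char *pattern)
{
    const char *star = strchr(pattern, '*');
    size_t plen = star ? (size_t)(star - pattern) : strlen(pattern);
    for (; strlen(name) >= plen; name++)
        if (strncmp(name, pattern, plen) == 0)
            return true;
    return false;
}

/* Hardened check: anchored glob match over the whole name. '*' matches any
 * run of characters, '?' exactly one; everything else must match literally
 * and no trailing characters may remain unmatched. */
bool accept_env_anchored(const char *name, const char *pattern)
{
    for (;;) {
        if (*pattern == '\0')
            return *name == '\0';
        if (*pattern == '*') {
            while (*pattern == '*')          /* collapse "**" */
                pattern++;
            if (*pattern == '\0')
                return true;
            for (; *name != '\0'; name++)    /* try every suffix */
                if (accept_env_anchored(name, pattern))
                    return true;
            return false;
        }
        if (*name == '\0' || (*pattern != '?' && *pattern != *name))
            return false;
        pattern++;
        name++;
    }
}

int main(void)
{
    const char *names[] = { "LC_ALL", "XLC_ALL", "LD_PRELOAD" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s substring=%d anchored=%d\n", names[i],
            accept_env_substring(names[i], "LC_*"), accept_env_anchored(names[i], "LC_*"));
    return 0;
}
```

Only the anchored form rejects <tt>XLC_ALL</tt> for pattern <tt>LC_*</tt>; both forms reject <tt>LD_PRELOAD</tt>, which does not contain the prefix at all.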