===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/57.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -c -r1.2 -r1.3
*** www/57.html 2015/02/24 04:28:17 1.2
--- www/57.html 2015/02/26 10:37:03 1.3
***************
*** 98,116 ****
!
OpenSSH 6.7
- Potentially-incompatible changes:
- New/changed features:
- The following significant bugs have been fixed in this release:
--- 98,227 ----
!
OpenSSH 6.8
- Potentially-incompatible changes:
! - sshd(8):
! UseDNS now defaults to 'no'. Configurations that match
! against the client host name (via
! sshd_config(5)
! or authorized_keys) may need to re-enable it or convert to
! matching against addresses.
- New/changed features:
! - Much of OpenSSH's internal code has been re-factored to be more
! library-like. These changes are mostly not user-visible, but
! have greatly improved OpenSSH's testability and internal layout.
!
- Add FingerprintHash option to
! ssh(1)
! and
! sshd(8),
! and equivalent command-line flags to the other tools to control
! algorithm used for key fingerprints. The default changes from MD5
! to SHA256 and format from hex to base64. Fingerprints now have the
! hash algorithm prepended. Please note that visual host keys will also
! be different.
!
- ssh(1),
! sshd(8):
! Host key rotation support. Add a protocol extension for a server
! to inform a client of all its available host keys after authentication
! has completed. The client may record the keys in known_hosts,
! allowing it to upgrade to better host key algorithms and a server
! to gracefully rotate its keys. The client side of this is controlled
! by a UpdateHostkeys config option (default on).
!
- ssh(1):
! Add a
! ssh_config(5)
! HostbasedKeyType option to control which host public key types
! are tried during host-based authentication.
!
- ssh(1),
! sshd(8):
! fix connection-killing host key mismatch errors when
! sshd(8)
! offers multiple ECDSA keys of different lengths.
!
- ssh(1):
! when host name canonicalisation is enabled, try to parse host names
! as addresses before looking them up for canonicalisation. Fixes
! bz#2074 and avoiding needless DNS lookups in some cases.
!
- ssh-keygen(1),
! sshd(8):
! Key Revocation Lists (KRLs) no longer require OpenSSH to be
! compiled with OpenSSL support.
!
- ssh(1),
! ssh-keysign(8):
! Make ed25519 keys work for host based authentication.
!
- sshd(8):
! SSH protocol v.1 workaround for the Meyer, et al., Bleichenbacher
! Side Channel Attack. Fake up a bignum key before RSA decryption.
!
- sshd(8):
! Remember which public keys have been used for authentication and
! refuse to accept previously-used keys. This allows
! AuthenticationMethods=publickey,publickey to require that
! users authenticate using two different public keys.
!
- sshd(8):
! add
! sshd_config(5)
! HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
! options to allow
! sshd(8)
! to control what public key types will be accepted. Currently defaults
! to all.
!
- sshd(8):
! Don't count partial authentication success as a failure against
! MaxAuthTries.
!
- ssh(1):
! Add RevokedHostKeys option for the client to allow text-file
! or KRL-based revocation of host keys.
!
- ssh-keygen(1),
! sshd(8):
! Permit KRLs that revoke certificates by serial number or key ID without
! scoping to a particular CA.
!
- ssh(1):
! Add a "Match canonical" criteria that allows
! ssh_config(5)
! Match blocks to trigger only in the second config pass.
!
- ssh(1):
! Add a -G option to
! ssh(1)
! that causes it to parse its configuration and dump the result to
! stdout, similar to "sshd -T".
!
- ssh(1):
! Allow Match criteria to be negated
! (e.g. "Match !host").
!
- The regression test suite has been extended to cover more OpenSSH
! features. The unit tests have been expanded and now cover key
! exchange.
- The following significant bugs have been fixed in this release:
! - ssh-keyscan(1):
! ssh-keyscan(1)
! has been made much more robust again servers that hang or violate
! the SSH protocol.
!
- ssh(1),
! ssh-keygen(1):
! Fix regression bz#2306: Key path names were being lost as comment
! fields.
!
- ssh(1):
! Allow
! ssh_config(5)
! Port options set in the second config parse phase to be
! applied (they were being ignored). (bz#2286)
!
- ssh(1):
! Tweak config re-parsing with host canonicalisationmake the
! second pass through the config files always run when host name
! canonicalisation is enabled (and not whenever the host name changes).
! (bz#2267)
!
- ssh(1):
! Fix passing of wildcard forward bind addresses when connection
! multiplexing is in use. (bz#2324)
!
- ssh-keygen(1):
! Fix broken private key conversion from non-OpenSSH formats. (bz#2345)
!
- ssh-keygen(1):
! Fix KRL generation bug when multiple CAs are in use.
!
- Various fixes to manual pages. (bz#2273, bz#2288 and bz#2316)
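Review bot: Two wording defects in the new bug-fix list should be fixed before this goes live: the ssh-keyscan(1) entry says "much more robust again servers that hang", where "against" is meant, and the ssh(1) canonicalisation entry reads "host canonicalisationmake the second pass", which has lost the separator between "canonicalisation" and "make". In the features list, "a UpdateHostkeys config option" should be "an UpdateHostkeys config option", and "a "Match canonical" criteria" pairs a singular article with a plural noun. The FingerprintHash entry refers to "equivalent command-line flags to the other tools" without naming them; since the default changes from MD5 to SHA256 and from hex to base64, naming the flag would help readers who need to compare a new fingerprint against one recorded in the old form. The UseDNS entry is clear about the behaviour change and about which configurations are affected (host-name matching in sshd_config(5) or authorized_keys), so no change is needed there.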