| version 1.2, 2015/02/24 04:28:17 |
version 1.3, 2015/02/26 10:37:03 |
|
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>OpenSSH 6.7 |
<li>OpenSSH 6.8 |
| <ul> |
<ul> |
| <li>Potentially-incompatible changes: |
<li>Potentially-incompatible changes: |
| <ul> |
<ul> |
| <li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
<tt>UseDNS</tt> now defaults to 'no'. Configurations that match |
| |
against the client host name (via |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
| |
or <tt>authorized_keys</tt>) may need to re-enable it or convert to |
| |
matching against addresses. |
| </ul> |
</ul> |
| <li>New/changed features: |
<li>New/changed features: |
| <ul> |
<ul> |
| <li>... |
<li>Much of OpenSSH's internal code has been re-factored to be more |
| |
library-like. These changes are mostly not user-visible, but |
| |
have greatly improved OpenSSH's testability and internal layout. |
| |
<li>Add <tt>FingerprintHash</tt> option to |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
| |
and |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>, |
| |
and equivalent command-line flags to the other tools to control |
| |
algorithm used for key fingerprints. The default changes from MD5 |
| |
to SHA256 and format from hex to base64. Fingerprints now have the |
| |
hash algorithm prepended. Please note that visual host keys will also |
| |
be different. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Host key rotation support. Add a protocol extension for a server |
| |
to inform a client of all its available host keys after authentication |
| |
has completed. The client may record the keys in <tt>known_hosts</tt>, |
| |
allowing it to upgrade to better host key algorithms and a server |
| |
to gracefully rotate its keys. The client side of this is controlled |
| |
by a <tt>UpdateHostkeys</tt> config option (default on). |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add a |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
<tt>HostbasedKeyType</tt> option to control which host public key types |
| |
are tried during host-based authentication. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix connection-killing host key mismatch errors when |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> |
| |
offers multiple ECDSA keys of different lengths. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
when host name canonicalisation is enabled, try to parse host names |
| |
as addresses before looking them up for canonicalisation. Fixes |
| |
bz#2074 and avoiding needless DNS lookups in some cases. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
<i>Key Revocation Lists</i> (KRLs) no longer require OpenSSH to be |
| |
compiled with OpenSSL support. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a>: |
| |
Make ed25519 keys work for host based authentication. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
SSH protocol v.1 workaround for the Meyer, et al., <i>Bleichenbacher |
| |
Side Channel Attack</i>. Fake up a bignum key before RSA decryption. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Remember which public keys have been used for authentication and |
| |
refuse to accept previously-used keys. This allows |
| |
<tt>AuthenticationMethods=publickey,publickey</tt> to require that |
| |
users authenticate using two <i>different</i> public keys. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
add |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
| |
<tt>HostbasedAcceptedKeyTypes</tt> and <tt>PubkeyAcceptedKeyTypes</tt> |
| |
options to allow |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> |
| |
to control what public key types will be accepted. Currently defaults |
| |
to all. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Don't count partial authentication success as a failure against |
| |
<tt>MaxAuthTries</tt>. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add <tt>RevokedHostKeys</tt> option for the client to allow text-file |
| |
or KRL-based revocation of host keys. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
Permit KRLs that revoke certificates by serial number or key ID without |
| |
scoping to a particular CA. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add a "Match canonical" criteria that allows |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
<tt>Match</tt> blocks to trigger only in the second config pass. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add a <tt>-G</tt> option to |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
| |
that causes it to parse its configuration and dump the result to |
| |
stdout, similar to "<tt>sshd -T</tt>". |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Allow <tt>Match</tt> criteria to be negated |
| |
(e.g. "<tt>Match !host</tt>"). |
| |
<li>The regression test suite has been extended to cover more OpenSSH |
| |
features. The unit tests have been expanded and now cover key |
| |
exchange. |
| </ul> |
</ul> |
| <li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
| <ul> |
<ul> |
| <li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>: |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a> |
| |
has been made much more robust again servers that hang or violate |
| |
the SSH protocol. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
Fix regression bz#2306: Key path names were being lost as comment |
| |
fields. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Allow |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
<tt>Port</tt> options set in the second config parse phase to be |
| |
applied (they were being ignored). (bz#2286) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Tweak config re-parsing with host canonicalisation—make the |
| |
second pass through the config files always run when host name |
| |
canonicalisation is enabled (and not whenever the host name changes). |
| |
(bz#2267) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Fix passing of wildcard forward bind addresses when connection |
| |
multiplexing is in use. (bz#2324) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
Fix broken private key conversion from non-OpenSSH formats. (bz#2345) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
Fix KRL generation bug when multiple CAs are in use. |
| |
<li>Various fixes to manual pages. (bz#2273, bz#2288 and bz#2316) |
| </ul> |
</ul> |
| </ul> |
</ul> |
| <p> |
<p> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 57.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www