version 1.2, 2015/02/24 04:28:17 |
version 1.3, 2015/02/26 10:37:03 |
|
|
</ul> |
</ul> |
<p> |
<p> |
|
|
<li>OpenSSH 6.7 |
<li>OpenSSH 6.8 |
<ul> |
<ul> |
<li>Potentially-incompatible changes: |
<li>Potentially-incompatible changes: |
<ul> |
<ul> |
<li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
<tt>UseDNS</tt> now defaults to 'no'. Configurations that match |
|
against the client host name (via |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
|
or <tt>authorized_keys</tt>) may need to re-enable it or convert to |
|
matching against addresses. |
</ul> |
</ul> |
<li>New/changed features: |
<li>New/changed features: |
<ul> |
<ul> |
<li>... |
<li>Much of OpenSSH's internal code has been re-factored to be more |
|
library-like. These changes are mostly not user-visible, but |
|
have greatly improved OpenSSH's testability and internal layout. |
|
<li>Add <tt>FingerprintHash</tt> option to |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
|
and |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>, |
|
and equivalent command-line flags to the other tools to control |
|
algorithm used for key fingerprints. The default changes from MD5 |
|
to SHA256 and format from hex to base64. Fingerprints now have the |
|
hash algorithm prepended. Please note that visual host keys will also |
|
be different. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
Host key rotation support. Add a protocol extension for a server |
|
to inform a client of all its available host keys after authentication |
|
has completed. The client may record the keys in <tt>known_hosts</tt>, |
|
allowing it to upgrade to better host key algorithms and a server |
|
to gracefully rotate its keys. The client side of this is controlled |
|
by a <tt>UpdateHostkeys</tt> config option (default on). |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Add a |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
|
<tt>HostbasedKeyType</tt> option to control which host public key types |
|
are tried during host-based authentication. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
fix connection-killing host key mismatch errors when |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> |
|
offers multiple ECDSA keys of different lengths. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
when host name canonicalisation is enabled, try to parse host names |
|
as addresses before looking them up for canonicalisation. Fixes |
|
bz#2074 and avoiding needless DNS lookups in some cases. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
<i>Key Revocation Lists</i> (KRLs) no longer require OpenSSH to be |
|
compiled with OpenSSL support. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keysign&sektion=8">ssh-keysign(8)</a>: |
|
Make ed25519 keys work for host based authentication. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
SSH protocol v.1 workaround for the Meyer, et al., <i>Bleichenbacher |
|
Side Channel Attack</i>. Fake up a bignum key before RSA decryption. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
Remember which public keys have been used for authentication and |
|
refuse to accept previously-used keys. This allows |
|
<tt>AuthenticationMethods=publickey,publickey</tt> to require that |
|
users authenticate using two <i>different</i> public keys. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
add |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
|
<tt>HostbasedAcceptedKeyTypes</tt> and <tt>PubkeyAcceptedKeyTypes</tt> |
|
options to allow |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> |
|
to control what public key types will be accepted. Currently defaults |
|
to all. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
Don't count partial authentication success as a failure against |
|
<tt>MaxAuthTries</tt>. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Add <tt>RevokedHostKeys</tt> option for the client to allow text-file |
|
or KRL-based revocation of host keys. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
Permit KRLs that revoke certificates by serial number or key ID without |
|
scoping to a particular CA. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Add a "Match canonical" criteria that allows |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
|
<tt>Match</tt> blocks to trigger only in the second config pass. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Add a <tt>-G</tt> option to |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
|
that causes it to parse its configuration and dump the result to |
|
stdout, similar to "<tt>sshd -T</tt>". |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Allow <tt>Match</tt> criteria to be negated |
|
(e.g. "<tt>Match !host</tt>"). |
|
<li>The regression test suite has been extended to cover more OpenSSH |
|
features. The unit tests have been expanded and now cover key |
|
exchange. |
</ul> |
</ul> |
<li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
<ul> |
<ul> |
<li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>: |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a> |
|
has been made much more robust again servers that hang or violate |
|
the SSH protocol. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
|
Fix regression bz#2306: Key path names were being lost as comment |
|
fields. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Allow |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
|
<tt>Port</tt> options set in the second config parse phase to be |
|
applied (they were being ignored). (bz#2286) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Tweak config re-parsing with host canonicalisation—make the |
|
second pass through the config files always run when host name |
|
canonicalisation is enabled (and not whenever the host name changes). |
|
(bz#2267) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Fix passing of wildcard forward bind addresses when connection |
|
multiplexing is in use. (bz#2324) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
|
Fix broken private key conversion from non-OpenSSH formats. (bz#2345) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
|
Fix KRL generation bug when multiple CAs are in use. |
|
<li>Various fixes to manual pages. (bz#2273, bz#2288 and bz#2316) |
</ul> |
</ul> |
</ul> |
</ul> |
<p> |
<p> |
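Review bot: four wording defects in the added 6.8 text should be fixed before this is published. In the ssh-keyscan(1) bug-fix entry, "much more robust again servers that hang" should read "much more robust against servers that hang". In the ssh(1) canonicalisation entry, "Fixes bz#2074 and avoiding needless DNS lookups" should read "Fixes bz#2074 and avoids needless DNS lookups". In the FingerprintHash entry, "to control algorithm used for key fingerprints" is missing its article ("to control the algorithm used"). In the "Match canonical" entry, "a ... criteria" should be the singular "criterion". Two documentation points as well: the FingerprintHash change (default MD5 to SHA256, hex to base64, hash algorithm prepended, different visual host keys) is at least as user-visible as the UseDNS default change listed under "Potentially-incompatible changes", because any fingerprint a user recorded out of band under the old defaults will no longer match what the tools print until it is regenerated with the old hash, so it should be listed or cross-referenced there. And the host key rotation entry states UpdateHostkeys is "default on"; since that option makes the client record additional server keys in known_hosts after authentication, the stated default should be checked against the shipped ssh_config(5) so readers know whether the behaviour is opt-in or opt-out.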