===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/57.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- www/57.html 2015/02/24 04:28:17 1.2
+++ www/57.html 2015/02/26 10:37:03 1.3
@@ -98,19 +98,130 @@
-
OpenSSH 6.7
+OpenSSH 6.8
- Potentially-incompatible changes:
- - ...
+
- sshd(8):
+ UseDNS now defaults to 'no'. Configurations that match
+ against the client host name (via
+ sshd_config(5)
+ or authorized_keys) may need to re-enable it or convert to
+ matching against addresses.
- New/changed features:
- - ...
+
- Much of OpenSSH's internal code has been re-factored to be more
+ library-like. These changes are mostly not user-visible, but
+ have greatly improved OpenSSH's testability and internal layout.
+
- Add FingerprintHash option to
+ ssh(1)
+ and
+ sshd(8),
+ and equivalent command-line flags to the other tools to control
+ algorithm used for key fingerprints. The default changes from MD5
+ to SHA256 and format from hex to base64. Fingerprints now have the
+ hash algorithm prepended. Please note that visual host keys will also
+ be different.
+
- ssh(1),
+ sshd(8):
+ Host key rotation support. Add a protocol extension for a server
+ to inform a client of all its available host keys after authentication
+ has completed. The client may record the keys in known_hosts,
+ allowing it to upgrade to better host key algorithms and a server
+ to gracefully rotate its keys. The client side of this is controlled
+ by a UpdateHostkeys config option (default on).
+
- ssh(1):
+ Add a
+ ssh_config(5)
+ HostbasedKeyType option to control which host public key types
+ are tried during host-based authentication.
+
- ssh(1),
+ sshd(8):
+ fix connection-killing host key mismatch errors when
+ sshd(8)
+ offers multiple ECDSA keys of different lengths.
+
- ssh(1):
+ when host name canonicalisation is enabled, try to parse host names
+ as addresses before looking them up for canonicalisation. Fixes
+ bz#2074 and avoiding needless DNS lookups in some cases.
+
- ssh-keygen(1),
+ sshd(8):
+ Key Revocation Lists (KRLs) no longer require OpenSSH to be
+ compiled with OpenSSL support.
+
- ssh(1),
+ ssh-keysign(8):
+ Make ed25519 keys work for host based authentication.
+
- sshd(8):
+ SSH protocol v.1 workaround for the Meyer, et al., Bleichenbacher
+ Side Channel Attack. Fake up a bignum key before RSA decryption.
+
- sshd(8):
+ Remember which public keys have been used for authentication and
+ refuse to accept previously-used keys. This allows
+ AuthenticationMethods=publickey,publickey to require that
+ users authenticate using two different public keys.
+
- sshd(8):
+ add
+ sshd_config(5)
+ HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
+ options to allow
+ sshd(8)
+ to control what public key types will be accepted. Currently defaults
+ to all.
+
- sshd(8):
+ Don't count partial authentication success as a failure against
+ MaxAuthTries.
+
- ssh(1):
+ Add RevokedHostKeys option for the client to allow text-file
+ or KRL-based revocation of host keys.
+
- ssh-keygen(1),
+ sshd(8):
+ Permit KRLs that revoke certificates by serial number or key ID without
+ scoping to a particular CA.
+
- ssh(1):
+ Add a "Match canonical" criteria that allows
+ ssh_config(5)
+ Match blocks to trigger only in the second config pass.
+
- ssh(1):
+ Add a -G option to
+ ssh(1)
+ that causes it to parse its configuration and dump the result to
+ stdout, similar to "sshd -T".
+
- ssh(1):
+ Allow Match criteria to be negated
+ (e.g. "Match !host").
+
- The regression test suite has been extended to cover more OpenSSH
+ features. The unit tests have been expanded and now cover key
+ exchange.
- The following significant bugs have been fixed in this release:
- - ...
+
- ssh-keyscan(1):
+ ssh-keyscan(1)
+ has been made much more robust again servers that hang or violate
+ the SSH protocol.
+
- ssh(1),
+ ssh-keygen(1):
+ Fix regression bz#2306: Key path names were being lost as comment
+ fields.
+
- ssh(1):
+ Allow
+ ssh_config(5)
+ Port options set in the second config parse phase to be
+ applied (they were being ignored). (bz#2286)
+
- ssh(1):
+ Tweak config re-parsing with host canonicalisationmake the
+ second pass through the config files always run when host name
+ canonicalisation is enabled (and not whenever the host name changes).
+ (bz#2267)
+
- ssh(1):
+ Fix passing of wildcard forward bind addresses when connection
+ multiplexing is in use. (bz#2324)
+
- ssh-keygen(1):
+ Fix broken private key conversion from non-OpenSSH formats. (bz#2345)
+
- ssh-keygen(1):
+ Fix KRL generation bug when multiple CAs are in use.
+
- Various fixes to manual pages. (bz#2273, bz#2288 and bz#2316)
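Review bot: the release-note text copied into this hunk carries a few wording defects that should be corrected before the 5.7 page is published: "much more robust again servers" (the ssh-keyscan(1) item) should read "robust against servers"; "Fixes bz#2074 and avoiding needless DNS lookups" should read "and avoids needless DNS lookups"; "a UpdateHostkeys config option" should read "an UpdateHostkeys config option"; and "host canonicalisationmake the second pass" has lost whatever separator stood between "canonicalisation" and "make" (a colon or a dash restores the sentence). Separately, the hunk removes the "Potentially-incompatible changes:", "New/changed features:" and "The following significant bugs have been fixed in this release:" lines while adding the items as one flat list, so the one incompatible change (UseDNS now defaulting to 'no', which affects configurations matching on client host names in sshd_config(5) or authorized_keys) is no longer set apart from ordinary feature entries; keeping those headings, or at least the first one, would make that change harder for administrators to miss.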