version 1.14, 2015/08/06 10:41:35 |
version 1.15, 2015/08/06 11:23:31 |
|
|
</ul> |
</ul> |
<p> |
<p> |
|
|
<li>OpenSSH X.X |
<li>OpenSSH 7.0 |
<ul> |
<ul> |
|
<li>Security: |
|
<ul> |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. |
|
Local attackers may be able to write arbitrary messages to logged-in |
|
users, including terminal escape sequences. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
fix circumvention of <tt>MaxAuthTries</tt> using keyboard-interactive |
|
authentication. By specifying a long, repeating keyboard-interactive |
|
"devices" string, an attacker could request the same authentication |
|
method be tried thousands of times in a single pass. The |
|
<tt>LoginGraceTime</tt> timeout in |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> |
|
and any authentication failure delays implemented by the authentication |
|
mechanism itself were still applied. |
|
</ul> |
<li>Potentially-incompatible changes: |
<li>Potentially-incompatible changes: |
<ul> |
<ul> |
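Review bot: the closing sentence of the MaxAuthTries item ("The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied.") reads as if it describes the fix, when it is describing what still bounded the attack before the fix; consider "The bypass was still limited by the LoginGraceTime timeout and by any failure delays the authentication mechanism itself applies." Also, neither security item in this hunk cites a bug number, while every entry in the bug-fix section below carries a (bz#NNNN) reference; if tracker entries exist for these two, cite them for consistency.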
<li>... |
<li>Support for the legacy <i>SSH version 1 protocol</i> is disabled by |
|
default at compile time. |
|
<li>Support for the 1024-bit diffie-hellman-group1-sha1 key exchange |
|
is disabled by default at run-time. It may be re-enabled using |
|
the instructions at <tt>http://www.openssh.com/legacy.html</tt>. |
|
<li>Support for <tt>ssh-dss</tt>, <tt>ssh-dss-cert-*</tt> <i>host</i> |
|
and <i>user</i> keys is disabled by default at run-time. These may |
|
be re-enabled using the instructions at |
|
<tt>http://www.openssh.com/legacy.html</tt>. |
|
<li>Support for the legacy <i>v00 cert format</i> has been removed. |
|
<li>The default for the |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
|
<tt>PermitRootLogin</tt> option has changed from "yes" to |
|
"without-password". |
</ul> |
</ul> |
<li>New/changed features: |
<li>New/changed features: |
<ul> |
<ul> |
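Review bot: the two legacy.html references (in the diffie-hellman-group1-sha1 item and the ssh-dss item) are wrapped in <tt> rather than linked, while every man page reference in the same section is an <a href>; make them links, e.g. <a href="http://www.openssh.com/legacy.html">http://www.openssh.com/legacy.html</a>. The algorithm name diffie-hellman-group1-sha1 is also bare text, whereas ssh-dss and ssh-dss-cert-* in the next item are in <tt>; wrap it the same way.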
<li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
|
add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public |
|
key types are available for user authentication. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>: |
|
add <tt>HostKeyAlgorithms</tt> option to control which public key |
|
types are offered for host authentications. |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
extend <tt>Ciphers</tt>, <tt>MACs</tt>, <tt>KexAlgorithms</tt>, |
|
<tt>HostKeyAlgorithms</tt>, <tt>PubkeyAcceptedKeyTypes</tt> and |
|
<tt>HostbasedKeyTypes</tt> options to allow appending to the default |
|
set of algorithms instead of replacing it. Options may now be |
|
prefixed with a <tt>+</tt> to append to the default, e.g. |
|
"<tt>HostKeyAlgorithms=+ssh-dss</tt>". |
</ul> |
</ul> |
<li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
<ul> |
<ul> |
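Review bot: the ssh_config(5) item is missing the colon after its closing </a> ("ssh_config(5)</a>" is followed directly by "add PubkeyAcceptedKeyTypes"), unlike the sshd_config(5) item immediately below, which uses "</a>:"; add the colon so the three items in this list are punctuated alike. Minor: "offered for host authentications" in the HostKeyAlgorithms item reads better as "offered for host authentication".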
<li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
add compatability workarounds for Cisco and more PuTTY versions. |
|
(bz#2424) |
|
<li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and |
|
<tt>PROTCOL.mux</tt> documentation relating to <i>Unix domain |
|
socket</i> forwarding. (bz#2421, bz#2422) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
|
Improve the |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
|
manual page to include a better desciption of Unix domain socket |
|
forwarding. (bz#2423) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
|
skip uninitialised PKCS#11 slots, fixing failures to load keys when |
|
they are present. (bz#2427) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
|
do not ignore PKCS#11 hosted keys that wth empty <tt>CKA_ID</tt>. |
|
(bz#2429) |
|
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
|
clarify documentation for <tt>UseDNS</tt> option. (bz#2045) |
</ul> |
</ul> |
</ul> |
</ul> |
<p> |
<p> |
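Review bot: several typos in this hunk: "compatability" in the Cisco/PuTTY item should be "compatibility"; "PROTCOL.mux" should be "PROTOCOL.mux" to match the file name it refers to; "desciption" in the ssh(1) manual item should be "description"; and "hosted keys that wth empty CKA_ID" should read "hosted keys with an empty CKA_ID". Also, the ssh(1) manual item links ssh(1) twice in succession (once as the item's subject and again inside "Improve the ssh(1) manual page"); the second link is redundant.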