| version 1.14, 2015/08/06 10:41:35 |
version 1.15, 2015/08/06 11:23:31 |
|
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| <li>OpenSSH X.X |
<li>OpenSSH 7.0 |
| <ul> |
<ul> |
| |
<li>Security: |
| |
<ul> |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. |
| |
Local attackers may be able to write arbitrary messages to logged-in |
| |
users, including terminal escape sequences. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix circumvention of <tt>MaxAuthTries</tt> using keyboard-interactive |
| |
authentication. By specifying a long, repeating keyboard-interactive |
| |
"devices" string, an attacker could request the same authentication |
| |
method be tried thousands of times in a single pass. The |
| |
<tt>LoginGraceTime</tt> timeout in |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a> |
| |
and any authentication failure delays implemented by the authentication |
| |
mechanism itself were still applied. |
| |
</ul> |
| <li>Potentially-incompatible changes: |
<li>Potentially-incompatible changes: |
| <ul> |
<ul> |
| <li>... |
<li>Support for the legacy <i>SSH version 1 protocol</i> is disabled by |
| |
default at compile time. |
| |
<li>Support for the 1024-bit diffie-hellman-group1-sha1 key exchange |
| |
is disabled by default at run-time. It may be re-enabled using |
| |
the instructions at <tt>http://www.openssh.com/legacy.html</tt>. |
| |
<li>Support for <tt>ssh-dss</tt>, <tt>ssh-dss-cert-*</tt> <i>host</i> |
| |
and <i>user</i> keys is disabled by default at run-time. These may |
| |
be re-enabled using the instructions at |
| |
<tt>http://www.openssh.com/legacy.html</tt>. |
| |
<li>Support for the legacy <i>v00 cert format</i> has been removed. |
| |
<li>The default for the |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
| |
<tt>PermitRootLogin</tt> option has changed from "yes" to |
| |
"without-password". |
| </ul> |
</ul> |
| <li>New/changed features: |
<li>New/changed features: |
| <ul> |
<ul> |
| <li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public |
| |
key types are available for user authentication. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>: |
| |
add <tt>HostKeyAlgorithms</tt> option to control which public key |
| |
types are offered for host authentications. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
extend <tt>Ciphers</tt>, <tt>MACs</tt>, <tt>KexAlgorithms</tt>, |
| |
<tt>HostKeyAlgorithms</tt>, <tt>PubkeyAcceptedKeyTypes</tt> and |
| |
<tt>HostbasedKeyTypes</tt> options to allow appending to the default |
| |
set of algorithms instead of replacing it. Options may now be |
| |
prefixed with a <tt>+</tt> to append to the default, e.g. |
| |
"<tt>HostKeyAlgorithms=+ssh-dss</tt>". |
| </ul> |
</ul> |
| <li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
| <ul> |
<ul> |
| <li>... |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
add compatability workarounds for Cisco and more PuTTY versions. |
| |
(bz#2424) |
| |
<li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and |
| |
<tt>PROTCOL.mux</tt> documentation relating to <i>Unix domain |
| |
socket</i> forwarding. (bz#2421, bz#2422) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Improve the |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a> |
| |
manual page to include a better desciption of Unix domain socket |
| |
forwarding. (bz#2423) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| |
skip uninitialised PKCS#11 slots, fixing failures to load keys when |
| |
they are present. (bz#2427) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| |
do not ignore PKCS#11 hosted keys that wth empty <tt>CKA_ID</tt>. |
| |
(bz#2429) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
clarify documentation for <tt>UseDNS</tt> option. (bz#2045) |
| </ul> |
</ul> |
| </ul> |
</ul> |
| <p> |
<p> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 58.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www