version 1.44, 2016/02/25 16:08:18
version 1.45, 2016/02/28 01:54:57

<tt>PermitRootLogin=prohibit-password/without-password</tt> that could,
depending on compile-time configuration, permit password authentication
to root while preventing other forms of authentication.
<li>Fix an out-of-bounds read access in the packet handling code.
<li>Further use of
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bzero&sektion=3">explicit_bzero(3)</a>
has been added in various buffer handling code paths to guard against
compilers aggressively doing dead-store removal.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
remove unfinished and unused roaming code.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
eliminate fallback from untrusted X11 forwarding to trusted forwarding
when the X server disables the <tt>SECURITY</tt> extension.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
increase the minimum modulus size supported for
<tt>diffie-hellman-group-exchange</tt> to 2048 bits.
</ul>
<li>Potentially-incompatible changes:
<ul>
<li>This release disables a number of legacy cryptographic algorithms
by default in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
<ul>
<li>Several ciphers: <tt>blowfish-cbc</tt>, <tt>cast128-cbc</tt>,
all <tt>arcfour</tt> variants and the <tt>rijndael-cbc</tt> aliases
for AES.
<li>MD5-based and truncated HMAC algorithms.
</ul>
</ul>
<li>New/changed features:
<ul>
<li>all: add support for RSA signatures using SHA-256/512 hash algorithms
based on <tt>draft-rsa-dsa-sha2-256-03.txt</tt> and
<tt>draft-ssh-ext-info-04.txt</tt>.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
Add an <tt>AddKeysToAgent</tt> client option which can be set to
<tt>yes</tt>, <tt>no</tt>, <tt>ask</tt>, or <tt>confirm</tt>, and
defaults to <tt>no</tt>. When enabled, a private key that is used
during authentication will be added to
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>
if it is running (with confirmation enabled if set to <tt>confirm</tt>).
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
add a new <tt>authorized_keys</tt> option <tt>restrict</tt> that
includes all current and future key restrictions
(<tt>no-*-forwarding</tt>, etc.).
Also add permissive versions of the existing restrictions, e.g.
<tt>no-pty</tt> -> <tt>pty</tt>. This simplifies the task of setting up
restricted keys and ensures they are maximally restricted,
regardless of any permissions we might implement in the future.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
add
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>
<tt>CertificateFile</tt> option to explicitly list certificates. (bz#2436)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
allow
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>
to change the key comment for all supported formats.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
allow fingerprinting from standard input, e.g. "<tt>ssh-keygen -lf -</tt>".
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
allow fingerprinting multiple public keys in a file, e.g.
<tt>ssh-keygen -lf ~/.ssh/authorized_keys</tt>. (bz#1319)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
support <tt>none</tt> as an argument for
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
<tt>Foreground</tt> and <tt>ChrootDirectory</tt>. Useful inside
<tt>Match</tt> blocks to override a global default. (bz#2486)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
support multiple certificates (one per line) and reading from standard
input (using "<tt>-f -</tt>") for <tt>ssh-keygen -L</tt>.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>:
add <tt>ssh-keyscan -c ...</tt> flag to allow fetching certificates
instead of plain keys.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
better handle anchored FQDNs (e.g. <tt>cvs.openbsd.org.</tt>) in
hostname canonicalisation - treat them as already canonical and
remove the trailing '<tt>.</tt>' before matching
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>.
</ul>
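<p>
The <tt>restrict</tt> option is worth checking for in existing
<tt>authorized_keys</tt> files: a key that only stacks individual
<tt>no-*</tt> options is protected against today's permissions, not against
ones a future release adds. The audit script below is an added example written
for this page, not OpenSSH code; it assumes the permissive option names other
than <tt>pty</tt> from their <tt>no-*</tt> counterparts, and the sample file it
parses is constructed.
</p>

```python
# Added example, not OpenSSH code: audit authorized_keys for the 7.2 'restrict' option.
# Keys that only stack no-* options stay open to any permission a later release adds;
# 'restrict' closes that gap, and a permissive option such as 'pty' reopens exactly one.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Permissive names assumed from their no-* counterparts on the page (no-pty -> pty).
PERMISSIVE = {"pty", "port-forwarding", "agent-forwarding", "X11-forwarding", "user-rc"}

SAMPLE = """# constructed sample file, not taken from a real host
command="/usr/bin/rrsync /backups",no-pty,no-port-forwarding ssh-ed25519 AAAAC3Nz... backup
restrict,pty ssh-ed25519 AAAAC3Nz... ops
ssh-rsa AAAAB3Nz... legacy
restrict,command="/usr/local/bin/deploy, --quiet" ssh-ed25519 AAAAC3Nz... deploy
"""

def parse_entry(line):
    """Return (option names, key type, comment) for one non-blank, non-comment entry.
    The options field ends at the first unquoted whitespace and splits on unquoted
    commas, so command="ls -l, -a" stays a single option."""
    opts, cur, quoted, i = [], [], False, 0
    if line.split(None, 1)[0] not in KEY_TYPES:   # the line has an options field
        while i < len(line):
            ch = line[i]
            if quoted and ch == "\\":             # keep escapes inside quotes intact
                cur.append(line[i:i + 2]); i += 2; continue
            if ch == '"':
                quoted = not quoted
            if ch.isspace() and not quoted:
                break
            if ch == "," and not quoted:
                opts.append("".join(cur)); cur = []
            else:
                cur.append(ch)
            i += 1
        opts.append("".join(cur))
    parts = line[i:].split(None, 2)               # key type, base64 key, comment
    return [o.split("=", 1)[0] for o in opts if o], parts[0], parts[2] if len(parts) > 2 else ""

def audit(text):
    """Classify each key as 'restrict', 'partial' (no-* options only) or 'unrestricted'."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, comment = parse_entry(line)
        status = ("restrict" if "restrict" in names else
                  "partial" if any(n.startswith("no-") for n in names) else "unrestricted")
        # Third element: permissive options this key re-enables on top of 'restrict'.
        report.append((comment or keytype, status, sorted(set(names) & PERMISSIVE)))
    return report
```

Run against the constructed sample, the backup key shows up as "partial": it forbids a PTY and port forwarding today but would silently gain any permission a later release introduces.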
<li>The following significant bugs have been fixed in this release:
<ul>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,

<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>.
<li>Correctly interpret the <tt>first_kex_follows</tt> option during the
initial key exchange.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>:
existing destination directories should not terminate recursive uploads
(regression in openssh 6.8). (bz#2528)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
correctly send back <tt>SSH2_MSG_UNIMPLEMENTED</tt> replies to
unexpected messages during key exchange. (bz#2949)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
refuse attempts to set <tt>ConnectionAttempts=0</tt>, which does not
make sense and would cause ssh to print an uninitialised stack
variable. (bz#2500)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
fix errors when attempting to connect to scoped IPv6 addresses with
hostname canonicalisation enabled.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>:
list a couple more options usable in <tt>Match</tt> blocks. (bz#2489)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix <tt>PubkeyAcceptedKeyTypes +...</tt> inside a <tt>Match</tt> block.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
expand tilde characters in filenames passed to <tt>-i</tt> options
before checking whether or not the identity file exists. Avoids
confusion for cases where the shell doesn't expand (e.g.
<tt>-i ~/file</tt> vs. <tt>-i~/file</tt>). (bz#2481)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
do not prepend "exec" to the shell command run by <tt>Match exec</tt>
in a config file, which could cause some commands to fail in certain
environments. (bz#2471)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>:
fix output for multiple hosts/addrs on one line when host hashing or
a non-standard port is in use. (bz#2479)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
skip "Could not chdir to home directory" message when
<tt>ChrootDirectory</tt> is active. (bz#2485)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
include <tt>PubkeyAcceptedKeyTypes</tt> in <tt>ssh -G</tt> config dump.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
avoid changing <tt>TunnelForwarding</tt> device flags if they are
already what is needed; makes it possible to use
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4">tun(4)</a>/
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tap&sektion=4">tap(4)</a>
networking as a non-root user if device permissions and interface flags
are pre-established.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
<tt>RekeyLimits</tt> could be exceeded by one packet. (bz#2521)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
fix multiplexing master failure to notice client exit.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
avoid <tt>fatal()</tt> for PKCS11 tokens that present empty key IDs.
(bz#1773)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
avoid
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=printf&sektion=3">printf(3)</a>
of NULL argument. (bz#2535)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
allow <tt>RekeyLimits</tt> larger than 4GB. (bz#2521)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix several bugs in (unused) KRL signature support.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix connections with peers that use the key exchange guess feature of
the protocol. (bz#2515)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
include remote port number in log messages. (bz#2503)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
don't try to load SSHv1 private key when compiled without SSHv1
support. (bz#2505)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
fix incorrect error messages during key loading and signing errors.
(bz#2507)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
don't leave empty temporary files when performing <tt>known_hosts</tt>
file edits when <tt>known_hosts</tt> doesn't exist.
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
correct packet format for tcpip-forward replies for requests that
don't allocate a port. (bz#2509)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix possible hang on closed output. (bz#2469)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
expand <tt>%i</tt> in <tt>ControlPath</tt> to UID. (bz#2449)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix return type of <tt>openssh_RSA_verify</tt>. (bz#2460)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
fix some option parsing memory leaks. (bz#2182)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
add some debug output before DNS resolution; it's a place where
ssh could previously silently stall in cases of unresponsive DNS
servers. (bz#2433)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
remove spurious newline in visual hostkey. (bz#2686)
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
fix printing (<tt>ssh -G ...</tt>) of <tt>HostKeyAlgorithms=+...</tt>
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
fix expansion of <tt>HostkeyAlgorithms=+...</tt>
</ul>
</ul>
<p>