| version 1.44, 2016/02/25 16:08:18 |
version 1.45, 2016/02/28 01:54:57 |
|
|
| <tt>PermitRootLogin=prohibit-password/without-password</tt> that could, |
<tt>PermitRootLogin=prohibit-password/without-password</tt> that could, |
| depending on compile-time configuration, permit password authentication |
depending on compile-time configuration, permit password authentication |
| to root while preventing other forms of authentication. |
to root while preventing other forms of authentication. |
| <li>Eliminate the fallback from untrusted X11-forwarding to trusted |
|
| forwarding for cases when the X server disables the <tt>SECURITY</tt> |
|
| extension. |
|
| <li>Fix an out of-bound read access in the packet handling code. |
<li>Fix an out of-bound read access in the packet handling code. |
| <li>Further use of |
<li>Further use of |
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bzero&sektion=3">explicit_bzero(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bzero&sektion=3">explicit_bzero(3)</a> |
| has been added in various buffer handling code paths to guard against |
has been added in various buffer handling code paths to guard against |
| compilers aggressively doing dead-store removal. |
compilers aggressively doing dead-store removal. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
remove unfinished and unused roaming code. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
eliminate fallback from untrusted X11 forwarding to trusted forwarding |
| |
when the X server disables the <tt>SECURITY</tt> extension. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
increase the minimum modulus size supported for |
| |
<tt>diffie-hellman-group-exchange</tt> to 2048 bits. |
| </ul> |
</ul> |
| |
<li>Potentially-incompatible changes: |
| |
<ul> |
| |
<li>This release disables a number of legacy cryptographic algorithms |
| |
by default in |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
<ul> |
| |
<li>Several ciphers: <tt>blowfish-cbc</tt>, <tt>cast128-cbc</tt>, |
| |
all <tt>arcfour</tt> variants and the <tt>rijndael-cbc</tt> aliases |
| |
for AES. |
| |
<li>MD5-based and truncated HMAC algorithms. |
| |
</ul> |
| |
</ul> |
| |
<li>New/changed features: |
| |
<ul> |
| |
<li>all: add support for RSA signatures using SHA-256/512 hash algorithms |
| |
based on <tt>draft-rsa-dsa-sha2-256-03.txt</tt> and |
| |
<tt>draft-ssh-ext-info-04.txt</tt>. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
Add an <tt>AddKeysToAgent</tt> client option which can be set to |
| |
<tt>yes</tt>, <tt>no</tt>, <tt>ask</tt>, or <tt>confirm</tt>, and |
| |
defaults to <tt>no</tt>. When enabled, a private key that is used |
| |
during authentication will be added to |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a> |
| |
if it is running (with confirmation enabled if set to <tt>confirm</tt>). |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
add a new <tt>authorized_keys</tt> option <tt>restrict</tt> that |
| |
includes all current and future key restrictions |
| |
(<tt>no-*-forwarding</tt>, etc.). |
| |
Also add permissive versions of the existing restrictions, e.g. |
| |
<tt>no-pty</tt> -> <tt>pty</tt>. This simplifies the task of setting up |
| |
restricted keys and ensures they are maximally-restricted, |
| |
regardless of any permissions we might implement in the future. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
add |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a> |
| |
CertificateFile option to explicitly list certificates. (bz#2436) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
allow |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a> |
| |
to change the key comment for all supported formats. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
allow fingerprinting from standard input, e.g. "ssh-keygen -lf -". |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
allow fingerprinting multiple public keys in a file, e.g. |
| |
<tt>ssh-keygen -lf ~/.ssh/authorized_keys</tt>. (bz#1319) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
support <tt>none</tt> as an argument for |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a> |
| |
<tt>Foreground</tt> and <tt>ChrootDirectory</tt>. Useful inside |
| |
<tt>Match</tt> blocks to override a global default. (bz#2486) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
support multiple certificates (one per line) and reading from standard |
| |
input (using "<tt>-f -</tt>") for <tt>ssh-keygen -L</tt>. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>: |
| |
add <tt>ssh-keyscan -c ...</tt> flag to allow fetching certificates |
| |
instead of plain keys. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
better handle anchored FQDNs (e.g. <tt>cvs.openbsd.org.</tt>) in |
| |
hostname canonicalisation - treat them as already canonical and |
| |
trailing '<tt>.</tt>' before matching |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>. |
| |
</ul> |
| <li>The following significant bugs have been fixed in this release: |
<li>The following significant bugs have been fixed in this release: |
| <ul> |
<ul> |
| <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
|
|
| <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>. |
| <li>Correctly interpret the <tt>first_kex_follows</tt> option during the |
<li>Correctly interpret the <tt>first_kex_follows</tt> option during the |
| initial key exchange. |
initial key exchange. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1">sftp(1)</a>: |
| |
existing destination directories should not terminate recursive uploads |
| |
(regression in openssh 6.8). (bz#2528) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
correctly send back <tt>SSH2_MSG_UNIMPLEMENTED</tt> replies to |
| |
unexpected messages during key exchange. (bz#2949) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
refuse attempts to set <tt>ConnectionAttempts=0</tt>, which does not |
| |
make sense and would cause ssh to print an uninitialised stack |
| |
variable. (bz#2500) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix errors when attempting to connect to scoped IPv6 addresses with |
| |
hostname canonicalisation enabled. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>: |
| |
list a couple more options usable in <tt>Match</tt> blocks. (bz#2489) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix <tt>PubkeyAcceptedKeyTypes +...</tt> inside a <tt>Match</tt> block. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
expand tilde characters in filenames passed to <tt>-i</tt> options |
| |
before checking whether or not the identity file exists. Avoids |
| |
confusion for cases where shell doesn't expand (e.g. |
| |
<tt>-i ~/file</tt> vs. <tt>-i~/file</tt>). (bz#2481) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
do not prepend "exec" to the shell command run by <tt>Match exec</tt> |
| |
in a config file, which could cause some commands to fail in certain |
| |
environments. (bz#2471) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keyscan&sektion=1">ssh-keyscan(1)</a>: |
| |
fix output for multiple hosts/addrs on one line when host hashing or |
| |
a non standard port is in use. (bz#2479) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
skip "Could not chdir to home directory" message when |
| |
<tt>ChrootDirectory</tt> is active. (bz#2485) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
include <tt>PubkeyAcceptedKeyTypes</tt> in <tt>ssh -G</tt> config dump. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
avoid changing <tt>TunnelForwarding</tt> device flags if they are |
| |
already what is needed; makes it possible to use |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tun&sektion=4">tun(4)</a>/ |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tap&sektion=4">tap(4)</a> |
| |
networking as non-root user if device permissions and interface flags |
| |
are pre-established. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
<tt>RekeyLimits</tt> could be exceeded by one packet. (bz#2521) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix multiplexing master failure to notice client exit. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>: |
| |
avoid <tt>fatal()</tt> for PKCS11 tokens that present empty key IDs. |
| |
(bz#1773) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
avoid |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=printf&sektion=3">printf(3)</a> |
| |
of NULL argument. (bz#2535) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
allow <tt>RekeyLimits</tt> larger than 4GB. (bz#2521) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix several bugs in (unused) KRL signature support. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix connections with peers that use the key exchange guess feature of |
| |
the protocol. (bz#2515) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
include remote port number in log messages. (bz#2503) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
don't try to load SSHv1 private key when compiled without SSHv1 |
| |
support. (bz#2505) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix incorrect error messages during key loading and signing errors. |
| |
(bz#2507) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>: |
| |
don't leave empty temporary files when performing <tt>known_hosts</tt> |
| |
file edits when <tt>known_hosts</tt> doesn't exist. |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
correct packet format for tcpip-forward replies for requests that |
| |
don't allocate a port. (bz#2509) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix possible hang on closed output. (bz#2469) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
expand <tt>%i</tt> in <tt>ControlPath</tt> to UID. (bz#2449) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix return type of <tt>openssh_RSA_verify</tt>. (bz#2460) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>, |
| |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>: |
| |
fix some option parsing memory leaks. (bz#2182) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
add a some debug output before DNS resolution; it's a place where |
| |
ssh could previously silently stall in cases of unresponsive DNS |
| |
servers. (bz#2433) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
remove spurious newline in visual hostkey. (bz#2686) |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix printing (<tt>ssh -G ...</tt>) of <tt>HostKeyAlgorithms=+...</tt> |
| |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>: |
| |
fix expansion of <tt>HostkeyAlgorithms=+...</tt> |
| </ul> |
</ul> |
| </ul> |
</ul> |
| <p> |
<p> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 59.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www