=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v retrieving revision 1.55 retrieving revision 1.56 diff -c -r1.55 -r1.56 *** www/62.html 2017/10/05 15:58:43 1.55 --- www/62.html 2017/10/05 16:22:08 1.56 *************** *** 446,452 ****

Security:
- ...
New/changed features:
- sshd(8): add ExposeAuthInfo option that enables writing details of ! the authentication methods used (including public keys where ! applicable) to a file that is exposed via a $SSH_USER_AUTH ! environment variable in the subsequent session. !
- ssh(1): add support for reverse dynamic forwarding. In this mode, ! ssh will act as a SOCKS4/5 proxy and forward connections ! to destinations requested by the remote SOCKS client. This mode ! is requested using extended syntax for the -R and RemoteForward ! options and, because it is implemented solely at the client, ! does not require the server be updated to be supported. !
- sshd(8): allow LogLevel directive in sshd_config Match blocks. !
- ssh-keygen(1): allow inclusion of arbitrary string or flag ! certificate extensions and critical options.` !
- ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as ! a CA when signing certificates. !
- ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ! ToS/DSCP value and just use the operating system default. !
- ssh-add(1): added -q option to make ssh-add quiet on success. !
- ssh(1): expand the StrictHostKeyChecking option with two new ! settings. The first "accept-new" will automatically accept ! hitherto-unseen keys but will refuse connections for changed or ! invalid hostkeys. This is a safer subset of the current behaviour ! of StrictHostKeyChecking=no. The second setting "off", is a synonym ! for the current behaviour of StrictHostKeyChecking=no: accept new ! host keys, and continue connection for hosts with incorrect ! hostkeys. A future release will change the meaning of ! StrictHostKeyChecking=no to the behaviour of "accept-new". !
- ssh(1): add SyslogFacility option to ssh(1) matching the equivalent ! option in sshd(8).
The following significant bugs have been fixed in this release:
- ssh(1): use HostKeyAlias if specified instead of hostname for ! matching host certificate principal names !
- sftp(1): implement sorting for globbed ls. !
- ssh(1): add a user@host prefix to client's "Permission denied" ! messages, useful in particular when using "stacked" connections ! (e.g. ssh -J) where it's not clear which host is denying. !
- ssh(1): accept unknown EXT_INFO extension values that contain \0 ! characters. These are legal, but would previously cause fatal ! connection errors if received. !
- ssh(1)/sshd(8): repair compression statistics printed at ! connection exit. !
- sftp(1): print '?' instead of incorrect link count (that the ! protocol doesn't provide) for remote listings. !
- ssh(1): return failure rather than fatal() for more cases during ! session multiplexing negotiations. Causes the session to fall back ! to a non-mux connection if they occur. !
- ssh(1): mention that the server may send debug messages to explain ! public key authentication problems under some circumstances. !
- Translate OpenSSL error codes to better report incorrect passphrase ! errors when loading private keys. !
- sshd(8): adjust compatibility patterns for WinSCP to correctly ! identify versions that implement only the legacy DH group exchange ! scheme. !
- ssh(1): print the "Killed by signal 1" message only at LogLevel ! verbose so that it is not shown at the default level; prevents it ! from appearing during ssh -J and equivalent ProxyCommand configs. !
- ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber ! existing keys if they exist but are zero length. zero-length keys ! could previously be made if ssh-keygen failed or was interrupted part ! way through generating them. !
- ssh(1): fix pledge(2) violation in the escape sequence "~&" used to ! place the current session in the background. !
- ssh-keyscan(1): avoid double-close() on file descriptors. !
- sshd(8): avoid reliance on shared use of pointers shared between ! monitor and child sshd processes. !
- sshd_config(8): document available AuthenticationMethods. !
- ssh(1): avoid truncation in some login prompts. !
- ssh(1): make "--" before the hostname terminate argument processing ! after the hostname too. !
- ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting ! new-style private keys. Fixes problems related to private key ! handling for no-OpenSSL builds. !
- ssh(1): warn and do not attempt to use keys when the public and ! private halves do not match. !
- sftp(1): don't print verbose error message when ssh disconnects ! from under sftp. !
- sshd(8): fix keepalive scheduling problem: activity on a forwarded ! port from preventing the keepalive from being sent. !
- sshd(8): when started without root privileges, don't require the ! privilege separation user or path to exist. Makes running the ! regression tests easier without touching the filesystem. !
- Make integrity.sh regression tests more robust against timeouts. !
- ssh(1)/sshd(8): correctness fix for channels implementation: accept ! channel IDs greater than 0x7FFFFFFF.