===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/62.html,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- www/62.html 2017/10/05 15:58:43 1.55
+++ www/62.html 2017/10/05 16:22:08 1.56
@@ -446,7 +446,8 @@
- Security:
- - ...
+
- sftp-server(8): in read-only mode, sftp-server was incorrectly
+ permitting creation of zero-length files.
- New/changed features:
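Review bot: The security entry added in this hunk ("sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files") states the bug but not its impact; consider adding a clause noting that a client connected to a read-only sftp-server could still create (empty) files on the server, so readers relying on read-only mode as a control understand what was exposed before the fix.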
@@ -455,11 +456,92 @@
config file instead of giving it on the client's command
line.
The feature allows to automate tasks using ssh config.
- - ...
+
- sshd(8): add ExposeAuthInfo option that enables writing details of
+ the authentication methods used (including public keys where
+ applicable) to a file that is exposed via a $SSH_USER_AUTH
+ environment variable in the subsequent session.
+
- ssh(1): add support for reverse dynamic forwarding. In this mode,
+ ssh will act as a SOCKS4/5 proxy and forward connections
+ to destinations requested by the remote SOCKS client. This mode
+ is requested using extended syntax for the -R and RemoteForward
+ options and, because it is implemented solely at the client,
+ does not require the server be updated to be supported.
+
- sshd(8): allow LogLevel directive in sshd_config Match blocks.
+
- ssh-keygen(1): allow inclusion of arbitrary string or flag
+ certificate extensions and critical options.`
+
- ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as
+ a CA when signing certificates.
+
- ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit
+ ToS/DSCP value and just use the operating system default.
+
- ssh-add(1): added -q option to make ssh-add quiet on success.
+
- ssh(1): expand the StrictHostKeyChecking option with two new
+ settings. The first "accept-new" will automatically accept
+ hitherto-unseen keys but will refuse connections for changed or
+ invalid hostkeys. This is a safer subset of the current behaviour
+ of StrictHostKeyChecking=no. The second setting "off", is a synonym
+ for the current behaviour of StrictHostKeyChecking=no: accept new
+ host keys, and continue connection for hosts with incorrect
+ hostkeys. A future release will change the meaning of
+ StrictHostKeyChecking=no to the behaviour of "accept-new".
+
- ssh(1): add SyslogFacility option to ssh(1) matching the equivalent
+ option in sshd(8).
- The following significant bugs have been fixed in this release:
- - ...
+
- ssh(1): use HostKeyAlias if specified instead of hostname for
+ matching host certificate principal names
+
- sftp(1): implement sorting for globbed ls.
+
- ssh(1): add a user@host prefix to client's "Permission denied"
+ messages, useful in particular when using "stacked" connections
+ (e.g. ssh -J) where it's not clear which host is denying.
+
- ssh(1): accept unknown EXT_INFO extension values that contain \0
+ characters. These are legal, but would previously cause fatal
+ connection errors if received.
+
- ssh(1)/sshd(8): repair compression statistics printed at
+ connection exit.
+
- sftp(1): print '?' instead of incorrect link count (that the
+ protocol doesn't provide) for remote listings.
+
- ssh(1): return failure rather than fatal() for more cases during
+ session multiplexing negotiations. Causes the session to fall back
+ to a non-mux connection if they occur.
+
- ssh(1): mention that the server may send debug messages to explain
+ public key authentication problems under some circumstances.
+
- Translate OpenSSL error codes to better report incorrect passphrase
+ errors when loading private keys.
+
- sshd(8): adjust compatibility patterns for WinSCP to correctly
+ identify versions that implement only the legacy DH group exchange
+ scheme.
+
- ssh(1): print the "Killed by signal 1" message only at LogLevel
+ verbose so that it is not shown at the default level; prevents it
+ from appearing during ssh -J and equivalent ProxyCommand configs.
+
- ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
+ existing keys if they exist but are zero length. zero-length keys
+ could previously be made if ssh-keygen failed or was interrupted part
+ way through generating them.
+
- ssh(1): fix pledge(2) violation in the escape sequence "~&" used to
+ place the current session in the background.
+
- ssh-keyscan(1): avoid double-close() on file descriptors.
+
- sshd(8): avoid reliance on shared use of pointers shared between
+ monitor and child sshd processes.
+
- sshd_config(8): document available AuthenticationMethods.
+
- ssh(1): avoid truncation in some login prompts.
+
- ssh(1): make "--" before the hostname terminate argument processing
+ after the hostname too.
+
- ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
+ new-style private keys. Fixes problems related to private key
+ handling for no-OpenSSL builds.
+
- ssh(1): warn and do not attempt to use keys when the public and
+ private halves do not match.
+
- sftp(1): don't print verbose error message when ssh disconnects
+ from under sftp.
+
- sshd(8): fix keepalive scheduling problem: activity on a forwarded
+ port from preventing the keepalive from being sent.
+
- sshd(8): when started without root privileges, don't require the
+ privilege separation user or path to exist. Makes running the
+ regression tests easier without touching the filesystem.
+
- Make integrity.sh regression tests more robust against timeouts.
+
- ssh(1)/sshd(8): correctness fix for channels implementation: accept
+ channel IDs greater than 0x7FFFFFFF.
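Review bot: There is a stray backtick at the end of the ssh-keygen(1) entry ("certificate extensions and critical options.`") that will render literally in the HTML; drop it. Two other sentences in the added text are garbled: the keepalive entry ("fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent") is missing its verb and should read along the lines of "stop activity on a forwarded port from preventing the keepalive from being sent", and the monitor entry ("avoid reliance on shared use of pointers shared between monitor and child sshd processes") repeats "shared". Minor: the HostKeyAlias entry lacks a terminating period and "zero-length keys could previously..." starts a sentence in lowercase.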