| version 1.62, 2019/04/10 15:35:17 |
version 1.63, 2019/04/10 17:21:24 |
|
|
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
| |
<li>OpenSSH 8.0 |
| |
<ul> |
| |
<li>New Features |
| |
<ul> |
| |
<li>ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in |
| |
PKCS#11 tokens. |
| |
<li>ssh(1), sshd(8): Add experimental quantum-computing resistant |
| |
key exchange method, based on a combination of Streamlined NTRU |
| |
Prime 4591^761 and X25519. |
| |
<li>ssh-keygen(1): Increase the default RSA key size to 3072 bits, |
| |
following NIST Special Publication 800-57's guidance for a |
| |
128-bit equivalent symmetric security level. |
| |
<li>ssh(1): Allow "PKCS11Provider=none" to override later instances of |
| |
the PKCS11Provider directive in ssh_config; bz#2974 |
| |
<li>sshd(8): Add a log message for situations where a connection is |
| |
dropped for attempting to run a command but a sshd_config |
| |
ForceCommand=internal-sftp restriction is in effect; bz#2960 |
| |
<li>ssh(1): When prompting whether to record a new host key, accept |
| |
the key fingerprint as a synonym for "yes". This allows the user |
| |
to paste a fingerprint obtained out of band at the prompt and |
| |
have the client do the comparison for you. |
| |
<li>ssh-keygen(1): When signing multiple certificates on a single |
| |
command-line invocation, allow automatically incrementing the |
| |
certificate serial number. |
| |
<li>scp(1), sftp(1): Accept -J option as an alias to ProxyJump on |
| |
the scp and sftp command-lines. |
| |
<li>ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" |
| |
command-line flags to increase the verbosity of output; pass |
| |
verbose flags though to subprocesses, such as ssh-pkcs11-helper |
| |
started from ssh-agent. |
| |
<li>ssh-add(1): Add a "-T" option to allowing testing whether keys in |
| |
an agent are usable by performing a signature and a verification. |
| |
<li>sftp-server(8): Add a "lsetstat@openssh.com" protocol extension |
| |
that replicates the functionality of the existing SSH2_FXP_SETSTAT |
| |
operation but does not follow symlinks. bz#2067 |
| |
<li>sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request |
| |
they do not follow symlinks. |
| |
<li>sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes |
| |
the connection 4-tuple available to PAM modules that wish to use |
| |
it in decision-making. bz#2741 |
| |
<li>sshd(8): Add a ssh_config "Match final" predicate Matches in same |
| |
pass as "Match canonical" but doesn't require hostname |
| |
canonicalisation be enabled. bz#2906 |
| |
<li>sftp(1): Support a prefix of '@' to suppress echo of sftp batch |
| |
commands; bz#2926 |
| |
<li>ssh-keygen(1): When printing certificate contents using |
| |
"ssh-keygen -Lf /path/certificate", include the algorithm that |
| |
the CA used to sign the cert. |
| |
</ul> |
| |
<li>Bugfixes |
| |
<ul> |
| |
<li>sshd(8): Fix authentication failures when sshd_config contains |
| |
"AuthenticationMethods any" inside a Match block that overrides |
| |
a more restrictive default. |
| |
<li>sshd(8): Avoid sending duplicate keepalives when ClientAliveCount |
| |
is enabled. |
| |
<li>sshd(8): Fix two race conditions related to SIGHUP daemon restart. |
| |
Remnant file descriptors in recently-forked child processes could |
| |
block the parent sshd's attempt to listen(2) to the configured |
| |
addresses. Also, the restarting parent sshd could exit before any |
| |
child processes that were awaiting their re-execution state had |
| |
completed reading it, leaving them in a fallback path. |
| |
<li>ssh(1): Fix stdout potentially being redirected to /dev/null when |
| |
ProxyCommand=- was in use. |
| |
<li>sshd(8): Avoid sending SIGPIPE to child processes if they attempt |
| |
to write to stderr after their parent processes have exited; |
| |
bz#2071 |
| |
<li>ssh(1): Fix bad interaction between the ssh_config ConnectTimeout |
| |
and ConnectionAttempts directives - connection attempts after the |
| |
first were ignoring the requested timeout; bz#2918 |
| |
<li>ssh-keyscan(1): Return a non-zero exit status if no keys were |
| |
found; bz#2903 |
| |
<li>scp(1): Sanitize scp filenames to allow UTF-8 characters without |
| |
terminal control sequences; bz#2434 |
| |
<li>sshd(8): Fix confusion between ClientAliveInterval and time-based |
| |
RekeyLimit that could cause connections to be incorrectly closed. |
| |
bz#2757 |
| |
<li>ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN |
| |
handling at initial token login. The attempt to read the PIN |
| |
could be skipped in some cases, particularly on devices with |
| |
integrated PIN readers. This would lead to an inability to |
| |
retrieve keys from these tokens. bz#2652 |
| |
<li>ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the |
| |
CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the |
| |
C_SignInit operation. bz#2638 |
| |
<li>ssh(1): Improve documentation for ProxyJump/-J, clarifying that |
| |
local configuration does not apply to jump hosts. |
| |
<li>ssh-keygen(1): Clarify manual - ssh-keygen -e only writes |
| |
public keys, not private. |
| |
<li>ssh(1), sshd(8): be more strict in processing protocol banners, |
| |
allowing \r characters only immediately before \n. |
| |
<li>Various: fix a number of memory leaks, including bz#2942 and |
| |
bz#2938 |
| |
<li>scp(1), sftp(1): fix calculation of initial bandwidth limits. |
| |
Account for bytes written before the timer starts and adjust the |
| |
schedule on which recalculations are performed. Avoids an initial |
| |
burst of traffic and yields more accurate bandwidth limits; |
| |
bz#2927 |
| |
<li>sshd(8): Only consider the ext-info-c extension during the initial |
| |
key eschange. It shouldn't be sent in subsequent ones, but if it |
| |
is present we should ignore it. This prevents sshd from sending a |
| |
SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929 |
| |
<li>ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in |
| |
authorized_keys) and -R (remove host from authorized_keys) options |
| |
may accept either a bare hostname or a [hostname]:port combo. |
| |
bz#2935 |
| |
<li>ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936 |
| |
<li>sshd(8): Silence error messages when sshd fails to load some of |
| |
the default host keys. Failure to load an explicitly-configured |
| |
hostkey is still an error, and failure to load any host key is |
| |
still fatal. pr/103 |
| |
<li>ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is |
| |
started with ControlPersist; prevents random ProxyCommand output |
| |
from interfering with session output. |
| |
<li>ssh(1): The ssh client was keeping a redundant ssh-agent socket |
| |
(leftover from authentication) around for the life of the |
| |
connection; bz#2912 |
| |
<li>sshd(8): Fix bug in HostbasedAcceptedKeyTypes and |
| |
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types |
| |
were specified, then authentication would always fail for RSA keys |
| |
as the monitor checks only the base key (not the signature |
| |
algorithm) type against *AcceptedKeyTypes. bz#2746 |
| |
<li>ssh(1): Request correct signature types from ssh-agent when |
| |
certificate keys and RSA-SHA2 signatures are in use. |
| |
</ul> |
| |
</ul> |
| |
<p> |
| |
|
| <li>Mandoc 1.14.5 |
<li>Mandoc 1.14.5 |
| <ul> |
<ul> |
| <li> |
<li> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 65.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www