===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/65.html,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- www/65.html	2019/04/10 15:35:17	1.62
+++ www/65.html	2019/04/10 17:21:24	1.63
@@ -324,6 +324,134 @@
   </ul>
 <p>
 
+<li>OpenSSH 8.0
+  <ul>
+  <li>New Features
+    <ul>
+    <li>ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
+    PKCS#11 tokens.
+    <li>ssh(1), sshd(8): Add experimental quantum-computing resistant
+    key exchange method, based on a combination of Streamlined NTRU
+    Prime 4591^761 and X25519.
+    <li>ssh-keygen(1): Increase the default RSA key size to 3072 bits,
+    following NIST Special Publication 800-57's guidance for a
+    128-bit equivalent symmetric security level.
+    <li>ssh(1): Allow "PKCS11Provider=none" to override later instances of
+    the PKCS11Provider directive in ssh_config; bz#2974
+    <li>sshd(8): Add a log message for situations where a connection is
+    dropped for attempting to run a command but a sshd_config
+    ForceCommand=internal-sftp restriction is in effect; bz#2960
+    <li>ssh(1): When prompting whether to record a new host key, accept
+    the key fingerprint as a synonym for "yes". This allows the user
+    to paste a fingerprint obtained out of band at the prompt and
+    have the client do the comparison for you.
+    <li>ssh-keygen(1): When signing multiple certificates on a single
+    command-line invocation, allow automatically incrementing the
+    certificate serial number.
+    <li>scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
+    the scp and sftp command-lines.
+    <li>ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
+    command-line flags to increase the verbosity of output; pass
+    verbose flags though to subprocesses, such as ssh-pkcs11-helper
+    started from ssh-agent.
+    <li>ssh-add(1): Add a "-T" option to allowing testing whether keys in
+    an agent are usable by performing a signature and a verification.
+    <li>sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
+    that replicates the functionality of the existing SSH2_FXP_SETSTAT
+    operation but does not follow symlinks. bz#2067
+    <li>sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
+    they do not follow symlinks.
+    <li>sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
+    the connection 4-tuple available to PAM modules that wish to use
+    it in decision-making. bz#2741
+    <li>sshd(8): Add a ssh_config "Match final" predicate Matches in same
+    pass as "Match canonical" but doesn't require hostname
+    canonicalisation be enabled. bz#2906
+    <li>sftp(1): Support a prefix of '@' to suppress echo of sftp batch
+    commands; bz#2926
+    <li>ssh-keygen(1): When printing certificate contents using
+    "ssh-keygen -Lf /path/certificate", include the algorithm that
+    the CA used to sign the cert.
+    </ul>
+  <li>Bugfixes
+    <ul>
+    <li>sshd(8): Fix authentication failures when sshd_config contains
+    "AuthenticationMethods any" inside a Match block that overrides
+    a more restrictive default.
+    <li>sshd(8): Avoid sending duplicate keepalives when ClientAliveCount
+    is enabled.
+    <li>sshd(8): Fix two race conditions related to SIGHUP daemon restart.
+    Remnant file descriptors in recently-forked child processes could
+    block the parent sshd's attempt to listen(2) to the configured
+    addresses. Also, the restarting parent sshd could exit before any
+    child processes that were awaiting their re-execution state had
+    completed reading it, leaving them in a fallback path.
+    <li>ssh(1): Fix stdout potentially being redirected to /dev/null when
+    ProxyCommand=- was in use.
+    <li>sshd(8): Avoid sending SIGPIPE to child processes if they attempt
+    to write to stderr after their parent processes have exited;
+    bz#2071
+    <li>ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
+    and ConnectionAttempts directives - connection attempts after the
+    first were ignoring the requested timeout; bz#2918
+    <li>ssh-keyscan(1): Return a non-zero exit status if no keys were
+    found; bz#2903
+    <li>scp(1): Sanitize scp filenames to allow UTF-8 characters without
+    terminal control sequences;  bz#2434
+    <li>sshd(8): Fix confusion between ClientAliveInterval and time-based
+    RekeyLimit that could cause connections to be incorrectly closed.
+    bz#2757
+    <li>ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
+    handling at initial token login. The attempt to read the PIN
+    could be skipped in some cases, particularly on devices with
+    integrated PIN readers. This would lead to an inability to
+    retrieve keys from these tokens. bz#2652
+    <li>ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
+    CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
+    C_SignInit operation. bz#2638
+    <li>ssh(1): Improve documentation for ProxyJump/-J, clarifying that
+    local configuration does not apply to jump hosts.
+    <li>ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
+    public keys, not private.
+    <li>ssh(1), sshd(8): be more strict in processing protocol banners,
+    allowing \r characters only immediately before \n.
+    <li>Various: fix a number of memory leaks, including bz#2942 and
+    bz#2938
+    <li>scp(1), sftp(1): fix calculation of initial bandwidth limits.
+    Account for bytes written before the timer starts and adjust the
+    schedule on which recalculations are performed. Avoids an initial
+    burst of traffic and yields more accurate bandwidth limits;
+    bz#2927
+    <li>sshd(8): Only consider the ext-info-c extension during the initial
+    key eschange. It shouldn't be sent in subsequent ones, but if it
+    is present we should ignore it. This prevents sshd from sending a
+    SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929
+    <li>ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in 
+    authorized_keys) and -R (remove host from authorized_keys) options
+    may accept either a bare hostname or a [hostname]:port combo.
+    bz#2935
+    <li>ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936
+    <li>sshd(8): Silence error messages when sshd fails to load some of
+    the default host keys. Failure to load an explicitly-configured
+    hostkey is still an error, and failure to load any host key is
+    still fatal. pr/103
+    <li>ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
+    started with ControlPersist; prevents random ProxyCommand output
+    from interfering with session output.
+    <li>ssh(1): The ssh client was keeping a redundant ssh-agent socket
+    (leftover from authentication) around for the life of the
+    connection; bz#2912
+    <li>sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
+    PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types
+    were specified, then authentication would always fail for RSA keys
+    as the monitor checks only the base key (not the signature
+    algorithm) type against *AcceptedKeyTypes. bz#2746
+    <li>ssh(1): Request correct signature types from ssh-agent when
+    certificate keys and RSA-SHA2 signatures are in use.
+    </ul>
+  </ul>
+<p>
+
 <li>Mandoc 1.14.5
   <ul>
     <li>
