===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/65.html,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- www/65.html 2019/04/10 15:35:17 1.62
+++ www/65.html 2019/04/10 17:21:24 1.63
@@ -324,6 +324,134 @@
+
OpenSSH 8.0
+
+ - New Features
+
+ - ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
+ PKCS#11 tokens.
+
- ssh(1), sshd(8): Add experimental quantum-computing resistant
+ key exchange method, based on a combination of Streamlined NTRU
+ Prime 4591^761 and X25519.
+
- ssh-keygen(1): Increase the default RSA key size to 3072 bits,
+ following NIST Special Publication 800-57's guidance for a
+ 128-bit equivalent symmetric security level.
+
- ssh(1): Allow "PKCS11Provider=none" to override later instances of
+ the PKCS11Provider directive in ssh_config; bz#2974
+
- sshd(8): Add a log message for situations where a connection is
+ dropped for attempting to run a command but a sshd_config
+ ForceCommand=internal-sftp restriction is in effect; bz#2960
+
- ssh(1): When prompting whether to record a new host key, accept
+ the key fingerprint as a synonym for "yes". This allows the user
+ to paste a fingerprint obtained out of band at the prompt and
+ have the client do the comparison for you.
+
- ssh-keygen(1): When signing multiple certificates on a single
+ command-line invocation, allow automatically incrementing the
+ certificate serial number.
+
- scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
+ the scp and sftp command-lines.
+
- ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
+ command-line flags to increase the verbosity of output; pass
+ verbose flags though to subprocesses, such as ssh-pkcs11-helper
+ started from ssh-agent.
+
- ssh-add(1): Add a "-T" option to allowing testing whether keys in
+ an agent are usable by performing a signature and a verification.
+
- sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
+ that replicates the functionality of the existing SSH2_FXP_SETSTAT
+ operation but does not follow symlinks. bz#2067
+
- sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
+ they do not follow symlinks.
+
- sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
+ the connection 4-tuple available to PAM modules that wish to use
+ it in decision-making. bz#2741
+
- sshd(8): Add a ssh_config "Match final" predicate Matches in same
+ pass as "Match canonical" but doesn't require hostname
+ canonicalisation be enabled. bz#2906
+
- sftp(1): Support a prefix of '@' to suppress echo of sftp batch
+ commands; bz#2926
+
- ssh-keygen(1): When printing certificate contents using
+ "ssh-keygen -Lf /path/certificate", include the algorithm that
+ the CA used to sign the cert.
+
+ - Bugfixes
+
+ - sshd(8): Fix authentication failures when sshd_config contains
+ "AuthenticationMethods any" inside a Match block that overrides
+ a more restrictive default.
+
- sshd(8): Avoid sending duplicate keepalives when ClientAliveCount
+ is enabled.
+
- sshd(8): Fix two race conditions related to SIGHUP daemon restart.
+ Remnant file descriptors in recently-forked child processes could
+ block the parent sshd's attempt to listen(2) to the configured
+ addresses. Also, the restarting parent sshd could exit before any
+ child processes that were awaiting their re-execution state had
+ completed reading it, leaving them in a fallback path.
+
- ssh(1): Fix stdout potentially being redirected to /dev/null when
+ ProxyCommand=- was in use.
+
- sshd(8): Avoid sending SIGPIPE to child processes if they attempt
+ to write to stderr after their parent processes have exited;
+ bz#2071
+
- ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
+ and ConnectionAttempts directives - connection attempts after the
+ first were ignoring the requested timeout; bz#2918
+
- ssh-keyscan(1): Return a non-zero exit status if no keys were
+ found; bz#2903
+
- scp(1): Sanitize scp filenames to allow UTF-8 characters without
+ terminal control sequences; bz#2434
+
- sshd(8): Fix confusion between ClientAliveInterval and time-based
+ RekeyLimit that could cause connections to be incorrectly closed.
+ bz#2757
+
- ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
+ handling at initial token login. The attempt to read the PIN
+ could be skipped in some cases, particularly on devices with
+ integrated PIN readers. This would lead to an inability to
+ retrieve keys from these tokens. bz#2652
+
- ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
+ CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
+ C_SignInit operation. bz#2638
+
- ssh(1): Improve documentation for ProxyJump/-J, clarifying that
+ local configuration does not apply to jump hosts.
+
- ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
+ public keys, not private.
+
- ssh(1), sshd(8): be more strict in processing protocol banners,
+ allowing \r characters only immediately before \n.
+
- Various: fix a number of memory leaks, including bz#2942 and
+ bz#2938
+
- scp(1), sftp(1): fix calculation of initial bandwidth limits.
+ Account for bytes written before the timer starts and adjust the
+ schedule on which recalculations are performed. Avoids an initial
+ burst of traffic and yields more accurate bandwidth limits;
+ bz#2927
+
- sshd(8): Only consider the ext-info-c extension during the initial
+ key eschange. It shouldn't be sent in subsequent ones, but if it
+ is present we should ignore it. This prevents sshd from sending a
+ SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929
+
- ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
+ authorized_keys) and -R (remove host from authorized_keys) options
+ may accept either a bare hostname or a [hostname]:port combo.
+ bz#2935
+
- ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936
+
- sshd(8): Silence error messages when sshd fails to load some of
+ the default host keys. Failure to load an explicitly-configured
+ hostkey is still an error, and failure to load any host key is
+ still fatal. pr/103
+
- ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
+ started with ControlPersist; prevents random ProxyCommand output
+ from interfering with session output.
+
- ssh(1): The ssh client was keeping a redundant ssh-agent socket
+ (leftover from authentication) around for the life of the
+ connection; bz#2912
+
- sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
+ PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types
+ were specified, then authentication would always fail for RSA keys
+ as the monitor checks only the base key (not the signature
+ algorithm) type against *AcceptedKeyTypes. bz#2746
+
- ssh(1): Request correct signature types from ssh-agent when
+ certificate keys and RSA-SHA2 signatures are in use.
+
+
+
+
Mandoc 1.14.5