===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/66.html,v
retrieving revision 1.51
retrieving revision 1.52
diff -c -r1.51 -r1.52
*** www/66.html 2019/10/08 19:23:22 1.51
--- www/66.html 2019/10/09 20:50:35 1.52
***************
*** 672,710 ****
!
OpenSSH 8.X
- New Features
! - Added sshsig, a lightweight signature and verification
! ability for OpenSSH,
! to ssh-keygen(1).
! Signatures can be made and verified using
ssh-keygen
! -Y sign|verify
.
! - Included SHA2-variant RSA key algorithms in KEX proposal,
! allowing ssh-keyscan(1)
! to harvest keys from servers that disable SHA1 ssh-rsa.
!
- Encrypted
! private ssh(1)
! keys that are not in use as protection against speculation
! and memory sidechannel attacks like Spectre, Meltdown,
! Rowhammer and Rambleed.
!
- Adjusted ssh(1)
! to default to using the rsa-sha2-512 signature algorithm when
! signing certificates with an RSA key. This will render these
! certificates incompatible with OpenSSH 7.1 and earlier,
! unless the default is overridden by use of the
! ssh-keygen(1)
! -t flag.
!
- Added logging
! of ssh(1)
! PermitOpen and PermitListen violations.
!
- Allowed prepending a list of algorithms to the default set in ssh(1) by
! starting the list with the ^ character.
- Bugfixes
Mandoc XXX
--- 672,802 ----
! OpenSSH 8.1
- New Features
! - ssh(1): Allow %n to be
! expanded in ProxyCommand strings
!
- ssh(1),
! sshd(8): Allow
! prepending a list of algorithms to the default set by
! starting the list with the '^' character, E.g.
! "HostKeyAlgorithms ^ssh-ed25519"
!
- ssh-keygen(1):
! add an experimental lightweight signature and verification
! ability. Signatures may be made using regular ssh keys held
! on disk or stored in a ssh-agent and verified against an
! authorized_keys-like list of allowed keys. Signatures embed
! a namespace that prevents confusion and attacks between
! different usage domains (e.g. files vs email).
!
- ssh-keygen(1):
! print key comment when extracting public key from a private
! key. bz#3052
!
- ssh-keygen(1):
! accept the verbose flag when searching for host keys in
! known hosts (i.e. "ssh-keygen -vF host") to print the
! matching host's random-art signature
! too. bz#3003
!
- All: support PKCS8 as an optional format for storage of
! private keys to disk. The OpenSSH native key format remains
! the default, but PKCS8 is a superior format to PEM if
! interoperability with non-OpenSSH software is required, as
! it may use a less insecure key derivation function than
! PEM's.
- Bugfixes
! - ssh(1): if a
! PKCS#11 token returns no keys then try to login and
! refetch them. Based on patch from Jakub
! Jelen; bz#2430
!
- ssh(1):
! produce a useful error message if the user's shell is set
! incorrectly during "match exec"
! processing. bz#2791
!
- sftp(1):
! allow the maximum uint32 value for the argument passed to
! -b which allows better error messages from later
! validation.
! bz#3050
!
- ssh(1):
! avoid pledge sandbox violations in some combinations of
! remote forwarding, connection multiplexing and
! ControlMaster.
!
- ssh-keyscan(1):
! include SHA2-variant RSA key algorithms in KEX proposal;
! allows ssh-keyscan to harvest keys from servers that
! disable old SHA1
! ssh-rsa. bz#3029
!
- sftp(1):
! print explicit "not modified" message if a file was
! requested for resumed download but was considered already
! complete.
! bz#2978
!
- sftp(1):
! fix a typo and make <esc><right> move right to the
! closest end of a word just like <esc><left> moves
! left to the closest beginning of a word.
!
- sshd(8):
! cap the number of permitopen/permitlisten directives
! allowed to appear on a single authorized_keys line.
!
- All: fix a number of memory leaks (one-off or on exit paths).
!
- Regression tests: a number of fixes and improvements,
! including fixes to the interop tests, adding the ability
! to run most tests on builds that disable OpenSSL support,
! better support for running tests under Valgrind and a
! number of bug-fixes.
!
- ssh(1),
! sshd(8):
! check for convtime() refusing to accept times that resolve
! to LONG_MAX Reported by Kirk Wolf bz2977
!
- ssh(1):
! slightly more instructive error message when the user
! specifies multiple -J options on the command-line. bz3015
!
- ssh-agent(1):
! process agent requests for RSA certificate private keys
! using correct signature algorithm when requested. bz3016
!
- sftp(1):
! check for user@host when parsing sftp target. This allows
! user@[1.2.3.4] to work without a
! path. bz#2999
!
- sshd(8):
! enlarge format buffer size for certificate serial number
! so the log message can record any 64-bit integer without
! truncation. bz#3012
!
- sshd(8):
! for PermitOpen violations add the remote host and port to
! be able to more easily ascertain the source of the
! request. Add the same logging for PermitListen violations
! which where not previously logged at all.
!
- scp(1),
! sftp(1):
! use the correct POSIX format style for left justification
! for the transfer progress
! meter. bz#3002
!
- sshd(8)
! when examining a configuration using sshd -T, assume any
! attribute not provided by -C does not match, which allows
! it to work when sshd_config contains a Match directive
! with or without -C.
! bz#2858
!
- ssh(1),
! ssh-keygen(1):
! downgrade PKCS#11 "provider returned no slots" warning
! from log level error to debug. This is common when
! attempting to enumerate keys on smartcard readers with no
! cards plugged
! in. bz#3058
!
- ssh(1),
! ssh-keygen(1):
! do not unconditionally log in to PKCS#11 tokens. Avoids
! spurious PIN prompts for keys not selected for
! authentication
! in ssh(1) and
! when listing public keys available in a token
! using ssh-keygen(1).
! bz#3006
Mandoc XXX
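Review bot: two items from the removed 672-710 block have no counterpart in the replacement 672-802 list: the encryption of private ssh(1) keys not in use (protection against speculation and memory side-channel attacks such as Spectre, Meltdown, Rowhammer and Rambleed) and the change making ssh(1) default to rsa-sha2-512 when signing certificates with an RSA key (with its OpenSSH 7.1-and-earlier incompatibility caveat). If these did ship in 8.1, please carry them over, since the compatibility note in particular is what an operator needs when certificates stop verifying on old servers; if they were deliberately dropped, a one-line note in the commit would help. Smaller points in the new text: "which where not previously logged" should read "which were not previously logged"; "to LONG_MAX Reported by Kirk Wolf bz2977" is missing a period before "Reported"; "sshd(8)" in the sshd -T item lacks the colon used by every other entry; and the bug references mix "bz#3052" with "bz2977", "bz3015" and "bz3016", which should be normalised to the "bz#NNNN" form.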