=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/66.html,v retrieving revision 1.51 retrieving revision 1.52 diff -c -r1.51 -r1.52 *** www/66.html 2019/10/08 19:23:22 1.51 --- www/66.html 2019/10/09 20:50:35 1.52 *************** *** 672,710 **** !

OpenSSH 8.X

New Features
- Added sshsig, a lightweight signature and verification ! ability for OpenSSH, ! to ssh-keygen(1). ! Signatures can be made and verified using ssh-keygen ! -Y sign|verify. !
- Included SHA2-variant RSA key algorithms in KEX proposal, ! allowing ssh-keyscan(1) ! to harvest keys from servers that disable SHA1 ssh-rsa. !
- Encrypted ! private ssh(1) ! keys that are not in use as protection against speculation ! and memory sidechannel attacks like Spectre, Meltdown, ! Rowhammer and Rambleed. !
- Adjusted ssh(1) ! to default to using the rsa-sha2-512 signature algorithm when ! signing certificates with an RSA key. This will render these ! certificates incompatible with OpenSSH 7.1 and earlier, ! unless the default is overridden by use of the ! ssh-keygen(1) ! -t flag. !
- Added logging ! of ssh(1) ! PermitOpen and PermitListen violations. !
- Allowed prepending a list of algorithms to the default set in ssh(1) by ! starting the list with the ^ character.
Bugfixes

Mandoc XXX --- 672,802 ---- !

OpenSSH 8.1

New Features
- ssh(1): Allow %n to be ! expanded in ProxyCommand strings !
- ssh(1), ! sshd(8): Allow ! prepending a list of algorithms to the default set by ! starting the list with the '^' character, E.g. ! "HostKeyAlgorithms ^ssh-ed25519" !
- ssh-keygen(1): ! add an experimental lightweight signature and verification ! ability. Signatures may be made using regular ssh keys held ! on disk or stored in a ssh-agent and verified against an ! authorized_keys-like list of allowed keys. Signatures embed ! a namespace that prevents confusion and attacks between ! different usage domains (e.g. files vs email). !
- ssh-keygen(1): ! print key comment when extracting public key from a private ! key. bz#3052 !
- ssh-keygen(1): ! accept the verbose flag when searching for host keys in ! known hosts (i.e. "ssh-keygen -vF host") to print the ! matching host's random-art signature ! too. bz#3003 !
- All: support PKCS8 as an optional format for storage of ! private keys to disk. The OpenSSH native key format remains ! the default, but PKCS8 is a superior format to PEM if ! interoperability with non-OpenSSH software is required, as ! it may use a less insecure key derivation function than ! PEM's.
Bugfixes
- ssh(1): if a ! PKCS#11 token returns no keys then try to login and ! refetch them. Based on patch from Jakub ! Jelen; bz#2430 !
- ssh(1): ! produce a useful error message if the user's shell is set ! incorrectly during "match exec" ! processing. bz#2791 !
- sftp(1): ! allow the maximum uint32 value for the argument passed to ! -b which allows better error messages from later ! validation. ! bz#3050 !
- ssh(1): ! avoid pledge sandbox violations in some combinations of ! remote forwarding, connection multiplexing and ! ControlMaster. !
- ssh-keyscan(1): ! include SHA2-variant RSA key algorithms in KEX proposal; ! allows ssh-keyscan to harvest keys from servers that ! disable old SHA1 ! ssh-rsa. bz#3029 !
- sftp(1): ! print explicit "not modified" message if a file was ! requested for resumed download but was considered already ! complete. ! bz#2978 !
- sftp(1): ! fix a typo and make <esc><right> move right to the ! closest end of a word just like <esc><left> moves ! left to the closest beginning of a word. !
- sshd(8): ! cap the number of permitopen/permitlisten directives ! allowed to appear on a single authorized_keys line. !
- All: fix a number of memory leaks (one-off or on exit paths). !
- Regression tests: a number of fixes and improvements, ! including fixes to the interop tests, adding the ability ! to run most tests on builds that disable OpenSSL support, ! better support for running tests under Valgrind and a ! number of bug-fixes. !
- ssh(1), ! sshd(8): ! check for convtime() refusing to accept times that resolve ! to LONG_MAX Reported by Kirk Wolf bz2977 !
- ssh(1): ! slightly more instructive error message when the user ! specifies multiple -J options on the command-line. bz3015 !
- ssh-agent(1): ! process agent requests for RSA certificate private keys ! using correct signature algorithm when requested. bz3016 !
- sftp(1): ! check for user@host when parsing sftp target. This allows ! user@[1.2.3.4] to work without a ! path. bz#2999 !
- sshd(8): ! enlarge format buffer size for certificate serial number ! so the log message can record any 64-bit integer without ! truncation. bz#3012 !
- sshd(8): ! for PermitOpen violations add the remote host and port to ! be able to more easily ascertain the source of the ! request. Add the same logging for PermitListen violations ! which where not previously logged at all. !
- scp(1), ! sftp(1): ! use the correct POSIX format style for left justification ! for the transfer progress ! meter. bz#3002 !
- sshd(8) ! when examining a configuration using sshd -T, assume any ! attribute not provided by -C does not match, which allows ! it to work when sshd_config contains a Match directive ! with or without -C. ! bz#2858 !
- ssh(1), ! ssh-keygen(1): ! downgrade PKCS#11 "provider returned no slots" warning ! from log level error to debug. This is common when ! attempting to enumerate keys on smartcard readers with no ! cards plugged ! in. bz#3058 !
- ssh(1), ! ssh-keygen(1): ! do not unconditionally log in to PKCS#11 tokens. Avoids ! spurious PIN prompts for keys not selected for ! authentication ! in ssh(1) and ! when listing public keys available in a token ! using ssh-keygen(1). ! bz#3006

Mandoc XXX