===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/66.html,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- www/66.html 2019/10/08 19:23:22 1.51
+++ www/66.html 2019/10/09 20:50:35 1.52
@@ -672,39 +672,131 @@
-
OpenSSH 8.X
+OpenSSH 8.1
- New Features
- - Added sshsig, a lightweight signature and verification
- ability for OpenSSH,
- to ssh-keygen(1).
- Signatures can be made and verified using
ssh-keygen
- -Y sign|verify
.
- - Included SHA2-variant RSA key algorithms in KEX proposal,
- allowing ssh-keyscan(1)
- to harvest keys from servers that disable SHA1 ssh-rsa.
-
- Encrypted
- private ssh(1)
- keys that are not in use as protection against speculation
- and memory sidechannel attacks like Spectre, Meltdown,
- Rowhammer and Rambleed.
-
- Adjusted ssh(1)
- to default to using the rsa-sha2-512 signature algorithm when
- signing certificates with an RSA key. This will render these
- certificates incompatible with OpenSSH 7.1 and earlier,
- unless the default is overridden by use of the
- ssh-keygen(1)
- -t flag.
-
- Added logging
- of ssh(1)
- PermitOpen and PermitListen violations.
-
- Allowed prepending a list of algorithms to the default set in ssh(1) by
- starting the list with the ^ character.
+
- ssh(1): Allow %n to be
+ expanded in ProxyCommand strings
+
- ssh(1),
+ sshd(8): Allow
+ prepending a list of algorithms to the default set by
+ starting the list with the '^' character, E.g.
+ "HostKeyAlgorithms ^ssh-ed25519"
+
- ssh-keygen(1):
+ add an experimental lightweight signature and verification
+ ability. Signatures may be made using regular ssh keys held
+ on disk or stored in a ssh-agent and verified against an
+ authorized_keys-like list of allowed keys. Signatures embed
+ a namespace that prevents confusion and attacks between
+ different usage domains (e.g. files vs email).
+
- ssh-keygen(1):
+ print key comment when extracting public key from a private
+ key. bz#3052
+
- ssh-keygen(1):
+ accept the verbose flag when searching for host keys in
+ known hosts (i.e. "ssh-keygen -vF host") to print the
+ matching host's random-art signature
+ too. bz#3003
+
- All: support PKCS8 as an optional format for storage of
+ private keys to disk. The OpenSSH native key format remains
+ the default, but PKCS8 is a superior format to PEM if
+ interoperability with non-OpenSSH software is required, as
+ it may use a less insecure key derivation function than
+ PEM's.
- Bugfixes
- -
+
- ssh(1): if a
+ PKCS#11 token returns no keys then try to login and
+ refetch them. Based on patch from Jakub
+ Jelen; bz#2430
+
- ssh(1):
+ produce a useful error message if the user's shell is set
+ incorrectly during "match exec"
+ processing. bz#2791
+
- sftp(1):
+ allow the maximum uint32 value for the argument passed to
+ -b which allows better error messages from later
+ validation.
+ bz#3050
+
- ssh(1):
+ avoid pledge sandbox violations in some combinations of
+ remote forwarding, connection multiplexing and
+ ControlMaster.
+
- ssh-keyscan(1):
+ include SHA2-variant RSA key algorithms in KEX proposal;
+ allows ssh-keyscan to harvest keys from servers that
+ disable old SHA1
+ ssh-rsa. bz#3029
+
- sftp(1):
+ print explicit "not modified" message if a file was
+ requested for resumed download but was considered already
+ complete.
+ bz#2978
+
- sftp(1):
+ fix a typo and make <esc><right> move right to the
+ closest end of a word just like <esc><left> moves
+ left to the closest beginning of a word.
+
- sshd(8):
+ cap the number of permitopen/permitlisten directives
+ allowed to appear on a single authorized_keys line.
+
- All: fix a number of memory leaks (one-off or on exit paths).
+
- Regression tests: a number of fixes and improvements,
+ including fixes to the interop tests, adding the ability
+ to run most tests on builds that disable OpenSSL support,
+ better support for running tests under Valgrind and a
+ number of bug-fixes.
+
- ssh(1),
+ sshd(8):
+ check for convtime() refusing to accept times that resolve
+ to LONG_MAX Reported by Kirk Wolf bz2977
+
- ssh(1):
+ slightly more instructive error message when the user
+ specifies multiple -J options on the command-line. bz3015
+
- ssh-agent(1):
+ process agent requests for RSA certificate private keys
+ using correct signature algorithm when requested. bz3016
+
- sftp(1):
+ check for user@host when parsing sftp target. This allows
+ user@[1.2.3.4] to work without a
+ path. bz#2999
+
- sshd(8):
+ enlarge format buffer size for certificate serial number
+ so the log message can record any 64-bit integer without
+ truncation. bz#3012
+
- sshd(8):
+ for PermitOpen violations add the remote host and port to
+ be able to more easily ascertain the source of the
+ request. Add the same logging for PermitListen violations
+ which where not previously logged at all.
+
- scp(1),
+ sftp(1):
+ use the correct POSIX format style for left justification
+ for the transfer progress
+ meter. bz#3002
+
- sshd(8)
+ when examining a configuration using sshd -T, assume any
+ attribute not provided by -C does not match, which allows
+ it to work when sshd_config contains a Match directive
+ with or without -C.
+ bz#2858
+
- ssh(1),
+ ssh-keygen(1):
+ downgrade PKCS#11 "provider returned no slots" warning
+ from log level error to debug. This is common when
+ attempting to enumerate keys on smartcard readers with no
+ cards plugged
+ in. bz#3058
+
- ssh(1),
+ ssh-keygen(1):
+ do not unconditionally log in to PKCS#11 tokens. Avoids
+ spurious PIN prompts for keys not selected for
+ authentication
+ in ssh(1) and
+ when listing public keys available in a token
+ using ssh-keygen(1).
+ bz#3006
Mandoc XXX
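Review bot: typo in the PermitListen logging entry: "which where not previously logged at all" should read "which were not previously logged at all". Also within this hunk the bug references are inconsistent: "bz2977", "bz3015" and "bz3016" lack the "#" that every other entry uses ("bz#3052", "bz#3003", "bz#2430", ...); the convtime() entry has no punctuation between "LONG_MAX" and "Reported by Kirk Wolf"; and the sshd -T entry's "sshd(8)" lacks the trailing colon the sibling entries carry. Minor wording: "E.g." mid-sentence in the '^' algorithm-prefix entry should be lower-case "e.g.", and "a ssh-agent" should be "an ssh-agent". The unchanged trailing context line "Mandoc XXX" reads like a leftover placeholder; worth confirming it is meant to stay on the published page.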