version 1.51, 2019/10/08 19:23:22

</ul>
</ul>

<li>OpenSSH 8.X
<ul>
<li>New Features
<ul>
<li>Added sshsig, a lightweight signature and verification ability for OpenSSH,
to <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>.
Signatures can be made and verified using <code>ssh-keygen -Y sign|verify</code>.
<li>Included SHA2-variant RSA key algorithms in KEX proposal, allowing
<a href="https://man.openbsd.org/ssh-keyscan.1">ssh-keyscan(1)</a>
to harvest keys from servers that disable SHA1 ssh-rsa.
<li>Encrypted private <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
keys that are not in use as protection against speculation and memory
side-channel attacks like Spectre, Meltdown, Rowhammer and Rambleed.
<li>Adjusted <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
to default to using the rsa-sha2-512 signature algorithm when signing
certificates with an RSA key. This will render these certificates
incompatible with OpenSSH 7.1 and earlier, unless the default is
overridden by use of the
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> -t flag.
<li>Added logging of <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
PermitOpen and PermitListen violations.
<li>Allowed prepending a list of algorithms to the default set in ssh(1) by
starting the list with the ^ character.
</ul>
<li>Bugfixes
<ul>
<li>
</ul>
</ul>
<li>Mandoc XXX

version 1.52, 2019/10/09 20:50:35

</ul>
</ul>

<li>OpenSSH 8.1
<ul>
<li>New Features
<ul>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: Allow %n to be
expanded in ProxyCommand strings.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: Allow prepending a
list of algorithms to the default set by starting the list with the '^'
character, e.g. "HostKeyAlgorithms ^ssh-ed25519".
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
add an experimental lightweight signature and verification ability.
Signatures may be made using regular ssh keys held on disk or stored in
an ssh-agent and verified against an authorized_keys-like list of allowed
keys. Signatures embed a namespace that prevents confusion and attacks
between different usage domains (e.g. files vs email).
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
print key comment when extracting public key from a private key.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3052'>bz#3052</a>
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
accept the verbose flag when searching for host keys in known hosts
(i.e. "ssh-keygen -vF host") to print the matching host's random-art
signature too.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3003'>bz#3003</a>
<li>All: support PKCS8 as an optional format for storage of private keys
to disk. The OpenSSH native key format remains the default, but PKCS8 is
a superior format to PEM if interoperability with non-OpenSSH software is
required, as it may use a less insecure key derivation function than PEM's.
</ul>
<li>Bugfixes
<ul>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: if a PKCS#11
token returns no keys then try to login and refetch them. Based on patch
from Jakub Jelen;
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2430'>bz#2430</a>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: produce a useful
error message if the user's shell is set incorrectly during "match exec"
processing.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2791'>bz#2791</a>
<li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: allow the
maximum uint32 value for the argument passed to -b, which allows better
error messages from later validation.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3050'>bz#3050</a>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: avoid pledge
sandbox violations in some combinations of remote forwarding, connection
multiplexing and ControlMaster.
<li><a href='https://man.openbsd.org/ssh-keyscan.1'>ssh-keyscan(1)</a>:
include SHA2-variant RSA key algorithms in KEX proposal; allows
ssh-keyscan to harvest keys from servers that disable old SHA1 ssh-rsa.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3029'>bz#3029</a>
<li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: print explicit
"not modified" message if a file was requested for resumed download but
was considered already complete.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2978'>bz#2978</a>
<li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: fix a typo and
make &lt;esc&gt;&lt;right&gt; move right to the closest end of a word
just like &lt;esc&gt;&lt;left&gt; moves left to the closest beginning of
a word.
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: cap the number
of permitopen/permitlisten directives allowed to appear on a single
authorized_keys line.
<li>All: fix a number of memory leaks (one-off or on exit paths).
<li>Regression tests: a number of fixes and improvements, including fixes
to the interop tests, adding the ability to run most tests on builds that
disable OpenSSL support, better support for running tests under Valgrind
and a number of bug-fixes.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: check for
convtime() refusing to accept times that resolve to LONG_MAX. Reported by
Kirk Wolf;
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2977'>bz#2977</a>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: slightly more
instructive error message when the user specifies multiple -J options on
the command-line.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3015'>bz#3015</a>
<li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>:
process agent requests for RSA certificate private keys using the correct
signature algorithm when requested.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3016'>bz#3016</a>
<li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: check for
user@host when parsing sftp target. This allows user@[1.2.3.4] to work
without a path.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2999'>bz#2999</a>
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: enlarge format
buffer size for certificate serial number so the log message can record
any 64-bit integer without truncation.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3012'>bz#3012</a>
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: for PermitOpen
violations add the remote host and port to be able to more easily
ascertain the source of the request. Add the same logging for
PermitListen violations, which were not previously logged at all.
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>,
<a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: use the correct
POSIX format style for left justification for the transfer progress
meter.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3002'>bz#3002</a>
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: when examining
a configuration using sshd -T, assume any attribute not provided by -C
does not match, which allows it to work when sshd_config contains a Match
directive with or without -C.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2858'>bz#2858</a>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
downgrade PKCS#11 "provider returned no slots" warning from log level
error to debug. This is common when attempting to enumerate keys on
smartcard readers with no cards plugged in.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3058'>bz#3058</a>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>: do not
unconditionally log in to PKCS#11 tokens. Avoids spurious PIN prompts for
keys not selected for authentication in
<a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> and when listing
public keys available in a token using
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>.
<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3006'>bz#3006</a>
</ul>
</ul>
<li>Mandoc XXX
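The sshsig feature listed under OpenSSH 8.1 above (ssh-keygen -Y sign/verify, an authorized_keys-like allowed_signers list, and the namespace bound into every signature), as an added shell demonstration that is not part of this changelog or of the OpenSSH project. It assumes an ssh-keygen of 8.1 or later on PATH; the key, the principal demo@example, the file names and the namespaces="..." allowed_signers option are constructed or assumed here, not taken from the page.

```shell
#!/bin/sh
# Added demo (not OpenSSH project code): sign a file with sshsig and show
# that verification is bound to the signer identity, the namespace and the
# exact content. Key, principal and file names are constructed for the demo.

# True if the installed ssh-keygen understands -Y (OpenSSH 8.1 or later).
have_sshsig() {
    ssh-keygen -Y 2>&1 | grep -q -- '-Y sign'
}

# Returns 0 when every expectation holds, a distinct non-zero code otherwise.
sshsig_demo() {
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT

    # Throwaway signer key; in practice an existing key on disk or in ssh-agent.
    ssh-keygen -q -t ed25519 -N '' -C 'demo@example' -f "$work/signer" || return 1
    printf 'release tarball contents\n' > "$work/artifact.txt"

    # Sign in the "file" namespace; writes $work/artifact.txt.sig beside the input.
    ssh-keygen -q -Y sign -f "$work/signer" -n file "$work/artifact.txt" \
        2>/dev/null || return 1

    # authorized_keys-like allowed_signers line: principal, options, public key.
    # namespaces= (assumed option syntax from ssh-keygen(1)) limits what the key
    # may sign for, the defender-side counterpart of the namespace in the signature.
    printf 'demo@example namespaces="file" %s\n' \
        "$(cut -d' ' -f1,2 "$work/signer.pub")" > "$work/allowed_signers"

    verify() {  # $1 = namespace; the message to check arrives on stdin
        ssh-keygen -q -Y verify -f "$work/allowed_signers" -I demo@example \
            -n "$1" -s "$work/artifact.txt.sig" >/dev/null 2>&1
    }

    # Correct identity, namespace and content: must verify.
    verify file < "$work/artifact.txt" || return 2
    # The same signature replayed under another usage domain: must be rejected.
    if verify email < "$work/artifact.txt"; then return 3; fi
    # Modified content: must be rejected.
    if printf 'tampered\n' | verify file; then return 4; fi
    return 0
}
```

Run `sshsig_demo; echo $?` after sourcing the file; 0 means the signature verified only for the intended principal, namespace and content.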