www/66.html - diff

Return to 66.html CVS log

Up to [local] / www

Diff for /www/66.html between version 1.51 and 1.52

-version 1.51, 2019/10/08 19:23:22
+version 1.52, 2019/10/09 20:50:35
 Line 672
 Line 672
 Line 672
      </ul>
    </ul>
- <li>OpenSSH 8.X
+ <li>OpenSSH 8.1
    <ul>
      <li>New Features
        <ul>
-         <li>Added sshsig, a lightweight signature and verification
+         <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: Allow %n to be
-           ability for OpenSSH,
+           expanded in ProxyCommand strings
-           to <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>.
+         <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
-           Signatures can be made and verified using <code>ssh-keygen
+           <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: Allow
-           -Y sign|verify</code>.
+           prepending a list of algorithms to the default set by
-         <li>Included SHA2-variant RSA key algorithms in KEX proposal,
+           starting the list with the '^' character, E.g.
-           allowing <a href="https://man.openbsd.org/ssh-keyscan.1">ssh-keyscan(1)</a>
+           "HostKeyAlgorithms ^ssh-ed25519"
-           to harvest keys from servers that disable SHA1 ssh-rsa.
+         <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
-         <li>Encrypted
+           add an experimental lightweight signature and verification
-           private <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
+           ability.  Signatures may be made using regular ssh keys held
-           keys that are not in use as protection against speculation
+           on disk or stored in a ssh-agent and verified against an
-           and memory sidechannel attacks like Spectre, Meltdown,
+           authorized_keys-like list of allowed keys. Signatures embed
-           Rowhammer and Rambleed.
+           a namespace that prevents confusion and attacks between
-         <li>Adjusted <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
+           different usage domains (e.g. files vs email).
-           to default to using the rsa-sha2-512 signature algorithm when
+         <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
-           signing certificates with an RSA key. This will render these
+           print key comment when extracting public key from a private
-           certificates incompatible with OpenSSH 7.1 and earlier,
+           key.  <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3052'>bz#3052</a>
-           unless the default is overridden by use of the
+         <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
-           <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>
+           accept the verbose flag when searching for host keys in
-           -t flag.
+           known hosts (i.e. "ssh-keygen -vF host") to print the
-         <li>Added logging
+           matching host's random-art signature
-         of <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
+           too. <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3003'>bz#3003</a>
-         PermitOpen and PermitListen violations.
+         <li>All: support PKCS8 as an optional format for storage of
-         <li>Allowed prepending a list of algorithms to the default set in ssh(1) by
+           private keys to disk.  The OpenSSH native key format remains
-           starting the list with the ^ character.
+           the default, but PKCS8 is a superior format to PEM if
+           interoperability with non-OpenSSH software is required, as
+           it may use a less insecure key derivation function than
+           PEM's.
        </ul>
        <li>Bugfixes
          <ul>
-           <li>
+           <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: if a
+             PKCS#11 token returns no keys then try to login and
+             refetch them. Based on patch from Jakub
+             Jelen; <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2430'>bz#2430</a>
+           <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>:
+             produce a useful error message if the user's shell is set
+             incorrectly during "match exec"
+             processing. <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2791'>bz#2791</a>
+           <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>:
+             allow the maximum uint32 value for the argument passed to
+             -b which allows better error messages from later
+             validation.
+             <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3050'>bz#3050</a>
+           <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>:
+             avoid pledge sandbox violations in some combinations of
+             remote forwarding, connection multiplexing and
+             ControlMaster.
+           <li><a href='https://man.openbsd.org/ssh-keyscan.1'>ssh-keyscan(1)</a>:
+             include SHA2-variant RSA key algorithms in KEX proposal;
+             allows ssh-keyscan to harvest keys from servers that
+             disable old SHA1
+             ssh-rsa. <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3029'>bz#3029</a>
+           <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>:
+             print explicit "not modified" message if a file was
+             requested for resumed download but was considered already
+             complete.
+             <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2978'>bz#2978</a>
+           <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>:
+             fix a typo and make &lt;esc>&lt;right> move right to the
+             closest end of a word just like &lt;esc>&lt;left> moves
+             left to the closest beginning of a word.
+           <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
+             cap the number of permitopen/permitlisten directives
+             allowed to appear on a single authorized_keys line.
+           <li>All: fix a number of memory leaks (one-off or on exit paths).
+           <li>Regression tests: a number of fixes and improvements,
+             including fixes to the interop tests, adding the ability
+             to run most tests on builds that disable OpenSSL support,
+             better support for running tests under Valgrind and a
+             number of bug-fixes.
+           <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
+             <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
+             check for convtime() refusing to accept times that resolve
+             to LONG_MAX Reported by Kirk Wolf bz2977
+           <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>:
+             slightly more instructive error message when the user
+             specifies multiple -J options on the command-line. bz3015
+           <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>:
+             process agent requests for RSA certificate private keys
+             using correct signature algorithm when requested. bz3016
+           <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>:
+             check for user@host when parsing sftp target. This allows
+             user@[1.2.3.4] to work without a
+             path.  <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2999'>bz#2999</a>
+           <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
+             enlarge format buffer size for certificate serial number
+             so the log message can record any 64-bit integer without
+             truncation. <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3012'>bz#3012</a>
+           <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
+             for PermitOpen violations add the remote host and port to
+             be able to more easily ascertain the source of the
+             request. Add the same logging for PermitListen violations
+             which where not previously logged at all.
+           <li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>,
+             <a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>:
+             use the correct POSIX format style for left justification
+             for the transfer progress
+             meter. <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3002'>bz#3002</a>
+           <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>
+             when examining a configuration using sshd -T, assume any
+             attribute not provided by -C does not match, which allows
+             it to work when sshd_config contains a Match directive
+             with or without -C.
+             <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=2858'>bz#2858</a>
+           <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
+             <a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
+             downgrade PKCS#11 "provider returned no slots" warning
+             from log level error to debug. This is common when
+             attempting to enumerate keys on smartcard readers with no
+             cards plugged
+             in. <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3058'>bz#3058</a>
+           <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>,
+             <a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
+             do not unconditionally log in to PKCS#11 tokens. Avoids
+             spurious PIN prompts for keys not selected for
+             authentication
+             in <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> and
+             when listing public keys available in a token
+             using <a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>.
+             <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3006'>bz#3006</a>
          </ul>
    </ul>
  <li>Mandoc XXX