=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v retrieving revision 1.67 retrieving revision 1.68 diff -c -r1.67 -r1.68 *** www/67.html 2020/05/12 09:46:23 1.67 --- www/67.html 2020/05/12 14:02:42 1.68 *************** *** 1174,1181 **** !

OpenSSH 8.1

New Features
- Allowed use of the IgnoreRhosts directive anywhere in an
!
OpenSSH 8.3
- Potentially incompatible changes. +
  - sftp(1): + reject an argument of "-1" in the same way as ssh(1) and + scp(1) do instead of accepting and silently ignoring it. +
- New Features
  - Allowed use of the IgnoreRhosts directive anywhere in an Added TOKEN percent expansion (i.e. userid, hostnames etc.) to ssh(1) LocalForward and RemoteForward when used for Unix domain socket forwarding. +
  - all: allow loading public keys from the unencrypted envelope of a + private key file if no corresponding public key file is present.
  - Gave ssh-keygen(1) the ability to dump the contents of a binary key revocation list with *************** *** 1232,1267 **** user presence was tested before a security key was made.
  - Added direct support for U2F/FIDO2 security keys in ssh(1). -
  - Added initial infrastructure for U2F/FIDO support in ssh(1). -
  - Notified the user via TTY or $SSH_ASKPASS when ssh(1) security keys must be tapped/touched in order to perform a signature operation.
  - Enabled ed25519 support in ssh(1). - -
- Bugfixes
  - Detected and prevented simple ssh(1) configuration loops when ! using ProxyJump. !
  - Fixed PIN entry bugs on FIDO ssh-keygen(1).
  - Fixed ssh-keygen(1) not ! displaying the authenticator touch prompt.
  - Prevented a timeout in ssh(1) when the server doesn't ! immediately send a banner, such as with multiplexers like sslh.
  - Adjusted on-wire signature encoding for ecdsh-sk ssh(1) keys to better match ! ec25519-sk keys.
  - Fixed a potential NULL dereference for revoked hostkeys in ssh(1).
--- 1240,1312 ---- user presence was tested before a security key was made.
Added direct support for U2F/FIDO2 security keys in ssh(1).
Added initial infrastructure for U2F/FIDO support in ssh(1).
Notified the user via TTY or $SSH_ASKPASS when ssh(1) security keys must be tapped/touched in order to perform a signature operation.
Enabled ed25519 support in ssh(1).

Bugfixes

Detected and prevented simple ssh(1) configuration loops when ! using ProxyJump. !
Fixed PIN entry bugs on FIDO in ssh-keygen(1).
Fixed ssh-keygen(1) not ! displaying the authenticator touch prompt.
Prevented a timeout in ssh(1) when the server doesn't ! immediately send a banner, such as with multiplexers like sslh.
Adjusted on-wire signature encoding for ecdsh-sk ssh(1) keys to better match ! ec25519-sk keys.
Fixed a potential NULL dereference for revoked hostkeys in ssh(1). !
ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from ! a PKCS11Provider !
ssh-keygen(1): avoid NULL dereference when trying to convert an ! invalid RFC4716 private key. !
scp(2): when performing remote-to-remote copies using "scp -3", ! start the second ssh(1) channel with BatchMode=yes enabled to ! avoid confusing and non-deterministic ordering of prompts. !
ssh(1): fix incorrect error message for "too many known hosts ! files." !
ssh(1): make failures when establishing "Tunnel" forwarding ! terminate the connection when ExitOnForwardFailure is enabled !
ssh-keygen(1): fix printing of fingerprints on private keys and add ! a regression test for same. !
sshd(8): document order of checking AuthorizedKeysFile (first) and ! AuthorizedKeysCommand (subsequently, if the file doesn't match) !
sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are ! not considered for HostbasedAuthentication when the target user is ! root !
ssh(1), ssh-keygen(1): fix NULL dereference in private certificate ! key parsing (oss-fuzz #20074). !
ssh(1), sshd(8): more consistency between sets of %TOKENS are ! accepted in various configuration options. !
ssh(1), ssh-keygen(1): improve error messages for some common ! PKCS#11 C_Login failure cases !
ssh(1), sshd(8): make error messages for problems during SSH banner ! exchange consistent with other SSH transport-layer error messages ! and ensure they include the relevant IP addresses !
various: fix a number of spelling errors in comments and debug/error ! messages !
ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys ! from a token, don't prompt for a PIN until the token has told us ! that it needs one. Avoids double-prompting on devices that ! implement on-device authentication. !
sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option ! should be an extension, not a critical option. !
ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message ! when trying to use a FIDO key function and SecurityKeyProvider is ! empty. !
ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within ! the values allowed by the wire format (u32). Prevents integer ! wraparound of the timeout values