===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v
retrieving revision 1.67
retrieving revision 1.68
diff -c -r1.67 -r1.68
*** www/67.html 2020/05/12 09:46:23 1.67
--- www/67.html 2020/05/12 14:02:42 1.68
***************
*** 1174,1181 ****
!
OpenSSH 8.1
- New Features
- Allowed use of the IgnoreRhosts directive anywhere in an
! - OpenSSH 8.3
+ - Potentially incompatible changes.
+
+ - sftp(1):
+ reject an argument of "-1" in the same way as ssh(1) and
+ scp(1) do instead of accepting and silently ignoring it.
+
- New Features
- Allowed use of the IgnoreRhosts directive anywhere in an Added TOKEN percent expansion (i.e. userid, hostnames etc.) to ssh(1) LocalForward and
RemoteForward when used for Unix domain socket forwarding.
+
- all: allow loading public keys from the unencrypted envelope of a
+ private key file if no corresponding public key file is present.
- Gave ssh-keygen(1) the
ability to dump the contents of a binary key revocation list with
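Review bot: the two added entries, "sftp(1): reject an argument of "-1" ..." and "all: allow loading public keys ...", keep the imperative, component-prefixed wording of the release notes, while the neighbouring entries in this hunk are written in the past tense ("Added TOKEN percent expansion ...", "Gave ssh-keygen(1) the ability ..."). Suggest rewording them to match, for example "Made sftp(1) reject an argument of "-1" ..." and "Allowed loading public keys from the unencrypted envelope ...". The new "Potentially incompatible changes." heading also ends in a period where "New Features" does not.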
***************
*** 1232,1267 ****
user presence was tested before a security key was made.
- Added direct support for U2F/FIDO2 security keys in ssh(1).
-
- Added initial infrastructure for U2F/FIDO support in ssh(1).
-
- Notified the user via TTY or $SSH_ASKPASS when ssh(1) security keys must be
tapped/touched in order to perform a signature operation.
- Enabled ed25519 support in ssh(1).
-
-
- Bugfixes
- Detected and prevented simple ssh(1) configuration loops when
! using ProxyJump.
!
- Fixed PIN entry bugs on FIDO ssh-keygen(1).
- Fixed ssh-keygen(1) not
! displaying the authenticator touch prompt.
- Prevented a timeout in ssh(1) when the server doesn't
! immediately send a banner, such as with multiplexers like sslh.
- Adjusted on-wire signature encoding for ecdsh-sk ssh(1) keys to better match
! ec25519-sk keys.
- Fixed a potential NULL dereference for revoked hostkeys in ssh(1).
--- 1240,1312 ----
user presence was tested before a security key was made.
- Added direct support for U2F/FIDO2 security keys in ssh(1).
- Added initial infrastructure for U2F/FIDO support in ssh(1).
- Notified the user via TTY or $SSH_ASKPASS when ssh(1) security keys must be
tapped/touched in order to perform a signature operation.
- Enabled ed25519 support in ssh(1).
Bugfixes
- Detected and prevented simple ssh(1) configuration loops when
! using ProxyJump.
!
- Fixed PIN entry bugs on FIDO in ssh-keygen(1).
- Fixed ssh-keygen(1) not
! displaying the authenticator touch prompt.
- Prevented a timeout in ssh(1) when the server doesn't
! immediately send a banner, such as with multiplexers like sslh.
- Adjusted on-wire signature encoding for ecdsh-sk ssh(1) keys to better match
! ec25519-sk keys.
- Fixed a potential NULL dereference for revoked hostkeys in ssh(1).
!
- ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
! a PKCS11Provider
!
- ssh-keygen(1): avoid NULL dereference when trying to convert an
! invalid RFC4716 private key.
!
- scp(2): when performing remote-to-remote copies using "scp -3",
! start the second ssh(1) channel with BatchMode=yes enabled to
! avoid confusing and non-deterministic ordering of prompts.
!
- ssh(1): fix incorrect error message for "too many known hosts
! files."
!
- ssh(1): make failures when establishing "Tunnel" forwarding
! terminate the connection when ExitOnForwardFailure is enabled
!
- ssh-keygen(1): fix printing of fingerprints on private keys and add
! a regression test for same.
!
- sshd(8): document order of checking AuthorizedKeysFile (first) and
! AuthorizedKeysCommand (subsequently, if the file doesn't match)
!
- sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
! not considered for HostbasedAuthentication when the target user is
! root
!
- ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
! key parsing (oss-fuzz #20074).
!
- ssh(1), sshd(8): more consistency between sets of %TOKENS are
! accepted in various configuration options.
!
- ssh(1), ssh-keygen(1): improve error messages for some common
! PKCS#11 C_Login failure cases
!
- ssh(1), sshd(8): make error messages for problems during SSH banner
! exchange consistent with other SSH transport-layer error messages
! and ensure they include the relevant IP addresses
!
- various: fix a number of spelling errors in comments and debug/error
! messages
!
- ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
! from a token, don't prompt for a PIN until the token has told us
! that it needs one. Avoids double-prompting on devices that
! implement on-device authentication.
!
- sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
! should be an extension, not a critical option.
!
- ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
! when trying to use a FIDO key function and SecurityKeyProvider is
! empty.
!
- ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
! the values allowed by the wire format (u32). Prevents integer
! wraparound of the timeout values
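Review bot: "scp(2)" in the new remote-to-remote copy entry should be "scp(1)", which is the section the sftp(1) entry added earlier in this same change uses for it. In the same block, "more consistency between sets of %TOKENS are accepted" does not parse (probably "that are accepted"), and the changed line still says "ec25519-sk" although the entry a few lines above spells the algorithm "ed25519"; both are worth fixing while these lines are being touched. Several new entries (PKCS11Provider, ExitOnForwardFailure, C_Login, and the final u32 wraparound item) also lack the closing period that the other entries have.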