| version 1.67, 2020/05/12 09:46:23 |
version 1.68, 2020/05/12 14:02:42 |
|
|
| </ul> |
</ul> |
| </ul> |
</ul> |
| |
|
| <li>OpenSSH 8.1 |
<li>OpenSSH 8.3 |
| <ul> |
<ul> |
| |
<li>Potentially incompatible changes. |
| |
<ul> |
| |
<li><a href="https://man.openbsd.org/sftp">sftp(1)</a>: |
| |
reject an argument of "-1" in the same way as ssh(1) and |
| |
scp(1) do instead of accepting and silently ignoring it. |
| |
</ul> |
| <li>New Features |
<li>New Features |
| <ul> |
<ul> |
| <li>Allowed use of the IgnoreRhosts directive anywhere in an <a |
<li>Allowed use of the IgnoreRhosts directive anywhere in an <a |
|
|
| <li>Added TOKEN percent expansion (i.e. userid, hostnames etc.) to <a |
<li>Added TOKEN percent expansion (i.e. userid, hostnames etc.) to <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a> LocalForward and |
href="https://man.openbsd.org/ssh">ssh(1)</a> LocalForward and |
| RemoteForward when used for Unix domain socket forwarding. |
RemoteForward when used for Unix domain socket forwarding. |
| |
<li>all: allow loading public keys from the unencrypted envelope of a |
| |
private key file if no corresponding public key file is present. |
| <li>Gave <a |
<li>Gave <a |
| href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> the |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> the |
| ability to dump the contents of a binary key revocation list with |
ability to dump the contents of a binary key revocation list with |
|
|
| user presence was tested before a security key was made. |
user presence was tested before a security key was made. |
| <li>Added direct support for U2F/FIDO2 security keys in <a |
<li>Added direct support for U2F/FIDO2 security keys in <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a>. |
href="https://man.openbsd.org/ssh">ssh(1)</a>. |
| |
|
| <li>Added initial infrastructure for U2F/FIDO support in <a |
<li>Added initial infrastructure for U2F/FIDO support in <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a>. |
href="https://man.openbsd.org/ssh">ssh(1)</a>. |
| |
|
| <li>Notified the user via TTY or $SSH_ASKPASS when <a |
<li>Notified the user via TTY or $SSH_ASKPASS when <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a> security keys must be |
href="https://man.openbsd.org/ssh">ssh(1)</a> security keys must be |
| tapped/touched in order to perform a signature operation. |
tapped/touched in order to perform a signature operation. |
| <li>Enabled ed25519 support in <a |
<li>Enabled ed25519 support in <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a>. |
href="https://man.openbsd.org/ssh">ssh(1)</a>. |
| |
|
| |
|
| </ul> |
</ul> |
| <li>Bugfixes |
<li>Bugfixes |
| <ul> |
<ul> |
| <li>Detected and prevented simple <a |
<li>Detected and prevented simple <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when |
href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when |
| using ProxyJump. |
using ProxyJump. |
| <li>Fixed PIN entry bugs on FIDO <a |
<li>Fixed PIN entry bugs on FIDO in <a |
| href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>. |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>. |
| <li>Fixed <a |
<li>Fixed <a |
| href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not |
| displaying the authenticator touch prompt. |
displaying the authenticator touch prompt. |
| <li>Prevented a timeout in <a |
<li>Prevented a timeout in <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't |
href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't |
| immediately send a banner, such as with multiplexers like sslh. |
immediately send a banner, such as with multiplexers like sslh. |
| <li>Adjusted on-wire signature encoding for ecdsh-sk <a |
<li>Adjusted on-wire signature encoding for ecdsh-sk <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match |
href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match |
| ec25519-sk keys. |
ec25519-sk keys. |
| <li>Fixed a potential NULL dereference for revoked hostkeys in <a |
<li>Fixed a potential NULL dereference for revoked hostkeys in <a |
| href="https://man.openbsd.org/ssh">ssh(1)</a>. |
href="https://man.openbsd.org/ssh">ssh(1)</a>. |
| |
<li>ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from |
| |
a PKCS11Provider |
| |
<li>ssh-keygen(1): avoid NULL dereference when trying to convert an |
| |
invalid RFC4716 private key. |
| |
<li>scp(2): when performing remote-to-remote copies using "scp -3", |
| |
start the second ssh(1) channel with BatchMode=yes enabled to |
| |
avoid confusing and non-deterministic ordering of prompts. |
| |
<li>ssh(1): fix incorrect error message for "too many known hosts |
| |
files." |
| |
<li>ssh(1): make failures when establishing "Tunnel" forwarding |
| |
terminate the connection when ExitOnForwardFailure is enabled |
| |
<li>ssh-keygen(1): fix printing of fingerprints on private keys and add |
| |
a regression test for same. |
| |
<li>sshd(8): document order of checking AuthorizedKeysFile (first) and |
| |
AuthorizedKeysCommand (subsequently, if the file doesn't match) |
| |
<li>sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are |
| |
not considered for HostbasedAuthentication when the target user is |
| |
root |
| |
<li>ssh(1), ssh-keygen(1): fix NULL dereference in private certificate |
| |
key parsing (oss-fuzz #20074). |
| |
<li>ssh(1), sshd(8): more consistency between sets of %TOKENS are |
| |
accepted in various configuration options. |
| |
<li>ssh(1), ssh-keygen(1): improve error messages for some common |
| |
PKCS#11 C_Login failure cases |
| |
<li>ssh(1), sshd(8): make error messages for problems during SSH banner |
| |
exchange consistent with other SSH transport-layer error messages |
| |
and ensure they include the relevant IP addresses |
| |
<li>various: fix a number of spelling errors in comments and debug/error |
| |
messages |
| |
<li>ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys |
| |
from a token, don't prompt for a PIN until the token has told us |
| |
that it needs one. Avoids double-prompting on devices that |
| |
implement on-device authentication. |
| |
<li>sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option |
| |
should be an extension, not a critical option. |
| |
<li>ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message |
| |
when trying to use a FIDO key function and SecurityKeyProvider is |
| |
empty. |
| |
<li>ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within |
| |
the values allowed by the wire format (u32). Prevents integer |
| |
wraparound of the timeout values |
| </ul> |
</ul> |
| </ul> |
</ul> |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to 67.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www