version 1.67, 2020/05/12 09:46:23 to version 1.68, 2020/05/12 14:02:42 (text below as of version 1.68)
</ul>
</ul>
<li>OpenSSH 8.3
<ul>
<li>Potentially incompatible changes.
<ul>
<li><a href="https://man.openbsd.org/sftp">sftp(1)</a>:
reject an argument of "-1" in the same way as ssh(1) and
scp(1) do instead of accepting and silently ignoring it.
</ul>
<li>New Features
<ul>
<li>Allowed use of the IgnoreRhosts directive anywhere in an
<li>Added TOKEN percent expansion (i.e. userid, hostnames etc.) to <a
href="https://man.openbsd.org/ssh">ssh(1)</a> LocalForward and
RemoteForward when used for Unix domain socket forwarding.
<li>all: allow loading public keys from the unencrypted envelope of a
private key file if no corresponding public key file is present.
<li>Gave <a
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> the
ability to dump the contents of a binary key revocation list with
<li>user presence was tested before a security key was made.
<li>Added direct support for U2F/FIDO2 security keys in <a
href="https://man.openbsd.org/ssh">ssh(1)</a>.
<li>Added initial infrastructure for U2F/FIDO support in <a
href="https://man.openbsd.org/ssh">ssh(1)</a>.
<li>Notified the user via TTY or $SSH_ASKPASS when <a
href="https://man.openbsd.org/ssh">ssh(1)</a> security keys must be
tapped/touched in order to perform a signature operation.
<li>Enabled ed25519 support in <a
href="https://man.openbsd.org/ssh">ssh(1)</a>.
</ul>
<li>Bugfixes
<ul>
<li>Detected and prevented simple <a
href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when
using ProxyJump.
<li>Fixed PIN entry bugs for FIDO keys in <a
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>.
<li>Fixed <a
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not
displaying the authenticator touch prompt.
<li>Prevented a timeout in <a
href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't
immediately send a banner, such as with multiplexers like sslh.
<li>Adjusted on-wire signature encoding for ecdsa-sk <a
href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match
ed25519-sk keys.
<li>Fixed a potential NULL dereference for revoked hostkeys in <a
href="https://man.openbsd.org/ssh">ssh(1)</a>.
<li>ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
a PKCS11Provider.
<li>ssh-keygen(1): avoid NULL dereference when trying to convert an
invalid RFC4716 private key.
<li>scp(1): when performing remote-to-remote copies using "scp -3",
start the second ssh(1) channel with BatchMode=yes enabled to
avoid confusing and non-deterministic ordering of prompts.
<li>ssh(1): fix incorrect error message for "too many known hosts
files."
<li>ssh(1): make failures when establishing "Tunnel" forwarding
terminate the connection when ExitOnForwardFailure is enabled.
<li>ssh-keygen(1): fix printing of fingerprints on private keys and add
a regression test for same.
<li>sshd(8): document order of checking AuthorizedKeysFile (first) and
AuthorizedKeysCommand (subsequently, if the file doesn't match).
<li>sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
not considered for HostbasedAuthentication when the target user is
root.
<li>ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
key parsing (oss-fuzz #20074).
<li>ssh(1), sshd(8): more consistency in the sets of %TOKENS accepted
in various configuration options.
<li>ssh(1), ssh-keygen(1): improve error messages for some common
PKCS#11 C_Login failure cases.
<li>ssh(1), sshd(8): make error messages for problems during SSH banner
exchange consistent with other SSH transport-layer error messages
and ensure they include the relevant IP addresses.
<li>various: fix a number of spelling errors in comments and debug/error
messages.
<li>ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
from a token, don't prompt for a PIN until the token has told us
that it needs one. Avoids double-prompting on devices that
implement on-device authentication.
<li>sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
should be an extension, not a critical option.
<li>ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
when trying to use a FIDO key function and SecurityKeyProvider is
empty.
<li>ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
the values allowed by the wire format (u32). Prevents integer
wraparound of the timeout values.
</ul>
</ul>
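<p>The "all: allow loading public keys from the unencrypted envelope of a private key file" item relies on a property of the openssh-key-v1 container: the public key blob sits in a cleartext header ahead of the (possibly encrypted) private section. The following Python is an added example, not OpenSSH's code, that builds two constructed containers (one with cipher "none", one marked "aes256-ctr" with an opaque stand-in for ciphertext) and then recovers the public key from the header alone, with bounds checks on every length field. The 32-byte "ed25519" key and the private bytes are constructed filler, not real key material; the helper names are this example's own.</p>

```python
import base64
import struct

# Framing constants of OpenSSH's "openssh-key-v1" private key container.
PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf, off):
    """Read one SSH 'string' at offset off with bounds checks; return (bytes, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_private_file(pub_blob, private_section, cipher=b"none"):
    """Assemble a PEM-wrapped container (constructed for this example): the
    public blob is always cleartext; private_section is opaque filler that
    stands in for ciphertext when cipher is not 'none'."""
    if cipher == b"none":
        kdf, kdf_opts = b"none", b""
    else:
        kdf = b"bcrypt"
        kdf_opts = ssh_string(b"S" * 16) + struct.pack(">I", 16)  # salt, rounds
    body = (AUTH_MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdf_opts)
            + struct.pack(">I", 1) + ssh_string(pub_blob) + ssh_string(private_section))
    b64 = base64.b64encode(body).decode("ascii")
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def public_key_from_private_file(text):
    """Recover the public key from the cleartext envelope without touching the
    private section. Raises ValueError on any malformed container."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH private key file")
    try:
        raw = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64 body") from e
    if not raw.startswith(AUTH_MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(AUTH_MAGIC)
    cipher, off = read_ssh_string(raw, off)
    _kdf, off = read_ssh_string(raw, off)
    _kdf_opts, off = read_ssh_string(raw, off)
    if off + 4 > len(raw):
        raise ValueError("truncated key count")
    (nkeys,) = struct.unpack(">I", raw[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError("expected exactly one key, got %d" % nkeys)
    pub_blob, off = read_ssh_string(raw, off)
    key_type, inner = read_ssh_string(pub_blob, 0)
    # Only the ed25519 blob layout (type string + 32-byte key) is decoded here;
    # other key types keep the raw blob, which is all authorized_keys needs.
    key_bytes = read_ssh_string(pub_blob, inner)[0] if key_type == b"ssh-ed25519" else None
    return {"type": key_type.decode("ascii"), "key": key_bytes, "blob": pub_blob,
            "cipher": cipher.decode("ascii"), "encrypted": cipher != b"none"}


def authorized_keys_line(text, comment="constructed-example"):
    """Format the recovered key the way a .pub / authorized_keys entry looks."""
    info = public_key_from_private_file(text)
    return "%s %s %s" % (info["type"], base64.b64encode(info["blob"]).decode("ascii"), comment)


def is_openssh_private_file(text):
    """True if the envelope parses cleanly (truncation or corruption gives False)."""
    try:
        public_key_from_private_file(text)
        return True
    except ValueError:
        return False


# Constructed sample material: NOT a real key point, NOT real ciphertext.
DEMO_ED25519_PUBLIC = bytes(range(32))
DEMO_PUB_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(DEMO_ED25519_PUBLIC)
DEMO_PLAIN_FILE = build_private_file(DEMO_PUB_BLOB, b"\x00" * 80)
DEMO_ENCRYPTED_FILE = build_private_file(DEMO_PUB_BLOB, b"\xaa" * 96, cipher=b"aes256-ctr")

if __name__ == "__main__":
    print(authorized_keys_line(DEMO_ENCRYPTED_FILE))
```

<p>The point for operators: a passphrase protects the private section only. Anyone who can read the file can still learn which public key it belongs to, which is why treating the unencrypted envelope as a fallback for a missing .pub file is sound, and why the file's mode still matters even when the key is encrypted.</p>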
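<p>For the bugfix "Detected and prevented simple ssh(1) configuration loops when using ProxyJump": a loop means every hop needs the hop before it, so ssh would keep starting nested ProxyCommand ssh processes instead of ever connecting. The following Python is an added example, not OpenSSH's code, that reads a constructed ~/.ssh/config fragment and walks the chain of hosts ssh would have to reach, reporting the first repeated host. It goes beyond the "simple" case the release note names by following multi-hop ProxyJump lists (where the remaining hops are passed down to the first hop as -J) and by continuing into each hop's own configuration. It assumes exact Host alias matches only (no patterns, no Match blocks); all host names are constructed.</p>

```python
import re


def host_of(jump_spec):
    """Extract the host from a ProxyJump entry of the form [user@]host[:port],
    including bracketed IPv6 literals such as [2001:db8::1]:2222."""
    spec = jump_spec.strip()
    if "@" in spec:
        spec = spec.rsplit("@", 1)[1]
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal: %r" % jump_spec)
        return spec[1:end]
    return spec.split(":", 1)[0]


def parse_ssh_config(text):
    """Minimal ssh_config(5) reader: Host blocks with 'Key value' or 'Key=value'
    lines; the first value seen for an option wins, as in ssh(1)."""
    config, current = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value.split()
            for alias in current:
                config.setdefault(alias, {})
        else:
            name = "ProxyJump" if key == "proxyjump" else key
            for alias in current:
                config[alias].setdefault(name, value)
    return config


def find_proxyjump_loop(config, target):
    """Return the list of hosts visited up to the first repeat (a loop),
    or None when the chain terminates. Multi-hop lists 'a,b,c' are walked
    in order, then the last hop's own ProxyJump (if any) is followed."""
    path = [target]
    pending = []   # remaining hops of an explicit multi-hop list
    current = target
    while True:
        if pending:
            nxt = pending.pop(0)
        else:
            jump = config.get(current, {}).get("ProxyJump")
            if jump is None or jump.lower() == "none":
                return None
            hops = [host_of(h) for h in jump.split(",") if h.strip()]
            if not hops:
                return None
            nxt, pending = hops[0], hops[1:]
        if nxt in path:
            return path + [nxt]
        path.append(nxt)
        current = nxt


def find_all_proxyjump_loops(config):
    """Map every configured alias that loops to its loop path."""
    loops = {}
    for alias in config:
        path = find_proxyjump_loop(config, alias)
        if path is not None:
            loops[alias] = path
    return loops


# Constructed example configuration (no real hosts).
SAMPLE_SSH_CONFIG = """
Host web
    ProxyJump bastion
Host bastion
    HostName bastion.example.test
Host db
    ProxyJump admin@bastion-loop:2222
Host bastion-loop
    ProxyJump db
Host self
    ProxyJump self
Host deep
    ProxyJump hop1,hop2,[2001:db8::1]:22
Host 2001:db8::1
    ProxyJump hop1
"""
SAMPLE_CONFIG = parse_ssh_config(SAMPLE_SSH_CONFIG)

if __name__ == "__main__":
    for alias, path in find_all_proxyjump_loops(SAMPLE_CONFIG).items():
        print("%s: loop via %s" % (alias, " -> ".join(path)))
```

<p>Running this over a real configuration before deployment catches the cycle as a configuration error rather than as a pile of ssh processes on the client; the check in ssh(1) itself only needs to cover the trivial case, because each nested ssh re-runs it for its own hop.</p>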
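<p>The last bugfix, "ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32)", is about a bounds check between a user-facing time string and a fixed-width protocol field. The following Python is an added example, not OpenSSH's code: it parses the sshd_config(5) TIME FORMATS syntax that ssh-add -t accepts, enforces the 32-bit limit, and shows what the unchecked value would have looked like on the wire. A lifetime of exactly 2^32 seconds truncates to 0, which ssh-agent treats as no expiry at all, the opposite of what was requested. Function names are this example's own.</p>

```python
import re

U32_MAX = 0xFFFFFFFF
# sshd_config(5) TIME FORMATS: a bare number is seconds; units may be combined.
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdwSMHDW]?)")


def parse_time_format(text):
    """Parse e.g. '90', '1h30m', '2w' into seconds; ValueError on bad syntax."""
    if not text or not re.fullmatch(r"(?:\d+[smhdwSMHDW]?)+", text):
        raise ValueError("invalid time format: %r" % text)
    return sum(int(n) * UNIT_SECONDS[u.lower()] for n, u in _TOKEN.findall(text))


def validate_key_lifetime(text):
    """Return a lifetime that fits the u32 SSH_AGENT_CONSTRAIN_LIFETIME field,
    or raise ValueError, mirroring the check the release note describes."""
    seconds = parse_time_format(text)
    if seconds > U32_MAX:
        raise ValueError("lifetime %d s exceeds the u32 wire-format maximum %d"
                         % (seconds, U32_MAX))
    return seconds


def lifetime_fits_u32(text):
    """Boolean form of validate_key_lifetime for callers that do not want exceptions."""
    try:
        validate_key_lifetime(text)
        return True
    except ValueError:
        return False


def naive_wire_lifetime(text):
    """What a sender without the check would encode: the value truncated to
    32 bits, i.e. the integer wraparound the fix prevents."""
    return parse_time_format(text) & U32_MAX


if __name__ == "__main__":
    for spec in ("1h30m", "4294967295", "7102w"):
        fits = lifetime_fits_u32(spec)
        print("%-12s fits=%s on-wire-if-unchecked=%d" % (spec, fits, naive_wire_lifetime(spec)))
```

<p>The practical consequence is that any lifetime larger than about 136 years (2^32 seconds) is now an error at ssh-add rather than a silently shortened, or never-expiring, key in the agent.</p>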