===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -r1.67 -r1.68
--- www/67.html 2020/05/12 09:46:23 1.67
+++ www/67.html 2020/05/12 14:02:42 1.68
@@ -1174,8 +1174,14 @@
-
OpenSSH 8.1
+OpenSSH 8.3
+ - Potentially incompatible changes.
+
+ - sftp(1):
+ reject an argument of "-1" in the same way as ssh(1) and
+ scp(1) do instead of accepting and silently ignoring it.
+
- New Features
- Allowed use of the IgnoreRhosts directive anywhere in an Added TOKEN percent expansion (i.e. userid, hostnames etc.) to ssh(1) LocalForward and
RemoteForward when used for Unix domain socket forwarding.
+
- all: allow loading public keys from the unencrypted envelope of a
+ private key file if no corresponding public key file is present.
- Gave ssh-keygen(1) the
ability to dump the contents of a binary key revocation list with
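Review bot: the removal of "- Gave ssh-keygen(1) the" leaves its continuation ("ability to dump the contents of a binary key revocation list with") as unchanged context, so the page now carries a dangling sentence fragment; either drop the whole entry or keep both halves. The context line "Allowed use of the IgnoreRhosts directive anywhere in an Added TOKEN percent expansion (i.e. userid, hostnames etc.) to ssh(1) LocalForward and" also reads as two changelog entries run together and should be split into two list items. Style: the new "sftp(1):" entry is plain text, while the existing entries in this file link the utility to its manual page (for example href="https://man.openbsd.org/ssh-keygen"); link sftp(1), ssh(1) and scp(1) the same way for consistency.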
@@ -1232,36 +1240,73 @@
user presence was tested before a security key was made.
- Added direct support for U2F/FIDO2 security keys in ssh(1).
-
- Added initial infrastructure for U2F/FIDO support in ssh(1).
-
- Notified the user via TTY or $SSH_ASKPASS when ssh(1) security keys must be
tapped/touched in order to perform a signature operation.
- Enabled ed25519 support in ssh(1).
-
-
- Bugfixes
- Detected and prevented simple ssh(1) configuration loops when
- using ProxyJump.
-
- Fixed PIN entry bugs on FIDO ssh-keygen(1).
+ href="https://man.openbsd.org/ssh">ssh(1) configuration loops when
+ using ProxyJump.
+
- Fixed PIN entry bugs on FIDO in ssh-keygen(1).
- Fixed ssh-keygen(1) not
- displaying the authenticator touch prompt.
+ href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1) not
+ displaying the authenticator touch prompt.
- Prevented a timeout in ssh(1) when the server doesn't
- immediately send a banner, such as with multiplexers like sslh.
+ href="https://man.openbsd.org/ssh">ssh(1) when the server doesn't
+ immediately send a banner, such as with multiplexers like sslh.
- Adjusted on-wire signature encoding for ecdsh-sk ssh(1) keys to better match
- ec25519-sk keys.
+ href="https://man.openbsd.org/ssh">ssh(1) keys to better match
+ ec25519-sk keys.
- Fixed a potential NULL dereference for revoked hostkeys in ssh(1).
+ href="https://man.openbsd.org/ssh">ssh(1).
+
- ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
+ a PKCS11Provider
+
- ssh-keygen(1): avoid NULL dereference when trying to convert an
+ invalid RFC4716 private key.
+
- scp(2): when performing remote-to-remote copies using "scp -3",
+ start the second ssh(1) channel with BatchMode=yes enabled to
+ avoid confusing and non-deterministic ordering of prompts.
+
- ssh(1): fix incorrect error message for "too many known hosts
+ files."
+
- ssh(1): make failures when establishing "Tunnel" forwarding
+ terminate the connection when ExitOnForwardFailure is enabled
+
- ssh-keygen(1): fix printing of fingerprints on private keys and add
+ a regression test for same.
+
- sshd(8): document order of checking AuthorizedKeysFile (first) and
+ AuthorizedKeysCommand (subsequently, if the file doesn't match)
+
- sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
+ not considered for HostbasedAuthentication when the target user is
+ root
+
- ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
+ key parsing (oss-fuzz #20074).
+
- ssh(1), sshd(8): more consistency between sets of %TOKENS are
+ accepted in various configuration options.
+
- ssh(1), ssh-keygen(1): improve error messages for some common
+ PKCS#11 C_Login failure cases
+
- ssh(1), sshd(8): make error messages for problems during SSH banner
+ exchange consistent with other SSH transport-layer error messages
+ and ensure they include the relevant IP addresses
+
- various: fix a number of spelling errors in comments and debug/error
+ messages
+
- ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
+ from a token, don't prompt for a PIN until the token has told us
+ that it needs one. Avoids double-prompting on devices that
+ implement on-device authentication.
+
- sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
+ should be an extension, not a critical option.
+
- ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
+ when trying to use a FIDO key function and SecurityKeyProvider is
+ empty.
+
- ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
+ the values allowed by the wire format (u32). Prevents integer
+ wraparound of the timeout values
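Review bot: "scp(2): when performing remote-to-remote copies using "scp -3"" has the wrong manual section; scp is scp(1), as the same patch writes it in the sftp entry near the top. The added line "+ ec25519-sk keys." carries over a typo from the line it replaces: the key types are ecdsa-sk and ed25519-sk, so the entry should read "for ecdsa-sk ssh(1) keys to better match ed25519-sk keys." Minor: the new bullets are inconsistent about trailing periods (compare "a PKCS11Provider" and "when ExitOnForwardFailure is enabled" with "invalid RFC4716 private key."), and the "Potentially incompatible changes." heading in the first hunk is indented as if it were an entry rather than a subsection title; pick one convention for the OpenSSH 8.3 block.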