===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/68.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -c -r1.13 -r1.14
*** www/68.html 2020/10/02 16:59:46 1.13
--- www/68.html 2020/10/02 20:20:09 1.14
***************
*** 512,546 ****
!
OpenSSH 8.3 XXX
! Temporary List, replace with SSH ChangeLog:
! - Preserved group/world read permission on known_hosts files across runs of ssh-keygen(1) "-Rf /path".
!
- Restricted ssh-agent(1) from signing web challenges for FIDO keys, preventing ssh-agent forwarding on a host that has FIDO keys attached from granting the ability for the remote side to also sign challenges for web authentication using those keys.
!
- Added to ssh_config(5) a selection of keywords allowed to expand shell-style ${ENV} environment variables on the client side.
!
- Added ssh(1) support for fido(4) WebAuthn (verification only).
!
- Allowed sshd_config(5) longer than 256k.
!
- Allowed ssh-add(1) "-d -" to read keys to be deleted from stdin.
!
- Prevented ssh(1) port forwarding clients from keeping a connection alive when it should be terminated.
!
- Allowed additional control over the use of ssh-askpass(1) in ssh-add(1), including force-enable/disable.
!
- Added %-TOKEN, environment variable and tilde expansion to UserKnownHostsFile in ssh_config(5).
!
- Added a "%k" TOKEN to ssh_config(5) that expands to the effective HostKey of the destination.
!
- Allowed scp(1) and sftp(1) -A option to explicitly enable agent forwarding.
!
- Added optional time limits for the AddKeysToAgent keyword in ssh_config(5).
!
- Added support for requiring user-verified FIDO keys in sshd(8).
!
- Capped ssh(1) channel input buffer size at 16MB, avoiding high memory use when a peer advertises a large window but is slow to consume sent data.
!
- Potentially incompatible changes.
!
- New Features
!
- Bugfixes
!
Ports and packages:
--- 512,722 ----
! OpenSSH 8.4
- Potentially incompatible changes.
!
!
! - For FIDO/U2F support, OpenSSH recommends the use of libfido2
! 1.5.0 or greater. Older libraries have limited support at the expense
! of disabling particular features. These include resident keys, PIN-
! required keys and multiple attached tokens.
!
!
- ssh-keygen(1):
! the format of the attestation information optionally recorded when a
! FIDO key is generated has changed. It now includes the authenticator
! data needed to validate attestation signatures.
!
!
- The API between OpenSSH and the FIDO token middleware has
! changed and the SSH_SK_VERSION_MAJOR version has been incremented as a
! result. Third-party middleware libraries must support the current API
! version (7) to work with OpenSSH 8.4.
!
!
- The portable OpenSSH distribution now requires automake to
! rebuild the configure script and supporting files. This is not
! required when simply building portable OpenSSH from a release tar
! file.
!
!
- New Features
!
!
! - ssh(1), ssh-keygen">ssh-keygen(1):
! support for FIDO keys that require a PIN for each use. These keys may
! be generated using ssh-keygen using a new "verify-required" option.
! When a PIN-required key is used, the user will be prompted for a PIN
! to complete the signature operation.
!
!
- sshd(8):
! authorized_keys now supports a new "verify-required" option to require
! FIDO signatures assert that the token verified that the user was
! present before making the signature. The FIDO protocol supports
! multiple methods for user-verification, but currently OpenSSH only
! supports PIN verification.
!
!
- sshd(8), ssh-keygen(1): add
! support for verifying FIDO webauthn signatures. Webauthn is a standard
! for using FIDO keys in web browsers. These signatures are a slightly
! different format to plain FIDO signatures and thus require explicit
! support.
!
!
- ssh(1): allow some
! keywords to expand shell-style ${ENV} environment variables. The
! supported keywords are CertificateFile, ControlPath, IdentityAgent and
! IdentityFile, plus LocalForward and RemoteForward when used for Unix
! domain socket paths.
!
!
- ssh(1), ssh-agent(1): allow some
! additional control over the use of ssh-askpass via a new
! $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling
! and disabling its use.
!
!
- ssh(1): allow ssh_config(5)'s
! AddKeysToAgent keyword accept a time limit for keys in addition to its
! current flag options. Time- limited keys will automatically be removed
! from ssh-agent after their expiry time has passed.
!
!
- scp(1), sftp(1): allow the -A flag to
! explicitly enable agent forwarding in scp and sftp. The default
! remains to not forward an agent, even when ssh_config enables it.
!
!
- ssh(1): add a '%k'
! TOKEN that expands to the effective HostKey of the destination. This
! allows, e.g., keeping host keys in individual files using
! "UserKnownHostsFile ~/.ssh/known_hosts.d/%k".
!
!
- ssh-keygen(1):
! allow "ssh-add -d -" to read keys to be deleted from stdin.
!
!
- sshd(8): improve
! logging for MaxStartups connection throttling. sshd will now log when
! it starts and stops throttling and periodically while in this state.
!
!
!
- Bugfixes
!
!
! - ssh(1), ssh-keygen(1): better
! support for multiple attached FIDO tokens. In cases where OpenSSH
! cannot unambiguously determine which token to direct a request to, the
! user is now required to select a token by touching it. In cases of
! operations that require a PIN to be verified, this avoids sending the
! wrong PIN to the wrong token and incrementing the token's PIN failure
! counter (tokens effectively erase their keys after too many PIN
! failures).
!
!
- sshd(8): fix Include
! before Match in sshd_config(5).
!
!
- ssh(1): close
! stdin/out/error when forking after authentication completes ("ssh -f
! ...").
!
!
- ssh(1), sshd(8): limit the amount of
! channel input data buffered, avoiding peers that advertise large
! windows but are slow to read from causing high memory consumption.
!
!
- ssh-agent(1):
! handle multiple requests sent in a single write() to the agent.
!
!
- sshd(8): allow sshd_config(5) longer than 256k
!
!
- sshd(8): avoid
! spurious "Unable to load host key" message when sshd load a private
! key but no public counterpart
!
!
- ssh(1): prefer the
! default hostkey algorithm list whenever we have a hostkey that matches
! its best-preference algorithm.
!
!
- sshd(1): when
! ordering the hostkey algorithms to request from a server, prefer
! certificate types if the known_hosts files contain a key marked as a
! @cert-authority;
!
!
- ssh(1): perform host
! key fingerprint comparisons for the "Are you sure you want to continue
! connecting (yes/no/[fingerprint])?" prompt with case sensitivity.
!
!
- sshd(8): ensure that
! address/masklen mismatches in sshd_config yield fatal errors at daemon
! start time rather than later when they are evaluated.
!
!
- ssh-keygen(1):
! ensure that certificate extensions are lexically sorted. Previously if
! the user specified a custom extension then the everything would be in
! order except the custom ones.
!
!
- ssh(1): also compare
! username when checking for JumpHost loops.
!
!
- ssh-keygen(1):
! preserve group/world read permission on known_hosts files across runs
! of "ssh-keygen -Rf /path". The old behaviour was to remove all rights
! for group/other.
!
!
- ssh-keygen(1):
! Mention the [-a rounds] flag in the ssh-keygen manual page and
! usage().
!
!
- sshd(8): explicitly construct path to ~/.ssh/rc rather than
! relying on it being relative to the current directory, so that it
! can still be found if the shell startup changes its directory.
!
!
- sshd(8): when
! redirecting sshd's log output to a file, undo this redirection after
! the session child process is forked(). Fixes missing log messages when
! using this feature under some circumstances.
!
!
- sshd(8): start
! ClientAliveInterval bookkeeping before first pass through select()
! loop; fixed theoretical case where busy sshd may ignore timeouts from
! client.
!
!
- ssh(1): only reset the
! ServerAliveInterval check when we receive traffic from the server and
! ignore traffic from a port forwarding client, preventing a client from
! keeping a connection alive when it should be terminated.
!
!
- ssh-keygen(1):
! avoid spurious error message when ssh-keygen creates files outside
! ~/.ssh
!
!
- sftp-client(1): fix
! off-by-one error that caused sftp downloads to make one more
! concurrent request that desired. This prevented using sftp(1) in unpipelined
! request/response mode, which is useful when debugging.
!
!
- ssh(1), sshd(8): handle EINTR in
! waitfd() and timeout_connect() helpers.
!
!
- ssh(1), ssh-keygen(1): defer
! creation of ~/.ssh until we attempt to write to it so we don't leave
! an empty .ssh directory when it's not needed.
!
!
- ssh(1), sshd(8): fix multiplier when
! parsing time specifications when handling seconds after other units.
!
!
Ports and packages:
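Review bot: the new ssh(1)/ssh-keygen(1) PIN-required-keys entry carries a stray markup fragment, `- ssh(1), ssh-keygen">ssh-keygen(1):`, which looks like the remains of a broken anchor tag and will render literally on the page; it should read `- ssh(1), ssh-keygen(1):` like the neighbouring entries. Several entries also attribute a change to the wrong manual page, which matters on a page whose purpose is to tell users which tool changed: the `"ssh-add -d -"` stdin item is listed under `- ssh-keygen(1):` but is an ssh-add(1) change (the old text at 512,546 had it right); `- sshd(1): when ordering the hostkey algorithms to request from a server` describes client behaviour and should be `ssh(1)` (sshd is section 8 in any case); and `- sftp-client(1): fix` is not a manual page, the user-visible program is sftp(1). Minor wording fixes while here: "Time- limited" has a stray space, "when sshd load a private key" should be "loads", "then the everything would be in order" has an extra "the", and "one more concurrent request that desired" should be "than desired".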