| version 1.13, 2020/10/02 16:59:46 |
version 1.14, 2020/10/02 20:20:09 |
|
|
| </ul> |
</ul> |
| </ul> |
</ul> |
| |
|
| <li>OpenSSH 8.3 XXX |
<li>OpenSSH 8.4 |
| <ul><span style="color:red;">Temporary List, replace with SSH ChangeLog:</span> |
|
| <li>Preserved group/world read permission on known_hosts files across runs of <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> "-Rf /path". |
|
| <li>Restricted <a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a> from signing web challenges for FIDO keys, preventing ssh-agent forwarding on a host that has FIDO keys attached from granting the ability for the remote side to also sign challenges for web authentication using those keys. |
|
| <li>Added to <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a> a selection of keywords allowed to expand shell-style ${ENV} environment variables on the client side. |
|
| <li>Added <a href="https://man.openbsd.org/ssh">ssh(1)</a> support for <a href="https://man.openbsd.org/fido">fido(4)</a> WebAuthn (verification only). |
|
| <li>Allowed <a href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k. |
|
| <li>Allowed <a href="https://man.openbsd.org/ssh-add">ssh-add(1)</a> "-d -" to read keys to be deleted from stdin. |
|
| <li>Prevented <a href="https://man.openbsd.org/ssh">ssh(1)</a> port forwarding clients from keeping a connection alive when it should be terminated. |
|
| <li>Allowed additional control over the use of <a href="https://man.openbsd.org/ssh-askpass">ssh-askpass(1)</a> in <a href="https://man.openbsd.org/ssh-add">ssh-add(1)</a>, including force-enable/disable. |
|
| <li>Added %-TOKEN, environment variable and tilde expansion to UserKnownHostsFile in <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>. |
|
| <li>Added a "%k" TOKEN to <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a> that expands to the effective HostKey of the destination. |
|
| <li>Allowed <a href="https://man.openbsd.org/scp">scp(1)</a> and <a href="https://man.openbsd.org/sftp">sftp(1)</a> -A option to explicitly enable agent forwarding. |
|
| <li>Added optional time limits for the AddKeysToAgent keyword in <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>. |
|
| <li>Added support for requiring user-verified FIDO keys in <a href="https://man.openbsd.org/sshd">sshd(8)</a>. |
|
| <li>Capped <a href="https://man.openbsd.org/ssh">ssh(1)</a> channel input buffer size at 16MB, avoiding high memory use when a peer advertises a large window but is slow to consume sent data. |
|
| </ul> |
|
| <ul> |
<ul> |
| <li>Potentially incompatible changes. |
<li>Potentially incompatible changes. |
| <ul> |
<ul> |
| <li> </ul> |
|
| |
<li>For FIDO/U2F support, OpenSSH recommends the use of libfido2 |
| |
1.5.0 or greater. Older libraries have limited support at the expense |
| |
of disabling particular features. These include resident keys, PIN- |
| |
required keys and multiple attached tokens. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| |
the format of the attestation information optionally recorded when a |
| |
FIDO key is generated has changed. It now includes the authenticator |
| |
data needed to validate attestation signatures. |
| |
|
| |
<li>The API between OpenSSH and the FIDO token middleware has |
| |
changed and the SSH_SK_VERSION_MAJOR version has been incremented as a |
| |
result. Third-party middleware libraries must support the current API |
| |
version (7) to work with OpenSSH 8.4. |
| |
|
| |
<li>The portable OpenSSH distribution now requires automake to |
| |
rebuild the configure script and supporting files. This is not |
| |
required when simply building portable OpenSSH from a release tar |
| |
file. |
| |
|
| |
</ul> |
| <li>New Features |
<li>New Features |
| <ul> |
<ul> |
| <li>... |
|
| </ul> |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen">ssh-keygen(1)</a>: |
| |
support for FIDO keys that require a PIN for each use. These keys may |
| |
be generated using ssh-keygen using a new "verify-required" option. |
| |
When a PIN-required key is used, the user will be prompted for a PIN |
| |
to complete the signature operation. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: |
| |
authorized_keys now supports a new "verify-required" option to require |
| |
FIDO signatures assert that the token verified that the user was |
| |
present before making the signature. The FIDO protocol supports |
| |
multiple methods for user-verification, but currently OpenSSH only |
| |
supports PIN verification. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>, <a |
| |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: add |
| |
support for verifying FIDO webauthn signatures. Webauthn is a standard |
| |
for using FIDO keys in web browsers. These signatures are a slightly |
| |
different format to plain FIDO signatures and thus require explicit |
| |
support. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow some |
| |
keywords to expand shell-style ${ENV} environment variables. The |
| |
supported keywords are CertificateFile, ControlPath, IdentityAgent and |
| |
IdentityFile, plus LocalForward and RemoteForward when used for Unix |
| |
domain socket paths. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| |
href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: allow some |
| |
additional control over the use of ssh-askpass via a new |
| |
$SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling |
| |
and disabling its use. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow <a |
| |
href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>'s |
| |
AddKeysToAgent keyword accept a time limit for keys in addition to its |
| |
current flag options. Time- limited keys will automatically be removed |
| |
from ssh-agent after their expiry time has passed. |
| |
|
| |
<li><a href="https://man.openbsd.org/scp">scp(1)</a>, <a |
| |
href="https://man.openbsd.org/sftp">sftp(1)</a>: allow the -A flag to |
| |
explicitly enable agent forwarding in scp and sftp. The default |
| |
remains to not forward an agent, even when ssh_config enables it. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add a '%k' |
| |
TOKEN that expands to the effective HostKey of the destination. This |
| |
allows, e.g., keeping host keys in individual files using |
| |
"UserKnownHostsFile ~/.ssh/known_hosts.d/%k". |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh(1): add %-TOKEN, |
| |
environment variable and tilde expansion to the UserKnownHostsFile |
| |
directive, allowing the path to be completed by the configuration. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| |
allow "ssh-add -d -" to read keys to be deleted from stdin. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: improve |
| |
logging for MaxStartups connection throttling. sshd will now log when |
| |
it starts and stops throttling and periodically while in this state. |
| |
|
| |
|
| |
</ul> |
| <li>Bugfixes |
<li>Bugfixes |
| <ul> |
<ul> |
| <li>... |
|
| </ul> |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: better |
| |
support for multiple attached FIDO tokens. In cases where OpenSSH |
| |
cannot unambiguously determine which token to direct a request to, the |
| |
user is now required to select a token by touching it. In cases of |
| |
operations that require a PIN to be verified, this avoids sending the |
| |
wrong PIN to the wrong token and incrementing the token's PIN failure |
| |
counter (tokens effectively erase their keys after too many PIN |
| |
failures). |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: fix Include |
| |
before Match in <a |
| |
href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: close |
| |
stdin/out/error when forking after authentication completes ("ssh -f |
| |
..."). |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| |
href="https://man.openbsd.org/sshd">sshd(8)</a>: limit the amount of |
| |
channel input data buffered, avoiding peers that advertise large |
| |
windows but are slow to read from causing high memory consumption. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: |
| |
handle multiple requests sent in a single write() to the agent. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: allow <a |
| |
href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: avoid |
| |
spurious "Unable to load host key" message when sshd load a private |
| |
key but no public counterpart |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: prefer the |
| |
default hostkey algorithm list whenever we have a hostkey that matches |
| |
its best-preference algorithm. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(1)</a>: when |
| |
ordering the hostkey algorithms to request from a server, prefer |
| |
certificate types if the known_hosts files contain a key marked as a |
| |
@cert-authority; |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: perform host |
| |
key fingerprint comparisons for the "Are you sure you want to continue |
| |
connecting (yes/no/[fingerprint])?" prompt with case sensitivity. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: ensure that |
| |
address/masklen mismatches in sshd_config yield fatal errors at daemon |
| |
start time rather than later when they are evaluated. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| |
ensure that certificate extensions are lexically sorted. Previously if |
| |
the user specified a custom extension then the everything would be in |
| |
order except the custom ones. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: also compare |
| |
username when checking for JumpHost loops. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| |
preserve group/world read permission on known_hosts files across runs |
| |
of "ssh-keygen -Rf /path". The old behaviour was to remove all rights |
| |
for group/other. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| |
Mention the [-a rounds] flag in the ssh-keygen manual page and |
| |
usage(). |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: explicitly construct path to ~/.ssh/rc rather than |
| |
relying on it being relative to the current directory, so that it |
| |
can still be found if the shell startup changes its directory. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: when |
| |
redirecting sshd's log output to a file, undo this redirection after |
| |
the session child process is forked(). Fixes missing log messages when |
| |
using this feature under some circumstances. |
| |
|
| |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: start |
| |
ClientAliveInterval bookkeeping before first pass through select() |
| |
loop; fixed theoretical case where busy sshd may ignore timeouts from |
| |
client. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: only reset the |
| |
ServerAliveInterval check when we receive traffic from the server and |
| |
ignore traffic from a port forwarding client, preventing a client from |
| |
keeping a connection alive when it should be terminated. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| |
avoid spurious error message when ssh-keygen creates files outside |
| |
~/.ssh |
| |
|
| |
<li><a |
| |
href="https://man.openbsd.org/sftp-client">sftp-client(1)</a>: fix |
| |
off-by-one error that caused sftp downloads to make one more |
| |
concurrent request that desired. This prevented using <a |
| |
href="https://man.openbsd.org/sftp">sftp(1)</a> in unpipelined |
| |
request/response mode, which is useful when debugging. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| |
href="https://man.openbsd.org/sshd">sshd(8)</a>: handle EINTR in |
| |
waitfd() and timeout_connect() helpers. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: defer |
| |
creation of ~/.ssh until we attempt to write to it so we don't leave |
| |
an empty .ssh directory when it's not needed. |
| |
|
| |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| |
href="https://man.openbsd.org/sshd">sshd(8)</a>: fix multiplier when |
| |
parsing time specifications when handling seconds after other units. |
| |
|
| |
</ul> |
| </ul> |
</ul> |
| |
|
| <li>Ports and packages: |
<li>Ports and packages: |
![[BACK]](/icons/back.gif){kind=icon}
Return to 68.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www