version 1.13, 2020/10/02 16:59:46
version 1.14, 2020/10/02 20:20:09

</ul>
</ul>
</ul>
</ul>

<li>OpenSSH 8.4
<ul>
<li><span style="color:red;">Temporary List, replace with SSH ChangeLog:</span>
<li>Preserved group/world read permission on known_hosts files across runs of <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> "-Rf /path".
<li>Restricted <a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a> from signing web challenges for FIDO keys, so that forwarding an agent from a host with FIDO keys attached no longer lets the remote side sign web authentication challenges with those keys.
<li>Added to <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a> a selection of keywords that are allowed to expand shell-style ${ENV} environment variables on the client side.
<li>Added <a href="https://man.openbsd.org/ssh">ssh(1)</a> support for <a href="https://man.openbsd.org/fido">fido(4)</a> WebAuthn (verification only).
<li>Allowed <a href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k.
<li>Allowed <a href="https://man.openbsd.org/ssh-add">ssh-add(1)</a> "-d -" to read keys to be deleted from stdin.
<li>Prevented <a href="https://man.openbsd.org/ssh">ssh(1)</a> port forwarding clients from keeping a connection alive when it should be terminated.
<li>Allowed additional control over the use of <a href="https://man.openbsd.org/ssh-askpass">ssh-askpass(1)</a> in <a href="https://man.openbsd.org/ssh-add">ssh-add(1)</a>, including force-enable/disable.
<li>Added %-TOKEN, environment variable and tilde expansion to UserKnownHostsFile in <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>.
<li>Added a "%k" TOKEN to <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a> that expands to the effective HostKey of the destination.
<li>Allowed the <a href="https://man.openbsd.org/scp">scp(1)</a> and <a href="https://man.openbsd.org/sftp">sftp(1)</a> -A option to explicitly enable agent forwarding.
<li>Added optional time limits for the AddKeysToAgent keyword in <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>.
<li>Added support for requiring user-verified FIDO keys in <a href="https://man.openbsd.org/sshd">sshd(8)</a>.
<li>Capped the <a href="https://man.openbsd.org/ssh">ssh(1)</a> channel input buffer size at 16MB, avoiding high memory use when a peer advertises a large window but is slow to consume sent data.
</ul>
|
<ul>
<li>Potentially incompatible changes
<ul>
<li>For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0 or greater. Older libraries have limited support at the expense of disabling particular features. These include resident keys, PIN-required keys and multiple attached tokens.
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: the format of the attestation information optionally recorded when a FIDO key is generated has changed. It now includes the authenticator data needed to validate attestation signatures.
<li>The API between OpenSSH and the FIDO token middleware has changed and the SSH_SK_VERSION_MAJOR version has been incremented as a result. Third-party middleware libraries must support the current API version (7) to work with OpenSSH 8.4.
<li>The portable OpenSSH distribution now requires automake to rebuild the configure script and supporting files. This is not required when simply building portable OpenSSH from a release tar file.
</ul>
<li>New Features
<ul>
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen with a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: authorized_keys now supports a new "verify-required" option that requires FIDO signatures to assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods of user verification, but currently OpenSSH only supports PIN verification.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: add support for verifying FIDO WebAuthn signatures. WebAuthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format from plain FIDO signatures and thus require explicit support.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow <a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>'s AddKeysToAgent keyword to accept a time limit for keys in addition to its current flag options. Time-limited keys will automatically be removed from ssh-agent after their expiry time has passed.
<li><a href="https://man.openbsd.org/scp">scp(1)</a>, <a href="https://man.openbsd.org/sftp">sftp(1)</a>: allow the -A flag to explicitly enable agent forwarding in scp and sftp. The default remains to not forward an agent, even when ssh_config enables it.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add a '%k' TOKEN that expands to the effective HostKey of the destination. This allows, e.g., keeping host keys in individual files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k".
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add %-TOKEN, environment variable and tilde expansion to the UserKnownHostsFile directive, allowing the path to be completed by the configuration.
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: allow "ssh-add -d -" to read keys to be deleted from stdin.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: improve logging for MaxStartups connection throttling. sshd will now log when it starts and stops throttling, and periodically while in this state.
</ul>
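To check an existing deployment against the "verify-required" authorized_keys option described above, here is an added example (editor's code, not part of the release notes or of OpenSSH): it flags authorized_keys entries that grant a FIDO (sk-*) key without that option. It assumes the standard authorized_keys layout of an optional comma-separated options field (double-quoted values may contain spaces and commas), followed by key type, key and comment.

```c
/* Added example (editor's code, not OpenSSH's): flag authorized_keys entries
 * that grant a FIDO ("sk-") key without OpenSSH 8.4's verify-required option. */
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* End of the options field at p: the first unquoted whitespace (or NUL), so
 * command="a b",no-pty stays one token despite the embedded space. */
static const char *options_end(const char *p)
{
    int inquote = 0;
    for (; *p != '\0' && (inquote || !isspace((unsigned char)*p)); p++)
        if (*p == '"')
            inquote = !inquote;
    return p;
}

/* Does the comma-separated options field [opts, end) contain verify-required? */
static int has_verify_required(const char *opts, const char *end)
{
    const char *start = opts, *p;
    int inquote = 0;
    for (p = opts; p <= end; p++) {
        if (p < end && *p == '"')
            inquote = !inquote;
        else if (p == end || (!inquote && *p == ',')) {
            if (p - start == 15 && strncasecmp(start, "verify-required", 15) == 0)
                return 1;
            start = p + 1;
        }
    }
    return 0;
}

/* 1 if the line grants an sk-* key without verify-required, otherwise 0 (blank
 * lines, comments, non-FIDO keys and compliant entries all yield 0). */
int line_lacks_verify_required(const char *line)
{
    const char *p = line, *end, *keytype;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#') return 0;
    if (strncmp(p, "sk-", 3) == 0) return 1;        /* FIDO key, no options field */
    if (strncmp(p, "ssh-", 4) == 0 || strncmp(p, "ecdsa-", 6) == 0) return 0;
    end = options_end(p);                           /* first token is the options */
    for (keytype = end; isspace((unsigned char)*keytype); keytype++) ;
    if (strncmp(keytype, "sk-", 3) != 0) return 0;  /* options on a non-FIDO key */
    return !has_verify_required(p, end);
}
```

Run it over each line of a user's authorized_keys and any line returning 1 is a FIDO key for which the server will accept a signature made without PIN verification.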
<li>Bugfixes
<ul>
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: better support for multiple attached FIDO tokens. In cases where OpenSSH cannot unambiguously determine which token to direct a request to, the user is now required to select a token by touching it. For operations that require a PIN to be verified, this avoids sending the wrong PIN to the wrong token and incrementing the token's PIN failure counter (tokens effectively erase their keys after too many PIN failures).
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: fix Include before Match in <a href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: close stdin/out/error when forking after authentication completes ("ssh -f ...").
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a href="https://man.openbsd.org/sshd">sshd(8)</a>: limit the amount of channel input data buffered, avoiding high memory consumption caused by peers that advertise large windows but are slow to read.
<li><a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: handle multiple requests sent in a single write() to the agent.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: allow <a href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: avoid a spurious "Unable to load host key" message when sshd loads a private key but no public counterpart.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: prefer the default hostkey algorithm list whenever we have a hostkey that matches its best-preference algorithm.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: perform host key fingerprint comparisons for the "Are you sure you want to continue connecting (yes/no/[fingerprint])?" prompt with case sensitivity.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: ensure that address/masklen mismatches in sshd_config yield fatal errors at daemon start time rather than later when they are evaluated.
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: ensure that certificate extensions are lexically sorted. Previously, if the user specified a custom extension then everything would be in order except the custom ones.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: also compare the username when checking for JumpHost loops.
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: preserve group/world read permission on known_hosts files across runs of "ssh-keygen -Rf /path". The old behaviour was to remove all rights for group/other.
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: mention the [-a rounds] flag in the ssh-keygen manual page and usage().
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: explicitly construct the path to ~/.ssh/rc rather than relying on it being relative to the current directory, so that it can still be found if the shell startup changes its directory.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: when redirecting sshd's log output to a file, undo this redirection after the session child process is forked. Fixes missing log messages when using this feature under some circumstances.
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: start ClientAliveInterval bookkeeping before the first pass through the select() loop; fixes a theoretical case where a busy sshd may ignore timeouts from the client.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: only reset the ServerAliveInterval check when we receive traffic from the server, and ignore traffic from a port forwarding client, preventing a client from keeping a connection alive when it should be terminated.
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: avoid a spurious error message when ssh-keygen creates files outside ~/.ssh.
<li><a href="https://man.openbsd.org/sftp-client">sftp-client(1)</a>: fix an off-by-one error that caused sftp downloads to make one more concurrent request than desired. This prevented using <a href="https://man.openbsd.org/sftp">sftp(1)</a> in unpipelined request/response mode, which is useful when debugging.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a href="https://man.openbsd.org/sshd">sshd(8)</a>: handle EINTR in the waitfd() and timeout_connect() helpers.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: defer creation of ~/.ssh until we attempt to write to it, so we don't leave an empty .ssh directory when it's not needed.
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a href="https://man.openbsd.org/sshd">sshd(8)</a>: fix the multiplier when parsing time specifications when handling seconds after other units.
</ul>
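The last bugfix above, and the AddKeysToAgent expiry interval in the new features, both turn on how time specifications are parsed. The following is an added example written for this page, not OpenSSH's own misc.c: it implements the documented time-format grammar (a bare number is seconds; otherwise one or more number-plus-unit fields with units s, m, h, d or w) and, in particular, picks the multiplier afresh for every field, so a seconds field that follows another unit counts as seconds.

```c
/* Added example (editor's code, not OpenSSH's misc.c): parse the time
 * specifications used by keywords such as AddKeysToAgent's expiry interval.
 * Grammar assumed here: a bare number is seconds; otherwise one or more
 * <number><unit> fields, unit s/m/h/d/w (case-insensitive); a final field
 * with no unit is taken as seconds. No whitespace is permitted. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Returns the total in seconds, or -1 for an empty, malformed or
 * overflowing specification. */
long parse_time_spec(const char *s)
{
    long total = 0, n, multiplier = 1;
    char *endp;

    if (s == NULL || *s == '\0')
        return -1;
    while (*s != '\0') {
        if (!isdigit((unsigned char)*s))
            return -1;                      /* every field starts with a digit */
        errno = 0;
        n = strtol(s, &endp, 10);
        if (errno == ERANGE)
            return -1;                      /* number itself too large */
        switch (*endp) {
        case '\0':                          /* trailing bare number: seconds */
        case 's': case 'S': multiplier = 1;      break;
        case 'm': case 'M': multiplier = 60;     break;
        case 'h': case 'H': multiplier = 3600;   break;
        case 'd': case 'D': multiplier = 86400;  break;
        case 'w': case 'W': multiplier = 604800; break;
        default:            return -1;      /* unknown unit character */
        }
        /* The multiplier is re-chosen for each field rather than carried over
         * from the previous unit: the "30s" in "1h30s" contributes 30 seconds,
         * which is the seconds-after-other-units case the 8.4 bugfix addresses. */
        if (n > (LONG_MAX - total) / multiplier)
            return -1;                      /* sum would overflow */
        total += n * multiplier;
        s = (*endp == '\0') ? endp : endp + 1;
    }
    return total;
}
```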
</ul>

<li>Ports and packages: