| version 1.41, 2020/10/04 22:12:48 |
version 1.42, 2020/10/04 23:23:55 |
|
|
| <ul> |
<ul> |
| <li>Potentially incompatible changes. |
<li>Potentially incompatible changes. |
| <ul> |
<ul> |
| |
|
| <li>For FIDO/U2F support, OpenSSH recommends the use of libfido2 |
<li>For FIDO/U2F support, OpenSSH recommends the use of libfido2 |
| 1.5.0 or greater. Older libraries have limited support at the expense |
1.5.0 or greater. Older libraries have limited support at the expense |
| of disabling particular features. These include resident keys, PIN- |
of disabling particular features. These include resident keys, PIN- |
| required keys and multiple attached tokens. |
required keys and multiple attached tokens. |
| |
|
| <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| the format of the attestation information optionally recorded when a |
the format of the attestation information optionally recorded when a |
| FIDO key is generated has changed. It now includes the authenticator |
FIDO key is generated has changed. It now includes the authenticator |
| data needed to validate attestation signatures. |
data needed to validate attestation signatures. |
| |
|
| <li>The API between OpenSSH and the FIDO token middleware has |
<li>The API between OpenSSH and the FIDO token middleware has |
| changed and the SSH_SK_VERSION_MAJOR version has been incremented as a |
changed and the SSH_SK_VERSION_MAJOR version has been incremented as a |
| result. Third-party middleware libraries must support the current API |
result. Third-party middleware libraries must support the current API |
| version (7) to work with OpenSSH 8.4. |
version (7) to work with OpenSSH 8.4. |
| |
|
| <li>The portable OpenSSH distribution now requires automake to |
<li>The portable OpenSSH distribution now requires automake to |
| rebuild the configure script and supporting files. This is not |
rebuild the configure script and supporting files. This is not |
| required when simply building portable OpenSSH from a release tar |
required when simply building portable OpenSSH from a release tar |
| file. |
file. |
| |
|
| </ul> |
</ul> |
| <li>New Features |
<li>New Features |
| <ul> |
<ul> |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| href="https://man.openbsd.org/ssh-keygen">ssh-keygen">ssh-keygen(1)</a>: |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen">ssh-keygen(1)</a>: |
| support for FIDO keys that require a PIN for each use. These keys may |
support for FIDO keys that require a PIN for each use. These keys may |
| be generated using ssh-keygen using a new "verify-required" option. |
be generated using ssh-keygen using a new "verify-required" option. |
| When a PIN-required key is used, the user will be prompted for a PIN |
When a PIN-required key is used, the user will be prompted for a PIN |
| to complete the signature operation. |
to complete the signature operation. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: |
| authorized_keys now supports a new "verify-required" option to require |
authorized_keys now supports a new "verify-required" option to require |
| FIDO signatures assert that the token verified that the user was |
FIDO signatures assert that the token verified that the user was |
| present before making the signature. The FIDO protocol supports |
present before making the signature. The FIDO protocol supports |
| multiple methods for user-verification, but currently OpenSSH only |
multiple methods for user-verification, but currently OpenSSH only |
| supports PIN verification. |
supports PIN verification. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>, <a |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>, <a |
| href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: add |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: add |
| support for verifying FIDO webauthn signatures. Webauthn is a standard |
support for verifying FIDO webauthn signatures. Webauthn is a standard |
| for using FIDO keys in web browsers. These signatures are a slightly |
for using FIDO keys in web browsers. These signatures are a slightly |
| different format to plain FIDO signatures and thus require explicit |
different format to plain FIDO signatures and thus require explicit |
| support. |
support. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow some |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow some |
| keywords to expand shell-style ${ENV} environment variables. The |
keywords to expand shell-style ${ENV} environment variables. The |
| supported keywords are CertificateFile, ControlPath, IdentityAgent and |
supported keywords are CertificateFile, ControlPath, IdentityAgent and |
| IdentityFile, plus LocalForward and RemoteForward when used for Unix |
IdentityFile, plus LocalForward and RemoteForward when used for Unix |
| domain socket paths. |
domain socket paths. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: allow some |
href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: allow some |
| additional control over the use of ssh-askpass via a new |
additional control over the use of ssh-askpass via a new |
| $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling |
$SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling |
| and disabling its use. |
and disabling its use. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow <a |
| href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>'s |
href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>'s |
| AddKeysToAgent keyword accept a time limit for keys in addition to its |
AddKeysToAgent keyword accept a time limit for keys in addition to its |
| current flag options. Time- limited keys will automatically be removed |
current flag options. Time- limited keys will automatically be removed |
| from ssh-agent after their expiry time has passed. |
from ssh-agent after their expiry time has passed. |
| |
|
| <li><a href="https://man.openbsd.org/scp">scp(1)</a>, <a |
<li><a href="https://man.openbsd.org/scp">scp(1)</a>, <a |
| href="https://man.openbsd.org/sftp">sftp(1)</a>: allow the -A flag to |
href="https://man.openbsd.org/sftp">sftp(1)</a>: allow the -A flag to |
| explicitly enable agent forwarding in scp and sftp. The default |
explicitly enable agent forwarding in scp and sftp. The default |
| remains to not forward an agent, even when ssh_config enables it. |
remains to not forward an agent, even when ssh_config enables it. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add a '%k' |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add a '%k' |
| TOKEN that expands to the effective HostKey of the destination. This |
TOKEN that expands to the effective HostKey of the destination. This |
| allows, e.g., keeping host keys in individual files using |
allows, e.g., keeping host keys in individual files using |
| "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". |
"UserKnownHostsFile ~/.ssh/known_hosts.d/%k". |
| |
|
| <li><a href="https://man.openbsd.org/ssh(1): add %-TOKEN, |
<li><a href="https://man.openbsd.org/ssh(1): add %-TOKEN, |
| environment variable and tilde expansion to the UserKnownHostsFile |
environment variable and tilde expansion to the UserKnownHostsFile |
| directive, allowing the path to be completed by the configuration. |
directive, allowing the path to be completed by the configuration. |
| |
|
| <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| allow "ssh-add -d -" to read keys to be deleted from stdin. |
allow "ssh-add -d -" to read keys to be deleted from stdin. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: improve |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: improve |
| logging for MaxStartups connection throttling. sshd will now log when |
logging for MaxStartups connection throttling. sshd will now log when |
| it starts and stops throttling and periodically while in this state. |
it starts and stops throttling and periodically while in this state. |
| |
|
| |
|
| </ul> |
</ul> |
| <li>Bugfixes |
<li>Bugfixes |
| <ul> |
<ul> |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: better |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: better |
| support for multiple attached FIDO tokens. In cases where OpenSSH |
support for multiple attached FIDO tokens. In cases where OpenSSH |
|
|
| wrong PIN to the wrong token and incrementing the token's PIN failure |
wrong PIN to the wrong token and incrementing the token's PIN failure |
| counter (tokens effectively erase their keys after too many PIN |
counter (tokens effectively erase their keys after too many PIN |
| failures). |
failures). |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: fix Include |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: fix Include |
| before Match in <a |
before Match in <a |
| href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>. |
href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: close |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: close |
| stdin/out/error when forking after authentication completes ("ssh -f |
stdin/out/error when forking after authentication completes ("ssh -f |
| ..."). |
..."). |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| href="https://man.openbsd.org/sshd">sshd(8)</a>: limit the amount of |
href="https://man.openbsd.org/sshd">sshd(8)</a>: limit the amount of |
| channel input data buffered, avoiding peers that advertise large |
channel input data buffered, avoiding peers that advertise large |
| windows but are slow to read from causing high memory consumption. |
windows but are slow to read from causing high memory consumption. |
| |
|
| <li><a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: |
| handle multiple requests sent in a single write() to the agent. |
handle multiple requests sent in a single write() to the agent. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: allow <a |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: allow <a |
| href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k |
href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: avoid |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: avoid |
| spurious "Unable to load host key" message when sshd load a private |
spurious "Unable to load host key" message when sshd load a private |
| key but no public counterpart |
key but no public counterpart |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: prefer the |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: prefer the |
| default hostkey algorithm list whenever we have a hostkey that matches |
default hostkey algorithm list whenever we have a hostkey that matches |
| its best-preference algorithm. |
its best-preference algorithm. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(1)</a>: when |
<li><a href="https://man.openbsd.org/sshd">sshd(1)</a>: when |
| ordering the hostkey algorithms to request from a server, prefer |
ordering the hostkey algorithms to request from a server, prefer |
| certificate types if the known_hosts files contain a key marked as a |
certificate types if the known_hosts files contain a key marked as a |
| @cert-authority; |
@cert-authority; |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: perform host |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: perform host |
| key fingerprint comparisons for the "Are you sure you want to continue |
key fingerprint comparisons for the "Are you sure you want to continue |
| connecting (yes/no/[fingerprint])?" prompt with case sensitivity. |
connecting (yes/no/[fingerprint])?" prompt with case sensitivity. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: ensure that |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: ensure that |
| address/masklen mismatches in sshd_config yield fatal errors at daemon |
address/masklen mismatches in sshd_config yield fatal errors at daemon |
| start time rather than later when they are evaluated. |
start time rather than later when they are evaluated. |
| |
|
| <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| ensure that certificate extensions are lexically sorted. Previously if |
ensure that certificate extensions are lexically sorted. Previously if |
| the user specified a custom extension then the everything would be in |
the user specified a custom extension then the everything would be in |
| order except the custom ones. |
order except the custom ones. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: also compare |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: also compare |
| username when checking for JumpHost loops. |
username when checking for JumpHost loops. |
| |
|
| <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| preserve group/world read permission on known_hosts files across runs |
preserve group/world read permission on known_hosts files across runs |
| of "ssh-keygen -Rf /path". The old behaviour was to remove all rights |
of "ssh-keygen -Rf /path". The old behaviour was to remove all rights |
| for group/other. |
for group/other. |
| |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
|
| Mention the [-a rounds] flag in the ssh-keygen manual page and |
Mention the [-a rounds] flag in the ssh-keygen manual page and |
| usage(). |
usage(). |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: explicitly construct path to ~/.ssh/rc rather than |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: explicitly construct path to ~/.ssh/rc rather than |
| relying on it being relative to the current directory, so that it |
relying on it being relative to the current directory, so that it |
| can still be found if the shell startup changes its directory. |
can still be found if the shell startup changes its directory. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: when |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: when |
| redirecting sshd's log output to a file, undo this redirection after |
redirecting sshd's log output to a file, undo this redirection after |
| the session child process is forked(). Fixes missing log messages when |
the session child process is forked(). Fixes missing log messages when |
| using this feature under some circumstances. |
using this feature under some circumstances. |
| |
|
| <li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: start |
<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: start |
| ClientAliveInterval bookkeeping before first pass through select() |
ClientAliveInterval bookkeeping before first pass through select() |
| loop; fixed theoretical case where busy sshd may ignore timeouts from |
loop; fixed theoretical case where busy sshd may ignore timeouts from |
| client. |
client. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: only reset the |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: only reset the |
| ServerAliveInterval check when we receive traffic from the server and |
ServerAliveInterval check when we receive traffic from the server and |
| ignore traffic from a port forwarding client, preventing a client from |
ignore traffic from a port forwarding client, preventing a client from |
| keeping a connection alive when it should be terminated. |
keeping a connection alive when it should be terminated. |
| |
|
| <li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: |
| avoid spurious error message when ssh-keygen creates files outside |
avoid spurious error message when ssh-keygen creates files outside |
| ~/.ssh |
~/.ssh |
| |
|
| <li><a |
<li><a |
| href="https://man.openbsd.org/sftp-client">sftp-client(1)</a>: fix |
href="https://man.openbsd.org/sftp-client">sftp-client(1)</a>: fix |
| off-by-one error that caused sftp downloads to make one more |
off-by-one error that caused sftp downloads to make one more |
| concurrent request that desired. This prevented using <a |
concurrent request that desired. This prevented using <a |
| href="https://man.openbsd.org/sftp">sftp(1)</a> in unpipelined |
href="https://man.openbsd.org/sftp">sftp(1)</a> in unpipelined |
| request/response mode, which is useful when debugging. |
request/response mode, which is useful when debugging. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| href="https://man.openbsd.org/sshd">sshd(8)</a>: handle EINTR in |
href="https://man.openbsd.org/sshd">sshd(8)</a>: handle EINTR in |
| waitfd() and timeout_connect() helpers. |
waitfd() and timeout_connect() helpers. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: defer |
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: defer |
| creation of ~/.ssh until we attempt to write to it so we don't leave |
creation of ~/.ssh until we attempt to write to it so we don't leave |
| an empty .ssh directory when it's not needed. |
an empty .ssh directory when it's not needed. |
| |
|
| <li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a |
| href="https://man.openbsd.org/sshd">sshd(8)</a>: fix multiplier when |
href="https://man.openbsd.org/sshd">sshd(8)</a>: fix multiplier when |
| parsing time specifications when handling seconds after other units. |
parsing time specifications when handling seconds after other units. |
| |
|
| </ul> |
</ul> |
| </ul> |
</ul> |
| |
|
| <li>Ports and packages: |
<li>Ports and packages: |
| <p>The package system provides an easy way to install 3rd party software. New features include: |
<p>The package system provides an easy way to install 3rd party software. New features include: |
| <ul> |
<ul> |
| <li>... |
<li><span style="color:red;">missing chunk</span>... |
| </ul> |
</ul> |
| |
|
| <p>Many pre-built packages for each architecture: |
<p>Many pre-built packages for each architecture: |
![[BACK]](/icons/back.gif){kind=icon}
Return to 68.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www