version 1.41, 2020/10/04 22:12:48
version 1.42, 2020/10/04 23:23:55

<ul>
<li>Potentially incompatible changes.
<ul>

<li>For FIDO/U2F support, OpenSSH recommends the use of libfido2
1.5.0 or greater. Older libraries have limited support at the expense
of disabling particular features. These include resident keys,
PIN-required keys and multiple attached tokens.

<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
the format of the attestation information optionally recorded when a
FIDO key is generated has changed. It now includes the authenticator
data needed to validate attestation signatures.

<li>The API between OpenSSH and the FIDO token middleware has
changed and the SSH_SK_VERSION_MAJOR version has been incremented as a
result. Third-party middleware libraries must support the current API
version (7) to work with OpenSSH 8.4.

<li>The portable OpenSSH distribution now requires automake to
rebuild the configure script and supporting files. This is not
required when simply building portable OpenSSH from a release tar
file.

</ul>
<li>New Features
<ul>

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
support for FIDO keys that require a PIN for each use. These keys may
be generated using ssh-keygen using a new "verify-required" option.
When a PIN-required key is used, the user will be prompted for a PIN
to complete the signature operation.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>:
authorized_keys now supports a new "verify-required" option to require
that FIDO signatures assert that the token verified the user was
present before making the signature. The FIDO protocol supports
multiple methods for user-verification, but currently OpenSSH only
supports PIN verification.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>, <a
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: add
support for verifying FIDO webauthn signatures. Webauthn is a standard
for using FIDO keys in web browsers. These signatures are a slightly
different format to plain FIDO signatures and thus require explicit
support.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow some
keywords to expand shell-style ${ENV} environment variables. The
supported keywords are CertificateFile, ControlPath, IdentityAgent and
IdentityFile, plus LocalForward and RemoteForward when used for Unix
domain socket paths.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>: allow some
additional control over the use of ssh-askpass via a new
$SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling
and disabling its use.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: allow <a
href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>'s
AddKeysToAgent keyword to accept a time limit for keys in addition to its
current flag options. Time-limited keys will automatically be removed
from ssh-agent after their expiry time has passed.

<li><a href="https://man.openbsd.org/scp">scp(1)</a>, <a
href="https://man.openbsd.org/sftp">sftp(1)</a>: allow the -A flag to
explicitly enable agent forwarding in scp and sftp. The default
remains to not forward an agent, even when ssh_config enables it.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add a '%k'
TOKEN that expands to the effective HostKey of the destination. This
allows, e.g., keeping host keys in individual files using
"UserKnownHostsFile ~/.ssh/known_hosts.d/%k".

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: add %-TOKEN,
environment variable and tilde expansion to the UserKnownHostsFile
directive, allowing the path to be completed by the configuration.

<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
allow "ssh-add -d -" to read keys to be deleted from stdin.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: improve
logging for MaxStartups connection throttling. sshd will now log when
it starts and stops throttling and periodically while in this state.

</ul>
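The "verify-required" authorized_keys option described above only protects a key if it is actually present on that key's line. The following is an added example (not OpenSSH code) that audits an authorized_keys file for FIDO sk-* keys lacking the option, honouring quoted option values such as command="..."; the sample file, key blobs included, is constructed.

```python
# Added example (not OpenSSH code): flag FIDO sk-* keys in an authorized_keys
# file that lack the "verify-required" option.  SAMPLE below is constructed.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # a line starting with a key type has no options

def split_unquoted(s, sep, maxsplit=-1):
    """Split s on sep outside double quotes; \\" inside quotes is an escaped quote."""
    out, cur, in_quote, i = [], "", False, 0
    while i < len(s):
        c = s[i]
        if c == '"':
            in_quote = not in_quote
        elif c == "\\" and in_quote and i + 1 < len(s):
            cur += c                      # keep the backslash, copy next char verbatim
            i += 1
            c = s[i]
        elif c == sep and not in_quote and maxsplit != 0:
            out.append(cur)
            cur, maxsplit, i = "", maxsplit - 1, i + 1
            continue
        cur += c
        i += 1
    out.append(cur)
    return out

def parse_line(line):
    """Return (options, keytype, blob, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_PREFIXES):
        # the options field ends at the first space outside quotes (command="..." may contain spaces)
        options, line = (split_unquoted(line, " ", 1) + [""])[:2]
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def audit_authorized_keys(text):
    """Return (lineno, keytype, comment) for each sk-* key without verify-required."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None or not parsed[1].startswith("sk-"):
            continue
        names = {o.split("=", 1)[0].strip().lower() for o in split_unquoted(parsed[0], ",")}
        if "verify-required" not in names:
            findings.append((n, parsed[1], parsed[3]))
    return findings

SAMPLE = """\
# constructed sample authorized_keys; key blobs are placeholders, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER bob@yubikey
verify-required,command="/usr/bin/backup --target \\"x y\\",z" sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER backup@hsm
no-touch-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER carol@token
"""
```

Running audit_authorized_keys(SAMPLE) reports the bob@yubikey and carol@token lines; no-touch-required alone does not require the PIN, so that key is still flagged.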
<li>Bugfixes
<ul>

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: better
support for multiple attached FIDO tokens. In cases where OpenSSH

wrong PIN to the wrong token and incrementing the token's PIN failure
counter (tokens effectively erase their keys after too many PIN
failures).

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: fix Include
before Match in <a
href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: close
stdin/out/error when forking after authentication completes ("ssh -f
...").

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd">sshd(8)</a>: limit the amount of
channel input data buffered, avoiding peers that advertise large
windows but are slow to read from causing high memory consumption.

<li><a href="https://man.openbsd.org/ssh-agent">ssh-agent(1)</a>:
handle multiple requests sent in a single write() to the agent.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: allow <a
href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> longer than 256k.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: avoid
spurious "Unable to load host key" message when sshd loads a private
key but no public counterpart.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: prefer the
default hostkey algorithm list whenever we have a hostkey that matches
its best-preference algorithm.

<li><a href="https://man.openbsd.org/sshd">sshd(1)</a>: when
ordering the hostkey algorithms to request from a server, prefer
certificate types if the known_hosts files contain a key marked as a
@cert-authority.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: perform host
key fingerprint comparisons for the "Are you sure you want to continue
connecting (yes/no/[fingerprint])?" prompt with case sensitivity.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: ensure that
address/masklen mismatches in sshd_config yield fatal errors at daemon
start time rather than later when they are evaluated.

<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
ensure that certificate extensions are lexically sorted. Previously if
the user specified a custom extension then everything would be in
order except the custom ones.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: also compare
username when checking for JumpHost loops.

<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
preserve group/world read permission on known_hosts files across runs
of "ssh-keygen -Rf /path". The old behaviour was to remove all rights
for group/other.

<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
mention the [-a rounds] flag in the ssh-keygen manual page and
usage().

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: explicitly construct path to ~/.ssh/rc rather than
relying on it being relative to the current directory, so that it
can still be found if the shell startup changes its directory.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: when
redirecting sshd's log output to a file, undo this redirection after
the session child process is forked(). Fixes missing log messages when
using this feature under some circumstances.

<li><a href="https://man.openbsd.org/sshd">sshd(8)</a>: start
ClientAliveInterval bookkeeping before first pass through select()
loop; fixed theoretical case where busy sshd may ignore timeouts from
client.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>: only reset the
ServerAliveInterval check when we receive traffic from the server and
ignore traffic from a port forwarding client, preventing a client from
keeping a connection alive when it should be terminated.

<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
avoid spurious error message when ssh-keygen creates files outside
~/.ssh.

<li><a
href="https://man.openbsd.org/sftp-client">sftp-client(1)</a>: fix
off-by-one error that caused sftp downloads to make one more
concurrent request than desired. This prevented using <a
href="https://man.openbsd.org/sftp">sftp(1)</a> in unpipelined
request/response mode, which is useful when debugging.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd">sshd(8)</a>: handle EINTR in
waitfd() and timeout_connect() helpers.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>: defer
creation of ~/.ssh until we attempt to write to it so we don't leave
an empty .ssh directory when it's not needed.

<li><a href="https://man.openbsd.org/ssh">ssh(1)</a>, <a
href="https://man.openbsd.org/sshd">sshd(8)</a>: fix multiplier when
parsing time specifications when handling seconds after other units.

</ul>
</ul>

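The last bugfix above concerns the time-specification format that keywords such as the new AddKeysToAgent time limit accept ("30", "1h30m", "2d"). As an added illustration, not OpenSSH's own convtime() code, here is a Python rendering of that parser with the pre-8.4 behaviour reproduced behind a flag; the exact shape of the defect (a plain-seconds component inheriting the previous unit's multiplier) is an assumption based on the release note's wording.

```python
# Added illustration (not OpenSSH's convtime() code) of the time-specification
# parser, with the pre-8.4 defect reproduced behind a flag.  The reconstruction
# of the defect is an assumption based on the release note: a seconds component
# that follows another unit inherited that unit's multiplier.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
INT_MAX = 2**31 - 1   # the C implementation rejects totals that overflow an int

def convtime(spec, fixed=True):
    """Parse e.g. "30", "1h30m", "2d" into seconds; return -1 on error."""
    if not spec:
        return -1
    total, i = 0, 0
    multiplier = 1          # pre-fix: initialised once, carried between components
    while i < len(spec):
        j = i
        while j < len(spec) and spec[j].isdigit():
            j += 1
        if j == i:          # no digits (also rejects signs, like the C strtol check)
            return -1
        value = int(spec[i:j])
        if fixed:
            multiplier = 1  # the 8.4 fix: every component starts out as seconds
        if j < len(spec):
            unit = spec[j].lower()
            if unit not in UNITS:
                return -1
            if unit != "s":
                multiplier = UNITS[unit]
            j += 1
        if value > INT_MAX // multiplier:
            return -1
        value *= multiplier
        if total > INT_MAX - value:
            return -1
        total += value
        i = j
    return total
```

With the defect reproduced, "1h30s" parses as 1 hour plus 30 hours instead of 1 hour plus 30 seconds, which for an AddKeysToAgent limit would keep a key in the agent far longer than configured.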
<li>Ports and packages:
<p>The package system provides an easy way to install 3rd party software. New features include:
<ul>
<li>...
<li><span style="color:red;">missing chunk</span>...
</ul>

<p>Many pre-built packages for each architecture: