===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/68.html,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- www/68.html 2020/10/02 16:59:46 1.13
+++ www/68.html 2020/10/02 20:20:09 1.14
@@ -512,35 +512,211 @@
-
OpenSSH 8.3 XXX
- Temporary List, replace with SSH ChangeLog:
-- Preserved group/world read permission on known_hosts files across runs of ssh-keygen(1) "-Rf /path".
-
- Restricted ssh-agent(1) from signing web challenges for FIDO keys, preventing ssh-agent forwarding on a host that has FIDO keys attached from granting the ability for the remote side to also sign challenges for web authentication using those keys.
-
- Added to ssh_config(5) a selection of keywords allowed to expand shell-style ${ENV} environment variables on the client side.
-
- Added ssh(1) support for fido(4) WebAuthn (verification only).
-
- Allowed sshd_config(5) longer than 256k.
-
- Allowed ssh-add(1) "-d -" to read keys to be deleted from stdin.
-
- Prevented ssh(1) port forwarding clients from keeping a connection alive when it should be terminated.
-
- Allowed additional control over the use of ssh-askpass(1) in ssh-add(1), including force-enable/disable.
-
- Added %-TOKEN, environment variable and tilde expansion to UserKnownHostsFile in ssh_config(5).
-
- Added a "%k" TOKEN to ssh_config(5) that expands to the effective HostKey of the destination.
-
- Allowed scp(1) and sftp(1) -A option to explicitly enable agent forwarding.
-
- Added optional time limits for the AddKeysToAgent keyword in ssh_config(5).
-
- Added support for requiring user-verified FIDO keys in sshd(8).
-
- Capped ssh(1) channel input buffer size at 16MB, avoiding high memory use when a peer advertises a large window but is slow to consume sent data.
-
+OpenSSH 8.4
- Potentially incompatible changes.
-
+
+
+ - For FIDO/U2F support, OpenSSH recommends the use of libfido2
+1.5.0 or greater. Older libraries have limited support at the expense
+of disabling particular features. These include resident keys, PIN-
+required keys and multiple attached tokens.
+
+
- ssh-keygen(1):
+the format of the attestation information optionally recorded when a
+FIDO key is generated has changed. It now includes the authenticator
+data needed to validate attestation signatures.
+
+
- The API between OpenSSH and the FIDO token middleware has
+changed and the SSH_SK_VERSION_MAJOR version has been incremented as a
+result. Third-party middleware libraries must support the current API
+version (7) to work with OpenSSH 8.4.
+
+
- The portable OpenSSH distribution now requires automake to
+rebuild the configure script and supporting files. This is not
+required when simply building portable OpenSSH from a release tar
+file.
+
+
- New Features
-
+
+
+ - ssh(1), ssh-keygen">ssh-keygen(1):
+support for FIDO keys that require a PIN for each use. These keys may
+be generated using ssh-keygen using a new "verify-required" option.
+When a PIN-required key is used, the user will be prompted for a PIN
+to complete the signature operation.
+
+
- sshd(8):
+authorized_keys now supports a new "verify-required" option to require
+FIDO signatures assert that the token verified that the user was
+present before making the signature. The FIDO protocol supports
+multiple methods for user-verification, but currently OpenSSH only
+supports PIN verification.
+
+
- sshd(8), ssh-keygen(1): add
+support for verifying FIDO webauthn signatures. Webauthn is a standard
+for using FIDO keys in web browsers. These signatures are a slightly
+different format to plain FIDO signatures and thus require explicit
+support.
+
+
- ssh(1): allow some
+keywords to expand shell-style ${ENV} environment variables. The
+supported keywords are CertificateFile, ControlPath, IdentityAgent and
+IdentityFile, plus LocalForward and RemoteForward when used for Unix
+domain socket paths.
+
+
- ssh(1), ssh-agent(1): allow some
+additional control over the use of ssh-askpass via a new
+$SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling
+and disabling its use.
+
+
- ssh(1): allow ssh_config(5)'s
+AddKeysToAgent keyword accept a time limit for keys in addition to its
+current flag options. Time- limited keys will automatically be removed
+from ssh-agent after their expiry time has passed.
+
+
- scp(1), sftp(1): allow the -A flag to
+explicitly enable agent forwarding in scp and sftp. The default
+remains to not forward an agent, even when ssh_config enables it.
+
+
- ssh(1): add a '%k'
+TOKEN that expands to the effective HostKey of the destination. This
+allows, e.g., keeping host keys in individual files using
+"UserKnownHostsFile ~/.ssh/known_hosts.d/%k".
+
+
- ssh-keygen(1):
+allow "ssh-add -d -" to read keys to be deleted from stdin.
+
+
- sshd(8): improve
+logging for MaxStartups connection throttling. sshd will now log when
+it starts and stops throttling and periodically while in this state.
+
+
+
- Bugfixes
-
+
+
+ - ssh(1), ssh-keygen(1): better
+support for multiple attached FIDO tokens. In cases where OpenSSH
+cannot unambiguously determine which token to direct a request to, the
+user is now required to select a token by touching it. In cases of
+operations that require a PIN to be verified, this avoids sending the
+wrong PIN to the wrong token and incrementing the token's PIN failure
+counter (tokens effectively erase their keys after too many PIN
+failures).
+
+
- sshd(8): fix Include
+before Match in sshd_config(5).
+
+
- ssh(1): close
+stdin/out/error when forking after authentication completes ("ssh -f
+...").
+
+
- ssh(1), sshd(8): limit the amount of
+channel input data buffered, avoiding peers that advertise large
+windows but are slow to read from causing high memory consumption.
+
+
- ssh-agent(1):
+handle multiple requests sent in a single write() to the agent.
+
+
- sshd(8): allow sshd_config(5) longer than 256k
+
+
- sshd(8): avoid
+spurious "Unable to load host key" message when sshd load a private
+key but no public counterpart
+
+
- ssh(1): prefer the
+default hostkey algorithm list whenever we have a hostkey that matches
+its best-preference algorithm.
+
+
- sshd(1): when
+ordering the hostkey algorithms to request from a server, prefer
+certificate types if the known_hosts files contain a key marked as a
+@cert-authority;
+
+
- ssh(1): perform host
+key fingerprint comparisons for the "Are you sure you want to continue
+connecting (yes/no/[fingerprint])?" prompt with case sensitivity.
+
+
- sshd(8): ensure that
+address/masklen mismatches in sshd_config yield fatal errors at daemon
+start time rather than later when they are evaluated.
+
+
- ssh-keygen(1):
+ensure that certificate extensions are lexically sorted. Previously if
+the user specified a custom extension then the everything would be in
+order except the custom ones.
+
+
- ssh(1): also compare
+username when checking for JumpHost loops.
+
+
- ssh-keygen(1):
+preserve group/world read permission on known_hosts files across runs
+of "ssh-keygen -Rf /path". The old behaviour was to remove all rights
+for group/other.
+
+
- ssh-keygen(1):
+Mention the [-a rounds] flag in the ssh-keygen manual page and
+usage().
+
+
- sshd(8): explicitly construct path to ~/.ssh/rc rather than
+relying on it being relative to the current directory, so that it
+can still be found if the shell startup changes its directory.
+
+
- sshd(8): when
+redirecting sshd's log output to a file, undo this redirection after
+the session child process is forked(). Fixes missing log messages when
+using this feature under some circumstances.
+
+
- sshd(8): start
+ClientAliveInterval bookkeeping before first pass through select()
+loop; fixed theoretical case where busy sshd may ignore timeouts from
+client.
+
+
- ssh(1): only reset the
+ServerAliveInterval check when we receive traffic from the server and
+ignore traffic from a port forwarding client, preventing a client from
+keeping a connection alive when it should be terminated.
+
+
- ssh-keygen(1):
+avoid spurious error message when ssh-keygen creates files outside
+~/.ssh
+
+
- sftp-client(1): fix
+off-by-one error that caused sftp downloads to make one more
+concurrent request that desired. This prevented using sftp(1) in unpipelined
+request/response mode, which is useful when debugging.
+
+
- ssh(1), sshd(8): handle EINTR in
+waitfd() and timeout_connect() helpers.
+
+
- ssh(1), ssh-keygen(1): defer
+creation of ~/.ssh until we attempt to write to it so we don't leave
+an empty .ssh directory when it's not needed.
+
+
- ssh(1), sshd(8): fix multiplier when
+parsing time specifications when handling seconds after other units.
+
+
Ports and packages:
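Review bot: the sshd(8) "verify-required" entry (the lines from "+authorized_keys now supports a new "verify-required" option to require" through "+supports PIN verification.") describes the option as requiring that the token verified "that the user was present", but presence (a touch) and user verification (a PIN) are separate FIDO assertions, and the same paragraph goes on to say the option is about "user-verification" of which OpenSSH only supports PIN; suggest "require FIDO signatures assert that the token verified the user (currently by PIN) before making the signature" so the entry agrees with itself and with the ssh-keygen "verify-required" / PIN entry above it. Two entries are attributed to the wrong program: "+allow "ssh-add -d -" to read keys to be deleted from stdin." is labelled ssh-keygen(1) but describes ssh-add(1), and the entry "+ordering the hostkey algorithms to request from a server, prefer" is labelled sshd(1), which is not a valid manual page (the rest of the hunk correctly uses sshd(8)) and in any case describes the client choosing which host key algorithms to request, so it should read ssh(1). Smaller points: "+ - ssh(1), ssh-keygen">ssh-keygen(1):" carries a stray `">` from a mangled link and should read "ssh(1), ssh-keygen(1):"; "one more concurrent request that desired" should be "than desired"; "Time- limited keys" has a stray space after the hyphen; and "Older libraries have limited support at the expense of disabling particular features" is awkward, "Older libraries are supported, but with some features disabled (resident keys, PIN-required keys and multiple attached tokens)" says what is meant.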