!
!
|
Released Oct 14, 2021. (51st OpenBSD release)
Copyright 1997-2021, Theo de Raadt.
--- 17,24 ----
!
!
|
Released Oct 14, 2021. (51st OpenBSD release)
Copyright 1997-2021, Theo de Raadt.
***************
*** 768,823 ****
! OpenSSH 8.8 XXX
!
! - Security fixes
!
!
- Potentially incompatible changes
!
!
- New Features
!
!
- Bugfixes
!
mandoc 1.14.6
! OpenSSH 8.8
!
! - Security
! - sshd(8): OpenSSH
! 8.5 introduced the LogVerbose keyword. When this option was
! enabled with a set of patterns that activated logging in code
! that runs in the low-privilege sandboxed sshd process, the log
! messages were constructed in such a way that printf(3) format
! strings could effectively be specified the low-privilege code.
!
- sshd(8) from
! OpenSSH 6.2 through 8.7 failed to correctly initialise
! supplemental groups when executing an AuthorizedKeysCommand or
! AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser
! or AuthorizedPrincipalsCommandUser directive has been set to
! run the command as a different user.
+ - Potentially incompatible changes
+
+ - A near-future release of OpenSSH will switch scp(1) from using
+ the legacy scp/rcp protocol to using SFTP by default.
+
- This release disables RSA signatures using the SHA-1 hash
+ algorithm by default.
+
- scp(1): this
+ release changes the behaviour of remote to remote copies
+ (e.g. "scp host-a:/path host-b:") to transfer through the
+ local host by default. This was previously available via the
+ -3 flag. This mode avoids the need to expose credentials on
+ the origin hop, avoids triplicate interpretation of filenames
+ by the shell (by the local system, the copy origin and the
+ destination) and, in conjunction with the SFTP support for
+ scp(1) mentioned
+ below, allows use of all authentication methods to the remote
+ hosts (previously, only non-interactive methods could be
+ used). A -R flag has been added to select the old behaviour.
+
- ssh(1)/sshd(8): both the
+ client and server are now using a stricter configuration file
+ parser. The new parser uses more shell-like rules for quotes,
+ space and escape characters. It is also more strict in
+ rejecting configurations that include options lacking
+ arguments. Previously some options (e.g. DenyUsers) could
+ appear on a line with no subsequent arguments. This release
+ will reject such configurations. The new parser will also
+ reject configurations with unterminated quotes and multiple
+ '=' characters after the option name.
+
- ssh(1): when using
+ SSHFP DNS records for host key verification, ssh(1) will verify
+ all matching records instead of just those with the specific
+ signature type requested. This may cause host key verification
+ problems if stale SSHFP records of a different or legacy
+ signature type exist alongside other records for a particular
+ host.
+
- ssh-keygen(1):
+ when generating a FIDO key and specifying an explicit
+ attestation challenge (using -Ochallenge), the challenge will
+ now be hashed by the builtin security key middleware. This
+ removes the (undocumented) requirement that challenges be
+ exactly 32 bytes in length and matches the expectations of
+ libfido2.
+
- sshd(8):
+ environment="..." directives in authorized_keys files are now
+ first-match-wins and limited to 1024 discrete environment
+ variable names.
+
+
+ - New features
+
+ - scp(1):
+ experimental support for transfers using the SFTP protocol as
+ a replacement for the venerable SCP/RCP protocol that it has
+ traditionally used. SFTP offers more predictable filename
+ handling and does not require expansion of glob(3) patterns
+ via the shell on the remote side.
+
- sftp-server(8):
+ add a protocol extension to support expansion of ~/ and ~user/
+ prefixed paths. This was added to support these paths when
+ used by scp(1)
+ while in SFTP mode.
+
- ssh(1): add a
+ ForkAfterAuthentication
+ ssh_config(5)
+ counterpart to the ssh(1) -f flag.
+
- ssh(1): add a
+ StdinNull directive to
+ ssh_config(5)
+ that allows the config file to do the same thing as -n does on
+ the ssh(1)
+ command- line.
+
- ssh(1): add a
+ SessionType directive to ssh_config, allowing the
+ configuration file to offer equivalent control to the -N (no
+ session) and -s (subsystem) command-line flags.
+
- ssh-keygen(1):
+ allowed signers files used by
+ ssh-keygen(1)
+ signatures now support listing key validity intervals
+ alongside they key, and
+ ssh-keygen(1)
+ can optionally check during signature verification whether a
+ specified time falls inside this interval. This feature is
+ intended for use by git to support signing and verifying
+ objects using ssh keys.
+
- ssh-keygen(8):
+ support printing of the full public key in a sshsig signature
+ via a -Oprint-pubkey flag.
+
- ssh(1): allow the
+ ssh_config(5)
+ CanonicalizePermittedCNAMEs directive to accept a "none"
+ argument to specify the default behaviour.
+
+
+ - Bugfixes
+
+ - ssh(1)/
+ sshd(8): start
+ time-based re-keying exactly on schedule in the client and
+ server mainloops. Previously the re-key timeout could expire
+ but re-keying would not start until a packet was sent or
+ received, causing a spin in select() if the connection was
+ quiescent.
+
- ssh-keygen(1):
+ avoid Y2038 problem in printing certificate validity
+ lifetimes. Dates past 2^31-1 seconds since epoch were
+ displayed incorrectly on some platforms.
+
- scp(1): allow
+ spaces to appear in usernames for local to remote and scp -3
+ remote to remote copies.
+
- ssh(1)/
+ sshd(8): remove
+ references to ChallengeResponseAuthentication in favour of
+ KbdInteractiveAuthentication. The former is what was in SSHv1,
+ the latter is what is in SSHv2 (RFC4256)
+ and they were treated as somewhat but not entirely equivalent. We
+ retain the old name as a deprecated alias so configuration
+ files continue to work as well as a reference in the man page
+ for people looking for it.
+
- ssh(1)/
+ ssh-add(1)/
+ ssh-keygen(1):
+ fix decoding of X.509 subject name when extracting a key from
+ a PKCS#11 certificate.
+
- ssh(1): restore
+ blocking status on stdio fds before close.
+ ssh(1) needs file
+ descriptors in non-blocking mode to operate but it was not
+ restoring the original state on exit. This could cause
+ problems with fds shared with other programs via the shell.
+
- ssh(1)/
+ sshd(8): switch both
+ client and server mainloops from select(3) to
+ pselect(3). Avoids race conditions where a signal may arrive
+ immediately before select(3) and not be processed until an
+ event fires.
+
- ssh(1): sessions
+ started with ControlPersist were incorrectly executing a shell
+ when the -N (no shell) option was specified.
+
- ssh(1): check if
+ IPQoS or TunnelDevice are already set before
+ overriding. Prevents values in config files from overriding
+ values supplied on the command line.
+
- ssh(1): fix debug
+ message when finding a private key to match a certificate
+ being attempted for user authentication. Previously it would
+ print the certificate's path, whereas it was supposed to be
+ showing the private key's path.
+
- sshd(8): match
+ host certificates against host public keys, not private
+ keys. Allows use of certificates with private keys held in a
+ ssh-agent.
+
- ssh(1): add a
+ workaround for a bug in OpenSSH 7.4 sshd(8),
+ which allows RSA/SHA2 signatures for public key authentication but
+ fails to advertise this correctly via SSH2_MSG_EXT_INFO. This
+ causes clients of these server to incorrectly match
+ PubkeyAcceptedAlgorithmse and potentially refuse to offer
+ valid keys.
+
- sftp(1)/
+ scp(1): degrade
+ gracefully if a sftp-server offers the limits@openssh.com
+ extension but fails when the client tries to invoke it.
+
- ssh(1): allow
+ ssh_config SetEnv to override $TERM, which is otherwise
+ handled specially by the protocol. Useful in ~/.ssh/config to
+ set TERM to something generic (e.g. "xterm" instead of
+ "xterm-256color") for destinations that lack terminfo entries.
+
- sftp-server(8):
+ the limits@openssh.com extension was incorrectly marked as an
+ operation that writes to the filesystem, which made it
+ unavailable in sftp-server read-only mode.
+
- ssh(1): fix SEGV
+ in UpdateHostkeys debug() message, triggered when the update
+ removed more host keys than remain present.
+
- scp(1): when using
+ the SFTP protocol, continue transferring files after a
+ transfer error occurs, better matching original scp/rcp
+ behaviour.
+
- ssh(1): fixed a
+ number of memory leaks in multiplexing,
+
- ssh-keygen(1):
+ avoid crash when using the -Y find-principals command.
+
- A number of documentation and manual improvements.
+
+
mandoc 1.14.6
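Review bot: the new-side text in this hunk still carries wording slips that will ship in the release notes and should be fixed before commit: the LogVerbose item reads `strings could effectively be specified the low-privilege code` (missing `by`), the AuthorizedKeysCommand item has `a AuthorizedKeysCommandUser` (should be `an`), the allowed-signers item has `alongside they key` (should be `the key`), the StdinNull item splits `command- line`, the sshsig print-pubkey item cites `ssh-keygen(8)` where every other entry in the hunk uses `ssh-keygen(1)`, the OpenSSH 7.4 workaround item says `clients of these server` and `PubkeyAcceptedAlgorithmse` (should be `servers` and `PubkeyAcceptedAlgorithms`), and the multiplexing leak item ends in a comma instead of a period. Suggested wording for the first: `messages were constructed in such a way that printf(3) format strings could effectively be specified by the low-privilege code.`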