version 1.80, 2021/10/07 15:31:31 |
version 1.81, 2021/10/08 03:42:09 |
|
|
<table>
<tr>
<td>
<a href="images/StarryPointers.png">
<img width="227" height="303" src="images/StarryPointers-s.png" alt="XXX"></a>
<td>
Released Oct 14, 2021. (51st OpenBSD release)<br>
Copyright 1997-2021, Theo de Raadt.<br>
|
|
</ul>
</ul>
|
|
<li>OpenSSH 8.8
<!-- |
<ul> |
<li>Corrected <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> initialization of supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper program (not enabled by default) as a different user. |
<li>Security |
<li>Fixed the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> "Allocated port" debug message for unix sockets. |
|
<li>Switched <a href="https://man.openbsd.org/scp.1">scp(1)</a> back to using the original scp/rcp protocol by default for release. |
|
<li>Made <a href="https://man.openbsd.org/scp.1">scp(1)</a> SFTP mode (including error logging) more scp-like. |
|
<li>Allowed CanonicalPermittedCNAMEs=none in <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>. |
|
<li>Put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. |
|
<li>Made <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> |
|
discard the current input line and provide a fresh prompt |
|
when Ctrl-C is typed during interactive command input |
|
rather than ignoring the signal. |
|
<li>Altered <a href="https://man.openbsd.org/scp.1">scp(1)</a> to use the SFTP protocol by default. The original scp/rcp protocol remains available via the -O flag.
|
<li>Disabled the RSA/SHA-1 signature algorithm by default in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. |
|
<li>Ensured some programs (including <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>) do not ignore Ctrl-C when awaiting user input. |
|
<li>Added <a href="https://man.openbsd.org/scp.1">scp(1)</a> -O and temporary -s (SFTP) flags to select the sftp protocol. |
|
<li>Made <a href="https://man.openbsd.org/scp.1">scp(1)</a> -3 the default for remote-to-remote copies. |
|
<li>Improved handling of ~ prefixed paths in <a href="https://man.openbsd.org/scp.1">scp(1)</a> in SFTP mode. |
|
<li>Added experimental support for using the SFTP protocol for file transfers in <a href="https://man.openbsd.org/scp.1">scp(1)</a>. |
|
<li>Added a ForkAfterAuthentication directive to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>, equivalent to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> -f. |
|
<li>Added a StdinNull directive to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> to prevent reading from stdin, equivalent to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> -n. |
|
<li>Let allowed signers files used by <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> signatures support key lifetimes and verification mode to specify a signature time at which to check. |
|
<li>Added a SessionType directive to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>, equivalent to the -N (no session) and -s (subsystem) command line flags. |
|
<li>Allowed spaces to appear in usernames for <a href="https://man.openbsd.org/scp.1">scp(1)</a> local to remote and scp -3 remote to remote copies. |
|
<li>Prevented a hang in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> when interrupted. |
|
<li>Matched host certificates against host public keys in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, allowing use of certificates with private keys held in an ssh-agent. |
|
<li>Prevented a race condition which could result in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> not shutting down until the next time it receives a new connection. |
|
<li>Allowed <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> SetEnv to override $TERM. |
|
<li>Fixed a segmentation violation in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> in an UpdateHostKeys debug() message when the update removed more host keys than remain present.
|
<li>Fixed <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to restore file descriptors to non-blocking mode on exit. |
|
<li>Fixed <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> started with ControlPersist incorrectly executing a shell when the -N option was specified. |
|
--> |
|
<ul>
<li>Security fixes
<ul>
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: OpenSSH
8.5 introduced the LogVerbose keyword. When this option was
enabled with a set of patterns that activated logging in code
that runs in the low-privilege sandboxed sshd process, the log
messages were constructed in such a way that printf(3) format
strings could effectively be specified by the low-privilege code.
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a> from
OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser
or AuthorizedPrincipalsCommandUser directive has been set to
run the command as a different user.
</ul>
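<p>The supplemental-group item above is easy to reproduce in any program that launches a helper as another user: the order of the calls decides whether the child keeps the parent's groups. The C program below is an added example, not OpenSSH's code. It shows the drop order that works (initgroups(3) while still root, then setgid(2), then setuid(2)) and a pure check, <code>leaked_group_count()</code>, that reports how many groups a process carries beyond those its target user should have. <code>drop_to_user()</code> needs root, so the standalone run only lists the caller's own supplementary groups.</p>

```c
/* Added example, not OpenSSH source: the privilege-drop order a helper
 * launcher needs, and a check for leaked supplementary groups. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return how many entries of `have` are absent from `allowed`. Non-zero
 * means the process carries supplementary groups its target user was
 * never granted, which is the state the sshd(8) fix removes. */
int leaked_group_count(const gid_t *have, int nhave,
                       const gid_t *allowed, int nallowed)
{
    int leaked = 0;
    for (int i = 0; i < nhave; i++) {
        int found = 0;
        for (int j = 0; j < nallowed; j++) {
            if (have[i] == allowed[j]) {
                found = 1;
                break;
            }
        }
        if (!found)
            leaked++;
    }
    return leaked;
}

/* Become `user` in the only order that works: supplementary groups first
 * (initgroups(3) needs root), then the primary gid, then the uid.
 * Returns 0 on success, -1 with errno set. */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* Omitting this call is the bug the release note describes: the
     * helper would keep the supplementary groups of the listening daemon. */
    if (initgroups(pw->pw_name, pw->pw_gid) == -1)
        return -1;
    if (setgid(pw->pw_gid) == -1)
        return -1;
    if (setuid(pw->pw_uid) == -1)
        return -1;
    /* The drop must be irreversible: regaining uid 0 has to fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Copy the caller's supplementary groups into a malloc'd array.
 * Returns the count, or -1 on error. */
int current_groups(gid_t **out)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *gs = calloc((size_t)n + 1, sizeof *gs);
    if (gs == NULL)
        return -1;
    n = getgroups(n, gs);
    if (n < 0) {
        free(gs);
        return -1;
    }
    *out = gs;
    return n;
}

int main(void)
{
    gid_t *gs = NULL;
    int n = current_groups(&gs);
    if (n < 0) {
        perror("getgroups");
        return 1;
    }
    printf("supplementary groups of this process:");
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)gs[i]);
    printf("\n");
    free(gs);
    return 0;
}
```

<p>To audit a helper in practice, run <code>current_groups()</code> inside the child after the drop and compare the result against the target user's memberships with <code>leaked_group_count()</code>; anything above zero is the condition the fixed sshd(8) no longer produces.</p>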
|
<li>Potentially incompatible changes
<ul>
<li>A near-future release of OpenSSH will switch <a
href='https://man.openbsd.org/scp.1'>scp(1)</a> from using
the legacy scp/rcp protocol to using SFTP by default.
<li>This release disables RSA signatures using the SHA-1 hash
algorithm by default.
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: this
release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the
local host by default. This was previously available via the
-3 flag. This mode avoids the need to expose credentials on
the origin hop, avoids triplicate interpretation of filenames
by the shell (by the local system, the copy origin and the
destination) and, in conjunction with the SFTP support for
<a href='https://man.openbsd.org/scp.1'>scp(1)</a> mentioned
below, allows use of all authentication methods to the remote
hosts (previously, only non-interactive methods could be
used). A -R flag has been added to select the old behaviour.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/<a
href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: both the
client and server are now using a stricter configuration file
parser. The new parser uses more shell-like rules for quotes,
space and escape characters. It is also more strict in
rejecting configurations that include options lacking
arguments. Previously some options (e.g. DenyUsers) could
appear on a line with no subsequent arguments. This release
will reject such configurations. The new parser will also
reject configurations with unterminated quotes and multiple
'=' characters after the option name.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: when using
SSHFP DNS records for host key verification, <a
href='https://man.openbsd.org/ssh.1'>ssh(1)</a> will verify
all matching records instead of just those with the specific
signature type requested. This may cause host key verification
problems if stale SSHFP records of a different or legacy
signature type exist alongside other records for a particular
host.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
when generating a FIDO key and specifying an explicit
attestation challenge (using -Ochallenge), the challenge will
now be hashed by the builtin security key middleware. This
removes the (undocumented) requirement that challenges be
exactly 32 bytes in length and matches the expectations of
libfido2.
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
environment="..." directives in authorized_keys files are now
first-match-wins and limited to 1024 discrete environment
variable names.
</ul>
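<p>The stricter-parser item above states the three rejections in words. The C program below is an added example, not OpenSSH's <code>argv_split()</code>, and only approximates its rules: it tokenises one configuration line with shell-like quoting and backslash escapes and returns a distinct error for an unterminated quote, a keyword with no argument, or a second '=' between the keyword and its first argument. The sample lines in <code>main()</code> are constructed for illustration.</p>

```c
/* Added example, not OpenSSH source: a strict ssh_config/sshd_config line
 * tokeniser approximating the rules the release note describes. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    CFG_EMPTY = 0,              /* blank line or comment */
    CFG_UNTERMINATED_QUOTE = -1,
    CFG_MISSING_ARGUMENT = -2,  /* e.g. "DenyUsers" with nothing after it */
    CFG_MULTIPLE_EQUALS = -3,   /* e.g. "Port==22" */
    CFG_BAD_KEYWORD = -4,       /* line starts with '=' */
    CFG_TOKEN_TOO_LONG = -5,
    CFG_TOO_MANY_TOKENS = -6,
    CFG_NOMEM = -7
};

void free_tokens(char **argv, int argc)
{
    for (int i = 0; i < argc; i++) {
        free(argv[i]);
        argv[i] = NULL;
    }
}

/* Tokenise one line into malloc'd argv[] entries. Returns the token count
 * (>= 2: keyword plus at least one argument), CFG_EMPTY, or a negative
 * CFG_* code with argv[] left empty. Rules: whitespace separates tokens;
 * '...' and "..." group; backslash escapes the next character except
 * inside single quotes; exactly one '=' may separate the keyword from its
 * first argument; '#' starts a comment. */
int split_config_line(const char *line, char **argv, int maxargs)
{
    int argc = 0, equals_seen = 0;
    const char *p = line;
#define FAIL(code) do { free_tokens(argv, argc); return (code); } while (0)

    for (;;) {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;
        if (*p == '\0' || *p == '#')
            break;
        if (*p == '=' && argc == 1) {       /* keyword = value separator */
            if (equals_seen)
                FAIL(CFG_MULTIPLE_EQUALS);
            equals_seen = 1;
            p++;
            continue;
        }
        char tok[1024], quote = 0;
        size_t n = 0;
        int quoted = 0;
        while (*p != '\0') {
            char c = *p;
            if (quote != 0) {
                if (c == quote) { quote = 0; p++; continue; }
                if (quote == '"' && c == '\\' && p[1] != '\0') c = *++p;
            } else {
                if (isspace((unsigned char)c))
                    break;
                if (c == '=' && argc == 0)   /* the keyword ends at '=' */
                    break;
                if (c == '\'' || c == '"') { quote = c; quoted = 1; p++; continue; }
                if (c == '\\' && p[1] != '\0') c = *++p;
            }
            if (n + 1 >= sizeof tok)
                FAIL(CFG_TOKEN_TOO_LONG);
            tok[n++] = c;
            p++;
        }
        if (quote != 0)
            FAIL(CFG_UNTERMINATED_QUOTE);
        if (n == 0 && !quoted)
            FAIL(CFG_BAD_KEYWORD);
        if (argc >= maxargs)
            FAIL(CFG_TOO_MANY_TOKENS);
        tok[n] = '\0';
        if ((argv[argc] = malloc(n + 1)) == NULL)
            FAIL(CFG_NOMEM);
        memcpy(argv[argc++], tok, n + 1);
    }
    if (argc == 1)                          /* keyword with no argument */
        FAIL(CFG_MISSING_ARGUMENT);
#undef FAIL
    return argc;
}

int main(void)
{
    /* Constructed sample lines, including the three shapes now rejected. */
    const char *samples[] = { "Port 22", "IdentityFile \"~/my keys/id_ed25519\"",
                              "DenyUsers", "Port==22", "Banner \"/etc/issue" };
    char *argv[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int argc = split_config_line(samples[i], argv, 32);
        printf("%-40s -> %d\n", samples[i], argc);
        free_tokens(argv, argc > 0 ? argc : 0);
    }
    return 0;
}
```

<p>A line such as <code>DenyUsers</code> that an older release accepted silently now fails with <code>CFG_MISSING_ARGUMENT</code>; a quick pass of a tool like this over existing configuration files shows what the new ssh(1)/sshd(8) parser will reject before the upgrade does.</p>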
|
|
|
<li>New features
<ul>
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>:
experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used. SFTP offers more predictable filename
handling and does not require expansion of glob(3) patterns
via the shell on the remote side.
<li><a href='https://man.openbsd.org/sftp-server.8'>sftp-server(8)</a>:
add a protocol extension to support expansion of ~/ and ~user/
prefixed paths. This was added to support these paths when
used by <a href='https://man.openbsd.org/scp.1'>scp(1)</a>
while in SFTP mode.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
ForkAfterAuthentication
<a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a>
counterpart to the <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> -f flag.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
StdinNull directive to
<a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a>
that allows the config file to do the same thing as -n does on
the <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>
command-line.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
SessionType directive to ssh_config, allowing the
configuration file to offer equivalent control to the -N (no
session) and -s (subsystem) command-line flags.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
allowed signers files used by
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>
signatures now support listing key validity intervals
alongside the key, and
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>
can optionally check during signature verification whether a
specified time falls inside this interval. This feature is
intended for use by git to support signing and verifying
objects using ssh keys.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
support printing of the full public key in a sshsig signature
via a -Oprint-pubkey flag.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow the
<a
href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a>
CanonicalizePermittedCNAMEs directive to accept a "none"
argument to specify the default behaviour.
</ul>
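<p>The environment="..." change listed under potentially incompatible changes above (first match wins, at most 1024 distinct names) is worth checking against existing authorized_keys files. The C program below is an added example, not sshd(8)'s auth-options parser: it reads the option list of one authorized_keys line, keeps the first value given for each variable name, and ignores names beyond the limit. The option strings in it are constructed for illustration.</p>

```c
/* Added example, not OpenSSH source: environment="NAME=value" handling for
 * authorized_keys options with first-match-wins and a cap on names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_MAX 1024        /* distinct names kept per key, per the note */

struct envlist {
    char *names[ENV_MAX];
    char *values[ENV_MAX];
    int count;
};

static char *dup_range(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d != NULL) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

void free_envlist(struct envlist *e)
{
    while (e->count > 0) {
        free(e->names[--e->count]);
        free(e->values[e->count]);
    }
}

/* Value recorded for `name`, or NULL if none. */
const char *env_lookup(const struct envlist *e, const char *name)
{
    for (int i = 0; i < e->count; i++)
        if (strcmp(e->names[i], name) == 0)
            return e->values[i];
    return NULL;
}

/* Record "NAME=value". An earlier entry for the same name wins, and names
 * past the ENV_MAX-th distinct one are dropped. Returns 0 if kept, 1 if
 * ignored, -1 on allocation failure. */
static int env_add(struct envlist *e, const char *assignment)
{
    const char *eq = strchr(assignment, '=');
    if (eq == NULL || eq == assignment)
        return 1;                           /* not NAME=value at all */
    char *name = dup_range(assignment, (size_t)(eq - assignment));
    if (name == NULL)
        return -1;
    if (e->count >= ENV_MAX || env_lookup(e, name) != NULL) {
        free(name);
        return 1;
    }
    char *value = dup_range(eq + 1, strlen(eq + 1));
    if (value == NULL) {
        free(name);
        return -1;
    }
    e->names[e->count] = name;
    e->values[e->count] = value;
    e->count++;
    return 0;
}

/* Parse the comma-separated options field of one authorized_keys line,
 * e.g. environment="FOO=1",no-pty,environment="FOO=2". Returns the number
 * of environment entries kept, or -1 on a malformed option (unquoted or
 * unterminated value, junk after a value). Other options are skipped. */
int parse_env_options(const char *opts, struct envlist *out)
{
    const char *p = opts;
    out->count = 0;
    while (*p != '\0') {
        const char *name = p;
        while (*p != '\0' && *p != '=' && *p != ',')
            p++;
        int is_env = (p - name == 11 && strncmp(name, "environment", 11) == 0);
        if (*p == '=') {
            char val[1024];
            size_t n = 0;
            if (*++p != '"')
                goto bad;                   /* option values must be quoted */
            for (p++; *p != '\0' && *p != '"'; p++) {
                if (*p == '\\' && p[1] == '"')
                    p++;                    /* \" inside a value */
                if (n + 1 < sizeof val)
                    val[n++] = *p;
            }
            if (*p != '"')
                goto bad;                   /* unterminated quote */
            p++;
            val[n] = '\0';
            if (is_env && env_add(out, val) < 0)
                goto bad;
        }
        if (*p == ',')
            p++;
        else if (*p != '\0')
            goto bad;                       /* junk after a value */
    }
    return out->count;
bad:
    free_envlist(out);
    return -1;
}

int main(void)
{
    /* Constructed options field: the second FOO is ignored, first match wins. */
    struct envlist e;
    int n = parse_env_options("environment=\"FOO=1\",no-pty,environment=\"FOO=2\"", &e);
    printf("kept %d entries; FOO=%s\n", n, n > 0 ? env_lookup(&e, "FOO") : "(none)");
    free_envlist(&e);
    return 0;
}
```

<p>A key line that sets the same variable twice silently keeps the first value; earlier releases applied the last one, so any file relying on a later override now behaves differently.</p>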
|
|
|
<li>Bugfixes
<ul>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: start
time-based re-keying exactly on schedule in the client and
server mainloops. Previously the re-key timeout could expire
but re-keying would not start until a packet was sent or
received, causing a spin in select() if the connection was
quiescent.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
avoid Y2038 problem in printing certificate validity
lifetimes. Dates past 2^31-1 seconds since epoch were
displayed incorrectly on some platforms.
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: allow
spaces to appear in usernames for local to remote and scp -3
remote to remote copies.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: remove
references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1,
the latter is what is in SSHv2 (<a href='https://tools.ietf.org/html/rfc4256'>RFC4256</a>)
and they were treated as somewhat but not entirely equivalent. We
retain the old name as a deprecated alias so configuration
files continue to work as well as a reference in the man page
for people looking for it.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/ssh-add.1'>ssh-add(1)</a>/
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
fix decoding of X.509 subject name when extracting a key from
a PKCS#11 certificate.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: restore
blocking status on stdio fds before close.
<a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> needs file
descriptors in non-blocking mode to operate but it was not
restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: switch both
client and server mainloops from select(3) to
pselect(3). Avoids race conditions where a signal may arrive
immediately before select(3) and not be processed until an
event fires.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: sessions
started with ControlPersist were incorrectly executing a shell
when the -N (no shell) option was specified.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: check if
IPQoS or TunnelDevice are already set before
overriding. Prevents values in config files from overriding
values supplied on the command line.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix debug
message when finding a private key to match a certificate
being attempted for user authentication. Previously it would
print the certificate's path, whereas it was supposed to be
showing the private key's path.
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: match
host certificates against host public keys, not private
keys. Allows use of certificates with private keys held in an
ssh-agent.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
workaround for a bug in OpenSSH 7.4 <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>,
which allows RSA/SHA2 signatures for public key authentication but
fails to advertise this correctly via SSH2_MSG_EXT_INFO. This
causes clients of these servers to incorrectly match
PubkeyAcceptedAlgorithms and potentially refuse to offer
valid keys.
<li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>/
<a href='https://man.openbsd.org/scp.1'>scp(1)</a>: degrade
gracefully if an sftp-server offers the limits@openssh.com
extension but fails when the client tries to invoke it.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow
ssh_config SetEnv to override $TERM, which is otherwise
handled specially by the protocol. Useful in ~/.ssh/config to
set TERM to something generic (e.g. "xterm" instead of
"xterm-256color") for destinations that lack terminfo entries.
<li><a href='https://man.openbsd.org/sftp-server.8'>sftp-server(8)</a>:
the limits@openssh.com extension was incorrectly marked as an
operation that writes to the filesystem, which made it
unavailable in sftp-server read-only mode.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix SEGV
in UpdateHostkeys debug() message, triggered when the update
removed more host keys than remain present.
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: when using
the SFTP protocol, continue transferring files after a
transfer error occurs, better matching original scp/rcp
behaviour.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fixed a
number of memory leaks in multiplexing.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
avoid crash when using the -Y find-principals command.
<li>A number of documentation and manual improvements.
</ul>
</ul>
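<p>The select(3)-to-pselect(3) bugfix above describes a classic lost-wakeup race: a signal that lands between "check the flag" and "block in select" is not acted on until some other event wakes the loop. The C program below is an added example, not OpenSSH's mainloop code. It keeps the signal blocked outside the wait and hands pselect(2) a mask that unblocks it only for the duration of the call, so a signal that is already pending, or arrives mid-wait, ends the wait immediately. The signal numbers and timeouts are illustrative.</p>

```c
/* Added example, not OpenSSH source: a pselect(2) wait that cannot lose a
 * signal arriving between the flag check and the blocking call. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t got_signal = 0;

static void on_signal(int sig)
{
    (void)sig;
    got_signal = 1;                 /* the only thing the handler does */
}

/* Install the handler for `sig` and block it in the caller's mask, so that
 * outside the wait the signal can only become pending, never be delivered
 * at an unexpected point. Returns 0 on success, -1 on error. */
int setup_signal(int sig)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    if (sigaction(sig, &sa, NULL) == -1)
        return -1;
    sigset_t block;
    sigemptyset(&block);
    sigaddset(&block, sig);
    return sigprocmask(SIG_BLOCK, &block, NULL);
}

/* Wait up to `timeout_ms` for `sig`. Returns 1 if the signal was seen,
 * 0 on timeout, -1 on error. The signal is unblocked only inside
 * pselect(2), atomically with the start of the wait, which is what closes
 * the race a plain select(2) loop has. (If some other signal interrupts
 * the wait, the loop simply restarts the full timeout.) */
int wait_for_signal_pselect(int sig, int timeout_ms)
{
    sigset_t during_wait;
    if (sigprocmask(SIG_BLOCK, NULL, &during_wait) == -1)
        return -1;
    sigdelset(&during_wait, sig);
    for (;;) {
        if (got_signal) {           /* delivered while pselect had it unblocked */
            got_signal = 0;
            return 1;
        }
        struct timespec ts;
        ts.tv_sec = timeout_ms / 1000;
        ts.tv_nsec = (long)(timeout_ms % 1000) * 1000000L;
        int r = pselect(0, NULL, NULL, NULL, &ts, &during_wait);
        if (r == 0)
            return 0;               /* timed out, nothing arrived */
        if (r == -1 && errno == EINTR)
            continue;               /* handler ran; re-check the flag */
        if (r == -1)
            return -1;
    }
}

int main(void)
{
    /* Standalone demonstration: SIGALRM fires after one second while the
     * loop is willing to wait five. */
    if (setup_signal(SIGALRM) == -1) {
        perror("setup_signal");
        return 1;
    }
    alarm(1);
    int r = wait_for_signal_pselect(SIGALRM, 5000);
    printf("wait returned %d (1 = signal seen, 0 = timeout)\n", r);
    return r == 1 ? 0 : 1;
}
```

<p>With plain select(2) and the signal unblocked throughout, a signal raised after the flag check but before the call is handled, yet the call still sleeps until its timeout or the next packet; that is the delayed shutdown and re-key behaviour the two mainloop fixes above describe.</p>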
|
|
<li>mandoc 1.14.6
<ul>