| version 1.80, 2021/10/07 15:31:31 |
version 1.81, 2021/10/08 03:42:09 |
|
|
| <table> |
<table> |
| <tr> |
<tr> |
| <td> |
<td> |
| <a href="images/XXX.png"> |
<a href="images/StarryPointers.png"> |
| <img width="227" height="303" src="images/XXX-s.gif" alt="XXX"></a> |
<img width="227" height="303" src="images/StarryPointers-s.png" alt="XXX"></a> |
| <td> |
<td> |
| Released Oct 14, 2021. (51st OpenBSD release)<br> |
Released Oct 14, 2021. (51st OpenBSD release)<br> |
| Copyright 1997-2021, Theo de Raadt.<br> |
Copyright 1997-2021, Theo de Raadt.<br> |
|
|
| </ul> |
</ul> |
| </ul> |
</ul> |
| |
|
| <li>OpenSSH 8.8 XXX |
<li>OpenSSH 8.8 |
| <!-- |
<ul> |
| <li>Corrected <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> initialization of supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper program (not enabled by default) as a different user. |
<li>Security |
| <li>Fixed the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> "Allocated port" debug message for unix sockets. |
|
| <li>Switched <a href="https://man.openbsd.org/scp.1">scp(1)</a> back to using the original scp/rcp protocol by default for release. |
|
| <li>Made <a href="https://man.openbsd.org/scp.1">scp(1)</a> SFTP mode (including error logging) more scp-like. |
|
| <li>Allowed CanonicalPermittedCNAMEs=none in <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>. |
|
| <li>Put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. |
|
| <li>Made <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> |
|
| discard the current input line and provide a fresh prompt |
|
| when Ctrl-C is typed during interactive command input |
|
| rather than ignoring the signal. |
|
| <li>Altered <a href="https://man.openbsd.org/scp">scp(1)</a> to use the SFTP protocol by default. The original scp/rcp protocol remains available via the -O flag. |
|
| <li>Disabled the RSA/SHA-1 signature algorithm by default in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. |
|
| <li>Ensured some programs (including <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>) do not ignore Ctrl-C when awaiting user input. |
|
| <li>Added <a href="https://man.openbsd.org/scp.1">scp(1)</a> -O and temporary -s (SFTP) flags to select the sftp protocol. |
|
| <li>Made <a href="https://man.openbsd.org/scp.1">scp(1)</a> -3 the default for remote-to-remote copies. |
|
| <li>Improved handling of ~ prefixed paths in <a href="https://man.openbsd.org/scp.1">scp(1)</a> in SFTP mode. |
|
| <li>Added experimental support for using the SFTP protocol for file transfers in <a href="https://man.openbsd.org/scp.1">scp(1)</a>. |
|
| <li>Added a ForkAfterAuthentication directive to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>, equivalent to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> -f. |
|
| <li>Added a StdinNull directive to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> to prevent reading from stdin, equivalent to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> -n. |
|
| <li>Let allowed signers files used by <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> signatures support key lifetimes and verification mode to specify a signature time at which to check. |
|
| <li>Added a SessionType directive to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>, equivalent to the -N (no session) and -s (subsystem) command line flags. |
|
| <li>Allowed spaces to appear in usernames for <a href="https://man.openbsd.org/scp.1">scp(1)</a> local to remote and scp -3 remote to remote copies. |
|
| <li>Prevented a hang in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> when interrupted. |
|
| <li>Matched host certificates against host public keys in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, allowing use of certificates with private keys held in an ssh-agent. |
|
| <li>Prevented a race condition which could result in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> not shutting down until the next time it receives a new connection. |
|
| <li>Allowed <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> SetEnv to override $TERM. |
|
| <li>Fixed a segmentation violation in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> in an UpdateHostKezs debug() message when the update removed more host keys than remain present. |
|
| <li>Fixed <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to restore file descriptors to non-blocking mode on exit. |
|
| <li>Fixed <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> started with ControlPersist incorrectly executing a shell when the -N option was specified. |
|
| --> |
|
| <ul> |
<ul> |
| <li>Security fixes |
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: OpenSSH |
| <ul> |
8.5 introduced the LogVerbose keyword. When this option was |
| <li>... |
enabled with a set of patterns that activated logging in code |
| </ul> |
that runs in the low-privilege sandboxed sshd process, the log |
| <li>Potentially incompatible changes |
messages were constructed in such a way that printf(3) format |
| <ul> |
strings could effectively be specified the low-privilege code. |
| <li>... |
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a> from |
| </ul> |
OpenSSH 6.2 through 8.7 failed to correctly initialise |
| <li>New Features |
supplemental groups when executing an AuthorizedKeysCommand or |
| <ul> |
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser |
| <li>... |
or AuthorizedPrincipalsCommandUser directive has been set to |
| </ul> |
run the command as a different user. |
| <li>Bugfixes |
|
| <ul> |
|
| <li>... |
|
| </ul> |
|
| </ul> |
</ul> |
| |
<li>Potentially incompatible changes |
| |
<ul> |
| |
<li>A near-future release of OpenSSH will switch <a |
| |
href='https://man.openbsd.org/scp.1'>scp(1)</a> from using |
| |
the legacy scp/rcp protocol to using SFTP by default. |
| |
<li>This release disables RSA signatures using the SHA-1 hash |
| |
algorithm by default. |
| |
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: this |
| |
release changes the behaviour of remote to remote copies |
| |
(e.g. "scp host-a:/path host-b:") to transfer through the |
| |
local host by default. This was previously available via the |
| |
-3 flag. This mode avoids the need to expose credentials on |
| |
the origin hop, avoids triplicate interpretation of filenames |
| |
by the shell (by the local system, the copy origin and the |
| |
destination) and, in conjunction with the SFTP support for |
| |
<a href='https://man.openbsd.org/scp.1'>scp(1)</a> mentioned |
| |
below, allows use of all authentication methods to the remote |
| |
hosts (previously, only non-interactive methods could be |
| |
used). A -R flag has been added to select the old behaviour. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/<a |
| |
href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: both the |
| |
client and server are now using a stricter configuration file |
| |
parser. The new parser uses more shell-like rules for quotes, |
| |
space and escape characters. It is also more strict in |
| |
rejecting configurations that include options lacking |
| |
arguments. Previously some options (e.g. DenyUsers) could |
| |
appear on a line with no subsequent arguments. This release |
| |
will reject such configurations. The new parser will also |
| |
reject configurations with unterminated quotes and multiple |
| |
'=' characters after the option name. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: when using |
| |
SSHFP DNS records for host key verification, <a |
| |
href='https://man.openbsd.org/ssh.1'>ssh(1)</a> will verify |
| |
all matching records instead of just those with the specific |
| |
signature type requested. This may cause host key verification |
| |
problems if stale SSHFP records of a different or legacy |
| |
signature type exist alongside other records for a particular |
| |
host. |
| |
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>: |
| |
when generating a FIDO key and specifying an explicit |
| |
attestation challenge (using -Ochallenge), the challenge will |
| |
now be hashed by the builtin security key middleware. This |
| |
removes the (undocumented) requirement that challenges be |
| |
exactly 32 bytes in length and matches the expectations of |
| |
libfido2. |
| |
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: |
| |
environment="..." directives in authorized_keys files are now |
| |
first-match-wins and limited to 1024 discrete environment |
| |
variable names. |
| |
</ul> |
| |
|
| |
<li>New features |
| |
<ul> |
| |
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: |
| |
experimental support for transfers using the SFTP protocol as |
| |
a replacement for the venerable SCP/RCP protocol that it has |
| |
traditionally used. SFTP offers more predictable filename |
| |
handling and does not require expansion of glob(3) patterns |
| |
via the shell on the remote side. |
| |
<li><a href='https://man.openbsd.org/sftp-server.8'>sftp-server(8)</a>: |
| |
add a protocol extension to support expansion of ~/ and ~user/ |
| |
prefixed paths. This was added to support these paths when |
| |
used by <a href='https://man.openbsd.org/scp.1'>scp(1)</a> |
| |
while in SFTP mode. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a |
| |
ForkAfterAuthentication |
| |
<a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> |
| |
counterpart to the <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> -f flag. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a |
| |
StdinNull directive to |
| |
<a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> |
| |
that allows the config file to do the same thing as -n does on |
| |
the <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> |
| |
command- line. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a |
| |
SessionType directive to ssh_config, allowing the |
| |
configuration file to offer equivalent control to the -N (no |
| |
session) and -s (subsystem) command-line flags. |
| |
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>: |
| |
allowed signers files used by |
| |
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a> |
| |
signatures now support listing key validity intervals |
| |
alongside they key, and |
| |
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a> |
| |
can optionally check during signature verification whether a |
| |
specified time falls inside this interval. This feature is |
| |
intended for use by git to support signing and verifying |
| |
objects using ssh keys. |
| |
<li><a href='https://man.openbsd.org/ssh-keygen.8'>ssh-keygen(8)</a>: |
| |
support printing of the full public key in a sshsig signature |
| |
via a -Oprint-pubkey flag. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow the |
| |
<a |
| |
href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> |
| |
CanonicalizePermittedCNAMEs directive to accept a "none" |
| |
argument to specify the default behaviour. |
| |
</ul> |
| |
|
| |
<li>Bugfixes |
| |
<ul> |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/ |
| |
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: start |
| |
time-based re-keying exactly on schedule in the client and |
| |
server mainloops. Previously the re-key timeout could expire |
| |
but re-keying would not start until a packet was sent or |
| |
received, causing a spin in select() if the connection was |
| |
quiescent. |
| |
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>: |
| |
avoid Y2038 problem in printing certificate validity |
| |
lifetimes. Dates past 2^31-1 seconds since epoch were |
| |
displayed incorrectly on some platforms. |
| |
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: allow |
| |
spaces to appear in usernames for local to remote and scp -3 |
| |
remote to remote copies. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/ |
| |
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: remove |
| |
references to ChallengeResponseAuthentication in favour of |
| |
KbdInteractiveAuthentication. The former is what was in SSHv1, |
| |
the latter is what is in SSHv2 (<a href='https://tools.ietf.org/html/rfc4256'>RFC4256</a>) |
| |
and they were treated as somewhat but not entirely equivalent. We |
| |
retain the old name as a deprecated alias so configuration |
| |
files continue to work as well as a reference in the man page |
| |
for people looking for it. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/ |
| |
<a href='https://man.openbsd.org/ssh-add.1'>ssh-add(1)</a>/ |
| |
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>: |
| |
fix decoding of X.509 subject name when extracting a key from |
| |
a PKCS#11 certificate. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: restore |
| |
blocking status on stdio fds before close. |
| |
<a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> needs file |
| |
descriptors in non-blocking mode to operate but it was not |
| |
restoring the original state on exit. This could cause |
| |
problems with fds shared with other programs via the shell. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/ |
| |
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: switch both |
| |
client and server mainloops from select(3) to |
| |
pselect(3). Avoids race conditions where a signal may arrive |
| |
immediately before select(3) and not be processed until an |
| |
event fires. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: sessions |
| |
started with ControlPersist were incorrectly executing a shell |
| |
when the -N (no shell) option was specified. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: check if |
| |
IPQoS or TunnelDevice are already set before |
| |
overriding. Prevents values in config files from overriding |
| |
values supplied on the command line. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix debug |
| |
message when finding a private key to match a certificate |
| |
being attempted for user authentication. Previously it would |
| |
print the certificate's path, whereas it was supposed to be |
| |
showing the private key's path. |
| |
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: match |
| |
host certificates against host public keys, not private |
| |
keys. Allows use of certificates with private keys held in a |
| |
ssh-agent. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a |
| |
workaround for a bug in OpenSSH 7.4 <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>, |
| |
which allows RSA/SHA2 signatures for public key authentication but |
| |
fails to advertise this correctly via SSH2_MSG_EXT_INFO. This |
| |
causes clients of these server to incorrectly match |
| |
PubkeyAcceptedAlgorithmse and potentially refuse to offer |
| |
valid keys. |
| |
<li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>/ |
| |
<a href='https://man.openbsd.org/scp.1'>scp(1)</a>: degrade |
| |
gracefully if a sftp-server offers the limits@openssh.com |
| |
extension but fails when the client tries to invoke it. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow |
| |
ssh_config SetEnv to override $TERM, which is otherwise |
| |
handled specially by the protocol. Useful in ~/.ssh/config to |
| |
set TERM to something generic (e.g. "xterm" instead of |
| |
"xterm-256color") for destinations that lack terminfo entries. |
| |
<li><a href='https://man.openbsd.org/sftp-server.8'>sftp-server(8)</a>: |
| |
the limits@openssh.com extension was incorrectly marked as an |
| |
operation that writes to the filesystem, which made it |
| |
unavailable in sftp-server read-only mode. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix SEGV |
| |
in UpdateHostkeys debug() message, triggered when the update |
| |
removed more host keys than remain present. |
| |
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: when using |
| |
the SFTP protocol, continue transferring files after a |
| |
transfer error occurs, better matching original scp/rcp |
| |
behaviour. |
| |
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fixed a |
| |
number of memory leaks in multiplexing, |
| |
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>: |
| |
avoid crash when using the -Y find-principals command. |
| |
<li>A number of documentation and manual improvements. |
| |
</ul> |
| |
</ul> |
| |
|
| <li>mandoc 1.14.6 |
<li>mandoc 1.14.6 |
| <ul> |
<ul> |
![[BACK]](/icons/back.gif){kind=icon}
Return to 70.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www