| version 1.64, 2022/06/28 04:53:02 |
version 1.65, 2022/07/15 06:46:06 |
|
|
| <li>Added a <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
<li>Added a <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> |
| cache of regions between 128k and 2M to accommodate programs |
cache of regions between 128k and 2M to accommodate programs |
| allocating and deallocating regions of these sizes quickly. |
allocating and deallocating regions of these sizes quickly. |
| ` <li>Added <a href="https://man.openbsd.org/pax.1">pax(1)</a> support |
<li>Added <a href="https://man.openbsd.org/pax.1">pax(1)</a> support |
| for mtime/atime/ctime extended headers (in not-SMALL builds). |
for mtime/atime/ctime extended headers (in not-SMALL builds). |
| <li>Added -k flag to <a |
<li>Added -k flag to <a |
| href="https://man.openbsd.org/gzip.1">gzip(1)</a> and <a |
href="https://man.openbsd.org/gzip.1">gzip(1)</a> and <a |
|
|
| <li>Added support for tpm2 CRB interface to <a |
<li>Added support for tpm2 CRB interface to <a |
| href="https://man.openbsd.org/tpm.4">tpm(4)</a>, fixing recent S4 |
href="https://man.openbsd.org/tpm.4">tpm(4)</a>, fixing recent S4 |
| regressions on the Surface Go 2 caused by a firmware change. |
regressions on the Surface Go 2 caused by a firmware change. |
| ` <li>Ensured armv7 and arm64 efiboot allocate fresh memory for the |
<li>Ensured armv7 and arm64 efiboot allocate fresh memory for the |
| device tree with at least one page of free space to extend into. This |
device tree with at least one page of free space to extend into. This |
| fixes booting on VMWare Fusion. |
fixes booting on VMWare Fusion. |
| <li>Stopped binding audio devices exposed by <a |
<li>Stopped binding audio devices exposed by <a |
|
|
| <li>Security |
<li>Security |
| <ul> |
<ul> |
| <!-- OpenSSH 8.9 --> |
<!-- OpenSSH 8.9 --> |
| <li>Near miss in <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li>Near miss in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| fix an integer overflow in the user authentication path |
fix an integer overflow in the user authentication path |
| that, in conjunction with other logic errors, could have yielded |
that, in conjunction with other logic errors, could have yielded |
| unauthenticated access under difficult to exploit conditions.<br> |
unauthenticated access under difficult to exploit conditions.<br> |
|
|
| <li>In OpenSSH 8.9 the FIDO security key middleware interface |
<li>In OpenSSH 8.9 the FIDO security key middleware interface |
| changed and increments SSH_SK_VERSION_MAJOR. |
changed and increments SSH_SK_VERSION_MAJOR. |
| <!-- OpenSSH 9.0 --> |
<!-- OpenSSH 9.0 --> |
| <li>This release switches <a href=https://man.openbsd.org/scp.1>scp(1)</a> |
<li>This release switches <a href="https://man.openbsd.org/scp.1">scp(1)</a> |
| from using the legacy scp/rcp protocol |
from using the legacy scp/rcp protocol |
| to using the SFTP protocol by default.<br> |
to using the SFTP protocol by default.<br> |
| Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. |
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. |
| "scp host:* .") through the remote shell. This has the side effect of |
"scp host:* .") through the remote shell. This has the side effect of |
| requiring double quoting of shell meta-characters in file names |
requiring double quoting of shell meta-characters in file names |
| included on <a href=https://man.openbsd.org/scp.1>scp(1)</a> |
included on <a href="https://man.openbsd.org/scp.1">scp(1)</a> |
| command-lines, otherwise they could be interpreted |
command-lines, otherwise they could be interpreted |
| as shell commands on the remote side.<br> |
as shell commands on the remote side.<br> |
| This creates one area of potential incompatibility: |
This creates one area of potential incompatibility: |
| <a href=https://man.openbsd.org/scp.1>scp(1)</a> when using |
<a href="https://man.openbsd.org/scp.1">scp(1)</a> when using |
| the SFTP protocol no longer requires this finicky and brittle quoting, |
the SFTP protocol no longer requires this finicky and brittle quoting, |
| and attempts to use it may cause transfers to fail. We consider the |
and attempts to use it may cause transfers to fail. We consider the |
| removal of the need for double-quoting shell characters in file names |
removal of the need for double-quoting shell characters in file names |
| to be a benefit and do not intend to introduce bug-compatibility for |
to be a benefit and do not intend to introduce bug-compatibility for |
| legacy scp/rcp in <a href=https://man.openbsd.org/scp.1>scp(1)</a> |
legacy scp/rcp in <a href="https://man.openbsd.org/scp.1">scp(1)</a> |
| when using the SFTP protocol.<br> |
when using the SFTP protocol.<br> |
| Another area of potential incompatibility relates to the use of remote |
Another area of potential incompatibility relates to the use of remote |
| paths relative to other user's home directories, for example - |
paths relative to other user's home directories, for example - |
| "scp host:~user/file /tmp". The SFTP protocol has no native way to |
"scp host:~user/file /tmp". The SFTP protocol has no native way to |
| expand a ~user path. However, |
expand a ~user path. However, |
| <a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a> |
<a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> |
| in OpenSSH 8.7 and later support a protocol extension |
in OpenSSH 8.7 and later support a protocol extension |
| "expand-path@openssh.com" to support this.<br> |
"expand-path@openssh.com" to support this.<br> |
| In case of incompatibility, the |
In case of incompatibility, the |
| <a href=https://man.openbsd.org/scp.1>scp(1)</a> client may be instructed to use |
<a href="https://man.openbsd.org/scp.1">scp(1)</a> client may be instructed to use |
| the legacy scp/rcp using the -O flag. |
the legacy scp/rcp using the -O flag. |
| </ul> |
</ul> |
| |
|
| <li>New features |
<li>New features |
| <ul> |
<ul> |
| <!-- OpenSSH 8.9 --> |
<!-- OpenSSH 8.9 --> |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>, |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, |
| <a href=https://man.openbsd.org/ssh-add.1>ssh-add(1)</a>, |
<a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>, |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>: |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: |
| add a system for restricting forwarding and use of keys added to |
add a system for restricting forwarding and use of keys added to |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a> |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> |
| A detailed description of the feature is available at |
A detailed description of the feature is available at |
| https://www.openssh.com/agent-restrict.html and the protocol |
https://www.openssh.com/agent-restrict.html and the protocol |
| extensions are documented in the |
extensions are documented in the |
|
|
| >PROTOCOL</a> and |
>PROTOCOL</a> and |
| <a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.agent?annotate=OPENBSD_7_1" |
<a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.agent?annotate=OPENBSD_7_1" |
| >PROTOCOL.agent</a> files in the source release. |
>PROTOCOL.agent</a> files in the source release. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| add the sntrup761x25519-sha512@openssh.com hybrid |
add the sntrup761x25519-sha512@openssh.com hybrid |
| ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the |
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the |
| default KEXAlgorithms list (after the ECDH methods but before the |
default KEXAlgorithms list (after the ECDH methods but before the |
| prime-group DH ones). |
prime-group DH ones). |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| when downloading resident keys from a FIDO token, |
when downloading resident keys from a FIDO token, |
| pass back the user ID that was used when the key was created and |
pass back the user ID that was used when the key was created and |
| append it to the filename the key is written to (if it is not the |
append it to the filename the key is written to (if it is not the |
| default). Avoids keys being clobbered if the user created multiple |
default). Avoids keys being clobbered if the user created multiple |
| resident keys with the same application string but different user |
resident keys with the same application string but different user |
| IDs. |
IDs. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>, |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, |
| <a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>: |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: |
| better handling for FIDO keys |
better handling for FIDO keys |
| on tokens that provide user verification (UV) on the device itself, |
on tokens that provide user verification (UV) on the device itself, |
| including biometric keys, avoiding unnecessary PIN prompts. |
including biometric keys, avoiding unnecessary PIN prompts. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: add "ssh-keygen -Y match-principals" operation to |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add "ssh-keygen -Y match-principals" operation to |
| perform matching of principals names against an allowed signers |
perform matching of principals names against an allowed signers |
| file. To be used towards a TOFU model for SSH signatures in git. |
file. To be used towards a TOFU model for SSH signatures in git. |
| <li><a href=https://man.openbsd.org/ssh-add.1>ssh-add(1)</a>, |
<li><a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>, |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>: |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: |
| allow pin-required FIDO keys to be added |
allow pin-required FIDO keys to be added |
| to <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>. |
to <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>. |
| $SSH_ASKPASS will be used to request the PIN at authentication time. |
$SSH_ASKPASS will be used to request the PIN at authentication time. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| allow selection of hash at sshsig signing time |
allow selection of hash at sshsig signing time |
| (either sha512 (default) or sha256). |
(either sha512 (default) or sha256). |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| read network data directly to the packet input |
read network data directly to the packet input |
| buffer instead of indirectly via a small stack buffer. Provides a |
buffer instead of indirectly via a small stack buffer. Provides a |
| modest performance improvement. |
modest performance improvement. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| read data directly to the channel input buffer, |
read data directly to the channel input buffer, |
| providing a similar modest performance improvement. |
providing a similar modest performance improvement. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| extend the PubkeyAuthentication configuration directive to |
extend the PubkeyAuthentication configuration directive to |
| accept yes|no|unbound|host-bound to allow control over one of the |
accept yes|no|unbound|host-bound to allow control over one of the |
| protocol extensions used to implement agent-restricted keys. |
protocol extensions used to implement agent-restricted keys. |
| <!-- OpenSSH 9.0 --> |
<!-- OpenSSH 9.0 --> |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| use the hybrid Streamlined NTRU Prime + x25519 key |
use the hybrid Streamlined NTRU Prime + x25519 key |
| exchange method by default ("sntrup761x25519-sha512@openssh.com"). |
exchange method by default ("sntrup761x25519-sha512@openssh.com"). |
| The NTRU algorithm is believed to resist attacks enabled by future |
The NTRU algorithm is believed to resist attacks enabled by future |
|
|
| later" attacks where an adversary who can record and store SSH |
later" attacks where an adversary who can record and store SSH |
| session ciphertext would be able to decrypt it once a sufficiently |
session ciphertext would be able to decrypt it once a sufficiently |
| advanced quantum computer is available. |
advanced quantum computer is available. |
| <li><a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>: |
<li><a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: |
| support the "copy-data" extension to allow server- |
support the "copy-data" extension to allow server- |
| side copying of files/data, following the design in |
side copying of files/data, following the design in |
| draft-ietf-secsh-filexfer-extensions-00. |
draft-ietf-secsh-filexfer-extensions-00. |
| <li><a href=https://man.openbsd.org/sftp.1>sftp(1)</a>: |
<li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: |
| add a "cp" command to allow the sftp client to perform |
add a "cp" command to allow the sftp client to perform |
| server-side file copies. |
server-side file copies. |
| </ul> |
</ul> |
|
|
| <li>Bugfixes |
<li>Bugfixes |
| <ul> |
<ul> |
| <!-- OpenSSH 8.9 --> |
<!-- OpenSSH 8.9 --> |
| <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| document that CASignatureAlgorithms, ExposeAuthInfo and |
document that CASignatureAlgorithms, ExposeAuthInfo and |
| PubkeyAuthOptions can be used in a Match block. |
PubkeyAuthOptions can be used in a Match block. |
| <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| fix possible string truncation when constructing paths to |
fix possible string truncation when constructing paths to |
| .rhosts/.shosts files with very long user home directory names. |
.rhosts/.shosts files with very long user home directory names. |
| <li>ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 |
<li>ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 |
| exchange hashes |
exchange hashes |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| don't put the TTY into raw mode when SessionType=none, |
don't put the TTY into raw mode when SessionType=none, |
| avoids ^C being unable to kill such a session. |
avoids ^C being unable to kill such a session. |
| <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>: |
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>: |
| fix some corner-case bugs in SFTP-mode handling of |
fix some corner-case bugs in SFTP-mode handling of |
| ~-prefixed paths. |
~-prefixed paths. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| unbreak hostbased auth using RSA keys. Allow |
unbreak hostbased auth using RSA keys. Allow |
| <a href=https://man.openbsd.org/ssh.1>ssh(1)</a> to |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to |
| select RSA keys when only RSA/SHA2 signature algorithms are |
select RSA keys when only RSA/SHA2 signature algorithms are |
| configured (this is the default case). Previously RSA keys were |
configured (this is the default case). Previously RSA keys were |
| not being considered in the default case. |
not being considered in the default case. |
| <li>ssh-keysign(1): make ssh-keysign use the requested signature |
<li>ssh-keysign(1): make ssh-keysign use the requested signature |
| algorithm and not the default for the key type. Part of unbreaking |
algorithm and not the default for the key type. Part of unbreaking |
| hostbased auth for RSA/SHA2 keys. |
hostbased auth for RSA/SHA2 keys. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| stricter UpdateHostkey signature verification logic on |
stricter UpdateHostkey signature verification logic on |
| the client- side. Require RSA/SHA2 signatures for RSA hostkeys |
the client- side. Require RSA/SHA2 signatures for RSA hostkeys |
| except when RSA/SHA1 was explicitly negotiated during initial |
except when RSA/SHA1 was explicitly negotiated during initial |
| KEX |
KEX |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| fix signature algorithm selection logic for |
fix signature algorithm selection logic for |
| UpdateHostkeys on the server side. The previous code tried to |
UpdateHostkeys on the server side. The previous code tried to |
| prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some |
prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some |
| cases. This will use RSA/SHA2 signatures for RSA keys if the |
cases. This will use RSA/SHA2 signatures for RSA keys if the |
| client proposed these algorithms in initial KEX. |
client proposed these algorithms in initial KEX. |
| <li>All: convert all uses of |
<li>All: convert all uses of |
| <a href=https://man.openbsd.org/select.2>select(2)</a>/ |
<a href="https://man.openbsd.org/select.2">select(2)</a>/ |
| <a href=https://man.openbsd.org/pselect.2>pselect(2)</a> to |
<a href="https://man.openbsd.org/pselect.2">pselect(2)</a> to |
| <a href=https://man.openbsd.org/poll.2>poll(2)</a>/ |
<a href="https://man.openbsd.org/poll.2">poll(2)</a>/ |
| <a href=https://man.openbsd.org/ppoll.2>ppoll(2)</a>. |
<a href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>. |
| This includes the mainloops in |
This includes the mainloops in |
| <a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>, |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a> |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> |
| and <a href=https://man.openbsd.org/sftp-server.8>sftp-server(8)</a>, |
and <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>, |
| as well as the <a href=https://man.openbsd.org/sshd.8>sshd(8)</a> |
as well as the <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> |
| listen loop and all other FD read/writability checks. |
listen loop and all other FD read/writability checks. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| the "-Y find-principals" command was verifying key |
the "-Y find-principals" command was verifying key |
| validity when using ca certs but not with simple key lifetimes |
validity when using ca certs but not with simple key lifetimes |
| within the allowed signers file. |
within the allowed signers file. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| make sshsig verify-time argument parsing optional |
make sshsig verify-time argument parsing optional |
| <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| fix truncation in rhosts/shosts path construction. |
fix truncation in rhosts/shosts path construction. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>: |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: |
| avoid xmalloc(0) for PKCS#11 keyid for ECDSA |
avoid xmalloc(0) for PKCS#11 keyid for ECDSA |
| keys (we already did this for RSA keys). Avoids fatal errors for |
keys (we already did this for RSA keys). Avoids fatal errors for |
| PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B |
PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B |
| "cryptoauthlib" |
"cryptoauthlib" |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>: |
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: |
| improve the testing of credentials against |
improve the testing of credentials against |
| inserted FIDO: ask the token whether a particular key belongs to |
inserted FIDO: ask the token whether a particular key belongs to |
| it in cases where the token supports on-token user-verification |
it in cases where the token supports on-token user-verification |
|
|
| Will reduce spurious "Confirm user presence" notifications for key |
Will reduce spurious "Confirm user presence" notifications for key |
| handles that relate to FIDO keys that are not currently inserted in at |
handles that relate to FIDO keys that are not currently inserted in at |
| least some cases. |
least some cases. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| correct value for IPTOS_DSCP_LE. It needs to |
correct value for IPTOS_DSCP_LE. It needs to |
| allow for the preceding two ECN bits. |
allow for the preceding two ECN bits. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| add missing -O option to usage() for the "-Y sign" option. |
add missing -O option to usage() for the "-Y sign" option. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| fix a NULL deref when using the find-principals |
fix a NULL deref when using the find-principals |
| function, when matching an allowed_signers line that contains a |
function, when matching an allowed_signers line that contains a |
| namespace restriction, but no restriction specified on the |
namespace restriction, but no restriction specified on the |
| command-line |
command-line |
| <li><a href=https://man.openbsd.org/ssh-agent.1>ssh-agent(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: |
| fix memleak in process_extension(); oss-fuzz issue #42719 |
fix memleak in process_extension(); oss-fuzz issue #42719 |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>: |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
| suppress "Connection to xxx closed" messages when LogLevel |
suppress "Connection to xxx closed" messages when LogLevel |
| is set to "error" or above. |
is set to "error" or above. |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| use correct zlib flags when inflate(3)-ing compressed packet data. |
use correct zlib flags when inflate(3)-ing compressed packet data. |
| <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>: |
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>: |
| when recursively transferring files in SFTP mode, create the |
when recursively transferring files in SFTP mode, create the |
| destination directory if it doesn't already exist to match |
destination directory if it doesn't already exist to match |
| <a href=https://man.openbsd.org/scp.1>scp(1)</a> in |
<a href="https://man.openbsd.org/scp.1">scp(1)</a> in |
| legacy RCP mode behaviour. |
legacy RCP mode behaviour. |
| <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>: |
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>: |
| many improvements in error message consistency between |
many improvements in error message consistency between |
| <a href=https://man.openbsd.org/scp.1>scp(1)</a> |
<a href="https://man.openbsd.org/scp.1">scp(1)</a> |
| in SFTP mode vs legacy RCP mode. |
in SFTP mode vs legacy RCP mode. |
| <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| fix potential race in SIGTERM handling |
fix potential race in SIGTERM handling |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8))</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8))</a>: |
| since DSA keys are deprecated, move them to the end of the default |
since DSA keys are deprecated, move them to the end of the default |
| list of public keys so that they will be tried last. |
list of public keys so that they will be tried last. |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| allow 'ssh-keygen -Y find-principals' to match |
allow 'ssh-keygen -Y find-principals' to match |
| wildcard principals in allowed_signers files |
wildcard principals in allowed_signers files |
| <!-- OpenSSH 9.0 --> |
<!-- OpenSSH 9.0 --> |
| <li><a href=https://man.openbsd.org/ssh.1>ssh(1)</a>, |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
| <a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| fix |
fix |
| <a href=https://man.openbsd.org/poll.2>poll(2)</a> spin when a |
<a href="https://man.openbsd.org/poll.2">poll(2)</a> spin when a |
| channel's output fd closes without data in the channel buffer. |
channel's output fd closes without data in the channel buffer. |
| <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| pack pollfd array in server listen/accept loop. Could |
pack pollfd array in server listen/accept loop. Could |
| cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE |
cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE |
| <li><a href=https://man.openbsd.org/ssh-keygen.1>ssh-keygen(1)</a>: |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
| avoid NULL deref via the find-principals and check-novalidate operations. |
avoid NULL deref via the find-principals and check-novalidate operations. |
| <li><a href=https://man.openbsd.org/scp.1>scp(1)</a>: |
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>: |
| fix a memory leak in argument processing. |
fix a memory leak in argument processing. |
| <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| don't try to resolve ListenAddress directives in the sshd |
don't try to resolve ListenAddress directives in the sshd |
| re-exec path. They are unused after re-exec and parsing errors |
re-exec path. They are unused after re-exec and parsing errors |
| (possible for example if the host's network configuration changed) |
(possible for example if the host's network configuration changed) |
| could prevent connections from being accepted. |
could prevent connections from being accepted. |
| <li><a href=https://man.openbsd.org/sshd.8>sshd(8)</a>: |
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
| when refusing a public key authentication request from a |
when refusing a public key authentication request from a |
| client for using an unapproved or unsupported signature algorithm |
client for using an unapproved or unsupported signature algorithm |
| include the algorithm name in the log message to make debugging |
include the algorithm name in the log message to make debugging |
![[BACK]](/icons/back.gif){kind=icon}
Return to 71.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www