version 1.11, 2023/10/10 21:33:54 |
version 1.12, 2023/10/10 21:40:23 |
|
|
</ul> |
</ul> |
</ul> |
</ul> |
|
|
<li>OpenSSH XXX.YYY |
<li>OpenSSH 9.5 |
<ul> |
<ul> |
<li>Security |
<li>Potentially incompatible changes |
<ul> |
<ul> |
<li>... |
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
|
generate Ed25519 keys by default. Ed25519 public keys |
|
are very convenient due to their small size. Ed25519 keys are |
|
specified in RFC 8709 and OpenSSH has supported them since version 6.5 |
|
(January 2014). |
|
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
|
the Subsystem directive now accurately preserves quoting of |
|
subsystem commands and arguments. This may change behaviour for exotic |
|
configurations, but the most common subsystem configuration |
|
(sftp-server) is unlikely to be affected. |
</ul> |
</ul> |
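Review bot: the ssh-keygen(1) entry under "Potentially incompatible changes" says Ed25519 keys are now generated by default, but it does not say which key type was the default before or what a caller relying on the old default should do. Suggest one added sentence naming the previous default and noting that scripts which need it should request the key type explicitly. The sshd(8) Subsystem entry would likewise benefit from one example of an "exotic" configuration whose quoting is now handled differently.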
<li>Potentially-incompatible changes |
<li>New features |
<ul> |
<ul> |
<li>... |
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
|
add keystroke timing obfuscation to the client. This attempts |
|
to hide inter-keystroke timings by sending interactive traffic at |
|
fixed intervals (default: every 20ms) when there is only a small |
|
amount of data being sent. It also sends fake "chaff" keystrokes for |
|
a random interval after the last real keystroke. These are |
|
controlled by a new ssh_config ObscureKeystrokeTiming keyword. |
|
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, |
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
|
Introduce a transport-level ping facility. This adds |
|
a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to |
|
implement a ping capability. These messages use numbers in the "local |
|
extensions" number space and are advertised using a "ping@openssh.com" |
|
ext-info message with a string version number of "0". |
|
<li>sshd(8): allow override of Subsystem directives in sshd Match blocks. |
</ul> |
</ul> |
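Review bot: the keystroke timing obfuscation entry gives the ObscureKeystrokeTiming keyword and the 20ms default interval, but it does not say whether obfuscation is enabled by default or how to turn it off; state that next to the keyword. Also, the last item, "sshd(8): allow override of Subsystem directives in sshd Match blocks", uses a bare sshd(8) while the other entries in this list link to man.openbsd.org; link it for consistency.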
<li>Bugfixes |
<li>Bugfixes |
<ul> |
<ul> |
<li>... |
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>: |
|
fix scp in SFTP mode recursive upload and download of |
|
directories that contain symlinks to other directories. In scp mode, |
|
the links would be followed, but in SFTP mode they were not. |
|
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: |
|
handle cr+lf (instead of just cr) line endings in |
|
sshsig signature files. |
|
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: |
|
interactive mode for ControlPersist sessions if they |
|
originally requested a tty. |
|
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
|
make PerSourceMaxStartups first-match-wins |
|
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
|
limit artificial login delay to a reasonable maximum (5s) |
|
and don't delay at all for the "none" authentication mechanism. |
|
<li>sshd(8): Log errors in kex_exchange_identification() with level |
|
verbose instead of error to reduce preauth log spam. All of those |
|
get logged with a more generic error message by sshpkt_fatal(). |
|
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: |
|
correct math for ClientAliveInterval that caused the probes |
|
to be sent less frequently than configured. |
|
<li>fix regression in OpenSSH 9.4 (mux.c r1.99) that caused |
|
multiplexed sessions to ignore SIGINT under some circumstances. |
</ul> |
</ul> |
</ul> |
</ul> |
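Review bot: the ssh(1) bugfix entry "interactive mode for ControlPersist sessions if they originally requested a tty" has no verb, so it does not say what was fixed; add the action at the start of the sentence. Minor: "make PerSourceMaxStartups first-match-wins" is the only entry in the list without a closing period, and the kex_exchange_identification() entry uses an unlinked sshd(8) where the other sshd(8) items carry the man page link.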
|
|