version 1.12, 2023/10/10 21:40:23 |
version 1.13, 2023/10/10 22:11:09 |
|
|
</ul> |
</ul> |
|
|
<li>OpenSSH 9.5 and OpenSSH 9.4
<ul>
<li>Potentially incompatible changes
<ul>
|
|
subsystem commands and arguments. This may change behaviour for exotic
configurations, but the most common subsystem configuration
(sftp-server) is unlikely to be affected.
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
</ul>
<li>New features
<ul>
|
|
implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
allow override of Subsystem directives in sshd Match blocks.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
allow forwarding Unix Domain sockets via ssh -W.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
add support for configuration tags to ssh(1).
This adds an ssh_config(5) "Tag" directive and a corresponding
"Match tag" predicate that may be used to select blocks of
configuration, similar to the pf.conf(5) keywords of the same
name.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
add a "Match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D, which expands to
the routing domain of the connected session, and %C, which expands
to the addresses and port numbers for the source and destination
of the connection.
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
increase the default work factor (rounds) for the
bcrypt KDF used to derive symmetric encryption keys for passphrase
protected key files by 50%.
</ul> |
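<p>The Tag / Match tag, Match localnetwork and Match-block Subsystem items above are easiest to see as configuration. The fragments below are an added illustration, not text from the release notes or from OpenSSH's own documentation; the host names, the 192.0.2.0/24 network, the sftponly group and the paths are placeholders.</p>

```text
# ssh_config (client side, OpenSSH 9.5 or later). Placeholder hosts,
# network and paths; added example, not from the release notes.

# A tag set here, or on the command line with "ssh -P work host",
# is visible to any later "Match tag" block.
Host *.corp.example
    Tag work

Match tag work
    IdentityFile ~/.ssh/id_work
    IdentitiesOnly yes

# When one of this machine's interfaces has an address in the office
# network, reach corp hosts directly. ssh_config keeps the first value
# obtained for each option, so this block must come before the generic
# ProxyJump below or it would never take effect.
Match localnetwork 192.0.2.0/24 host *.corp.example
    ProxyJump none

Host *.corp.example
    ProxyJump bastion.corp.example

# sshd_config (server side). Subsystem may now be overridden inside a
# Match block; everyone else keeps the default sftp-server.
Subsystem sftp /usr/libexec/sftp-server

Match Group sftponly
    Subsystem sftp internal-sftp -l INFO
    ChrootDirectory /srv/sftp/%u
```

<p>To see which blocks apply, print the effective client configuration with <code>ssh -G -P work host.corp.example</code> (with and without an interface in 192.0.2.0/24) and the effective server configuration with <code>sshd -T -C user=alice,addr=192.0.2.10</code>; the <code>ProxyJump none</code> case is also the one the canonicalization bugfix below concerns. The new ssh -W form takes a Unix socket path in place of host:port, for example <code>ssh -W /run/example.sock jump.corp.example</code>, and forwards stdio to that socket on the remote side.</p>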
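<p>The ping item above describes the wire-level pieces: an EXT_INFO advertisement naming ping@openssh.com with value "0", and a PING/PONG pair numbered from the local-extensions range. The Python below is an added example, not OpenSSH code. It encodes and parses the EXT_INFO payload as RFC 8308 defines it; the PING/PONG message numbers 192 and 193 and their single-string payload follow OpenSSH's PROTOCOL document rather than anything stated on this page, so treat them as assumptions of the example.</p>

```python
"""SSH EXT_INFO and ping@openssh.com wire-format round trip.

Added example, not OpenSSH code.  SSH_MSG_EXT_INFO (7) and the
name/value layout come from RFC 8308.  The ping/pong numbers 192/193
(RFC 4250 reserves 192-255 for local extensions) and their payload,
one SSH "string", are assumed from OpenSSH's PROTOCOL document.
"""
import struct

SSH_MSG_EXT_INFO = 7     # RFC 8308
SSH2_MSG_PING = 192      # assumption: OpenSSH PROTOCOL, local-extension range
SSH2_MSG_PONG = 193      # assumption: OpenSSH PROTOCOL


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Read one SSH string at buf[off:], refusing lengths past the end."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off:off + n], off + n


def build_ext_info(extensions: dict) -> bytes:
    """Encode an SSH_MSG_EXT_INFO payload advertising the given extensions."""
    body = struct.pack(">I", len(extensions))
    for name, value in extensions.items():
        body += _string(name.encode()) + _string(value.encode())
    return bytes([SSH_MSG_EXT_INFO]) + body


def parse_ext_info(payload: bytes) -> dict:
    """Decode an SSH_MSG_EXT_INFO payload into {extension-name: value}."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an EXT_INFO message")
    if len(payload) < 5:
        raise ValueError("truncated extension count")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = _read_string(payload, off)
        value, off = _read_string(payload, off)
        exts[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    if off != len(payload):
        raise ValueError("trailing bytes after last extension")
    return exts


def peer_supports_ping(exts: dict) -> bool:
    """OpenSSH 9.5 advertises ping@openssh.com with the version string "0"."""
    return exts.get("ping@openssh.com") == "0"


def build_ping(data: bytes) -> bytes:
    """PING carries one opaque string; the peer must echo it back."""
    return bytes([SSH2_MSG_PING]) + _string(data)


def answer_ping(payload: bytes) -> bytes:
    """Reply to a PING with a PONG carrying the same data, rejecting malformed input."""
    if not payload or payload[0] != SSH2_MSG_PING:
        raise ValueError("not a PING")
    data, off = _read_string(payload, 1)
    if off != len(payload):
        raise ValueError("trailing bytes after PING data")
    return bytes([SSH2_MSG_PONG]) + _string(data)


def demo():
    """Constructed exchange: advertise, check, then ping/pong once."""
    advert = build_ext_info({"server-sig-algs": "ssh-ed25519,rsa-sha2-512",
                             "ping@openssh.com": "0"})
    ok = peer_supports_ping(parse_ext_info(advert))
    pong = answer_ping(build_ping(b"keepalive-1"))
    return ok, pong


if __name__ == "__main__":
    print(demo())
```

<p>The length checks in <code>_read_string</code> and the trailing-bytes check in <code>parse_ext_info</code> are the part worth copying: EXT_INFO arrives before authentication, so a parser that trusts the embedded lengths is reachable by anyone who can complete a key exchange.</p>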
<li>Bugfixes
<ul>
|
|
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
limit artificial login delay to a reasonable maximum (5s)
and don't delay at all for the "none" authentication mechanism.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
log errors in kex_exchange_identification() with level
verbose instead of error to reduce preauth log spam. All of those
get logged with a more generic error message by sshpkt_fatal().
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
correct math for ClientAliveInterval that caused the probes
to be sent less frequently than configured.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
multiplexed sessions to ignore SIGINT under some circumstances.
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
make -f (fork after authentication) work correctly with
multiplexed connections, including ControlPersist.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
make ConnectTimeout apply to multiplexing sockets and not
just to network connections.
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
appears before it in sshd_config. Since OpenSSH 8.7 the
AuthorizedPrincipalsCommand directive was incorrectly ignored in
this situation.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
remove vestigial support for KRL
signatures. When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs
and verify KRL signatures was never completed in OpenSSH. This
release removes the partially-implemented code to verify KRLs.
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
KRL files.
<li>All: fix a number of memory leaks and unreachable/harmless integer
overflows.
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
don't truncate strings logged from PKCS#11 modules.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
better validate CASignatureAlgorithms in
ssh_config and sshd_config. Previously this directive would accept
certificate algorithm names, but these were unusable in practice as
OpenSSH does not support CA chains.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
make <code>ssh -Q CASignatureAlgorithms</code> only list signature
algorithms that are valid for CA signing. Previous behaviour was
to list all signing algorithms, including certificate algorithms.
<li><a href="https://man.openbsd.org/ssh-keyscan.1">ssh-keyscan(1)</a>:
gracefully handle systems where rlimits or the
maximum number of open files is larger than INT_MAX.
<li><a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:
fix "no comment" not showing when running
<code>ssh-keygen -l</code> on multiple keys where one has a comment
and other following keys do not.
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>,
<a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
adjust ftruncate() logic to handle servers that
reorder requests. Previously, if the server reordered requests then
the resultant file would be erroneously truncated.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was explicitly set to
"none".
<li><a href="https://man.openbsd.org/scp.1">scp(1)</a>:
when copying local to remote, check that the source file
exists before opening an SFTP connection to the server.
</ul> |
</ul> |
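<p>The ssh-keygen(1) bcrypt work-factor change in New features above raises a practical question: which existing key files still carry the old setting. The rounds are stored in the clear in the openssh-key-v1 container, so they can be read without the passphrase. The parser below is an added example, not ssh-keygen code; it follows the container layout from OpenSSH's PROTOCOL.key document, assumes the old default was 16 rounds and the new one 24 (a 50% increase; the page states only the percentage), and feeds itself a constructed dummy key rather than real key material.</p>

```python
"""Report the KDF parameters of an OpenSSH private key (openssh-key-v1).

Added example, not ssh-keygen code.  Layout per OpenSSH's PROTOCOL.key:
  magic "openssh-key-v1\0", string cipher, string kdf, string kdfoptions
  (bcrypt: string salt, uint32 rounds), uint32 nkeys, string pubkey...,
  string private-section.
The 16 -> 24 round defaults are this example's assumption.
"""
import base64
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"
OLD_DEFAULT_ROUNDS = 16   # assumption: ssh-keygen default before 9.5
NEW_DEFAULT_ROUNDS = 24   # assumption: 50% more, the 9.5 default


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Read one SSH string, refusing lengths that run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of data")
    return buf[off:off + n], off + n


def inspect_private_key(pem_text: str) -> dict:
    """Parse the unencrypted header of an OpenSSH private key file."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "rounds": None, "salt_len": 0, "nkeys": nkeys, "key_types": []}
    if kdf == b"bcrypt":
        salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
        info["rounds"], info["salt_len"] = rounds, len(salt)
    for _ in range(nkeys):
        pub, off = _read_string(blob, off)
        ktype, _ = _read_string(pub, 0)
        info["key_types"].append(ktype.decode())
    private, off = _read_string(blob, off)   # ciphertext or plaintext section
    info["private_len"] = len(private)
    return info


def needs_rekey(info: dict, minimum_rounds: int = NEW_DEFAULT_ROUNDS) -> bool:
    """True for an unencrypted file or one below the chosen bcrypt baseline."""
    if info["kdf"] != "bcrypt":
        return True          # kdf "none": no passphrase, no work factor at all
    return info["rounds"] < minimum_rounds


def make_sample_key(rounds: int, encrypted: bool = True) -> str:
    """Constructed test data: a valid container holding dummy bytes, not a real key."""
    pub = _string(b"ssh-ed25519") + _string(b"\x11" * 32)
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _string(b"\x22" * 16) + struct.pack(">I", rounds)
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    blob = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(pub) + _string(b"\x33" * 80))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{body}\n{PEM_TAIL}\n"


if __name__ == "__main__":
    for r in (OLD_DEFAULT_ROUNDS, NEW_DEFAULT_ROUNDS):
        info = inspect_private_key(make_sample_key(r))
        print(r, info["kdf"], info["rounds"], "rekey" if needs_rekey(info) else "ok")
```

<p>Point <code>inspect_private_key</code> at the contents of each file under ~/.ssh and re-encrypt anything that <code>needs_rekey</code> flags with <code>ssh-keygen -p -a 24 -f keyfile</code> (<code>-a</code> sets the bcrypt rounds, <code>-p</code> rewrites the file with a new passphrase). Rounds scale the cost of every offline guess against a stolen key file linearly, which is why the increase matters for keys that leave the host in backups or images.</p>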
|
|