===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- www/74.html 2023/10/10 21:40:23 1.12
+++ www/74.html 2023/10/10 22:11:09 1.13
@@ -398,7 +398,7 @@
-
OpenSSH 9.5
+OpenSSH 9.5 and OpenSSH 9.4
- Potentially incompatible changes
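Review bot: the heading now spans two releases ("OpenSSH 9.5 and OpenSSH 9.4") but no entry in the sections that follow says which of the two releases it belongs to, so a reader checking whether a given incompatible change or feature is already in their installed version cannot tell 9.4 items from 9.5 items. Either keep per-release sub-headings or mark the 9.4 entries individually; at minimum, state once under the heading that the list is the union of both release notes. Also consider ordering the heading chronologically ("OpenSSH 9.4 and OpenSSH 9.5") to match how the rest of the page reads.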
@@ -412,6 +412,10 @@
subsystem commands and arguments. This may change behaviour for exotic
configurations, but the most common subsystem configuration
(sftp-server) is unlikely to be affected.
+ - ssh-agent(1):
+ PKCS#11 modules must now be specified by their full
+ paths. Previously dlopen(3) could search for them in system
+ library directories.
- New features
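Review bot: this incompatible-change entry names only ssh-agent(1), yet the bugfix list later in this same change pairs ssh-agent(1) with ssh(1) for PKCS#11 module loading. If the full-path requirement also applies to ssh(1)'s PKCS#11 provider setting, list ssh(1) here as well; if it is agent-only, say so explicitly so administrators know which configuration to update. It would also help operators to state what they will observe when a bare module name is still used (the module is refused rather than found via the dlopen(3) search path), since that is the symptom that will appear after upgrading.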
@@ -429,7 +433,37 @@
implement a ping capability. These messages use numbers in the "local
extensions" number space and are advertised using a "ping@openssh.com"
ext-info message with a string version number of "0".
- - sshd(8): allow override of Subsystem directives in sshd Match blocks.
+
- sshd(8):
+ allow override of Subsystem directives in sshd Match blocks.
+
- ssh(1):
+ allow forwarding Unix Domain sockets via ssh -W.
+
- ssh(1):
+ add support for configuration tags to ssh(1).
+ This adds a ssh_config(5) "Tag" directive and corresponding
+ "Match tag" predicate that may be used to select blocks of
+ configuration similar to the pf.conf(5) keywords of the same
+ name.
+
- ssh(1):
+ add a "match localnetwork" predicate. This allows matching
+ on the addresses of available network interfaces and may be used to
+ vary the effective client configuration based on network location.
+
- ssh(1),
+ sshd(8),
+ ssh-keygen(1):
+ infrastructure support for KRL
+ extensions. This defines wire formats for optional KRL extensions
+ and implements parsing of the new submessages. No actual extensions
+ are supported at this point.
+
- sshd(8):
+ AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
+ accept two additional %-expansion sequences: %D which expands to
+ the routing domain of the connected session and %C which expands
+ to the addresses and port numbers for the source and destination
+ of the connection.
+
- ssh-keygen(1):
+ increase the default work factor (rounds) for the
+ bcrypt KDF used to derive symmetric encryption keys for passphrase
+ protected key files by 50%.
- Bugfixes
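Review bot: the %C expansion description ("the addresses and port numbers for the source and destination of the connection") gives neither the order nor the separator of the four values, which anyone parsing it from an AuthorizedKeysCommand or AuthorizedPrincipalsCommand script needs; point to sshd_config(5) for the exact format. Separately, the "allow override of Subsystem directives" item was only re-flowed from one line into the tool-name-then-colon layout used by the other entries, so check that its markup matches the neighbouring items and that the extra blank "+" line before it does not render as an empty list entry.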
@@ -448,14 +482,76 @@
- sshd(8):
limit artificial login delay to a reasonable maximum (5s)
and don't delay at all for the "none" authentication mechanism.
-
- sshd(8): Log errors in kex_exchange_identification() with level
+
- sshd(8):
+ Log errors in kex_exchange_identification() with level
verbose instead of error to reduce preauth log spam. All of those
get logged with a more generic error message by sshpkt_fatal().
- sshd(8):
correct math for ClientAliveInterval that caused the probes
to be sent less frequently than configured.
-
- fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
- multiplexed sessions to ignore SIGINT under some circumstances.
+
- ssh-agent(1):
+ improve isolation between loaded PKCS#11 modules
+ by running separate ssh-pkcs11-helpers for each loaded provider.
+
- ssh(1):
+ make -f (fork after authentication) work correctly with
+ multiplexed connections, including ControlPersist.
+
- ssh(1):
+ make ConnectTimeout apply to multiplexing sockets and not
+ just to network connections.
+
- ssh-agent(1),
+ ssh(1):
+ improve defences against invalid PKCS#11
+ modules being loaded by checking that the requested module
+ contains the required symbol before loading it.
+
- sshd(8):
+ fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
+ appears before it in sshd_config. Since OpenSSH 8.7 the
+ AuthorizedPrincipalsCommand directive was incorrectly ignored in
+ this situation.
+
- sshd(8),
+ ssh(1),
+ ssh-keygen(1):
+ remove vestigal support for KRL
+ signatures When the KRL format was originally defined, it included
+ support for signing of KRL objects. However, the code to sign KRLs
+ and verify KRL signatues was never completed in OpenSSH. This
+ release removes the partially-implemented code to verify KRLs.
+ All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
+ KRL files.
+
- All: fix a number of memory leaks and unreachable/harmless integer
+ overflows.
+
- ssh-agent(1),
+ ssh(1):
+ don't truncate strings logged from PKCS#11 modules
+
- sshd(8),
+ ssh(1):
+ better validate CASignatureAlgorithms in
+ ssh_config and sshd_config. Previously this directive would accept
+ certificate algorithm names, but these were unusable in practice as
+ OpenSSH does not support CA chains.
+
- ssh(1):
+ make
ssh -Q CASignatureAlgorithms
only list signature
+ algorithms that are valid for CA signing. Previous behaviour was
+ to list all signing algorithms, including certificate algorithms.
+ - ssh-keyscan(1):
+ gracefully handle systems where rlimits or the
+ maximum number of open files is larger than INT_MAX
+
- ssh-keygen(1):
+ fix "no comment" not showing on when running
+
ssh-keygen -l
on multiple keys where one has a comment
+ and other following keys do not.
+ - scp(1),
+
- sftp(1):
+ adjust ftruncate() logic to handle servers that
+ reorder requests. Previously, if the server reordered requests then
+ the resultant file would be erroneously truncated.
+
- ssh(1):
+ don't incorrectly disable hostname canonicalization when
+ CanonicalizeHostname=yes and ProxyJump was expicitly set to
+ "none".
+
- scp(1):
+ when copying local to remote, check that the source file
+ exists before opening an SFTP connection to the server.
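Review bot: the scp(1)/sftp(1) entry is broken by a blank added line between "- scp(1)," and "- sftp(1):", so it will render as two entries, one of which ("scp(1),") has no text; join them into one item. Spelling in the added text: "vestigal" should be "vestigial", "signatues" should be "signatures", "expicitly" should be "explicitly", "not showing on when running" has a stray "on", and "remove vestigal support for KRL signatures When the KRL format" is missing a full stop before "When". The "All: fix a number of memory leaks" entry also departs from the "- tool(1):" layout used by every other item in this list, and the ssh -Q CASignatureAlgorithms and ssh-keygen -l snippets sit on their own lines with the continuations "only list signature" and "on multiple keys" split around them, so verify the inline markup closes correctly there.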