10024 lines
514 KiB
Plaintext
10024 lines
514 KiB
Plaintext
|
<!--
|
||
|
DO NOT EDIT MANUALLY! This is generated from:
|
||
|
www/build/openssh/releasenotes.html.head
|
||
|
www/build/openssh/releasenotes.html.tail
|
||
|
|
||
|
See comments in www/build/openssh/Makefile for details.
|
||
|
--><!doctype html>
|
||
|
<html lang="en">
|
||
|
<head>
|
||
|
<meta charset="utf-8">
|
||
|
<title>OpenSSH: Release Notes</title>
|
||
|
<meta name="description" content="OpenSSH release notes">
|
||
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||
|
<link rel="canonical" href="https://www.openssh.com/releasenotes.html">
|
||
|
<link rel="stylesheet" type="text/css" href="openbsd.css">
|
||
|
</head>
|
||
|
<body>
|
||
|
<h2 id="OpenBSD"> <a href="/"> <i>Open</i><b>SSH</b></a> Release Notes </h2>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-8.5" id="8.5">OpenSSH 8.5</a>/<a href="txt/release-8.5" id="8.5p1">8.5p1</a> (2021-03-03)</h3>
|
||
|
<pre>OpenSSH 8.5 was released on 2021-03-03. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="https://www.openssh.com/donations.html">https://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
It is now possible[1] to perform chosen-prefix attacks against the
|
||
|
SHA-1 algorithm for less than USD$50K.
|
||
|
|
||
|
In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
|
||
|
hash algorithm in conjunction with the RSA public key algorithm.
|
||
|
OpenSSH will disable this signature scheme by default in the near
|
||
|
future.
|
||
|
|
||
|
Note that the deactivation of "ssh-rsa" signatures does not necessarily
|
||
|
require cessation of use for RSA keys. In the SSH protocol, keys may be
|
||
|
capable of signing using multiple algorithms. In particular, "ssh-rsa"
|
||
|
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
|
||
|
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
|
||
|
these is being turned off by default.
|
||
|
|
||
|
This algorithm is unfortunately still used widely despite the
|
||
|
existence of better alternatives, being the only remaining public key
|
||
|
signature algorithm specified by the original SSH RFCs that is still
|
||
|
enabled by default.
|
||
|
|
||
|
The better alternatives include:
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc8332">RFC8332</a> RSA SHA-2 signature algorithms rsa-sha2-256/512. These
|
||
|
algorithms have the advantage of using the same key type as
|
||
|
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
|
||
|
supported since OpenSSH 7.2 and are already used by default if the
|
||
|
client and server support them.
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc8709">RFC8709</a> ssh-ed25519 signature algorithm. It has been supported
|
||
|
in OpenSSH since release 6.5.
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc5656">RFC5656</a> ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
|
||
|
have been supported by OpenSSH since release 5.7.
|
||
|
|
||
|
To check whether a server is using the weak ssh-rsa public key
|
||
|
algorithm, for host authentication, try to connect to it after
|
||
|
removing the ssh-rsa algorithm from <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>'s allowed list:
|
||
|
|
||
|
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
|
||
|
|
||
|
If the host key verification fails and no other supported host key
|
||
|
types are available, the server software on that host should be
|
||
|
upgraded.
|
||
|
|
||
|
This release enables the UpdateHostKeys option by default to assist
|
||
|
the client by automatically migrating to better algorithms.
|
||
|
|
||
|
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
|
||
|
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
|
||
|
(2020) <a href="https://eprint.iacr.org/2020/014.pdf">https://eprint.iacr.org/2020/014.pdf</a>
|
||
|
|
||
|
Security
|
||
|
========
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: fixed a double-free memory corruption that was
|
||
|
introduced in OpenSSH 8.2 . We treat all such memory faults as
|
||
|
potentially exploitable. This bug could be reached by an attacker
|
||
|
with access to the agent socket.
|
||
|
|
||
|
On modern operating systems where the OS can provide information
|
||
|
about the user identity connected to a socket, OpenSSH ssh-agent
|
||
|
and sshd limit agent socket access only to the originating user
|
||
|
and root. Additional mitigation may be afforded by the system's
|
||
|
malloc(3)/free(3) implementation, if it detects double-free
|
||
|
conditions.
|
||
|
|
||
|
The most likely scenario for exploitation is a user forwarding an
|
||
|
agent either to an account shared with a malicious user or to a
|
||
|
host with an attacker holding root access.
|
||
|
|
||
|
* Portable <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Prevent excessively long username going to PAM.
|
||
|
This is a mitigation for a buffer overflow in Solaris' PAM username
|
||
|
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
|
||
|
implementations. This is not a problem in sshd itself, it only
|
||
|
prevents sshd from being used as a vector to attack Solaris' PAM.
|
||
|
It does not prevent the bug in PAM from being exploited via some
|
||
|
other PAM application. GH<a href="https://github.com/openssh/openssh-portable/pull/212">PR212</a>
|
||
|
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: this release changes the first-preference signature
|
||
|
algorithm from ECDSA to ED25519.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: set the TOS/DSCP specified in the configuration
|
||
|
for interactive use prior to TCP connect. The connection phase of
|
||
|
the SSH session is time-sensitive and often explicitly interactive.
|
||
|
The ultimate interactive/bulk TOS/DSCP will be set after
|
||
|
authentication completes.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove the pre-standardization cipher
|
||
|
rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
|
||
|
it was standardized in <a href="https://tools.ietf.org/html/rfc4253">RFC4253</a> (2006), has been deprecated and
|
||
|
disabled by default since OpenSSH 7.2 (2016) and was only briefly
|
||
|
documented in ssh.1 in 2001.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: update/replace the experimental post-quantum
|
||
|
hybrid key exchange method based on Streamlined NTRU Prime coupled
|
||
|
with X25519.
|
||
|
|
||
|
The previous sntrup4591761x25519-sha512@tinyssh.org method is
|
||
|
replaced with sntrup761x25519-sha512@openssh.com. Per its
|
||
|
designers, the sntrup4591761 algorithm was superseded almost two
|
||
|
years ago by sntrup761.
|
||
|
|
||
|
(note this both the updated method and the one that it replaced are
|
||
|
disabled by default)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: disable CheckHostIP by default. It provides insignificant
|
||
|
benefits while making key rotation significantly more difficult,
|
||
|
especially for hosts behind IP-based load-balancers.
|
||
|
|
||
|
Changes since OpenSSH 8.4
|
||
|
=========================
|
||
|
|
||
|
New features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: this release enables UpdateHostkeys by default subject to
|
||
|
some conservative preconditions:
|
||
|
- The key was matched in the UserKnownHostsFile (and not in the
|
||
|
GlobalKnownHostsFile).
|
||
|
- The same key does not exist under another name.
|
||
|
- A certificate host key is not in use.
|
||
|
- known_hosts contains no matching wildcard hostname pattern.
|
||
|
- VerifyHostKeyDNS is not enabled.
|
||
|
- The default UserKnownHostsFile is in use.
|
||
|
|
||
|
We expect some of these conditions will be modified or relaxed in
|
||
|
future.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a new LogVerbose configuration directive for
|
||
|
that allows forcing maximum debug logging by file/function/line
|
||
|
pattern-lists.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when prompting the user to accept a new hostkey, display
|
||
|
any other host names/addresses already associated with the key.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow UserKnownHostsFile=none to indicate that no
|
||
|
known_hosts file should be used to identify host keys.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a ssh_config KnownHostsCommand option that allows the
|
||
|
client to obtain known_hosts data from a command in addition to
|
||
|
the usual files.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a ssh_config PermitRemoteOpen option that allows the
|
||
|
client to restrict the destination when RemoteForward is used
|
||
|
with SOCKS.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: for FIDO keys, if a signature operation fails with a
|
||
|
"incorrect PIN" reason and no PIN was initially requested from the
|
||
|
user, then request a PIN and retry the operation. This supports
|
||
|
some biometric devices that fall back to requiring PIN when reading
|
||
|
of the biometric failed, and devices that require PINs for all
|
||
|
hosted credentials.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: implement client address-based rate-limiting via new
|
||
|
<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> PerSourceMaxStartups and PerSourceNetBlockSize
|
||
|
directives that provide more fine-grained control on a per-origin
|
||
|
address basis than the global MaxStartups limit.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Prefix keyboard interactive prompts with "(user@host)" to
|
||
|
make it easier to determine which connection they are associated
|
||
|
with in cases like scp -3, ProxyJump, etc. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3224">bz#3224</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix sshd_config SetEnv directives located inside Match
|
||
|
blocks. GH<a href="https://github.com/openssh/openssh-portable/pull/201">PR201</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when requesting a FIDO token touch on stderr, inform the
|
||
|
user once the touch has been recorded.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: prevent integer overflow when ridiculously large
|
||
|
ConnectTimeout values are specified, capping the effective value
|
||
|
(for most platforms) at 24 days. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3229">bz#3229</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: consider the ECDSA key subtype when ordering host key
|
||
|
algorithms in the client.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: rename the PubkeyAcceptedKeyTypes keyword to
|
||
|
PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
|
||
|
that it control allowed key algorithms, when this option actually
|
||
|
specifies the signature algorithms that are accepted. The previous
|
||
|
name remains available as an alias. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3253">bz#3253</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: similarly, rename HostbasedKeyTypes (ssh) and
|
||
|
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: add missing lsetstat@openssh.com documentation
|
||
|
and advertisement in the server's SSH2_FXP_VERSION hello packet.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: more strictly enforce KEX state-machine by
|
||
|
banning packet types once they are received. Fixes memleak caused
|
||
|
by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: allow the full range of UIDs/GIDs for chown/chgrp on 32bit
|
||
|
platforms instead of being limited by LONG_MAX. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3206">bz#3206</a>
|
||
|
|
||
|
* Minor man page fixes (capitalization, commas, etc.) <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3223">bz#3223</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: when doing an sftp recursive upload or download of a
|
||
|
read-only directory, ensure that the directory is created with
|
||
|
write and execute permissions in the interim so that the transfer
|
||
|
can actually complete, then set the directory permission as the
|
||
|
final step. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3222">bz#3222</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: document the -Z, check the validity of its argument
|
||
|
earlier and provide a better error message if it's not correct.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2879">bz#2879</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: ignore comments at the end of config lines in ssh_config,
|
||
|
similar to what we already do for sshd_config. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2320">bz#2320</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: mention that DisableForwarding is valid in a
|
||
|
sshd_config Match block. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3239">bz3239</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix incorrect sorting of "ls -ltr" under some
|
||
|
circumstances. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3248">bz3248</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix potential integer truncation of (unlikely)
|
||
|
timeout values. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3250">bz#3250</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: make hostbased authentication send the signature algorithm
|
||
|
in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
|
||
|
This make HostbasedAcceptedAlgorithms do what it is supposed to -
|
||
|
filter on signature algorithm and not key type.
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a number of platform-specific syscalls to the Linux
|
||
|
seccomp-bpf sandbox. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3232">bz#3232</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3260">bz#3260</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove debug message from sigchld handler that could cause
|
||
|
deadlock on some platforms. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3259">bz#3259</a>
|
||
|
|
||
|
* Sync contrib/ssh-copy-id with upstream.
|
||
|
|
||
|
* unittests: add a hostname function for systems that don't have it.
|
||
|
Some systems don't have a hostname command (it's not required by
|
||
|
POSIX). The do have uname -n (which is), but not all of those have
|
||
|
it report the FQDN.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.5.tar.gz">openssh-8.5.tar.gz</a>) = 04cae43c389fb411227c01219e4eb46e3113f34e
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.5.tar.gz">openssh-8.5.tar.gz</a>) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz">openssh-8.5p1.tar.gz</a>) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz">openssh-8.5p1.tar.gz</a>) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available from the mirror sites:
|
||
|
<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc">https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc</a>
|
||
|
|
||
|
Please note that the OpenPGP key used to sign releases has been
|
||
|
rotated for this release. The new key has been signed by the previous
|
||
|
key to provide continuity.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="https://www.openssh.com/report.html">https://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-8.4" id="8.4">OpenSSH 8.4</a>/<a href="txt/release-8.4" id="8.4p1">8.4p1</a> (2020-09-27)</h3>
|
||
|
<pre>OpenSSH 8.4 was released on 2020-09-27. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="https://www.openssh.com/donations.html">https://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
It is now possible[1] to perform chosen-prefix attacks against the
|
||
|
SHA-1 algorithm for less than USD$50K. For this reason, we will be
|
||
|
disabling the "ssh-rsa" public key signature algorithm by default in a
|
||
|
near-future release.
|
||
|
|
||
|
This algorithm is unfortunately still used widely despite the
|
||
|
existence of better alternatives, being the only remaining public key
|
||
|
signature algorithm specified by the original SSH RFCs.
|
||
|
|
||
|
The better alternatives include:
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc8332">RFC8332</a> RSA SHA-2 signature algorithms rsa-sha2-256/512. These
|
||
|
algorithms have the advantage of using the same key type as
|
||
|
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
|
||
|
supported since OpenSSH 7.2 and are already used by default if the
|
||
|
client and server support them.
|
||
|
|
||
|
* The ssh-ed25519 signature algorithm. It has been supported in
|
||
|
OpenSSH since release 6.5.
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc5656">RFC5656</a> ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
|
||
|
have been supported by OpenSSH since release 5.7.
|
||
|
|
||
|
To check whether a server is using the weak ssh-rsa public key
|
||
|
algorithm, for host authentication, try to connect to it after
|
||
|
removing the ssh-rsa algorithm from <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>'s allowed list:
|
||
|
|
||
|
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
|
||
|
|
||
|
If the host key verification fails and no other supported host key
|
||
|
types are available, the server software on that host should be
|
||
|
upgraded.
|
||
|
|
||
|
We intend to enable UpdateHostKeys by default in the next OpenSSH
|
||
|
release. This will assist the client by automatically migrating to
|
||
|
better algorithms. Users may consider enabling this option manually.
|
||
|
|
||
|
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
|
||
|
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
|
||
|
(2020) <a href="https://eprint.iacr.org/2020/014.pdf">https://eprint.iacr.org/2020/014.pdf</a>
|
||
|
|
||
|
Security
|
||
|
========
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: restrict ssh-agent from signing web challenges for
|
||
|
FIDO/U2F keys.
|
||
|
|
||
|
When signing messages in ssh-agent using a FIDO key that has an
|
||
|
application string that does not start with "ssh:", ensure that the
|
||
|
message being signed is one of the forms expected for the SSH protocol
|
||
|
(currently public key authentication and sshsig signatures).
|
||
|
|
||
|
This prevents ssh-agent forwarding on a host that has FIDO keys
|
||
|
attached granting the ability for the remote side to sign challenges
|
||
|
for web authentication using those keys too.
|
||
|
|
||
|
Note that the converse case of web browsers signing SSH challenges is
|
||
|
already precluded because no web RP can have the "ssh:" prefix in the
|
||
|
application string that we require.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Enable FIDO 2.1 credProtect extension when generating
|
||
|
a FIDO resident key.
|
||
|
|
||
|
The recent FIDO 2.1 Client to Authenticator Protocol introduced a
|
||
|
"credProtect" feature to better protect resident keys. We use this
|
||
|
option to require a PIN prior to all operations that may retrieve
|
||
|
a resident key from a FIDO token.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0
|
||
|
or greater. Older libraries have limited support at the expense of
|
||
|
disabling particular features. These include resident keys, PIN-
|
||
|
required keys and multiple attached tokens.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: the format of the attestation information optionally
|
||
|
recorded when a FIDO key is generated has changed. It now includes
|
||
|
the authenticator data needed to validate attestation signatures.
|
||
|
|
||
|
* The API between OpenSSH and the FIDO token middleware has changed
|
||
|
and the SSH_SK_VERSION_MAJOR version has been incremented as a
|
||
|
result. Third-party middleware libraries must support the current
|
||
|
API version (7) to work with OpenSSH 8.4.
|
||
|
|
||
|
* The portable OpenSSH distribution now requires automake to rebuild
|
||
|
the configure script and supporting files. This is not required when
|
||
|
simply building portable OpenSSH from a release tar file.
|
||
|
|
||
|
Changes since OpenSSH 8.3
|
||
|
=========================
|
||
|
|
||
|
New features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: support for FIDO keys that require a PIN for
|
||
|
each use. These keys may be generated using ssh-keygen using a new
|
||
|
"verify-required" option. When a PIN-required key is used, the user
|
||
|
will be prompted for a PIN to complete the signature operation.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: authorized_keys now supports a new "verify-required"
|
||
|
option to require FIDO signatures assert that the token verified
|
||
|
that the user was present before making the signature. The FIDO
|
||
|
protocol supports multiple methods for user-verification, but
|
||
|
currently OpenSSH only supports PIN verification.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add support for verifying FIDO webauthn
|
||
|
signatures. Webauthn is a standard for using FIDO keys in web
|
||
|
browsers. These signatures are a slightly different format to plain
|
||
|
FIDO signatures and thus require explicit support.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow some keywords to expand shell-style ${ENV}
|
||
|
environment variables. The supported keywords are CertificateFile,
|
||
|
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
|
||
|
RemoteForward when used for Unix domain socket paths. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3140">bz#3140</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: allow some additional control over the use of
|
||
|
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
|
||
|
including forcibly enabling and disabling its use. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=69">bz#69</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>'s AddKeysToAgent keyword accept a time
|
||
|
limit for keys in addition to its current flag options. Time-
|
||
|
limited keys will automatically be removed from ssh-agent after
|
||
|
their expiry time has passed.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>, <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: allow the -A flag to explicitly enable agent
|
||
|
forwarding in scp and sftp. The default remains to not forward an
|
||
|
agent, even when ssh_config enables it.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a '%k' TOKEN that expands to the effective HostKey of
|
||
|
the destination. This allows, e.g., keeping host keys in individual
|
||
|
files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1654">bz#1654</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add %-TOKEN, environment variable and tilde expansion to
|
||
|
the UserKnownHostsFile directive, allowing the path to be
|
||
|
completed by the configuration (e.g. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1654">bz#1654</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow "ssh-add -d -" to read keys to be deleted
|
||
|
from stdin. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3180">bz#3180</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: improve logging for MaxStartups connection throttling.
|
||
|
sshd will now log when it starts and stops throttling and periodically
|
||
|
while in this state. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3055">bz#3055</a>
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: better support for multiple attached FIDO
|
||
|
tokens. In cases where OpenSSH cannot unambiguously determine which
|
||
|
token to direct a request to, the user is now required to select a
|
||
|
token by touching it. In cases of operations that require a PIN to
|
||
|
be verified, this avoids sending the wrong PIN to the wrong token
|
||
|
and incrementing the token's PIN failure counter (tokens
|
||
|
effectively erase their keys after too many PIN failures).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix Include before Match in sshd_config; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3122">bz#3122</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: close stdin/out/error when forking after authentication
|
||
|
completes ("ssh -f ...") <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3137">bz#3137</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: limit the amount of channel input data buffered,
|
||
|
avoiding peers that advertise large windows but are slow to read
|
||
|
from causing high memory consumption.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: handle multiple requests sent in a single write() to
|
||
|
the agent.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow sshd_config longer than 256k
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid spurious "Unable to load host key" message when sshd
|
||
|
load a private key but no public counterpart
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: prefer the default hostkey algorithm list whenever we have
|
||
|
a hostkey that matches its best-preference algorithm.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.1">sshd(1)</a>: when ordering the hostkey algorithms to request from a
|
||
|
server, prefer certificate types if the known_hosts files contain a key
|
||
|
marked as a @cert-authority; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3157">bz#3157</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: perform host key fingerprint comparisons for the "Are you
|
||
|
sure you want to continue connecting (yes/no/[fingerprint])?"
|
||
|
prompt with case sensitivity.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: ensure that address/masklen mismatches in sshd_config
|
||
|
yield fatal errors at daemon start time rather than later when
|
||
|
they are evaluated.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: ensure that certificate extensions are lexically
|
||
|
sorted. Previously if the user specified a custom extension then
|
||
|
the everything would be in order except the custom ones. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3198">bz#3198</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: also compare username when checking for JumpHost loops.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3057">bz#3057</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: preserve group/world read permission on known_hosts
|
||
|
files across runs of "ssh-keygen -Rf /path". The old behaviour was
|
||
|
to remove all rights for group/other. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3146">bz#3146</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Mention the [-a rounds] flag in the ssh-keygen
|
||
|
manual page and usage().
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: explicitly construct path to ~/.ssh/rc rather than
|
||
|
relying on it being relative to the current directory, so that it
|
||
|
can still be found if the shell startup changes its directory.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3185">bz#3185</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: when redirecting sshd's log output to a file, undo this
|
||
|
redirection after the session child process is forked(). Fixes
|
||
|
missing log messages when using this feature under some
|
||
|
circumstances.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: start ClientAliveInterval bookkeeping before first pass
|
||
|
through select() loop; fixed theoretical case where busy sshd may
|
||
|
ignore timeouts from client.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: only reset the ServerAliveInterval check when we receive
|
||
|
traffic from the server and ignore traffic from a port forwarding
|
||
|
client, preventing a client from keeping a connection alive when
|
||
|
it should be terminated. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2265">bz#2265</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: avoid spurious error message when ssh-keygen
|
||
|
creates files outside ~/.ssh
|
||
|
|
||
|
* sftp-client(1): fix off-by-one error that caused sftp downloads to
|
||
|
make one more concurrent request that desired. This prevented using
|
||
|
<a href="https://man.openbsd.org/sftp.1">sftp(1)</a> in unpipelined request/response mode, which is useful when
|
||
|
debugging. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3054">bz#3054</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: handle EINTR in waitfd() and timeout_connect()
|
||
|
helpers. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3071">bz#3071</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: defer creation of ~/.ssh until we attempt to
|
||
|
write to it so we don't leave an empty .ssh directory when it's not
|
||
|
needed. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3156">bz#3156</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix multiplier when parsing time specifications
|
||
|
when handling seconds after other units. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3171">bz#3171</a>
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: always send any PAM account messages. If the PAM account
|
||
|
stack returns any messages, always send them to the user and not
|
||
|
just if the check succeeds. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2049">bz#2049</a>
|
||
|
|
||
|
* Implement some backwards compatibility for libfido2 libraries
|
||
|
older than 1.5.0. Note that use of an older library will result
|
||
|
in the loss of certain features including resident key support,
|
||
|
PIN support and support for multiple attached tokens.
|
||
|
|
||
|
* configure fixes for XCode 12
|
||
|
|
||
|
* gnome-ssh-askpass3: ensure the "close" button is not focused by
|
||
|
default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter
|
||
|
accidentally dismissing FIDO touch notifications.
|
||
|
|
||
|
* gnome-ssh-askpass3: allow some control over textarea colour via
|
||
|
$GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR
|
||
|
environment variables.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: document another PAM spec problem in a frustrated comment
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: support NetBSD's utmpx.ut_ss address field. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=960">bz#960</a>
|
||
|
|
||
|
* Add the ssh-sk-helper binary and its manpage to the RPM spec file
|
||
|
|
||
|
* Detect the Frankenstein monster of Linux/X32 and allow the sandbox
|
||
|
to function there. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3085">bz#3085</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.4.tar.gz">openssh-8.4.tar.gz</a>) = 71675139df6807f396e6bd92ff8cb9b0356385d8
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.4.tar.gz">openssh-8.4.tar.gz</a>) = JhBgLYkyRge/zQK8ylBSRcOYvrV/tHwQcvVXfExGB70=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz">openssh-8.4p1.tar.gz</a>) = 69305059e10a60693ebe6f17731f962c9577535c
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz">openssh-8.4p1.tar.gz</a>) = WgHSLkB+scBbqKj3xlTTiKE+nyJuTtM704dI2vodKyQ=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="https://www.openssh.com/report.html">https://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-8.3" id="8.3">OpenSSH 8.3</a>/<a href="txt/release-8.3" id="8.3p1">8.3p1</a> (2020-05-27)</h3>
|
||
|
<pre>OpenSSH 8.3 was released on 2020-05-27. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="https://www.openssh.com/donations.html">https://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
It is now possible[1] to perform chosen-prefix attacks against the
|
||
|
SHA-1 algorithm for less than USD$50K. For this reason, we will be
|
||
|
disabling the "ssh-rsa" public key signature algorithm by default in a
|
||
|
near-future release.
|
||
|
|
||
|
This algorithm is unfortunately still used widely despite the
|
||
|
existence of better alternatives, being the only remaining public key
|
||
|
signature algorithm specified by the original SSH RFCs.
|
||
|
|
||
|
The better alternatives include:
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc8332">RFC8332</a> RSA SHA-2 signature algorithms rsa-sha2-256/512. These
|
||
|
algorithms have the advantage of using the same key type as
|
||
|
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
|
||
|
supported since OpenSSH 7.2 and are already used by default if the
|
||
|
client and server support them.
|
||
|
|
||
|
* The ssh-ed25519 signature algorithm. It has been supported in
|
||
|
OpenSSH since release 6.5.
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc5656">RFC5656</a> ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
|
||
|
have been supported by OpenSSH since release 5.7.
|
||
|
|
||
|
To check whether a server is using the weak ssh-rsa public key
|
||
|
algorithm, for host authentication, try to connect to it after
|
||
|
removing the ssh-rsa algorithm from <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>'s allowed list:
|
||
|
|
||
|
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
|
||
|
|
||
|
If the host key verification fails and no other supported host key
|
||
|
types are available, the server software on that host should be
|
||
|
upgraded.
|
||
|
|
||
|
A future release of OpenSSH will enable UpdateHostKeys by default
|
||
|
to allow the client to automatically migrate to better algorithms.
|
||
|
Users may consider enabling this option manually. Vendors of devices
|
||
|
that implement the SSH protocol should ensure that they support the
|
||
|
new signature algorithms for RSA keys.
|
||
|
|
||
|
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
|
||
|
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
|
||
|
(2020) <a href="https://eprint.iacr.org/2020/014.pdf">https://eprint.iacr.org/2020/014.pdf</a>
|
||
|
|
||
|
Security
|
||
|
========
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: when receiving files, <a href="https://man.openbsd.org/scp.1">scp(1)</a> could be become desynchronised
|
||
|
if a utimes(2) system call failed. This could allow file contents
|
||
|
to be interpreted as file metadata and thereby permit an adversary
|
||
|
to craft a file system that, when copied with <a href="https://man.openbsd.org/scp.1">scp(1)</a> in a
|
||
|
configuration that caused utimes(2) to fail (e.g. under a SELinux
|
||
|
policy or syscall sandbox), transferred different file names and
|
||
|
contents to the actual file system layout.
|
||
|
|
||
|
Exploitation of this is not likely as utimes(2) does not fail under
|
||
|
normal circumstances. Successful exploitation is not silent - the
|
||
|
output of <a href="https://man.openbsd.org/scp.1">scp(1)</a> would show transfer errors followed by the actual
|
||
|
file(s) that were received.
|
||
|
|
||
|
Finally, filenames returned from the peer are (since openssh-8.0)
|
||
|
matched against the user's requested destination, thereby
|
||
|
disallowing a successful exploit from writing files outside the
|
||
|
user's selected target glob (or directory, in the case of a
|
||
|
recursive transfer). This ensures that this attack can achieve no
|
||
|
more than a hostile peer is already able to achieve within the scp
|
||
|
protocol.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: reject an argument of "-1" in the same way as <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and
|
||
|
<a href="https://man.openbsd.org/scp.1">scp(1)</a> do instead of accepting and silently ignoring it.
|
||
|
|
||
|
Changes since OpenSSH 8.2
|
||
|
=========================
|
||
|
|
||
|
The focus of this release is bug fixing.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: make IgnoreRhosts a tri-state option: "yes" to ignore
|
||
|
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
|
||
|
to allow .shosts files but not .rhosts.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow the IgnoreRhosts directive to appear anywhere in a
|
||
|
sshd_config, not just before any Match blocks; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3148">bz3148</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add %TOKEN percent expansion for the LocalFoward and
|
||
|
RemoteForward keywords when used for Unix domain socket forwarding.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3014">bz#3014</a>
|
||
|
|
||
|
* all: allow loading public keys from the unencrypted envelope of a
|
||
|
private key file if no corresponding public key file is present.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: prefer to use chacha20 from libcrypto where
|
||
|
possible instead of the (slower) portable C implementation included
|
||
|
in OpenSSH.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add ability to dump the contents of a binary key
|
||
|
revocation list via "ssh-keygen -lQf /path" <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3132">bz#3132</a>
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix IdentitiesOnly=yes to also apply to keys loaded from
|
||
|
a PKCS11Provider; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3141">bz#3141</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: avoid NULL dereference when trying to convert an
|
||
|
invalid <a href="https://tools.ietf.org/html/rfc4716">RFC4716</a> private key.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: when performing remote-to-remote copies using "scp -3",
|
||
|
start the second <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> channel with BatchMode=yes enabled to
|
||
|
avoid confusing and non-deterministic ordering of prompts.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: when signing a challenge using a FIDO token,
|
||
|
perform hashing of the message to be signed in the middleware layer
|
||
|
rather than in OpenSSH code. This permits the use of security key
|
||
|
middlewares that perform the hashing implicitly, such as Windows
|
||
|
Hello.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix incorrect error message for "too many known hosts
|
||
|
files." <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3149">bz#3149</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: make failures when establishing "Tunnel" forwarding
|
||
|
terminate the connection when ExitOnForwardFailure is enabled;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3116">bz#3116</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: fix printing of fingerprints on private keys and add
|
||
|
a regression test for same.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: document order of checking AuthorizedKeysFile (first) and
|
||
|
AuthorizedKeysCommand (subsequently, if the file doesn't match);
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3134">bz#3134</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: document that /etc/hosts.equiv and /etc/shosts.equiv are
|
||
|
not considered for HostbasedAuthentication when the target user is
|
||
|
root; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3148">bz#3148</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: fix NULL dereference in private certificate
|
||
|
key parsing (oss-fuzz #20074).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: more consistency between sets of %TOKENS are
|
||
|
accepted in various configuration options.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: improve error messages for some common
|
||
|
PKCS#11 C_Login failure cases; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3130">bz#3130</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: make error messages for problems during SSH banner
|
||
|
exchange consistent with other SSH transport-layer error messages
|
||
|
and ensure they include the relevant IP addresses <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3129">bz#3129</a>
|
||
|
|
||
|
* various: fix a number of spelling errors in comments and debug/error
|
||
|
messages
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: when downloading FIDO2 resident keys
|
||
|
from a token, don't prompt for a PIN until the token has told us
|
||
|
that it needs one. Avoids double-prompting on devices that
|
||
|
implement on-device authentication.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: no-touch-required FIDO certificate option
|
||
|
should be an extension, not a critical option.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: offer a better error message
|
||
|
when trying to use a FIDO key function and SecurityKeyProvider is
|
||
|
empty.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>, <a href="https://man.openbsd.org/ssh-agent.8">ssh-agent(8)</a>: ensure that a key lifetime fits within
|
||
|
the values allowed by the wire format (u32). Prevents integer
|
||
|
wraparound of the timeout values. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3119">bz#3119</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: detect and prevent trivial configuration loops when using
|
||
|
ProxyJump. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3057">bz#3057</a>.
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* Detect systems where signals flagged with SA_RESTART will interrupt
|
||
|
select(2). POSIX permits implementations to choose whether
|
||
|
select(2) will return when interrupted with a SA_RESTART-flagged
|
||
|
signal, but OpenSSH requires interrupting behaviour.
|
||
|
|
||
|
* Several compilation fixes for HP/UX and AIX.
|
||
|
|
||
|
* On platforms that do not support setting process-wide routing
|
||
|
domains (all excepting OpenBSD at present), fail to accept a
|
||
|
configuration attempts to set one at process start time rather than
|
||
|
fatally erroring at run time. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3126">bz#3126</a>
|
||
|
|
||
|
* Improve detection of egrep (used in regression tests) on platforms
|
||
|
that offer a poor default one (e.g. Solaris).
|
||
|
|
||
|
* A number of shell portability fixes for the regression tests.
|
||
|
|
||
|
* Fix theoretical infinite loop in the glob(3) replacement
|
||
|
implementation.
|
||
|
|
||
|
* Fix seccomp sandbox compilation problems for some Linux
|
||
|
configurations <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3085">bz#3085</a>
|
||
|
|
||
|
* Improved detection of libfido2 and some compilation fixes for some
|
||
|
configurations when --with-security-key-builtin is selected.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.3.tar.gz">openssh-8.3.tar.gz</a>) = 46c63b7ddbe46a0666222f7988c993866c31fcca
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.3.tar.gz">openssh-8.3.tar.gz</a>) = M6CnZ+duGs4bzDio8hQNLwyLQChV+3wkUEO8HWLV35c=
|
||
|
|
||
|
- SHA1 (/<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz">openssh-8.3p1.tar.gz</a>) = 04c7adb9986f16746588db8988b910530c589819
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz">openssh-8.3p1.tar.gz</a>) = 8r774Ecv5+t10jNA6xdTHLazqsJAdeIGa0H4FOEjh7I=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="https://www.openssh.com/report.html">https://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-8.2" id="8.2">OpenSSH 8.2</a>/<a href="txt/release-8.2" id="8.2p1">8.2p1</a> (2020-02-14)</h3>
|
||
|
<pre>OpenSSH 8.2 was released on 2020-02-14. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="https://www.openssh.com/donations.html">https://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
It is now possible[1] to perform chosen-prefix attacks against the
|
||
|
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
|
||
|
be disabling the "ssh-rsa" public key signature algorithm that depends
|
||
|
on SHA-1 by default in a near-future release.
|
||
|
|
||
|
This algorithm is unfortunately still used widely despite the
|
||
|
existence of better alternatives, being the only remaining public key
|
||
|
signature algorithm specified by the original SSH RFCs.
|
||
|
|
||
|
The better alternatives include:
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc8332">RFC8332</a> RSA SHA-2 signature algorithms rsa-sha2-256/512. These
|
||
|
algorithms have the advantage of using the same key type as
|
||
|
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
|
||
|
supported since OpenSSH 7.2 and are already used by default if the
|
||
|
client and server support them.
|
||
|
|
||
|
* The ssh-ed25519 signature algorithm. It has been supported in
|
||
|
OpenSSH since release 6.5.
|
||
|
|
||
|
* The <a href="https://tools.ietf.org/html/rfc5656">RFC5656</a> ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
|
||
|
have been supported by OpenSSH since release 5.7.
|
||
|
|
||
|
To check whether a server is using the weak ssh-rsa public key
|
||
|
algorithm for host authentication, try to connect to it after
|
||
|
removing the ssh-rsa algorithm from <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>'s allowed list:
|
||
|
|
||
|
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
|
||
|
|
||
|
If the host key verification fails and no other supported host key
|
||
|
types are available, the server software on that host should be
|
||
|
upgraded.
|
||
|
|
||
|
A future release of OpenSSH will enable UpdateHostKeys by default
|
||
|
to allow the client to automatically migrate to better algorithms.
|
||
|
Users may consider enabling this option manually.
|
||
|
|
||
|
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
|
||
|
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
|
||
|
(2020) <a href="https://eprint.iacr.org/2020/014.pdf">https://eprint.iacr.org/2020/014.pdf</a>
|
||
|
|
||
|
Security
|
||
|
========
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: this release removes the "ssh-rsa"
|
||
|
(RSA/SHA1) algorithm from those accepted for certificate signatures
|
||
|
(i.e. the client and server CASignatureAlgorithms option) and will
|
||
|
use the rsa-sha2-512 signature algorithm by default when the
|
||
|
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> CA signs new certificates.
|
||
|
|
||
|
Certificates are at special risk to the aforementioned SHA1
|
||
|
collision vulnerability as an attacker has effectively unlimited
|
||
|
time in which to craft a collision that yields them a valid
|
||
|
certificate, far more than the relatively brief LoginGraceTime
|
||
|
window that they have to forge a host key signature.
|
||
|
|
||
|
The OpenSSH certificate format includes a CA-specified (typically
|
||
|
random) nonce value near the start of the certificate that should
|
||
|
make exploitation of chosen-prefix collisions in this context
|
||
|
challenging, as the attacker does not have full control over the
|
||
|
prefix that actually gets signed. Nonetheless, SHA1 is now a
|
||
|
demonstrably broken algorithm and futher improvements in attacks
|
||
|
are highly likely.
|
||
|
|
||
|
OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
|
||
|
algorithms and will refuse to accept certificates signed by an
|
||
|
OpenSSH 8.2+ CA using RSA keys unless the unsafe algorithm is
|
||
|
explicitly selected during signing ("ssh-keygen -t ssh-rsa").
|
||
|
Older clients/servers may use another CA key type such as
|
||
|
ssh-ed25519 (supported since OpenSSH 6.5) or one of the
|
||
|
ecdsa-sha2-nistp256/384/521 types (supported since OpenSSH 5.7)
|
||
|
instead if they cannot be upgraded.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: the above removal of "ssh-rsa" from the accepted
|
||
|
CASignatureAlgorithms list.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: this release removes diffie-hellman-group14-sha1
|
||
|
from the default key exchange proposal for both the client and
|
||
|
server.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: the command-line options related to the generation
|
||
|
and screening of safe prime numbers used by the
|
||
|
diffie-hellman-group-exchange-* key exchange algorithms have
|
||
|
changed. Most options have been folded under the -O flag.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: the sshd listener process title visible to ps(1) has
|
||
|
changed to include information about the number of connections that
|
||
|
are currently attempting authentication and the limits configured
|
||
|
by MaxStartups.
|
||
|
|
||
|
* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
|
||
|
support to provide address-space isolation for token middleware
|
||
|
libraries (including the internal one). It needs to be installed
|
||
|
in the expected path, typically under /usr/libexec or similar.
|
||
|
|
||
|
Changes since OpenSSH 8.1
|
||
|
=========================
|
||
|
|
||
|
This release contains some significant new features.
|
||
|
|
||
|
FIDO/U2F Support
|
||
|
----------------
|
||
|
|
||
|
This release adds support for FIDO/U2F hardware authenticators to
|
||
|
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
|
||
|
authentication hardware that are widely used for website
|
||
|
authentication. In OpenSSH FIDO devices are supported by new public
|
||
|
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
|
||
|
certificate types.
|
||
|
|
||
|
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> may be used to generate a FIDO token-backed key, after
|
||
|
which they may be used much like any other key type supported by
|
||
|
OpenSSH, so long as the hardware token is attached when the keys are
|
||
|
used. FIDO tokens also generally require the user explicitly authorise
|
||
|
operations by touching or tapping them.
|
||
|
|
||
|
Generating a FIDO key requires the token be attached, and will usually
|
||
|
require the user tap the token to confirm the operation:
|
||
|
|
||
|
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
|
||
|
Generating public/private ecdsa-sk key pair.
|
||
|
You may need to touch your security key to authorize key generation.
|
||
|
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
|
||
|
Enter passphrase (empty for no passphrase):
|
||
|
Enter same passphrase again:
|
||
|
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
|
||
|
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
|
||
|
|
||
|
This will yield a public and private key-pair. The private key file
|
||
|
should be useless to an attacker who does not have access to the
|
||
|
physical token. After generation, this key may be used like any other
|
||
|
supported key in OpenSSH and may be listed in authorized_keys, added
|
||
|
to <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, etc. The only additional stipulation is that the FIDO
|
||
|
token that the key belongs to must be attached when the key is used.
|
||
|
|
||
|
FIDO tokens are most commonly connected via USB but may be attached
|
||
|
via other means such as Bluetooth or NFC. In OpenSSH, communication
|
||
|
with the token is managed via a middleware library, specified by the
|
||
|
SecurityKeyProvider directive in ssh/<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> or the
|
||
|
$SSH_SK_PROVIDER environment variable for <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> and
|
||
|
<a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>. The API for this middleware is documented in the sk-api.h
|
||
|
and PROTOCOL.u2f files in the source distribution.
|
||
|
|
||
|
OpenSSH includes a middleware ("SecurityKeyProvider=internal") with
|
||
|
support for USB tokens. It is automatically enabled in OpenBSD and may
|
||
|
be enabled in portable OpenSSH via the configure flag
|
||
|
--with-security-key-builtin. If the internal middleware is enabled
|
||
|
then it is automatically used by default. This internal middleware
|
||
|
requires that libfido2 (<a href="https://github.com/Yubico/libfido2">https://github.com/Yubico/libfido2</a>)and its
|
||
|
dependencies be installed. We recommend that packagers of portable
|
||
|
OpenSSH enable the built-in middleware, as it provides the
|
||
|
lowest-friction experience for users.
|
||
|
|
||
|
Note: FIDO/U2F tokens are required to implement the ECDSA-P256
|
||
|
"ecdsa-sk" key type, but hardware support for Ed25519 "ed25519-sk" is
|
||
|
less common. Similarly, not all hardware tokens support some of the
|
||
|
optional features such as resident keys.
|
||
|
|
||
|
The protocol-level changes to support FIDO/U2F keys in SSH are
|
||
|
documented in the PROTOCOL.u2f file in the OpenSSH source
|
||
|
distribution.
|
||
|
|
||
|
There are a number of supporting changes to this feature:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add a "no-touch-required" option when generating
|
||
|
FIDO-hosted keys, that disables their default behaviour of
|
||
|
requiring a physical touch/tap on the token during authentication.
|
||
|
Note: not all tokens support disabling the touch requirement.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a sshd_config PubkeyAuthOptions directive that
|
||
|
collects miscellaneous public key authentication-related options
|
||
|
for <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. At present it supports only a single option
|
||
|
"no-touch-required". This causes sshd to skip its default check for
|
||
|
FIDO/U2F keys that the signature was authorised by a touch or press
|
||
|
event on the token hardware.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add a "no-touch-required" option
|
||
|
for authorized_keys and a similar extension for certificates. This
|
||
|
option disables the default requirement that FIDO key signatures
|
||
|
attest that the user touched their key to authorize them, mirroring
|
||
|
the similar PubkeyAuthOptions sshd_config option.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add support for the writing the FIDO attestation
|
||
|
information that is returned when new keys are generated via the
|
||
|
"-O write-attestation=/path" option. FIDO attestation certificates
|
||
|
may be used to verify that a FIDO key is hosted in trusted
|
||
|
hardware. OpenSSH does not currently make use of this information,
|
||
|
beyond optionally writing it to disk.
|
||
|
|
||
|
FIDO2 resident keys
|
||
|
-------------------
|
||
|
|
||
|
FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored
|
||
|
in the private key file on disk, and a per-device private key that is
|
||
|
unique to each FIDO/U2F token and that cannot be exported from the
|
||
|
token hardware. These are combined by the hardware at authentication
|
||
|
time to derive the real key that is used to sign authentication
|
||
|
challenges.
|
||
|
|
||
|
For tokens that are required to move between computers, it can be
|
||
|
cumbersome to have to move the private key file first. To avoid this
|
||
|
requirement, tokens implementing the newer FIDO2 standard support
|
||
|
"resident keys", where it is possible to effectively retrieve the key
|
||
|
handle part of the key from the hardware.
|
||
|
|
||
|
OpenSSH supports this feature, allowing resident keys to be generated
|
||
|
using the <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> "-O resident" flag. This will produce a
|
||
|
public/private key pair as usual, but it will be possible to retrieve
|
||
|
the private key part from the token later. This may be done using
|
||
|
"ssh-keygen -K", which will download all available resident keys from
|
||
|
the tokens attached to the host and write public/private key files
|
||
|
for them. It is also possible to download and add resident keys
|
||
|
directly to <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> without writing files to the file-system
|
||
|
using "ssh-add -K".
|
||
|
|
||
|
Resident keys are indexed on the token by the application string and
|
||
|
user ID. By default, OpenSSH uses an application string of "ssh:" and
|
||
|
an empty user ID. If multiple resident keys on a single token are
|
||
|
desired then it may be necessary to override one or both of these
|
||
|
defaults using the <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> "-O application=" or "-O user="
|
||
|
options. Note: OpenSSH will only download and use resident keys whose
|
||
|
application string begins with "ssh:"
|
||
|
|
||
|
Storing both parts of a key on a FIDO token increases the likelihood
|
||
|
of an attacker being able to use a stolen token device. For this
|
||
|
reason, tokens should enforce PIN authentication before allowing
|
||
|
download of keys, and users should set a PIN on their tokens before
|
||
|
creating any resident keys.
|
||
|
|
||
|
Other New Features
|
||
|
------------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add an Include sshd_config keyword that allows including
|
||
|
additional configuration files via glob(3) patterns. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2468">bz2468</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: make the LE (low effort) DSCP code point available
|
||
|
via the IPQoS directive; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2986">bz2986</a>,
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when AddKeysToAgent=yes is set and the key contains no
|
||
|
comment, add the key to the agent with the key's path as the
|
||
|
comment. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2564">bz2564</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: expose PKCS#11 key labels and X.509
|
||
|
subjects as key comments, rather than simply listing the PKCS#11
|
||
|
provider library path. <a href="https://github.com/openssh/openssh-portable/pull/138">PR138</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow PEM export of DSA and ECDSA keys; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3091">bz3091</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: make zlib compile-time optional, available via the
|
||
|
Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
|
||
|
option for OpenSSH portable.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: when clients get denied by MaxStartups, send a
|
||
|
notification prior to the SSH2 protocol banner according to
|
||
|
<a href="https://tools.ietf.org/html/rfc4253">RFC4253</a> section 4.2.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: when invoking the $SSH_ASKPASS prompt
|
||
|
program, pass a hint to the program to describe the type of
|
||
|
desired prompt. The possible values are "confirm" (indicating
|
||
|
that a yes/no confirmation dialog with no text entry should be
|
||
|
shown), "none" (to indicate an informational message only), or
|
||
|
blank for the original ssh-askpass behaviour of requesting a
|
||
|
password/phrase.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow forwarding a different agent socket to the path
|
||
|
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
|
||
|
option to accepting an explicit path or the name of an environment
|
||
|
variable in addition to yes/no.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add a new signature operations "find-principals" to
|
||
|
look up the principal associated with a signature from an allowed-
|
||
|
signers file.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: expose the number of currently-authenticating connections
|
||
|
along with the MaxStartups limit in the process title visible to
|
||
|
"ps".
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: make ClientAliveCountMax=0 have sensible semantics: it
|
||
|
will now disable connection killing entirely rather than the
|
||
|
current behaviour of instantly killing the connection after the
|
||
|
first liveness test regardless of success. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2627">bz2627</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: clarify order of AllowUsers / DenyUsers vs AllowGroups /
|
||
|
DenyGroups in the <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> manual page. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1690">bz1690</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: better describe HashKnownHosts in the manual page. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2560">bz2560</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: clarify that that permitopen=/PermitOpen do no name or
|
||
|
address translation in the manual page. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3099">bz3099</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow the UpdateHostKeys feature to function when
|
||
|
multiple known_hosts files are in use. When updating host keys,
|
||
|
ssh will now search subsequent known_hosts files, but will add
|
||
|
updated host keys to the first specified file only. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2738">bz2738</a>
|
||
|
|
||
|
* All: replace all calls to signal(2) with a wrapper around
|
||
|
sigaction(2). This wrapper blocks all other signals during the
|
||
|
handler preventing races between handlers, and sets SA_RESTART
|
||
|
which should reduce the potential for short read/write operations.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix a race condition in the SIGCHILD handler that could
|
||
|
turn in to a kill(-1); <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3084">bz3084</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix a case where valid (but extremely large) SSH channel
|
||
|
IDs were being incorrectly rejected. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3098">bz3098</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when checking host key fingerprints as answers to new
|
||
|
hostkey prompts, ignore whitespace surrounding the fingerprint
|
||
|
itself.
|
||
|
|
||
|
* All: wait for file descriptors to be readable or writeable during
|
||
|
non-blocking connect, not just readable. Prevents a timeout when
|
||
|
the server doesn't immediately send a banner (e.g. multiplexers
|
||
|
like sslh)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: document the sntrup4591761x25519-sha512@tinyssh.org
|
||
|
key exchange algorithm. <a href="https://github.com/openssh/openssh-portable/pull/151">PR151</a>
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: multiple adjustments to the Linux seccomp sandbox:
|
||
|
- Non-fatally deny IPC syscalls in sandbox
|
||
|
- Allow clock_gettime64() in sandbox (MIPS / glibc >= 2.31)
|
||
|
- Allow clock_nanosleep_time64 in sandbox (ARM) <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3100">bz3100</a>
|
||
|
- Allow clock_nanosleep() in sandbox (recent glibc) <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3093">bz3093</a>
|
||
|
|
||
|
* Explicit check for memmem declaration and fix up declaration if the
|
||
|
system headers lack it. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3102">bz3102</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.2.tar.gz">openssh-8.2.tar.gz</a>) = 0daae2a8c47c489a8784f2c38c4b39e6159ba678
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.2.tar.gz">openssh-8.2.tar.gz</a>) = +UmInEIoHJqYqWneMb/kgRbLcq8WDCo7+ooYcjzW4jg=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz">openssh-8.2p1.tar.gz</a>) = d1ab35a93507321c5db885e02d41ce1414f0507c
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz">openssh-8.2p1.tar.gz</a>) = Q5JRUebPbO4UUBkMDpr03Da0HBJzdhnt/4vOvf9k5nE=
|
||
|
|
||
|
Note: the openssh-8.2 tarball for OpenBSD that was initially released
|
||
|
advertised an incorrect version for "ssh -V" and the sshd server
|
||
|
banner. The above tarball replace the incorrect release, which has
|
||
|
been renamed to <a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.2.tar.gz">openssh-8.2.tar.gz</a>.incorrect. These are the checksums
|
||
|
for the original, incorrect tarball:
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.2.tar.gz">openssh-8.2.tar.gz</a>) = 77584c22fbb89269398acdf53c1e554400584ba8
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.2.tar.gz">openssh-8.2.tar.gz</a>) = UttLaaSYXVK1O65cYvyQzyQ5sCfuJ4Lwrs8zNsPrluQ=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="https://www.openssh.com/report.html">https://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-8.1" id="8.1">OpenSSH 8.1</a>/<a href="txt/release-8.1" id="8.1p1">8.1p1</a> (2019-10-09)</h3>
|
||
|
<pre>OpenSSH 8.1 was released on 2019-10-09. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Security
|
||
|
========
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: an exploitable integer
|
||
|
overflow bug was found in the private key parsing code for the XMSS
|
||
|
key type. This key type is still experimental and support for it is
|
||
|
not compiled by default. No user-facing autoconf option exists in
|
||
|
portable OpenSSH to enable it. This bug was found by Adam Zabrocki
|
||
|
and reported via SecuriTeam's SSD program.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: add protection for private keys at
|
||
|
rest in RAM against speculation and memory side-channel attacks like
|
||
|
Spectre, Meltdown and Rambleed. This release encrypts private keys
|
||
|
when they are not in use with a symmetric key that is derived from a
|
||
|
relatively large "prekey" consisting of random data (currently 16KB).
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: when acting as a CA and signing certificates with
|
||
|
an RSA key, default to using the rsa-sha2-512 signature algorithm.
|
||
|
Certificates signed by RSA keys will therefore be incompatible
|
||
|
with OpenSSH versions prior to 7.2 unless the default is
|
||
|
overridden (using "ssh-keygen -t ssh-rsa -s ...").
|
||
|
|
||
|
Changes since OpenSSH 8.0
|
||
|
=========================
|
||
|
|
||
|
This release is focused on bug-fixing.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow %n to be expanded in ProxyCommand strings
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Allow prepending a list of algorithms to the
|
||
|
default set by starting the list with the '^' character, E.g.
|
||
|
"HostKeyAlgorithms ^ssh-ed25519"
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: add an experimental lightweight signature and
|
||
|
verification ability. Signatures may be made using regular ssh keys
|
||
|
held on disk or stored in a ssh-agent and verified against an
|
||
|
authorized_keys-like list of allowed keys. Signatures embed a
|
||
|
namespace that prevents confusion and attacks between different
|
||
|
usage domains (e.g. files vs email).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: print key comment when extracting public key from a
|
||
|
private key. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3052">bz#3052</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: accept the verbose flag when searching for host keys
|
||
|
in known hosts (i.e. "ssh-keygen -vF host") to print the matching
|
||
|
host's random-art signature too. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3003">bz#3003</a>
|
||
|
|
||
|
* All: support PKCS8 as an optional format for storage of private
|
||
|
keys to disk. The OpenSSH native key format remains the default,
|
||
|
but PKCS8 is a superior format to PEM if interoperability with
|
||
|
non-OpenSSH software is required, as it may use a less insecure
|
||
|
key derivation function than PEM's.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: if a PKCS#11 token returns no keys then try to login and
|
||
|
refetch them. Based on patch from Jakub Jelen; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2430">bz#2430</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: produce a useful error message if the user's shell is set
|
||
|
incorrectly during "match exec" processing. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2791">bz#2791</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: allow the maximum uint32 value for the argument passed
|
||
|
to -b which allows better error messages from later validation.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3050">bz#3050</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: avoid pledge sandbox violations in some combinations of
|
||
|
remote forwarding, connection multiplexing and ControlMaster.
|
||
|
|
||
|
* ssh-keyscan(1): include SHA2-variant RSA key algorithms in KEX
|
||
|
proposal; allows ssh-keyscan to harvest keys from servers that
|
||
|
disable old SHA1 ssh-rsa. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3029">bz#3029</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: print explicit "not modified" message if a file was
|
||
|
requested for resumed download but was considered already complete.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2978">bz#2978</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix a typo and make <esc><right> move right to the
|
||
|
closest end of a word just like <esc><left> moves left to the
|
||
|
closest beginning of a word.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: cap the number of permitopen/permitlisten directives
|
||
|
allowed to appear on a single authorized_keys line.
|
||
|
|
||
|
* All: fix a number of memory leaks (one-off or on exit paths).
|
||
|
|
||
|
* Regression tests: a number of fixes and improvements, including
|
||
|
fixes to the interop tests, adding the ability to run most tests
|
||
|
on builds that disable OpenSSL support, better support for running
|
||
|
tests under Valgrind and a number of bug-fixes.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: check for convtime() refusing to accept times that
|
||
|
resolve to LONG_MAX Reported by Kirk Wolf <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2977">bz2977</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: slightly more instructive error message when the user
|
||
|
specifies multiple -J options on the command-line. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3015">bz3015</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: process agent requests for RSA certificate private
|
||
|
keys using correct signature algorithm when requested. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3016">bz3016</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: check for user@host when parsing sftp target. This
|
||
|
allows user@[1.2.3.4] to work without a path. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2999">bz#2999</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: enlarge format buffer size for certificate serial
|
||
|
number so the log message can record any 64-bit integer without
|
||
|
truncation. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3012">bz#3012</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: for PermitOpen violations add the remote host and port to
|
||
|
be able to more easily ascertain the source of the request. Add the
|
||
|
same logging for PermitListen violations which where not previously
|
||
|
logged at all.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>, <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: use the correct POSIX format style for left
|
||
|
justification for the transfer progress meter. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3002">bz#3002</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> when examining a configuration using sshd -T, assume any
|
||
|
attribute not provided by -C does not match, which allows it to work
|
||
|
when sshd_config contains a Match directive with or without -C.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2858">bz#2858</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: downgrade PKCS#11 "provider returned no
|
||
|
slots" warning from log level error to debug. This is common when
|
||
|
attempting to enumerate keys on smartcard readers with no cards
|
||
|
plugged in. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3058">bz#3058</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: do not unconditionally log in to PKCS#11
|
||
|
tokens. Avoids spurious PIN prompts for keys not selected for
|
||
|
authentication in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and when listing public keys available in
|
||
|
a token using <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3006">bz#3006</a>
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix SIGWINCH delivery of Solaris for multiplexed sessions
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3030">bz#3030</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix typo that prevented detection of Linux VRF
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add no-op implementation of pam_putenv to avoid build
|
||
|
breakage on platforms where the PAM implementation lacks this
|
||
|
function (e.g. HP-UX). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3008">bz#3008</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: fix Solaris privilege sandbox from preventing
|
||
|
the legacy sftp rename operation from working (was refusing to
|
||
|
allow hard links to files owned by other users). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3036">bz#3036</a>
|
||
|
|
||
|
* All: add a proc_pidinfo()-based closefrom() for OS X to avoid
|
||
|
the need to brute-force close all high-numbered file descriptors.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=3049">bz#3049</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: in the Linux seccomp-bpf sandbox, allow mprotect(2) with
|
||
|
PROT_(READ|WRITE|NONE) only. This syscall is used by some hardened
|
||
|
heap allocators. Github <a href="https://github.com/openssh/openssh-portable/pull/142">PR142</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: in the Linux seccomp-bpf sandbox, allow the s390-specific
|
||
|
ioctl for ECC hardware support.
|
||
|
|
||
|
* All: use "doc" man page format if the mandoc(1) tool is present on
|
||
|
the system. Previously configure would not select the "doc" man
|
||
|
page format if mandoc was present but nroff was not.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: don't install duplicate STREAMS modules on Solaris; check
|
||
|
if STREAMS modules are already installed on a pty before installing
|
||
|
since when compiling with XPG>=4 they will likely be installed
|
||
|
already. Prevents hangs and duplicate lines on the terminal.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2945">bz#2945</a> and <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2998">bz#2998</a>,
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.1.tar.gz">openssh-8.1.tar.gz</a>) = bf7b0c65a7c0afa5ba9c787f345b8a24fa459add
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.1.tar.gz">openssh-8.1.tar.gz</a>) = vamkKxZTFfgxQXSxGeJ1vbuot0H3Vx9bNBgrvChSrFg=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz">openssh-8.1p1.tar.gz</a>) = c44b96094869f177735ae053d92bd5fcab1319de
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz">openssh-8.1p1.tar.gz</a>) = AvXb7zg10HU1VvlzzVe0wZtrH2zSTANEXiOsd8obk/8=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-8.0" id="8.0">OpenSSH 8.0</a>/<a href="txt/release-8.0" id="8.0p1">8.0p1</a> (2019-04-17)</h3>
|
||
|
<pre>OpenSSH 8.0 was released on 2019-04-17. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Security
|
||
|
========
|
||
|
|
||
|
This release contains mitigation for a weakness in the <a href="https://man.openbsd.org/scp.1">scp(1)</a> tool
|
||
|
and protocol (CVE-2019-6111): when copying files from a remote system
|
||
|
to a local directory, <a href="https://man.openbsd.org/scp.1">scp(1)</a> did not verify that the filenames that
|
||
|
the server sent matched those requested by the client. This could
|
||
|
allow a hostile server to create or clobber unexpected local files
|
||
|
with attacker-controlled content.
|
||
|
|
||
|
This release adds client-side checking that the filenames sent from
|
||
|
the server match the command-line request,
|
||
|
|
||
|
The scp protocol is outdated, inflexible and not readily fixed. We
|
||
|
recommend the use of more modern protocols like sftp and rsync for
|
||
|
file transfer instead.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: Relating to the above changes to <a href="https://man.openbsd.org/scp.1">scp(1)</a>; the scp protocol
|
||
|
relies on the remote shell for wildcard expansion, so there is no
|
||
|
infallible way for the client's wildcard matching to perfectly
|
||
|
reflect the server's. If there is a difference between client and
|
||
|
server wildcard expansion, the client may refuse files from the
|
||
|
server. For this reason, we have provided a new "-T" flag to scp
|
||
|
that disables these client-side checks at the risk of
|
||
|
reintroducing the attack described above.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove support for obsolete "host/port" syntax. Slash-
|
||
|
separated host/port was added in 2001 as an alternative to
|
||
|
host:port syntax for the benefit of IPv6 users. These days there
|
||
|
are establised standards for this like [::1]:22 and the slash
|
||
|
syntax is easily mistaken for CIDR notation, which OpenSSH
|
||
|
supports for some things. Remove the slash notation from
|
||
|
ListenAddress and PermitOpen; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2335">bz#2335</a>
|
||
|
|
||
|
Changes since OpenSSH 7.9
|
||
|
=========================
|
||
|
|
||
|
This release is focused on new features and internal refactoring.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: Add support for ECDSA keys in
|
||
|
PKCS#11 tokens.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add experimental quantum-computing resistant
|
||
|
key exchange method, based on a combination of Streamlined NTRU
|
||
|
Prime 4591^761 and X25519.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Increase the default RSA key size to 3072 bits,
|
||
|
following NIST Special Publication 800-57's guidance for a
|
||
|
128-bit equivalent symmetric security level.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow "PKCS11Provider=none" to override later instances of
|
||
|
the PKCS11Provider directive in ssh_config; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2974">bz#2974</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add a log message for situations where a connection is
|
||
|
dropped for attempting to run a command but a sshd_config
|
||
|
ForceCommand=internal-sftp restriction is in effect; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2960">bz#2960</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: When prompting whether to record a new host key, accept
|
||
|
the key fingerprint as a synonym for "yes". This allows the user
|
||
|
to paste a fingerprint obtained out of band at the prompt and
|
||
|
have the client do the comparison for you.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: When signing multiple certificates on a single
|
||
|
command-line invocation, allow automatically incrementing the
|
||
|
certificate serial number.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>, <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Accept -J option as an alias to ProxyJump on
|
||
|
the scp and sftp command-lines.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, ssh-pkcs11-helper(8), <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: Accept "-v"
|
||
|
command-line flags to increase the verbosity of output; pass
|
||
|
verbose flags though to subprocesses, such as ssh-pkcs11-helper
|
||
|
started from ssh-agent.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: Add a "-T" option to allowing testing whether keys in
|
||
|
an agent are usable by performing a signature and a verification.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: Add a "lsetstat@openssh.com" protocol extension
|
||
|
that replicates the functionality of the existing SSH2_FXP_SETSTAT
|
||
|
operation but does not follow symlinks. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2067">bz#2067</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Add "-h" flag to chown/chgrp/chmod commands to request
|
||
|
they do not follow symlinks.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Expose $SSH_CONNECTION in the PAM environment. This makes
|
||
|
the connection 4-tuple available to PAM modules that wish to use
|
||
|
it in decision-making. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2741">bz#2741</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add a ssh_config "Match final" predicate Matches in same
|
||
|
pass as "Match canonical" but doesn't require hostname
|
||
|
canonicalisation be enabled. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2906">bz#2906</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Support a prefix of '@' to suppress echo of sftp batch
|
||
|
commands; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2926">bz#2926</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: When printing certificate contents using
|
||
|
"ssh-keygen -Lf /path/certificate", include the algorithm that
|
||
|
the CA used to sign the cert.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix authentication failures when sshd_config contains
|
||
|
"AuthenticationMethods any" inside a Match block that overrides
|
||
|
a more restrictive default.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Avoid sending duplicate keepalives when ClientAliveCount
|
||
|
is enabled.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix two race conditions related to SIGHUP daemon restart.
|
||
|
Remnant file descriptors in recently-forked child processes could
|
||
|
block the parent sshd's attempt to listen(2) to the configured
|
||
|
addresses. Also, the restarting parent sshd could exit before any
|
||
|
child processes that were awaiting their re-execution state had
|
||
|
completed reading it, leaving them in a fallback path.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix stdout potentially being redirected to /dev/null when
|
||
|
ProxyCommand=- was in use.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Avoid sending SIGPIPE to child processes if they attempt
|
||
|
to write to stderr after their parent processes have exited;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2071">bz#2071</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix bad interaction between the ssh_config ConnectTimeout
|
||
|
and ConnectionAttempts directives - connection attempts after the
|
||
|
first were ignoring the requested timeout; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2918">bz#2918</a>
|
||
|
|
||
|
* ssh-keyscan(1): Return a non-zero exit status if no keys were
|
||
|
found; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2903">bz#2903</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: Sanitize scp filenames to allow UTF-8 characters without
|
||
|
terminal control sequences; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2434">bz#2434</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix confusion between ClientAliveInterval and time-based
|
||
|
RekeyLimit that could cause connections to be incorrectly closed.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2757">bz#2757</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: Correct some bugs in PKCS#11 token PIN
|
||
|
handling at initial token login. The attempt to read the PIN
|
||
|
could be skipped in some cases, particularly on devices with
|
||
|
integrated PIN readers. This would lead to an inability to
|
||
|
retrieve keys from these tokens. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2652">bz#2652</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: Support keys on PKCS#11 tokens that set the
|
||
|
CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
|
||
|
C_SignInit operation. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2638">bz#2638</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Improve documentation for ProxyJump/-J, clarifying that
|
||
|
local configuration does not apply to jump hosts.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Clarify manual - ssh-keygen -e only writes
|
||
|
public keys, not private.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: be more strict in processing protocol banners,
|
||
|
allowing \r characters only immediately before \n.
|
||
|
|
||
|
* Various: fix a number of memory leaks, including <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2942">bz#2942</a> and
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2938">bz#2938</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>, <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix calculation of initial bandwidth limits.
|
||
|
Account for bytes written before the timer starts and adjust the
|
||
|
schedule on which recalculations are performed. Avoids an initial
|
||
|
burst of traffic and yields more accurate bandwidth limits;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2927">bz#2927</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Only consider the ext-info-c extension during the initial
|
||
|
key eschange. It shouldn't be sent in subsequent ones, but if it
|
||
|
is present we should ignore it. This prevents sshd from sending a
|
||
|
SSH_MSG_EXT_INFO for REKEX for buggy these clients. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2929">bz#2929</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Clarify manual that ssh-keygen -F (find host in
|
||
|
authorized_keys) and -R (remove host from authorized_keys) options
|
||
|
may accept either a bare hostname or a [hostname]:port combo.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2935">bz#2935</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Don't attempt to connect to empty SSH_AUTH_SOCK; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2936">bz#2936</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Silence error messages when sshd fails to load some of
|
||
|
the default host keys. Failure to load an explicitly-configured
|
||
|
hostkey is still an error, and failure to load any host key is
|
||
|
still fatal. pr/103
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Redirect stderr of ProxyCommands to /dev/null when ssh is
|
||
|
started with ControlPersist; prevents random ProxyCommand output
|
||
|
from interfering with session output.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: The ssh client was keeping a redundant ssh-agent socket
|
||
|
(leftover from authentication) around for the life of the
|
||
|
connection; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2912">bz#2912</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix bug in HostbasedAcceptedKeyTypes and
|
||
|
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types
|
||
|
were specified, then authentication would always fail for RSA keys
|
||
|
as the monitor checks only the base key (not the signature
|
||
|
algorithm) type against *AcceptedKeyTypes. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2746">bz#2746</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Request correct signature types from ssh-agent when
|
||
|
certificate keys and RSA-SHA2 signatures are in use.
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: On Cygwin, run as SYSTEM where possible, using S4U for
|
||
|
token creation if it supports MsV1_0 S4U Logon.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: On Cygwin, use custom user/group matching code that
|
||
|
respects the OS' behaviour of case-insensitive matching.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Don't set $MAIL if UsePAM=yes as PAM typically specifies
|
||
|
the user environment if it's enabled; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2937">bz#2937</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> Cygwin: Change service name to cygsshd to avoid collision
|
||
|
with Microsoft's OpenSSH port.
|
||
|
|
||
|
* Allow building against OpenSSL -dev (3.x)
|
||
|
|
||
|
* Fix a number of build problems against version configurations and
|
||
|
versions of OpenSSL. Including <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2931">bz#2931</a> and <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2921">bz#2921</a>
|
||
|
|
||
|
* Improve warnings in cygwin service setup. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2922">bz#2922</a>
|
||
|
|
||
|
* Remove hardcoded service name in cygwin setup. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2922">bz#2922</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.0.tar.gz">openssh-8.0.tar.gz</a>) = 8aaa99091fc7e5a92a4a320e1e5521046b3f95f0
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.0.tar.gz">openssh-8.0.tar.gz</a>) = 1xvSJk1KYSnOLPYEUzyCVwTEQ7MHOaCO65DzeNuuLdo=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz">openssh-8.0p1.tar.gz</a>) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz">openssh-8.0p1.tar.gz</a>) = vZQ4eeaUmOgDHra39E0IzcN9WaeraJqgtDcyDDSB/Wg=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.9" id="7.9">OpenSSH 7.9</a>/<a href="txt/release-7.9" id="7.9p1">7.9p1</a> (2018-10-19)</h3>
|
||
|
<pre>OpenSSH 7.9 was released on 2018-10-19. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: the setting of the new CASignatureAlgorithms
|
||
|
option (see below) bans the use of DSA keys as certificate
|
||
|
authorities.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: the authentication success/failure log message has
|
||
|
changed format slightly. It now includes the certificate
|
||
|
fingerprint (previously it included only key ID and CA key
|
||
|
fingerprint).
|
||
|
|
||
|
Changes since OpenSSH 7.8
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow most port numbers to be specified using
|
||
|
service names from getservbyname(3) (typically /etc/services).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow the IdentityAgent configuration directive to accept
|
||
|
environment variable names. This supports the use of multiple
|
||
|
agent sockets without needing to use fixed paths.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: support signalling sessions via the SSH protocol.
|
||
|
A limited subset of signals is supported and only for login or
|
||
|
command sessions (i.e. not subsystems) that were not subject to
|
||
|
a forced command via authorized_keys or sshd_config. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1424">bz#1424</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: support "ssh -Q sig" to list supported signature options.
|
||
|
Also "ssh -Q help" to show the full set of supported queries.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a CASignatureAlgorithms option for the
|
||
|
client and server configs to allow control over which signature
|
||
|
formats are allowed for CAs to sign certificates. For example,
|
||
|
this allows banning CAs that sign certificates using the RSA-SHA1
|
||
|
signature algorithm.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow key revocation lists (KRLs) to
|
||
|
revoke keys specified by SHA256 hash.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow creation of key revocation lists directly
|
||
|
from base64-encoded SHA256 fingerprints. This supports revoking
|
||
|
keys using only the information contained in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
|
||
|
authentication log messages.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: avoid spurious "invalid format" errors when
|
||
|
attempting to load PEM private keys while using an incorrect
|
||
|
passphrase. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2901">bz#2901</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: when a channel closed message is received from a client,
|
||
|
close the stderr file descriptor at the same time stdout is
|
||
|
closed. This avoids stuck processes if they were waiting for
|
||
|
stderr to close and were insensitive to stdin/out closing. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2863">bz#2863</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow ForwardX11Timeout=0 to disable the untrusted X11
|
||
|
forwarding timeout and support X11 forwarding indefinitely.
|
||
|
Previously the behaviour of ForwardX11Timeout=0 was undefined.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: when compiled with GSSAPI support, cache supported method
|
||
|
OIDs regardless of whether GSSAPI authentication is enabled in the
|
||
|
main section of sshd_config. This avoids sandbox violations if
|
||
|
GSSAPI authentication was later enabled in a Match block. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2107">bz#2107</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: do not fail closed when configured with a text key
|
||
|
revocation list that contains a too-short key. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2897">bz#2897</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: treat connections with ProxyJump specified the same as
|
||
|
ones with a ProxyCommand set with regards to hostname
|
||
|
canonicalisation (i.e. don't try to canonicalise the hostname
|
||
|
unless CanonicalizeHostname is set to 'always'). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2896">bz#2896</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix regression in OpenSSH 7.8 that could prevent public-
|
||
|
key authentication using certificates hosted in a <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>
|
||
|
or against <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> from OpenSSH <7.8.
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* All: support building against the openssl-1.1 API (releases 1.1.0g
|
||
|
and later). The openssl-1.0 API will remain supported at least
|
||
|
until OpenSSL terminates security patch support for that API version.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow the futex(2) syscall in the Linux seccomp sandbox;
|
||
|
apparently required by some glibc/OpenSSL combinations.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: handle getgrouplist(3) returning more than
|
||
|
_SC_NGROUPS_MAX groups. Some platforms consider this limit more
|
||
|
as a guideline.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.9.tar.gz">openssh-7.9.tar.gz</a>) = 7c50a86b8f591decd172ed7f5527abc533098dec
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.9.tar.gz">openssh-7.9.tar.gz</a>) = nSVigtHGn3+xKXRqpSnp4YOyEPPAb+pCHdWS9Eh/IPY=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz">openssh-7.9p1.tar.gz</a>) = 993aceedea8ecabb1d0dd7293508a361891c4eaa
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz">openssh-7.9p1.tar.gz</a>) = a0s7oiU9hO03ccgFByjVl8kc/OiYcTvre2SjBbbxGq0=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.8" id="7.8">OpenSSH 7.8</a>/<a href="txt/release-7.8" id="7.8p1">7.8p1</a> (2018-08-24)</h3>
|
||
|
<pre>OpenSSH 7.8 was released on 2018-08-24. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: write OpenSSH format private keys by default
|
||
|
instead of using OpenSSL's PEM format. The OpenSSH format,
|
||
|
supported in OpenSSH releases since 2014 and described in the
|
||
|
PROTOCOL.key file in the source distribution, offers substantially
|
||
|
better protection against offline password guessing and supports
|
||
|
key comments in private keys. If necessary, it is possible to write
|
||
|
old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
|
||
|
when generating or updating a key.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove internal support for S/Key multiple factor
|
||
|
authentication. S/Key may still be used via PAM or BSD auth.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: remove vestigal support for running <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> as setuid. This
|
||
|
used to be required for hostbased authentication and the (long
|
||
|
gone) rhosts-style authentication, but has not been necessary for
|
||
|
a long time. Attempting to execute ssh as a setuid binary, or with
|
||
|
uid != effective uid will now yield a fatal error at runtime.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: the semantics of PubkeyAcceptedKeyTypes and the similar
|
||
|
HostbasedAcceptedKeyTypes options have changed. These now specify
|
||
|
signature algorithms that are accepted for their respective
|
||
|
authentication mechanism, where previously they specified accepted
|
||
|
key types. This distinction matters when using the RSA/SHA2
|
||
|
signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their
|
||
|
certificate counterparts. Configurations that override these
|
||
|
options but omit these algorithm names may cause unexpected
|
||
|
authentication failures (no action is required for configurations
|
||
|
that accept the default for these options).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: the precedence of session environment variables has
|
||
|
changed. ~/.ssh/environment and environment="..." options in
|
||
|
authorized_keys files can no longer override SSH_* variables set
|
||
|
implicitly by sshd.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: the default IPQoS used by ssh/sshd has changed.
|
||
|
They will now use DSCP AF21 for interactive traffic and CS1 for
|
||
|
bulk. For a detailed rationale, please see the commit message:
|
||
|
<a href="https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284">https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284</a>
|
||
|
|
||
|
Changes since OpenSSH 7.7
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add new signature algorithms "rsa-sha2-256-cert-
|
||
|
v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to
|
||
|
explicitly force use of RSA/SHA2 signatures in authentication.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: extend the PermitUserEnvironment option to accept a
|
||
|
whitelist of environment variable names in addition to global
|
||
|
"yes" or "no" settings.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a PermitListen directive to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> and a
|
||
|
corresponding permitlisten= authorized_keys option that control
|
||
|
which listen addresses and port numbers may be used by remote
|
||
|
forwarding (ssh -R ...).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add some countermeasures against timing attacks used for
|
||
|
account validation/enumeration. sshd will enforce a minimum time
|
||
|
or each failed authentication attempt consisting of a global 5ms
|
||
|
minimum plus an additional per-user 0-4ms delay derived from a
|
||
|
host secret.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a SetEnv directive to allow an administrator to
|
||
|
explicitly specify environment variables in sshd_config.
|
||
|
Variables set by SetEnv override the default and client-specified
|
||
|
environment.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a SetEnv directive to request that the server sets
|
||
|
an environment variable in the session. Similar to the existing
|
||
|
SendEnv option, these variables are set subject to server
|
||
|
configuration.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow "SendEnv -PATTERN" to clear environment variables
|
||
|
previously marked for sending to the server. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1285">bz#1285</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: make UID available as a %-expansion everywhere
|
||
|
that the username is available currently. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2870">bz#2870</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow setting ProxyJump=none to disable ProxyJump
|
||
|
functionality. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2869">bz#2869</a>
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid observable differences in request parsing that could
|
||
|
be used to determine whether a target user is valid.
|
||
|
|
||
|
* all: substantial internal refactoring
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix some memory leaks; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2366">bz#2366</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix a pwent clobber (introduced in openssh-7.7) that could
|
||
|
occur during key loading, manifesting as crash on some platforms.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: clarify documentation for AuthenticationMethods
|
||
|
option; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2663">bz#2663</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: ensure that the public key algorithm sent in a
|
||
|
public key SSH_MSG_USERAUTH_REQUEST matches the content of the
|
||
|
signature blob. Previously, these could be inconsistent when a
|
||
|
legacy or non-OpenSSH ssh-agent returned a RSA/SHA1 signature
|
||
|
when asked to make a RSA/SHA2 signature.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix failures to read authorized_keys caused by faulty
|
||
|
supplemental group caching. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2873">bz#2873</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: apply umask to directories, fixing potential mkdir/chmod
|
||
|
race when copying directory trees <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2839">bz#2839</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: return correct exit code when searching for and
|
||
|
hashing known_hosts entries in a single operation; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2772">bz#2772</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: prefer the ssh binary pointed to via argv[0] to $PATH when
|
||
|
re-executing ssh for ProxyJump. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2831">bz#2831</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: do not ban PTY allocation when a sshd session is
|
||
|
restricted because the user password is expired as it breaks
|
||
|
password change dialog. (regression in openssh-7.7).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix error reporting from select() failures.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: improve documentation for -w (tunnel) flag, emphasising
|
||
|
that -w implicitly sets Tunnel=point-to-point. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2365">bz#2365</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: implement EMFILE mitigation for ssh-agent. ssh-agent
|
||
|
will no longer spin when its file descriptor limit is exceeded.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2576">bz#2576</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: disable SSH2_MSG_DEBUG messages for Twisted Conch
|
||
|
clients. Twisted Conch versions that lack a version number in
|
||
|
their identification strings will mishandle these messages when
|
||
|
running on Python 2.x (<a href="https://twistedmatrix.com/trac/ticket/9422">https://twistedmatrix.com/trac/ticket/9422</a>)
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: notify user immediately when underlying ssh process dies
|
||
|
expectedly. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2719">bz#2719</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix tunnel forwarding; regression in 7.7 release.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2855">bz#2855</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: don't kill ssh-agent's listening socket entirely if
|
||
|
it fails to accept(2) a connection. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2837">bz#2837</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: relax checking of authorized_keys environment="..."
|
||
|
options to allow underscores in variable names (regression
|
||
|
introduced in 7.7). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2851">bz#2851</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add some missing options in the configuration dump output
|
||
|
(ssh -G). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2835">bz#2835</a>
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Expose details of completed authentication to PAM auth
|
||
|
modules via SSH_AUTH_INFO_0 in the PAM environment. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2408">bz#2408</a>
|
||
|
|
||
|
* Fix compilation problems caused by fights between zlib and OpenSSL
|
||
|
colliding uses of "free_func"
|
||
|
|
||
|
* Improve detection of unsupported compiler options. Recently these
|
||
|
may have manifested as "unsupported -Wl,-z,retpoline" warnings
|
||
|
during linking.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: some sandbox support for Linux/s390 <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2752">bz#2752</a>.
|
||
|
|
||
|
* regress tests: unbreak key-options.sh test on platforms without
|
||
|
openpty(3). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2856">bz#2856</a>
|
||
|
|
||
|
* use getrandom(2) for PRNG seeding when built without OpenSSL.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.8.tar.gz">openssh-7.8.tar.gz</a>) = ed5511cd42b543cd15166a9cbc56705f23b847e7
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.8.tar.gz">openssh-7.8.tar.gz</a>) = TDqIsMEmghsBUNCrSCPyCxChfitntyOLXNC694py1XE
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.8p1.tar.gz">openssh-7.8p1.tar.gz</a>) = 27e267e370315561de96577fccae563bc2c37a60
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.8p1.tar.gz">openssh-7.8p1.tar.gz</a>) = GkhLsVFSwYO7JRThEqow3TQTjDz7Ay7uVJCmbFBxRMo
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.7" id="7.7">OpenSSH 7.7</a>/<a href="txt/release-7.7" id="7.7p1">7.7p1</a> (2018-04-02)</h3>
|
||
|
<pre>OpenSSH 7.7 was released on 2018-04-02. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Drop compatibility support for some very old SSH
|
||
|
implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
|
||
|
versions were all released in or before 2001 and predate the final
|
||
|
SSH RFCs. The support in question isn't necessary for RFC-compliant
|
||
|
SSH implementations.
|
||
|
|
||
|
Changes since OpenSSH 7.6
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* All: Add experimental support for PQC XMSS keys (Extended Hash-
|
||
|
Based Signatures) based on the algorithm described in
|
||
|
<a href="https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12">https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12</a>
|
||
|
The XMSS signature code is experimental and not compiled in by
|
||
|
default.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add a "rdomain" criteria for the sshd_config Match keyword
|
||
|
to allow conditional configuration that depends on which routing
|
||
|
domain a connection was received on (currently supported on OpenBSD
|
||
|
and Linux).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: Add an optional rdomain qualifier to the
|
||
|
ListenAddress directive to allow listening on different routing
|
||
|
domains. This is supported only on OpenBSD and Linux at present.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: Add RDomain directive to allow the authenticated
|
||
|
session to be placed in an explicit routing domain. This is only
|
||
|
supported on OpenBSD at present.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add "expiry-time" option for authorized_keys files to
|
||
|
allow for expiring keys.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a BindInterface option to allow binding the outgoing
|
||
|
connection to an interface's address (basically a more usable
|
||
|
BindAddress)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Expose device allocated for tun/tap forwarding via a new
|
||
|
%T expansion for LocalCommand. This allows LocalCommand to be used
|
||
|
to prepare the interface.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Expose the device allocated for tun/tap forwarding via a
|
||
|
new SSH_TUNNEL environment variable. This allows automatic setup of
|
||
|
the interface and surrounding network configuration automatically on
|
||
|
the server.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/scp.1">scp(1)</a>/<a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Add URI support to ssh, sftp and scp, e.g.
|
||
|
ssh://user@host or sftp://user@host/path. Additional connection
|
||
|
parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
|
||
|
implemented since the ssh fingerprint format in the draft uses the
|
||
|
deprecated MD5 hash with no way to specify the any other algorithm.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Allow certificate validity intervals that specify
|
||
|
only a start or stop time (instead of both or neither).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Allow "cd" and "lcd" commands with no explicit path
|
||
|
argument. lcd will change to the local user's home directory as
|
||
|
usual. cd will change to the starting directory for session (because
|
||
|
the protocol offers no way to obtain the remote user's home
|
||
|
directory). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2760">bz#2760</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: When doing a config test with sshd -T, only require the
|
||
|
attributes that are actually used in Match criteria rather than (an
|
||
|
incomplete list of) all criteria.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: More strictly check signature types during key
|
||
|
exchange against what was negotiated. Prevents downgrade of RSA
|
||
|
signatures made with SHA-256/512 to SHA-1.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix support for client that advertise a protocol version
|
||
|
of "1.99" (indicating that they are prepared to accept both SSHv1 and
|
||
|
SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
|
||
|
support. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2810">bz#2810</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Warn when the agent returns a ssh-rsa (SHA1) signature when
|
||
|
a rsa-sha2-256/512 signature was requested. This condition is possible
|
||
|
when an old or non-OpenSSH agent is in use. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2799">bz#2799</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: Fix regression introduced in 7.6 that caused ssh-agent
|
||
|
to fatally exit if presented an invalid signature request message.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: Accept yes/no flag options case-insensitively, as
|
||
|
has been the case in <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> for a long time. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2664">bz#2664</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Improve error reporting for failures during connection.
|
||
|
Under some circumstances misleading errors were being shown. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2814">bz#2814</a>
|
||
|
|
||
|
* ssh-keyscan(1): Add -D option to allow printing of results directly
|
||
|
in SSHFP format. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2821">bz#2821</a>
|
||
|
|
||
|
* regress tests: fix PuTTY interop test broken in last release's SSHv1
|
||
|
removal. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2823">bz#2823</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Compatibility fix for some servers that erroneously drop the
|
||
|
connection when the IUTF8 (<a href="https://tools.ietf.org/html/rfc8160">RFC8160</a>) option is sent.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: Disable RemoteCommand and RequestTTY in the ssh session
|
||
|
started by scp (sftp was already doing this.)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Refuse to create a certificate with an unusable
|
||
|
number of principals.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Fatally exit if ssh-keygen is unable to write all the
|
||
|
public key during key generation. Previously it would silently
|
||
|
ignore errors writing the comment and terminating newline.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Do not modify hostname arguments that are addresses by
|
||
|
automatically forcing them to lower-case. Instead canonicalise them
|
||
|
to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
|
||
|
against known_hosts. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2763">bz#2763</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Don't accept junk after "yes" or "no" responses to hostkey
|
||
|
prompts. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2803">bz#2803</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Have sftp print a warning about shell cleanliness when
|
||
|
decoding the first packet fails, which is usually caused by shells
|
||
|
polluting stdout of non-interactive startups. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2800">bz#2800</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Switch timers in packet code from using wall-clock
|
||
|
time to monotonic time, allowing the packet layer to better function
|
||
|
over a clock step and avoiding possible integer overflows during
|
||
|
steps.
|
||
|
|
||
|
* Numerous manual page fixes and improvements.
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Correctly detect MIPS ABI in use at configure time. Fixes
|
||
|
sandbox violations on some environments.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove UNICOS support. The hardware and software are literal
|
||
|
museum pieces and support in sshd is too intrusive to justify
|
||
|
maintaining.
|
||
|
|
||
|
* All: Build and link with "retpoline" flags when available to mitigate
|
||
|
the "branch target injection" style (variant 2) of the Spectre
|
||
|
branch-prediction vulnerability.
|
||
|
|
||
|
* All: Add auto-generated dependency information to Makefile.
|
||
|
|
||
|
* Numerous fixed to the RPM spec files.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.7.tar.gz">openssh-7.7.tar.gz</a>) = 24812e05fa233014c847c7775748316e7f8a836c
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.7.tar.gz">openssh-7.7.tar.gz</a>) = T4ua1L/vgAYqwB0muRahvnm5ZUr3PLY9nPljaG8egvo=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz">openssh-7.7p1.tar.gz</a>) = 446fe9ed171f289f0d62197dffdbfdaaf21c49f2
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz">openssh-7.7p1.tar.gz</a>) = 1zvn5oTpnvzQJL4Vowv/y+QbASsvezyQhK7WIXdea48=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.6" id="7.6">OpenSSH 7.6</a>/<a href="txt/release-7.6" id="7.6p1">7.6p1</a> (2017-10-03)</h3>
|
||
|
<pre>OpenSSH 7.6 was released on 2017-10-03. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: delete SSH protocol version 1 support, associated
|
||
|
configuration options and documentation.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove support for the hmac-ripemd160 MAC.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove support for the arcfour, blowfish and CAST
|
||
|
ciphers.
|
||
|
|
||
|
* Refuse RSA keys <1024 bits in length and improve reporting for keys
|
||
|
that do not meet this requirement.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: do not offer CBC ciphers by default.
|
||
|
|
||
|
Changes since OpenSSH 7.5
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release. It also contains substantial
|
||
|
internal refactoring.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: in read-only mode, sftp-server was incorrectly
|
||
|
permitting creation of zero-length files. Reported by Michal
|
||
|
Zalewski.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add RemoteCommand option to specify a command in the ssh
|
||
|
config file instead of giving it on the client's command line. This
|
||
|
allows the configuration file to specify the command that will be
|
||
|
executed on the remote host.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add ExposeAuthInfo option that enables writing details of
|
||
|
the authentication methods used (including public keys where
|
||
|
applicable) to a file that is exposed via a $SSH_USER_AUTH
|
||
|
environment variable in the subsequent session.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add support for reverse dynamic forwarding. In this mode,
|
||
|
ssh will act as a SOCKS4/5 proxy and forward connections
|
||
|
to destinations requested by the remote SOCKS client. This mode
|
||
|
is requested using extended syntax for the -R and RemoteForward
|
||
|
options and, because it is implemented solely at the client,
|
||
|
does not require the server be updated to be supported.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow LogLevel directive in sshd_config Match blocks;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2717">bz#2717</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow inclusion of arbitrary string or flag
|
||
|
certificate extensions and critical options.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow ssh-keygen to use a key held in ssh-agent as
|
||
|
a CA when signing certificates. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2377">bz#2377</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow IPQoS=none in ssh/sshd to not set an explicit
|
||
|
ToS/DSCP value and just use the operating system default.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: added -q option to make ssh-add quiet on success.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: expand the StrictHostKeyChecking option with two new
|
||
|
settings. The first "accept-new" will automatically accept
|
||
|
hitherto-unseen keys but will refuse connections for changed or
|
||
|
invalid hostkeys. This is a safer subset of the current behaviour
|
||
|
of StrictHostKeyChecking=no. The second setting "off", is a synonym
|
||
|
for the current behaviour of StrictHostKeyChecking=no: accept new
|
||
|
host keys, and continue connection for hosts with incorrect
|
||
|
hostkeys. A future release will change the meaning of
|
||
|
StrictHostKeyChecking=no to the behaviour of "accept-new". <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2400">bz#2400</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add SyslogFacility option to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> matching the equivalent
|
||
|
option in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2705">bz#2705</a>
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: use HostKeyAlias if specified instead of hostname for
|
||
|
matching host certificate principal names; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2728">bz#2728</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: implement sorting for globbed ls; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2649">bz#2649</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a user@host prefix to client's "Permission denied"
|
||
|
messages, useful in particular when using "stacked" connections
|
||
|
(e.g. ssh -J) where it's not clear which host is denying. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2720">bz#2720</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: accept unknown EXT_INFO extension values that contain \0
|
||
|
characters. These are legal, but would previously cause fatal
|
||
|
connection errors if received.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: repair compression statistics printed at
|
||
|
connection exit
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: print '?' instead of incorrect link count (that the
|
||
|
protocol doesn't provide) for remote listings. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2710">bz#2710</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: return failure rather than fatal() for more cases during
|
||
|
session multiplexing negotiations. Causes the session to fall back
|
||
|
to a non-mux connection if they occur. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2707">bz#2707</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: mention that the server may send debug messages to explain
|
||
|
public key authentication problems under some circumstances; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2709">bz#2709</a>
|
||
|
|
||
|
* Translate OpenSSL error codes to better report incorrect passphrase
|
||
|
errors when loading private keys; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2699">bz#2699</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: adjust compatibility patterns for WinSCP to correctly
|
||
|
identify versions that implement only the legacy DH group exchange
|
||
|
scheme. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2748">bz#2748</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: print the "Killed by signal 1" message only at LogLevel
|
||
|
verbose so that it is not shown at the default level; prevents it
|
||
|
from appearing during ssh -J and equivalent ProxyCommand configs.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1906">bz#1906</a>, <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2744">bz#2744</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: when generating all hostkeys (ssh-keygen -A), clobber
|
||
|
existing keys if they exist but are zero length. zero-length keys
|
||
|
could previously be made if ssh-keygen failed or was interrupted part
|
||
|
way through generating them. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2561">bz#2561</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix pledge(2) violation in the escape sequence "~&" used to
|
||
|
place the current session in the background.
|
||
|
|
||
|
* ssh-keyscan(1): avoid double-close() on file descriptors; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2734">bz#2734</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid reliance on shared use of pointers shared between
|
||
|
monitor and child sshd processes. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2704">bz#2704</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.8">sshd_config(8)</a>: document available AuthenticationMethods; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2453">bz#2453</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: avoid truncation in some login prompts; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2768">bz#2768</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix various compilations failures, inc <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2767">bz#2767</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: make "--" before the hostname terminate argument processing
|
||
|
after the hostname too.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: switch from aes256-cbc to aes256-ctr for encrypting
|
||
|
new-style private keys. Fixes problems related to private key
|
||
|
handling for no-OpenSSL builds. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2754">bz#2754</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: warn and do not attempt to use keys when the public and
|
||
|
private halves do not match. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2737">bz#2737</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: don't print verbose error message when ssh disconnects
|
||
|
from under sftp. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2750">bz#2750</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix keepalive scheduling problem: activity on a forwarded
|
||
|
port from preventing the keepalive from being sent; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2756">bz#2756</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: when started without root privileges, don't require the
|
||
|
privilege separation user or path to exist. Makes running the
|
||
|
regression tests easier without touching the filesystem.
|
||
|
|
||
|
* Make integrity.sh regression tests more robust against timeouts.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2658">bz#2658</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: correctness fix for channels implementation: accept
|
||
|
channel IDs greater than 0x7FFFFFFF.
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.9">sshd(9)</a>: drop two more privileges in the Solaris sandbox:
|
||
|
PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2723">bz#2723</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: expose list of completed authentication methods to PAM
|
||
|
via the SSH_AUTH_INFO_0 PAM environment variable. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2408">bz#2408</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix several problems in the tun/tap forwarding code,
|
||
|
mostly to do with host/network byte order confusion. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2735">bz#2735</a>
|
||
|
|
||
|
* Add --with-cflags-after and --with-ldflags-after configure flags to
|
||
|
allow setting CFLAGS/LDFLAGS after configure has completed. These
|
||
|
are useful for setting sanitiser/fuzzing options that may interfere
|
||
|
with configure's operation.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid Linux seccomp violations on ppc64le over the
|
||
|
socketcall syscall.
|
||
|
|
||
|
* Fix use of ldns when using ldns-config; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2697">bz#2697</a>
|
||
|
|
||
|
* configure: set cache variables when cross-compiling. The cross-
|
||
|
compiling fallback message was saying it assumed the test passed,
|
||
|
but it wasn't actually set the cache variables and this would
|
||
|
cause later tests to fail.
|
||
|
|
||
|
* Add clang libFuzzer harnesses for public key parsing and signature
|
||
|
verification.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.6.tar.gz">openssh-7.6.tar.gz</a>) = 157fe3989a245c58fcdb34d9fe722a3c4e14c008
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz">openssh-7.6p1.tar.gz</a>) = a6984bc2c72192bed015c8b879b35dd9f5350b3b
|
||
|
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.6.tar.gz">openssh-7.6.tar.gz</a>) = Xu3bdpCcu65vM2FnW7b6IKLgd4Kvf2P3WBTMw+I7Bao=
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz">openssh-7.6p1.tar.gz</a>) = oyPK7t3+FFuqoNsW6Y14Sx+8fdQ2pr8fR539XNHSFyM=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
|
||
|
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
|
||
|
Tim Rice and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.5" id="7.5">OpenSSH 7.5</a>/<a href="txt/release-7.5" id="7.5p1">7.5p1</a> (2017-03-20)</h3>
|
||
|
<pre>OpenSSH 7.5 was released on 2017-03-20. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols
|
||
|
that may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
We plan on retiring more legacy cryptography in future releases,
|
||
|
specifically:
|
||
|
|
||
|
* In the next major release (expected June-August), removing remaining
|
||
|
support for the SSH v.1 protocol (currently client-only and compile-
|
||
|
time disabled).
|
||
|
|
||
|
* In the same release, removing support for Blowfish and RC4 ciphers
|
||
|
and the RIPE-MD160 HMAC. (These are currently run-time disabled).
|
||
|
|
||
|
* In the same release, removing the remaining CBC ciphers from being
|
||
|
offered by default in the client (These have not been offered in
|
||
|
sshd by default for several years).
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum
|
||
|
is 768 bits)
|
||
|
|
||
|
This list reflects our current intentions, but please check the final
|
||
|
release notes for future releases.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* This release deprecates the sshd_config UsePrivilegeSeparation
|
||
|
option, thereby making privilege separation mandatory. Privilege
|
||
|
separation has been on by default for almost 15 years and
|
||
|
sandboxing has been on by default for almost the last five.
|
||
|
|
||
|
* The format of several log messages emitted by the packet code has
|
||
|
changed to include additional information about the user and
|
||
|
their authentication state. Software that monitors ssh/sshd logs
|
||
|
may need to account for these changes. For example:
|
||
|
|
||
|
Connection closed by user x 1.1.1.1 port 1234 [preauth]
|
||
|
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
|
||
|
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
|
||
|
|
||
|
Affected messages include connection closure, timeout, remote
|
||
|
disconnection, negotiation failure and some other fatal messages
|
||
|
generated by the packet code.
|
||
|
|
||
|
* [Portable OpenSSH only] This version removes support for building
|
||
|
against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting
|
||
|
versions prior to 1.0.1 over 12 months ago (i.e. they no longer
|
||
|
receive fixes for security bugs).
|
||
|
|
||
|
Changes since OpenSSH 7.4
|
||
|
=========================
|
||
|
|
||
|
This is a bugfix release.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix weakness in CBC padding oracle countermeasures
|
||
|
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
|
||
|
Note that the OpenSSH client disables CBC ciphers by default, sshd
|
||
|
offers them as lowest-preference options and will remove them by
|
||
|
default entriely in the next release. Reported by Jean Paul
|
||
|
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
|
||
|
Royal Holloway, University of London.
|
||
|
|
||
|
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
|
||
|
a recursive file transfer could be maniuplated by a hostile server to
|
||
|
perform a path-traversal attack. creating or modifying files outside
|
||
|
of the intended target directory. Reported by Jann Horn of Google
|
||
|
Project Zero.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Support "=-" syntax to easily remove methods from
|
||
|
algorithm lists, e.g. Ciphers=-*cbc. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2671">bz#2671</a>
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.1">sshd(1)</a>: Fix NULL dereference crash when key exchange start
|
||
|
messages are sent out of sequence.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Allow form-feed characters to appear in
|
||
|
configuration files.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix regression in OpenSSH 7.4 support for the
|
||
|
server-sig-algs extension, where SHA2 RSA signature methods were
|
||
|
not being correctly advertised. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2680">bz#2680</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Fix a number of case-sensitivity bugs in
|
||
|
known_hosts processing. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2591">bz#2591</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2685">bz#2685</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow ssh to use certificates accompanied by a private key
|
||
|
file but no corresponding plain *.pub public key. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2617">bz#2617</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: When updating hostkeys using the UpdateHostKeys option,
|
||
|
accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
|
||
|
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
|
||
|
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
|
||
|
method. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2650">bz#2650</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Detect and report excessively long configuration file
|
||
|
lines. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2651">bz#2651</a>
|
||
|
|
||
|
* Merge a number of fixes found by Coverity and reported via Redhat
|
||
|
and FreeBSD. Includes fixes for some memory and file descriptor
|
||
|
leaks in error paths. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2687">bz#2687</a>
|
||
|
|
||
|
* ssh-keyscan(1): Correctly hash hosts with a port number. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2692">bz#2692</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: When logging long messages to stderr, don't truncate
|
||
|
"\r\n" if the length of the message exceeds the buffer. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2688">bz#2688</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fully quote [host]:port in generated ProxyJump/-J command-
|
||
|
line; avoid confusion over IPv6 addresses and shells that treat
|
||
|
square bracket characters specially.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Fix corruption of known_hosts when running
|
||
|
"ssh-keygen -H" on a known_hosts containing already-hashed entries.
|
||
|
|
||
|
* Fix various fallout and sharp edges caused by removing SSH protocol
|
||
|
1 support from the server, including the server banner string being
|
||
|
incorrectly terminated with only \n (instead of \r\n), confusing
|
||
|
error messages from ssh-keyscan <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2583">bz#2583</a> and a segfault in sshd
|
||
|
if protocol v.1 was enabled for the client and sshd_config
|
||
|
contained references to legacy keys <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2686">bz#2686</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Free fd_set on connection timeout. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2683">bz#2683</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix Unix domain socket forwarding for root (regression in
|
||
|
OpenSSH 7.4).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Fix division by zero crash in "df" output when server
|
||
|
returns zero total filesystem blocks/inodes.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Translate OpenSSL errors
|
||
|
encountered during key loading to more meaningful error codes.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2522">bz#2522</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2523">bz#2523</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Sanitise escape sequences in key comments sent to
|
||
|
printf but preserve valid UTF-8 when the locale supports it;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2520">bz#2520</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Return reason for port forwarding failures where
|
||
|
feasible rather than always "administratively prohibited". <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2674">bz#2674</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix deadlock when AuthorizedKeysCommand or
|
||
|
AuthorizedPrincipalsCommand produces a lot of output and a key is
|
||
|
matched early. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2655">bz#2655</a>
|
||
|
|
||
|
* Regression tests: several reliability fixes. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2654">bz#2654</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2658">bz#2658</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2659">bz#2659</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix typo in ~C error message for bad port forward
|
||
|
cancellation. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2672">bz#2672</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Show a useful error message when included config files
|
||
|
can't be opened; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2653">bz#2653</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
|
||
|
(previously incorrectly) advertised. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2637">bz#2637</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: Repair accidentally-deleted mention of %k token
|
||
|
in AuthorizedKeysCommand; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2656">bz#2656</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove vestiges of previously removed LOGIN_PROGRAM; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2665">bz#2665</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: Relax PKCS#11 whitelist to include libexec and
|
||
|
common 32-bit compatibility library directories.
|
||
|
|
||
|
* sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
|
||
|
response handling.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: Fix regression in 7.4 of deleting PKCS#11-hosted
|
||
|
keys. It was not possible to delete them except by specifying
|
||
|
their full physical path. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2682">bz#2682</a>
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Avoid sandbox errors for Linux S390 systems using an ICA
|
||
|
crypto coprocessor.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix non-exploitable weakness in seccomp-bpf sandbox arg
|
||
|
inspection.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix X11 forwarding on OSX where X11 was being started by
|
||
|
launchd. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2341">bz#2341</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Fix output truncation for various that
|
||
|
contain non-printable characters where the codeset in use is ASCII.
|
||
|
|
||
|
* build: Fix builds that attempt to link a kerberised libldns. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2603">bz#2603</a>
|
||
|
|
||
|
* build: Fix compilation problems caused by unconditionally defining
|
||
|
_XOPEN_SOURCE in wide character detection.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix sandbox violations for clock_gettime VSDO syscall
|
||
|
fallback on some Linux/X32 kernels. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2142">bz#2142</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.5.tar.gz">openssh-7.5.tar.gz</a>) = 81384df377e38551f7659a4c250383d0bbd25341
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz">openssh-7.5p1.tar.gz</a>) = 5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
|
||
|
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.5.tar.gz">openssh-7.5.tar.gz</a>) = Gmk8jOdGdKa7NixUN5J+bTMfeum5Vx8Nv+leAdQNq3U=
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz">openssh-7.5p1.tar.gz</a>) = mEbjxfq58FR0ALTSwBeZL5FCIrP9H47ubH3GvF5Z+fA=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
|
||
|
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
|
||
|
Tim Rice and Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.4" id="7.4">OpenSSH 7.4</a>/<a href="txt/release-7.4" id="7.4p1">7.4p1</a> (2016-12-19)</h3>
|
||
|
<pre>OpenSSH 7.4 was released on 2016-12-19. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols
|
||
|
that may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
We plan on retiring more legacy cryptography in future releases,
|
||
|
specifically:
|
||
|
|
||
|
* In approximately August 2017, removing remaining support for the
|
||
|
SSH v.1 protocol (client-only and currently compile-time disabled).
|
||
|
|
||
|
* In the same release, removing support for Blowfish and RC4 ciphers
|
||
|
and the RIPE-MD160 HMAC. (These are currently run-time disabled).
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum
|
||
|
is 768 bits)
|
||
|
|
||
|
* The next release of OpenSSH will remove support for running <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
|
||
|
with privilege separation disabled.
|
||
|
|
||
|
* The next release of portable OpenSSH will remove support for
|
||
|
OpenSSL version prior to 1.0.1.
|
||
|
|
||
|
This list reflects our current intentions, but please check the final
|
||
|
release notes for future releases.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* This release removes server support for the SSH v.1 protocol.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Remove 3des-cbc from the client's default proposal. 64-bit
|
||
|
block ciphers are not safe in 2016 and we don't want to wait until
|
||
|
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
|
||
|
only mandatory cipher in the SSH RFCs, this may cause problems
|
||
|
connecting to older devices using the default configuration,
|
||
|
but it's highly likely that such devices already need explicit
|
||
|
configuration for key exchange and hostkey algorithms already
|
||
|
anyway.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove support for pre-authentication compression.
|
||
|
Doing compression early in the protocol probably seemed reasonable
|
||
|
in the 1990s, but today it's clearly a bad idea in terms of both
|
||
|
cryptography (cf. multiple compression oracle attacks in TLS) and
|
||
|
attack surface. Pre-auth compression support has been disabled by
|
||
|
default for >10 years. Support remains in the client.
|
||
|
|
||
|
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist
|
||
|
of trusted paths by default. The path whitelist may be specified
|
||
|
at run-time.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: When a forced-command appears in both a certificate and
|
||
|
an authorized keys/principals command= restriction, sshd will now
|
||
|
refuse to accept the certificate unless they are identical.
|
||
|
The previous (documented) behaviour of having the certificate
|
||
|
forced-command override the other could be a bit confusing and
|
||
|
error-prone.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove the UseLogin configuration directive and support
|
||
|
for having /bin/login manage login sessions.
|
||
|
|
||
|
Changes since OpenSSH 7.3
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: Will now refuse to load PKCS#11 modules from paths
|
||
|
outside a trusted whitelist (run-time configurable). Requests to
|
||
|
load modules could be passed via agent forwarding and an attacker
|
||
|
could attempt to load a hostile PKCS#11 module across the forwarded
|
||
|
agent channel: PKCS#11 modules are shared libraries, so this would
|
||
|
result in code execution on the system running the ssh-agent if the
|
||
|
attacker has control of the forwarded agent-socket (on the host
|
||
|
running the sshd server) and the ability to write to the filesystem
|
||
|
of the host running ssh-agent (usually the host running the ssh
|
||
|
client). Reported by Jann Horn of Project Zero.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: When privilege separation is disabled, forwarded Unix-
|
||
|
domain sockets would be created by <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> with the privileges of
|
||
|
'root' instead of the authenticated user. This release refuses
|
||
|
Unix-domain socket forwarding when privilege separation is disabled
|
||
|
(Privilege separation has been enabled by default for 14 years).
|
||
|
Reported by Jann Horn of Project Zero.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Avoid theoretical leak of host private key material to
|
||
|
privilege-separated child processes via realloc() when reading
|
||
|
keys. No such leak was observed in practice for normal-sized keys,
|
||
|
nor does a leak to the child processes directly expose key material
|
||
|
to unprivileged users. Reported by Jann Horn of Project Zero.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: The shared memory manager used by pre-authentication
|
||
|
compression support had a bounds checks that could be elided by
|
||
|
some optimising compilers. Additionally, this memory manager was
|
||
|
incorrectly accessible when pre-authentication compression was
|
||
|
disabled. This could potentially allow attacks against the
|
||
|
privileged monitor process from the sandboxed privilege-separation
|
||
|
process (a compromise of the latter would be required first).
|
||
|
This release removes support for pre-authentication compression
|
||
|
from <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. Reported by Guido Vranken using the Stack unstable
|
||
|
optimisation identification tool (<a href="http://css.csail.mit.edu/stack/">http://css.csail.mit.edu/stack/</a>)
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix denial-of-service condition where an attacker who
|
||
|
sends multiple KEXINIT messages may consume up to 128MB per
|
||
|
connection. Reported by Shi Lei of Gear Team, Qihoo 360.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Validate address ranges for AllowUser and DenyUsers
|
||
|
directives at configuration load time and refuse to accept invalid
|
||
|
ones. It was previously possible to specify invalid CIDR address
|
||
|
ranges (e.g. user@127.1.2.3/55) and these would always match,
|
||
|
possibly resulting in granting access where it was not intended.
|
||
|
Reported by Laurence Parry.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a proxy multiplexing mode to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> inspired by the
|
||
|
version in PuTTY by Simon Tatham. This allows a multiplexing
|
||
|
client to communicate with the master process using a subset of
|
||
|
the SSH packet and channels protocol over a Unix-domain socket,
|
||
|
with the main process acting as a proxy that translates channel
|
||
|
IDs, etc. This allows multiplexing mode to run on systems that
|
||
|
lack file- descriptor passing (used by current multiplexing
|
||
|
code) and potentially, in conjunction with Unix-domain socket
|
||
|
forwarding, with the client and multiplexing master process on
|
||
|
different machines. Multiplexing proxy mode may be invoked using
|
||
|
"ssh -O proxy ..."
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add a sshd_config DisableForwarding option that disables
|
||
|
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
|
||
|
as anything else we might implement in the future. Like the
|
||
|
'restrict' authorized_keys flag, this is intended to be a simple
|
||
|
and future-proof way of restricting an account.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Support the "curve25519-sha256" key exchange
|
||
|
method. This is identical to the currently-supported method named
|
||
|
"curve25519-sha256@libssh.org".
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Improve handling of SIGHUP by checking to see if sshd is
|
||
|
already daemonised at startup and skipping the call to daemon(3)
|
||
|
if it is. This ensures that a SIGHUP restart of <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> will
|
||
|
retain the same process-ID as the initial execution. <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> will
|
||
|
also now unlink the PidFile prior to SIGHUP restart and re-create
|
||
|
it after a successful restart, rather than leaving a stale file in
|
||
|
the case of a configuration error. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2641">bz#2641</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Allow ClientAliveInterval and ClientAliveCountMax
|
||
|
directives to appear in sshd_config Match blocks.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add %-escapes to AuthorizedPrincipalsCommand to match
|
||
|
those supported by AuthorizedKeysCommand (key, key type,
|
||
|
fingerprint, etc.) and a few more to provide access to the
|
||
|
contents of the certificate being offered.
|
||
|
|
||
|
* Added regression tests for string matching, address matching and
|
||
|
string sanitisation functions.
|
||
|
|
||
|
* Improved the key exchange fuzzer harness.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow IdentityFile to successfully load and use
|
||
|
certificates that have no corresponding bare public key. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2617">bz#2617</a>
|
||
|
certificate id_rsa-cert.pub (and no id_rsa.pub).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix public key authentication when multiple
|
||
|
authentication is in use and publickey is not just the first
|
||
|
method attempted. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2642">bz#2642</a>
|
||
|
|
||
|
* regress: Allow the PuTTY interop tests to run unattended. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2639">bz#2639</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: improve reporting when attempting to load
|
||
|
keys from PKCS#11 tokens with fewer useless log messages and more
|
||
|
detail in debug messages. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2610">bz#2610</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: When tearing down ControlMaster connections, don't
|
||
|
pollute stderr when LogLevel=quiet.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: On ^Z wait for underlying <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to suspend before
|
||
|
suspending <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> to ensure that <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> restores the terminal mode
|
||
|
correctly if suspended during a password prompt.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Avoid busy-wait when <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> is suspended during a password
|
||
|
prompt.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Correctly report errors during sending of ext-
|
||
|
info messages.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix NULL-deref crash if <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> received an out-of-
|
||
|
sequence NEWKEYS message.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Correct list of supported signature algorithms sent in
|
||
|
the server-sig-algs extension. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2547">bz#2547</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix sending ext_info message if privsep is disabled.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: more strictly enforce the expected ordering of privilege
|
||
|
separation monitor calls used for authentication and allow them
|
||
|
only when their respective authentication methods are enabled
|
||
|
in the configuration
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix uninitialised optlen in getsockopt() call; harmless
|
||
|
on Unix/BSD but potentially crashy on Cygwin.
|
||
|
|
||
|
* Fix false positive reports caused by explicit_bzero(3) not being
|
||
|
recognised as a memory initialiser when compiled with
|
||
|
-fsanitize-memory.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: Use 2001:db8::/32, the official IPv6 subnet for
|
||
|
configuration examples.
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* On environments configured with Turkish locales, fall back to the
|
||
|
C/POSIX locale to avoid errors in configuration parsing caused by
|
||
|
that locale's unique handling of the letters 'i' and 'I'. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2643">bz#2643</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: Deny ptrace on OS X using
|
||
|
ptrace(PT_DENY_ATTACH, ..)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
|
||
|
|
||
|
* Fix compilation for libcrypto compiled without RIPEMD160 support.
|
||
|
|
||
|
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2640">bz#2640</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Improve PRNG reseeding across privilege separation and
|
||
|
force libcrypto to obtain a high-quality seed before chroot or
|
||
|
sandboxing.
|
||
|
|
||
|
* All: Explicitly test for broken strnvis. NetBSD added an strnvis
|
||
|
and unfortunately made it incompatible with the existing one in
|
||
|
OpenBSD and Linux's libbsd (the former having existed for over ten
|
||
|
years). Try to detect this mess, and assume the only safe option
|
||
|
if we're cross compiling.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.4.tar.gz">openssh-7.4.tar.gz</a>) = 1e2073f95d5ead8f2814b4b6c0700bcd533c410f
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz">openssh-7.4p1.tar.gz</a>) = 2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
|
||
|
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.4.tar.gz">openssh-7.4.tar.gz</a>) = +GEXh7Xr2J87cq1uA97hF9e+3lfOQ2LKxXGdmFXREf0
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz">openssh-7.4p1.tar.gz</a>) = Gx/EoU4gJCkxgZJO0khy5vLgYpPz6JJqN2uK7EgfGdE=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
|
||
|
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
|
||
|
Tim Rice and Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.3" id="7.3">OpenSSH 7.3</a>/<a href="txt/release-7.3" id="7.3p1">7.3p1</a> (2016-08-01)</h3>
|
||
|
<pre>OpenSSH 7.3 was released on 2016-08-01. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols
|
||
|
that may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
We plan on retiring more legacy cryptography in a near-future
|
||
|
release, specifically:
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum
|
||
|
is 768 bits)
|
||
|
* Removing server-side support for the SSH v.1 protocol (currently
|
||
|
compile-time disabled).
|
||
|
* In approximately 1 year, removing all support for the SSH v.1
|
||
|
protocol (currently compile-time disabled).
|
||
|
|
||
|
This list reflects our current intentions, but please check the final
|
||
|
release notes for future releases.
|
||
|
|
||
|
Changes since OpenSSH 7.2
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Mitigate a potential denial-of-service attack against
|
||
|
the system's crypt(3) function via <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. An attacker could
|
||
|
send very long passwords that would cause excessive CPU use in
|
||
|
crypt(3). <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now refuses to accept password authentication
|
||
|
requests of length greater than 1024 characters. Independently
|
||
|
reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Mitigate timing differences in password authentication
|
||
|
that could be used to discern valid from invalid account names
|
||
|
when long passwords were sent and particular password hashing
|
||
|
algorithms are in use on the server. CVE-2016-6210, reported by
|
||
|
EddieEzra.Harari at verint.com
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix observable timing weakness in the CBC padding
|
||
|
oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
|
||
|
Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
|
||
|
are disabled by default and only included for legacy compatibility.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Improve operation ordering of MAC verification for
|
||
|
Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
|
||
|
MAC before decrypting any ciphertext. This removes the possibility
|
||
|
of timing differences leaking facts about the plaintext, though no
|
||
|
such leakage has been observed. Reported by Jean Paul Degabriele,
|
||
|
Kenny Paterson, Torben Hansen and Martin Albrecht.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: (portable only) Ignore PAM environment vars when
|
||
|
UseLogin=yes. If PAM is configured to read user-specified
|
||
|
environment variables and UseLogin=yes in sshd_config, then a
|
||
|
hostile local user may attack /bin/login via LD_PRELOAD or
|
||
|
similar environment variables set via PAM. CVE-2015-8325,
|
||
|
found by Shayan Sadigh.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a ProxyJump option and corresponding -J command-line
|
||
|
flag to allow simplified indirection through a one or more SSH
|
||
|
bastions or "jump hosts".
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add an IdentityAgent option to allow specifying specific
|
||
|
agent sockets instead of accepting one from the environment.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow ExitOnForwardFailure and ClearAllForwardings to be
|
||
|
optionally overridden when using ssh -W. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2577">bz#2577</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Implement support for the IUTF8 terminal mode as
|
||
|
per draft-sgtatham-secsh-iutf8-00.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add support for additional fixed Diffie-Hellman
|
||
|
2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: support SHA256 and SHA512 RSA
|
||
|
signatures in certificates;
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add an Include directive for <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> files.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Permit UTF-8 characters in pre-authentication banners sent
|
||
|
from the server. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2058">bz#2058</a>
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Reduce the syslog level of some relatively common
|
||
|
protocol events from LOG_CRIT. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2585">bz#2585</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Refuse AuthenticationMethods="" in configurations and
|
||
|
accept AuthenticationMethods=any for the default behaviour of not
|
||
|
requiring multiple authentication. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2398">bz#2398</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove obsolete and misleading "POSSIBLE BREAK-IN
|
||
|
ATTEMPT!" message when forward and reverse DNS don't match. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2585">bz#2585</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Close ControlPersist background process stderr except
|
||
|
in debug mode or when logging to syslog. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1988">bz#1988</a>
|
||
|
|
||
|
* misc: Make PROTOCOL description for direct-streamlocal@openssh.com
|
||
|
channel open messages match deployed code. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2529">bz#2529</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Deduplicate LocalForward and RemoteForward entries to fix
|
||
|
failures when both ExitOnForwardFailure and hostname
|
||
|
canonicalisation are enabled. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2562">bz#2562</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove fallback from moduli to obsolete "primes" file
|
||
|
that was deprecated in 2001. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2559">bz#2559</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: Correct description of UseDNS: it affects ssh
|
||
|
hostname processing for authorized_keys, not known_hosts; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2554">bz#2554</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix authentication using lone certificate keys in an agent
|
||
|
without corresponding private keys on the filesystem. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2550">bz#2550</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Send ClientAliveInterval pings when a time-based
|
||
|
RekeyLimit is set; previously keepalive packets were not being
|
||
|
sent. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2252">bz#2252</a>
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix compilation by automatically disabling ciphers
|
||
|
not supported by OpenSSL. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2466">bz#2466</a>
|
||
|
|
||
|
* misc: Fix compilation failures on some versions of AIX's compiler
|
||
|
related to the definition of the VA_COPY macro. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2589">bz#2589</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Whitelist more architectures to enable the seccomp-bpf
|
||
|
sandbox. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2590">bz#2590</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: Disable process tracing on Solaris
|
||
|
using setpflags(__PROC_PROTECT, ...). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2584">bz#2584</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: On Solaris, don't call Solaris setproject() with
|
||
|
UsePAM=yes it's PAM's responsibility. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2425">bz#2425</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.3.tar.gz">openssh-7.3.tar.gz</a>) = b1641e5265d9ec68a9a19decc3a7edd1203cbd33
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.3.tar.gz">openssh-7.3.tar.gz</a>) = vS0X35qrX9OOPBkyDMYhOje/DBwHBVEV7nv5rkzw4vM=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz">openssh-7.3p1.tar.gz</a>) = bfade84283fcba885e2084343ab19a08c7d123a5
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz">openssh-7.3p1.tar.gz</a>) = P/uYmm3KppWUw7VQ1IVaWi4XGMzd5/XjY4e0JCIPvsw=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
|
||
|
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
|
||
|
Tim Rice and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.2p2" id="7.2p2">OpenSSH 7.2p2</a> (2016-03-10)</h3>
|
||
|
<pre>Portable OpenSSH 7.2p2 was released on 2016-03-10. It will be available
|
||
|
from the mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols that
|
||
|
may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for
|
||
|
their continued support of the project, especially those who
|
||
|
contributed code or patches, reported bugs, tested snapshots or
|
||
|
donated to the project. More information on donations may be found
|
||
|
at: <a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 7.2p1
|
||
|
===========================
|
||
|
|
||
|
This release fixes a security bug:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: sanitise X11 authentication credentials to avoid xauth
|
||
|
command injection when X11Forwarding is enabled.
|
||
|
|
||
|
Full details of the vulnerability are available at:
|
||
|
<a href="http://www.openssh.com/txt/x11fwd.adv">http://www.openssh.com/txt/x11fwd.adv</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p2.tar.gz">openssh-7.2p2.tar.gz</a>) = 70e35d7d6386fe08abbd823b3a12a3ca44ac6d38
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p2.tar.gz">openssh-7.2p2.tar.gz</a>) = pyeB0aBDh2oiT/GwAy2qQJTYdWWmhSh1nBwsq1SCVIw=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
|
||
|
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
|
||
|
Tim Rice and Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.2" id="7.2">OpenSSH 7.2</a>/<a href="txt/release-7.2" id="7.2p1">7.2p1</a> (2016-02-29)</h3>
|
||
|
<pre>OpenSSH 7.2 was released on 2016-02-29. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols
|
||
|
that may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
We plan on retiring more legacy cryptography in a near-future
|
||
|
release, specifically:
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum
|
||
|
is 768 bits)
|
||
|
|
||
|
This list reflects our current intentions, but please check the final
|
||
|
release notes for future releases.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
================================
|
||
|
|
||
|
This release disables a number of legacy cryptographic algorithms
|
||
|
by default in ssh:
|
||
|
|
||
|
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
|
||
|
and the rijndael-cbc aliases for AES.
|
||
|
|
||
|
* MD5-based and truncated HMAC algorithms.
|
||
|
|
||
|
These algorithms are already disabled by default in sshd.
|
||
|
|
||
|
Changes since OpenSSH 7.1p2
|
||
|
===========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove unfinished and unused roaming code (was
|
||
|
already forcibly disabled in OpenSSH 7.1p2).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: eliminate fallback from untrusted X11 forwarding to
|
||
|
trusted forwarding when the X server disables the SECURITY
|
||
|
extension.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: increase the minimum modulus size supported for
|
||
|
diffie-hellman-group-exchange to 2048 bits.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: pre-auth sandboxing is now enabled by default (previous
|
||
|
releases enabled it for new installations via sshd_config).
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* all: add support for RSA signatures using SHA-256/512 hash
|
||
|
algorithms based on draft-rsa-dsa-sha2-256-03.txt and
|
||
|
draft-ssh-ext-info-04.txt.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add an AddKeysToAgent client option which can be set to
|
||
|
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
|
||
|
enabled, a private key that is used during authentication will be
|
||
|
added to ssh-agent if it is running (with confirmation enabled if
|
||
|
set to 'confirm').
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a new authorized_keys option "restrict" that includes
|
||
|
all current and future key restrictions (no-*-forwarding, etc.).
|
||
|
Also add permissive versions of the existing restrictions, e.g.
|
||
|
"no-pty" -> "pty". This simplifies the task of setting up
|
||
|
restricted keys and ensures they are maximally-restricted,
|
||
|
regardless of any permissions we might implement in the future.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add ssh_config CertificateFile option to explicitly list
|
||
|
certificates. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2436">bz#2436</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow ssh-keygen to change the key comment for all
|
||
|
supported formats.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow fingerprinting from standard input, e.g.
|
||
|
"ssh-keygen -lf -"
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow fingerprinting multiple public keys in a
|
||
|
file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1319">bz#1319</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: support "none" as an argument for sshd_config
|
||
|
Foreground and ChrootDirectory. Useful inside Match blocks to
|
||
|
override a global default. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2486">bz#2486</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: support multiple certificates (one per line) and
|
||
|
reading from standard input (using "-f -") for "ssh-keygen -L"
|
||
|
|
||
|
* ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
|
||
|
certificates instead of plain keys.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
|
||
|
hostname canonicalisation - treat them as already canonical and
|
||
|
remove the trailing '.' before matching ssh_config.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: existing destination directories should not terminate
|
||
|
recursive uploads (regression in openssh 6.8) <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2528">bz#2528</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: correctly send back SSH2_MSG_UNIMPLEMENTED
|
||
|
replies to unexpected messages during key exchange. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2949">bz#2949</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: refuse attempts to set ConnectionAttempts=0, which does
|
||
|
not make sense and would cause ssh to print an uninitialised stack
|
||
|
variable. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2500">bz#2500</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix errors when attempting to connect to scoped IPv6
|
||
|
addresses with hostname canonicalisation enabled.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: list a couple more options usable in Match blocks.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2489">bz#2489</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: expand tilde characters in filenames passed to -i options
|
||
|
before checking whether or not the identity file exists. Avoids
|
||
|
confusion for cases where shell doesn't expand (e.g. "-i ~/file"
|
||
|
vs. "-i~/file"). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2481">bz#2481</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: do not prepend "exec" to the shell command run by "Match
|
||
|
exec" in a config file, which could cause some commands to fail
|
||
|
in certain environments. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2471">bz#2471</a>
|
||
|
|
||
|
* ssh-keyscan(1): fix output for multiple hosts/addrs on one line
|
||
|
when host hashing or a non standard port is in use <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2479">bz#2479</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: skip "Could not chdir to home directory" message when
|
||
|
ChrootDirectory is active. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2485">bz#2485</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: include PubkeyAcceptedKeyTypes in ssh -G config dump.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid changing TunnelForwarding device flags if they are
|
||
|
already what is needed; makes it possible to use tun/tap
|
||
|
networking as non-root user if device permissions and interface
|
||
|
flags are pre-established
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: RekeyLimits could be exceeded by one packet.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2521">bz#2521</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix multiplexing master failure to notice client exit.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: avoid fatal() for PKCS11 tokens that present
|
||
|
empty key IDs. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1773">bz#1773</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid printf of NULL argument. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2535">bz#2535</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow RekeyLimits larger than 4GB. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2521">bz#2521</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix several bugs in (unused) KRL signature
|
||
|
support.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix connections with peers that use the key
|
||
|
exchange guess feature of the protocol. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2515">bz#2515</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: include remote port number in log messages. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2503">bz#2503</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: don't try to load SSHv1 private key when compiled without
|
||
|
SSHv1 support. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2505">bz#2505</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix incorrect error messages during key
|
||
|
loading and signing errors. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2507">bz#2507</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: don't leave empty temporary files when performing
|
||
|
known_hosts file edits when known_hosts doesn't exist.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: correct packet format for tcpip-forward replies for
|
||
|
requests that don't allocate a port <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2509">bz#2509</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix possible hang on closed output. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2469">bz#2469</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: expand %i in ControlPath to UID. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2449">bz#2449</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix return type of openssh_RSA_verify. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2460">bz#2460</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix some option parsing memory leaks. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2182">bz#2182</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add a some debug output before DNS resolution; it's a
|
||
|
place where ssh could previously silently stall in cases of
|
||
|
unresponsive DNS servers. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2433">bz#2433</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: remove spurious newline in visual hostkey. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2686">bz#2686</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix printing (ssh -G ...) of HostKeyAlgorithms=+...
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix expansion of HostkeyAlgorithms=+...
|
||
|
|
||
|
Documentation
|
||
|
-------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>, <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: update default algorithm lists to
|
||
|
match current reality. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2527">bz#2527</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: mention -Q key-plain and -Q key-cert query options.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2455">bz#2455</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.8">sshd_config(8)</a>: more clearly describe what AuthorizedKeysFile=none
|
||
|
does.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>: better document ExitOnForwardFailure. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2444">bz#2444</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.5">sshd(5)</a>: mention internal DH-GEX fallback groups in manual.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2302">bz#2302</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: better description for MaxSessions option.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2531">bz#2531</a>
|
||
|
|
||
|
Portability
|
||
|
-----------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Support Illumos/
|
||
|
Solaris fine-grained privileges. Including a pre-auth privsep
|
||
|
sandbox and several pledge() emulations. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2511">bz#2511</a>
|
||
|
|
||
|
* Renovate redhat/openssh.spec, removing deprecated options and
|
||
|
syntax.
|
||
|
|
||
|
* configure: allow --without-ssl-engine with --without-openssl
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix multiple authentication using S/Key. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2502">bz#2502</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: read back from libcrypto RAND_* before dropping
|
||
|
privileges. Avoids sandboxing violations with BoringSSL.
|
||
|
|
||
|
* Fix name collision with system-provided glob(3) functions.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2463">bz#2463</a>
|
||
|
|
||
|
* Adapt Makefile to use ssh-keygen -A when generating host keys.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2459">bz#2459</a>
|
||
|
|
||
|
* configure: correct default value for --with-ssh1 <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2457">bz#2457</a>
|
||
|
|
||
|
* configure: better detection of _res symbol <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2259">bz#2259</a>
|
||
|
|
||
|
* support getrandom() syscall on Linux
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.2.tar.gz">openssh-7.2.tar.gz</a>) = 9567d00fffe655010c087aeb80c830cecbbecca6
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.2.tar.gz">openssh-7.2.tar.gz</a>) = 99GsHA8NwSGuEJhMc7hAOQ510y1xfGx27uJqyw73sCI=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz">openssh-7.2p1.tar.gz</a>) = d30a6fd472199ab5838a7668c0c5fd885fb8d371
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz">openssh-7.2p1.tar.gz</a>) = lzzDey81l+TPWZsJ5gTnnA/l2bb1laJOke0GYoYLSsM=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
|
||
|
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
|
||
|
Tim Rice and Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.1p2" id="7.1p2">OpenSSH 7.1p2</a> (2016-01-14)</h3>
|
||
|
<pre>OpenSSH 7.1p2 was released on 2016-01-14. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols
|
||
|
that may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 7.1p1
|
||
|
===========================
|
||
|
|
||
|
* SECURITY: <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: The OpenSSH client code between 5.4 and 7.1
|
||
|
contains experimental support for resuming SSH-connections (roaming).
|
||
|
|
||
|
The matching server code has never been shipped, but the client
|
||
|
code was enabled by default and could be tricked by a malicious
|
||
|
server into leaking client memory to the server, including private
|
||
|
client user keys.
|
||
|
|
||
|
The authentication of the server host key prevents exploitation
|
||
|
by a man-in-the-middle, so this information leak is restricted
|
||
|
to connections to malicious or compromised servers.
|
||
|
|
||
|
MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client
|
||
|
can be completely disabled by adding 'UseRoaming no' to the gobal
|
||
|
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> file, or to user configuration in ~/.ssh/config,
|
||
|
or by passing -oUseRoaming=no on the command line.
|
||
|
|
||
|
PATCH: See below for a patch to disable this feature (Disabling
|
||
|
Roaming in the Source Code).
|
||
|
|
||
|
This problem was reported by the Qualys Security Advisory team.
|
||
|
|
||
|
* SECURITY: Fix an out of-bound read access in the packet handling
|
||
|
code. Reported by Ben Hawkes.
|
||
|
|
||
|
* PROTOCOL: Correctly interpret the 'first_kex_follows' option during
|
||
|
the intial key exchange. Reported by Matt Johnston.
|
||
|
|
||
|
* Further use of explicit_bzero has been added in various buffer
|
||
|
handling code paths to guard against compilers aggressively
|
||
|
doing dead-store removal.
|
||
|
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p2.tar.gz">openssh-7.1p2.tar.gz</a>) = 9202f5a2a50c8a55ecfb830609df1e1fde97f758
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p2.tar.gz">openssh-7.1p2.tar.gz</a>) = dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
Disabling Roaming in the Source Code:
|
||
|
=====================================
|
||
|
|
||
|
--- readconf.c 30 Jul 2015 00:01:34 -0000 1.239
|
||
|
+++ readconf.c 13 Jan 2016 23:17:23 -0000
|
||
|
@@ -1648,7 +1648,7 @@ initialize_options(Options * options)
|
||
|
options->tun_remote = -1;
|
||
|
options->local_command = NULL;
|
||
|
options->permit_local_command = -1;
|
||
|
- options->use_roaming = -1;
|
||
|
+ options->use_roaming = 0;
|
||
|
options->visual_host_key = -1;
|
||
|
options->ip_qos_interactive = -1;
|
||
|
options->ip_qos_bulk = -1;
|
||
|
@@ -1819,8 +1819,7 @@ fill_default_options(Options * options)
|
||
|
options->tun_remote = SSH_TUNID_ANY;
|
||
|
if (options->permit_local_command == -1)
|
||
|
options->permit_local_command = 0;
|
||
|
- if (options->use_roaming == -1)
|
||
|
- options->use_roaming = 1;
|
||
|
+ options->use_roaming = 0;
|
||
|
if (options->visual_host_key == -1)
|
||
|
options->visual_host_key = 0;
|
||
|
if (options->ip_qos_interactive == -1)
|
||
|
--- ssh.c 30 Jul 2015 00:01:34 -0000 1.420
|
||
|
+++ ssh.c 13 Jan 2016 23:17:23 -0000
|
||
|
@@ -1882,9 +1882,6 @@ ssh_session2(void)
|
||
|
fork_postauth();
|
||
|
}
|
||
|
|
||
|
- if (options.use_roaming)
|
||
|
- request_roaming();
|
||
|
-
|
||
|
return client_loop(tty_flag, tty_flag ?
|
||
|
options.escape_char : SSH_ESCAPECHAR_NONE, id);
|
||
|
}
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.1" id="7.1">OpenSSH 7.1</a>/<a href="txt/release-7.1" id="7.1p1">7.1p1</a> (2015-08-21)</h3>
|
||
|
<pre>OpenSSH 7.1 was released on 2015-08-21. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols
|
||
|
that may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
We plan on retiring more legacy cryptography in the next release
|
||
|
including:
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum
|
||
|
is 768 bits)
|
||
|
|
||
|
* Several ciphers will be disabled by default: blowfish-cbc,
|
||
|
cast128-cbc, all arcfour variants and the rijndael-cbc aliases
|
||
|
for AES.
|
||
|
|
||
|
* MD5-based HMAC algorithms will be disabled by default.
|
||
|
|
||
|
This list reflects our current intentions, but please check the final
|
||
|
release notes for OpenSSH 7.2 when it is released.
|
||
|
|
||
|
Changes since OpenSSH 7.0
|
||
|
=========================
|
||
|
|
||
|
This is a bugfix release.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: OpenSSH 7.0 contained a logic error in PermitRootLogin=
|
||
|
prohibit-password/without-password that could, depending on
|
||
|
compile-time configuration, permit password authentication to
|
||
|
root while preventing other forms of authentication. This problem
|
||
|
was reported by Mantas Mikulenas.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add compatibility workarounds for FuTTY
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: refine compatibility workarounds for WinSCP
|
||
|
|
||
|
* Fix a number of memory faults (double-free, free of uninitialised
|
||
|
memory, etc) in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>. Reported by Mateusz
|
||
|
Kocielski.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.1.tar.gz">openssh-7.1.tar.gz</a>) = 06c1db39f33831fe004726e013b2cf84f1889042
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.1.tar.gz">openssh-7.1.tar.gz</a>) = H7U1se9EoBmhkKi2i7lqpMX9QHdDTsgpu7kd5VZUGSY=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p1.tar.gz">openssh-7.1p1.tar.gz</a>) = ed22af19f962262c493fcc6ed8c8826b2761d9b6
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p1.tar.gz">openssh-7.1p1.tar.gz</a>) = /AptLR0GPVxm3/2VJJPQzaJWytIE9oHeD4TvhbKthCg=
|
||
|
|
||
|
Please note that the SHA256 signatures are base64 encoded and not
|
||
|
hexadecimal (which is the default for most checksum tools). The PGP
|
||
|
key used to sign the releases is available as RELEASE_KEY.asc from
|
||
|
the mirror sites.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-7.0" id="7.0">OpenSSH 7.0</a>/<a href="txt/release-7.0" id="7.0p1">7.0p1</a> (2015-08-11)</h3>
|
||
|
<pre>OpenSSH 7.0 was released on 2015-08-11. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
|
||
|
includes sftp client and server support. OpenSSH also includes
|
||
|
transitional support for the legacy SSH 1.3 and 1.5 protocols
|
||
|
that may be enabled at compile-time.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future deprecation notice
|
||
|
=========================
|
||
|
|
||
|
We plan on retiring more legacy cryptography in the next release
|
||
|
including:
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum
|
||
|
is 768 bits)
|
||
|
|
||
|
* Several ciphers will be disabled by default: blowfish-cbc,
|
||
|
cast128-cbc, all arcfour variants and the rijndael-cbc aliases
|
||
|
for AES.
|
||
|
|
||
|
* MD5-based HMAC algorithms will be disabled by default.
|
||
|
|
||
|
This list reflects our current intentions, but please check the final
|
||
|
release notes for OpenSSH 7.1 when it is released.
|
||
|
|
||
|
Changes since OpenSSH 6.9
|
||
|
=========================
|
||
|
|
||
|
This focus of this release is primarily to deprecate weak, legacy
|
||
|
and/or unsafe cryptography.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
|
||
|
writable. Local attackers may be able to write arbitrary messages
|
||
|
to logged-in users, including terminal escape sequences.
|
||
|
Reported by Nikolay Edigaryev.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Portable OpenSSH only: Fixed a privilege separation
|
||
|
weakness related to PAM support. Attackers who could successfully
|
||
|
compromise the pre-authentication process for remote code
|
||
|
execution and who had valid credentials on the host could
|
||
|
impersonate other users. Reported by Moritz Jodeit.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Portable OpenSSH only: Fixed a use-after-free bug
|
||
|
related to PAM support that was reachable by attackers who could
|
||
|
compromise the pre-authentication process for remote code
|
||
|
execution. Also reported by Moritz Jodeit.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix circumvention of MaxAuthTries using keyboard-
|
||
|
interactive authentication. By specifying a long, repeating
|
||
|
keyboard-interactive "devices" string, an attacker could request
|
||
|
the same authentication method be tried thousands of times in
|
||
|
a single pass. The LoginGraceTime timeout in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and any
|
||
|
authentication failure delays implemented by the authentication
|
||
|
mechanism itself were still applied. Found by Kingcope.
|
||
|
|
||
|
Potentially-incompatible Changes
|
||
|
--------------------------------
|
||
|
|
||
|
* Support for the legacy SSH version 1 protocol is disabled by
|
||
|
default at compile time.
|
||
|
|
||
|
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
|
||
|
is disabled by default at run-time. It may be re-enabled using
|
||
|
the instructions at <a href="http://www.openssh.com/legacy.html">http://www.openssh.com/legacy.html</a>
|
||
|
|
||
|
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
|
||
|
by default at run-time. These may be re-enabled using the
|
||
|
instructions at <a href="http://www.openssh.com/legacy.html">http://www.openssh.com/legacy.html</a>
|
||
|
|
||
|
* Support for the legacy v00 cert format has been removed.
|
||
|
|
||
|
* The default for the <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> PermitRootLogin option has
|
||
|
changed from "yes" to "prohibit-password".
|
||
|
|
||
|
* PermitRootLogin=without-password/prohibit-password now bans all
|
||
|
interactive authentication methods, allowing only public-key,
|
||
|
hostbased and GSSAPI authentication (previously it permitted
|
||
|
keyboard-interactive and password-less authentication if those
|
||
|
were enabled).
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>: add PubkeyAcceptedKeyTypes option to control which
|
||
|
public key types are available for user authentication.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: add HostKeyAlgorithms option to control which
|
||
|
public key types are offered for host authentications.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: extend Ciphers, MACs, KexAlgorithms,
|
||
|
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
|
||
|
options to allow appending to the default set of algorithms
|
||
|
instead of replacing it. Options may now be prefixed with a '+'
|
||
|
to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: PermitRootLogin now accepts an argument of
|
||
|
'prohibit-password' as a less-ambiguous synonym of 'without-
|
||
|
password'.
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add compatability workarounds for Cisco and more
|
||
|
PuTTY versions. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2424">bz#2424</a>
|
||
|
|
||
|
* Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
|
||
|
documentation relating to Unix domain socket forwarding;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2421">bz#2421</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2422">bz#2422</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Improve the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> manual page to include a better
|
||
|
description of Unix domain socket forwarding; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2423">bz#2423</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: skip uninitialised PKCS#11 slots, fixing
|
||
|
failures to load keys when they are present. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2427">bz#2427</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: do not ignore PKCS#11 hosted keys that wth
|
||
|
empty CKA_ID; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2429">bz#2429</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: clarify documentation for UseDNS option; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2045">bz#2045</a>
|
||
|
|
||
|
Portable OpenSSH
|
||
|
----------------
|
||
|
|
||
|
* Check realpath(3) behaviour matches what sftp-server requires and
|
||
|
use a replacement if necessary.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.0.tar.gz">openssh-7.0.tar.gz</a>) = a19ff0bad2a67348b1d01a38a9580236120b7099
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.0.tar.gz">openssh-7.0.tar.gz</a>) = 4F6HV/ZqT465f3sMB2vIkXO+wrYtL5hnqzAymfbZ1Jk=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.0p1.tar.gz">openssh-7.0p1.tar.gz</a>) = d8337c9eab91d360d104f6dd805f8b32089c063c
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.0p1.tar.gz">openssh-7.0p1.tar.gz</a>) = /VkySToZ9MgRU9gS7k4EK0m707dZqz2TRKvswrwUheU=
|
||
|
|
||
|
Please note that the PGP key used to sign releases was recently rotated.
|
||
|
The new key has been signed by the old key to provide continuity. It is
|
||
|
available from the mirror sites as RELEASE_KEY.asc.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.9" id="6.9">OpenSSH 6.9</a>/<a href="txt/release-6.9" id="6.9p1">6.9p1</a> (2015-07-01)</h3>
|
||
|
<pre>
|
||
|
OpenSSH 6.9 was released on 2015-07-01. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Future Deprecation Notice
|
||
|
=========================
|
||
|
|
||
|
The 7.0 release of OpenSSH, due for release in late July, will
|
||
|
deprecate several features, some of which may affect compatibility
|
||
|
or existing configurations. The intended changes are as follows:
|
||
|
|
||
|
* The default for the <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> PermitRootLogin option will
|
||
|
change from "yes" to "no".
|
||
|
|
||
|
* Support for the legacy version 1.x of the SSH protocol will be
|
||
|
disabled at compile time by default.
|
||
|
|
||
|
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
|
||
|
will be run-time disabled by default.
|
||
|
|
||
|
* Support for ssh-dss, ssh-dss-cert-* host and user keys will be
|
||
|
run-time disabled by default.
|
||
|
|
||
|
* Support for the legacy v00 cert format will be removed
|
||
|
|
||
|
* Several ciphers will be disabled by default: blowfish-cbc,
|
||
|
cast128-cbc, all arcfour variants and the rijndael-cbc aliases
|
||
|
for AES
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum
|
||
|
is 768 bits)
|
||
|
|
||
|
This list reflects our current intentions, but please check the final
|
||
|
release notes for OpenSSH 7.0 when it is released.
|
||
|
|
||
|
Changes since OpenSSH 6.8
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
Security
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when forwarding X11 connections with ForwardX11Trusted=no,
|
||
|
connections made after ForwardX11Timeout expired could be permitted
|
||
|
and no longer subject to XSECURITY restrictions because of an
|
||
|
ineffective timeout check in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> coupled with "fail open"
|
||
|
behaviour in the X11 server when clients attempted connections with
|
||
|
expired credentials. This problem was reported by Jann Horn.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: fix weakness of agent locking (ssh-add -x) to
|
||
|
password guessing by implementing an increasing failure delay,
|
||
|
storing a salted hash of the password rather than the password
|
||
|
itself and using a timing-safe comparison function for verifying
|
||
|
unlock attempts. This problem was reported by Ryan Castellucci.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: promote chacha20-poly1305@openssh.com to be the
|
||
|
default cipher
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: support admin-specified arguments to AuthorizedKeysCommand;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2081">bz#2081</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add AuthorizedPrincipalsCommand that allows retrieving
|
||
|
authorized principals information from a subprocess rather than
|
||
|
a file.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: support PKCS#11 devices with external PIN
|
||
|
entry devices <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2240">bz#2240</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow GSSAPI host credential check to be relaxed for
|
||
|
multihomed hosts via GSSAPIStrictAcceptorCheck option; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=928">bz#928</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: support "ssh-keygen -lF hostname" to search
|
||
|
known_hosts and print key hashes rather than full keys.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: add -D flag to leave ssh-agent in foreground without
|
||
|
enabling debug mode; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2381">bz#2381</a>
|
||
|
|
||
|
Bugfixes
|
||
|
--------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
|
||
|
message and do not try to use it against some 3rd-party SSH
|
||
|
implementations that use it (older PuTTY, WinSCP).
|
||
|
|
||
|
* Many fixes for problems caused by compile-time deactivation of
|
||
|
SSH1 support (including <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2369">bz#2369</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: cap DH-GEX group size at 4Kbits for Cisco
|
||
|
implementations as some would fail when attempting to use group
|
||
|
sizes >4K; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2209">bz#2209</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix out-of-bound read in EscapeChar configuration option
|
||
|
parsing; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2396">bz#2396</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix application of PermitTunnel, LoginGraceTime,
|
||
|
AuthenticationMethods and StreamLocalBindMask options in Match
|
||
|
blocks
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: improve disconnection message on TCP reset;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2257">bz#2257</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: remove failed remote forwards established by muliplexing
|
||
|
from the list of active forwards; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2363">bz#2363</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: make parsing of authorized_keys "environment=" options
|
||
|
independent of PermitUserEnv being enabled; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2329">bz#2329</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix post-auth crash with permitopen=none; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2355">bz#2355</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: allow new-format private keys
|
||
|
to be encrypted with AEAD ciphers; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2366">bz#2366</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow ListenAddress, Port and AddressFamily configuration
|
||
|
options to appear in any order; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=86">bz#86</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: check for and reject missing arguments for VersionAddendum
|
||
|
and ForceCommand; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2281">bz#2281</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: don't treat unknown certificate extensions as
|
||
|
fatal; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2387">bz#2387</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: make stdout and stderr output consistent; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2325">bz#2325</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: mention missing DISPLAY environment in debug log when X11
|
||
|
forwarding requested; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1682">bz#1682</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: correctly record login when UseLogin is set; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=378">bz#378</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add some missing options to sshd -T output and fix output
|
||
|
of VersionAddendum and HostCertificate. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2346">bz#2346</a>
|
||
|
|
||
|
* Document and improve consistency of options that accept a "none"
|
||
|
argument" TrustedUserCAKeys, RevokedKeys (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2382">bz#2382</a>),
|
||
|
AuthorizedPrincipalsFile (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2288">bz#2288</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: include remote username in debug output; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2368">bz#2368</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid compatibility problem with some versions of Tera
|
||
|
Term, which would crash when they received the hostkeys notification
|
||
|
message (hostkeys-00@openssh.com)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: mention ssh-keygen -E as useful when comparing legacy MD5
|
||
|
host key fingerprints; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2332">bz#2332</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: clarify pseudo-terminal request behaviour and use make
|
||
|
manual language consistent; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1716">bz#1716</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: document that the TERM environment variable is not subject
|
||
|
to SendEnv and AcceptEnv; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2386">bz#2386</a>
|
||
|
|
||
|
Portable OpenSSH
|
||
|
----------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Format UsePAM setting when using sshd -T, part of <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2346">bz#2346</a>
|
||
|
|
||
|
* Look for '${host}-ar' before 'ar', making cross-compilation easier;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2352">bz#2352</a>.
|
||
|
|
||
|
* Several portable compilation fixes: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2402">bz#2402</a>, <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2337">bz#2337</a>, <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2370">bz#2370</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/moduli.5">moduli(5)</a>: update DH-GEX moduli
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.9.tar.gz">openssh-6.9.tar.gz</a>) = cd5fcb93411025bbc4b4b57753b622769dfb1e0d
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.9.tar.gz">openssh-6.9.tar.gz</a>) = itCMw0aE/xvrGKWhzRD2UM/9kzIOyFaH2dIWMfX8agQ=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.9p1.tar.gz">openssh-6.9p1.tar.gz</a>) = 86ab57f00d0fd9bf302760f2f6deac1b6e9df265
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.9p1.tar.gz">openssh-6.9p1.tar.gz</a>) = bgdN9TjzV9RAvmz5PcWBoh8i054jbyF/zY6su2yJbP4=
|
||
|
|
||
|
Please note that the PGP key used to sign releases was recently rotated.
|
||
|
The new key has been signed by the old key to provide continuity. It is
|
||
|
available from the mirror sites as RELEASE_KEY.asc.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.8" id="6.8">OpenSSH 6.8</a>/<a href="txt/release-6.8" id="6.8p1">6.8p1</a> (2015-03-18)</h3>
|
||
|
<pre>OpenSSH 6.8 was released on 2015-03-18. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 6.7
|
||
|
=========================
|
||
|
|
||
|
This is a major release, containing a number of new features as
|
||
|
well as a large internal re-factoring.
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
--------------------------------
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: UseDNS now defaults to 'no'. Configurations that match
|
||
|
against the client host name (via sshd_config or authorized_keys)
|
||
|
may need to re-enable it or convert to matching against addresses.
|
||
|
|
||
|
New Features
|
||
|
------------
|
||
|
|
||
|
* Much of OpenSSH's internal code has been re-factored to be more
|
||
|
library-like. These changes are mostly not user-visible, but
|
||
|
have greatly improved OpenSSH's testability and internal layout.
|
||
|
|
||
|
* Add FingerprintHash option to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, and equivalent
|
||
|
command-line flags to the other tools to control algorithm used
|
||
|
for key fingerprints. The default changes from MD5 to SHA256 and
|
||
|
format from hex to base64.
|
||
|
|
||
|
Fingerprints now have the hash algorithm prepended. An example of
|
||
|
the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
|
||
|
Please note that visual host keys will also be different.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Experimental host key rotation support. Add a
|
||
|
protocol extension for a server to inform a client of all its
|
||
|
available host keys after authentication has completed. The client
|
||
|
may record the keys in known_hosts, allowing it to upgrade to better
|
||
|
host key algorithms and a server to gracefully rotate its keys.
|
||
|
|
||
|
The client side of this is controlled by a UpdateHostkeys config
|
||
|
option (default off).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a ssh_config HostbasedKeyType option to control which
|
||
|
host public key types are tried during host-based authentication.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix connection-killing host key mismatch errors
|
||
|
when sshd offers multiple ECDSA keys of different lengths.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when host name canonicalisation is enabled, try to
|
||
|
parse host names as addresses before looking them up for
|
||
|
canonicalisation. fixes <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2074">bz#2074</a> and avoiding needless DNS
|
||
|
lookups in some cases.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Key Revocation Lists (KRLs) no longer
|
||
|
require OpenSSH to be compiled with OpenSSL support.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, ssh-keysign(8): Make ed25519 keys work for host based
|
||
|
authentication.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: SSH protocol v.1 workaround for the Meyer, et al,
|
||
|
Bleichenbacher Side Channel Attack. Fake up a bignum key before
|
||
|
RSA decryption.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remember which public keys have been used for
|
||
|
authentication and refuse to accept previously-used keys.
|
||
|
This allows AuthenticationMethods=publickey,publickey to require
|
||
|
that users authenticate using two _different_ public keys.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add sshd_config HostbasedAcceptedKeyTypes and
|
||
|
PubkeyAcceptedKeyTypes options to allow sshd to control what
|
||
|
public key types will be accepted. Currently defaults to all.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Don't count partial authentication success as a failure
|
||
|
against MaxAuthTries.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add RevokedHostKeys option for the client to allow
|
||
|
text-file or KRL-based revocation of host keys.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Permit KRLs that revoke certificates by
|
||
|
serial number or key ID without scoping to a particular CA.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a "Match canonical" criteria that allows ssh_config
|
||
|
Match blocks to trigger only in the second config pass.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a -G option to ssh that causes it to parse its
|
||
|
configuration and dump the result to stdout, similar to "sshd -T".
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow Match criteria to be negated. E.g. "Match !host".
|
||
|
|
||
|
* The regression test suite has been extended to cover more OpenSSH
|
||
|
features. The unit tests have been expanded and now cover key
|
||
|
exchange.
|
||
|
|
||
|
Bugfixes
|
||
|
|
||
|
* ssh-keyscan(1): ssh-keyscan has been made much more robust again
|
||
|
servers that hang or violate the SSH protocol.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Fix regression <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2306">bz#2306</a>: Key path names were
|
||
|
being lost as comment fields.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow ssh_config Port options set in the second config
|
||
|
parse phase to be applied (they were being ignored). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2286">bz#2286</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Tweak config re-parsing with host canonicalisation - make
|
||
|
the second pass through the config files always run when host name
|
||
|
canonicalisation is enabled (and not whenever the host name
|
||
|
changes) <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2267">bz#2267</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix passing of wildcard forward bind addresses when
|
||
|
connection multiplexing is in use; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2324">bz#2324</a>;
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Fix broken private key conversion from non-OpenSSH
|
||
|
formats; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2345">bz#2345</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Fix KRL generation bug when multiple CAs are in
|
||
|
use.
|
||
|
|
||
|
* Various fixes to manual pages: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2288">bz#2288</a>, <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2316">bz#2316</a>, <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2273">bz#2273</a>
|
||
|
|
||
|
Portable OpenSSH
|
||
|
|
||
|
* Support --without-openssl at configure time
|
||
|
|
||
|
Disables and removes dependency on OpenSSL. Many features,
|
||
|
including SSH protocol 1 are not supported and the set of crypto
|
||
|
options is greatly restricted. This will only work on systems
|
||
|
with native arc4random or /dev/urandom.
|
||
|
|
||
|
Considered highly experimental for now.
|
||
|
|
||
|
* Support --without-ssh1 option at configure time
|
||
|
|
||
|
Allows disabling support for SSH protocol 1.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix compilation on systems with IPv6 support in utmpx; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2296">bz#2296</a>
|
||
|
|
||
|
* Allow custom service name for sshd on Cygwin. Permits the use of
|
||
|
multiple sshd running with different service names.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.8.tar.gz">openssh-6.8.tar.gz</a>) = 99903c6ca76e0a2c044711017f81127e12459d37
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.8.tar.gz">openssh-6.8.tar.gz</a>) = N1uzVarFbrm2CzAwuDu3sRoszmqpK+5phAChP/QNyuw=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.8p1.tar.gz">openssh-6.8p1.tar.gz</a>) = cdbc51e46a902b30d263b05fdc71340920e91c92
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.8p1.tar.gz">openssh-6.8p1.tar.gz</a>) = P/ZM5z7hJEgLW/dnuYMNfTwDu8tqvnFrePAZLDfOFg4=
|
||
|
|
||
|
Please note that the PGP key used to sign releases was recently rotated.
|
||
|
The new key has been signed by the old key to provide continuity. It is
|
||
|
available from the mirror sites as RELEASE_KEY.asc.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.7" id="6.7">OpenSSH 6.7</a>/<a href="txt/release-6.7" id="6.7p1">6.7p1</a> (2014-10-06)</h3>
|
||
|
<pre>OpenSSH 6.7 was released on 2014-10-06. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 6.6
|
||
|
=========================
|
||
|
|
||
|
Potentially-incompatible changes
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: The default set of ciphers and MACs has been altered to
|
||
|
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
|
||
|
are disabled by default.
|
||
|
|
||
|
The full set of algorithms remains available if configured
|
||
|
explicitly via the Ciphers and MACs sshd_config options.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Support for tcpwrappers/libwrap has been removed.
|
||
|
|
||
|
* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
|
||
|
using the curve25519-sha256@libssh.org KEX exchange method to fail
|
||
|
when connecting with something that implements the specification
|
||
|
correctly. OpenSSH 6.7 disables this KEX method when speaking to
|
||
|
one of the affected versions.
|
||
|
|
||
|
New Features
|
||
|
|
||
|
* Major internal refactoring to begin to make part of OpenSSH usable
|
||
|
as a library. So far the wire parsing, key handling and KRL code
|
||
|
has been refactored. Please note that we do not consider the API
|
||
|
stable yet, nor do we offer the library in separable form.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add support for Unix domain socket forwarding.
|
||
|
A remote TCP port may be forwarded to a local Unix domain socket
|
||
|
and vice versa or both ends may be a Unix domain socket.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Add support for SSHFP DNS records for
|
||
|
ED25519 key types.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Allow resumption of interrupted uploads.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: When rekeying, skip file/DNS lookups of the hostkey if it
|
||
|
is the same as the one sent during initial key exchange; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2154">bz#2154</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Allow explicit ::1 and 127.0.0.1 forwarding bind
|
||
|
addresses when GatewayPorts=no; allows client to choose address
|
||
|
family; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2222">bz#2222</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add a sshd_config PermitUserRC option to control whether
|
||
|
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
|
||
|
option; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2160">bz#2160</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a %C escape sequence for LocalCommand and ControlPath
|
||
|
that expands to a unique identifer based on a hash of the tuple of
|
||
|
(local host, remote user, hostname, port). Helps avoid exceeding
|
||
|
miserly pathname limits for Unix domain sockets in multiplexing
|
||
|
control paths; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2220">bz#2220</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Make the "Too many authentication failures" message
|
||
|
include the user, source address, port and protocol in a format
|
||
|
similar to the authentication success / failure messages; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2199">bz#2199</a>
|
||
|
|
||
|
* Added unit and fuzz tests for refactored code. These are run
|
||
|
automatically in portable OpenSSH via the "make tests" target.
|
||
|
|
||
|
Bugfixes
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix remote forwarding with the same listen port but
|
||
|
different listen address.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix inverted test that caused PKCS#11 keys that were
|
||
|
explicitly listed in ssh_config or on the commandline not to be
|
||
|
preferred.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Fix bug in KRL generation: multiple consecutive
|
||
|
revoked certificate serial number ranges could be serialised to an
|
||
|
invalid format. Readers of a broken KRL caused by this bug will
|
||
|
fail closed, so no should-have-been-revoked key will be accepted.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Reflect stdio-forward ("ssh -W host:port ...") failures in
|
||
|
exit status. Previously we were always returning 0; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2255">bz#2255</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Make Ed25519 keys' title fit properly in the
|
||
|
randomart border; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2247">bz#2247</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: Only cleanup agent socket in the main agent process
|
||
|
and not in any subprocesses it may have started (e.g. forked
|
||
|
askpass). Fixes agent sockets being zapped when askpass processes
|
||
|
fatal(); <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2236">bz#2236</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: Make stdout line-buffered; saves partial output getting
|
||
|
lost when ssh-add fatal()s part-way through (e.g. when listing keys
|
||
|
from an agent that supports key types that ssh-add doesn't);
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2234">bz#2234</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: When hashing or removing hosts, don't choke on
|
||
|
@revoked markers and don't remove @cert-authority markers; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2241">bz#2241</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Don't fatal when hostname canonicalisation fails and a
|
||
|
ProxyCommand is in use; continue and allow the ProxyCommand to
|
||
|
connect anyway (e.g. to a host with a name outside the DNS behind
|
||
|
a bastion)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: When copying local->remote fails during read, don't send
|
||
|
uninitialised heap to the remote end.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Fix fatal "el_insertstr failed" errors when tab-completing
|
||
|
filenames with a single quote char somewhere in the string;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2238">bz#2238</a>
|
||
|
|
||
|
* ssh-keyscan(1): Scan for Ed25519 keys by default.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: When using VerifyHostKeyDNS with a DNSSEC resolver, down-
|
||
|
convert any certificate keys to plain keys and attempt SSHFP
|
||
|
resolution. Prevents a server from skipping SSHFP lookup and
|
||
|
forcing a new-hostkey dialog by offering only certificate keys.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Avoid crash at exit via NULL pointer reference; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2225">bz#2225</a>
|
||
|
|
||
|
* Fix some strict-alignment errors.
|
||
|
|
||
|
Portable OpenSSH
|
||
|
|
||
|
* Portable OpenSSH now supports building against libressl-portable.
|
||
|
|
||
|
* Portable OpenSSH now requires openssl 0.9.8f or greater. Older
|
||
|
versions are no longer supported.
|
||
|
|
||
|
* In the OpenSSL version check, allow fix version upgrades (but not
|
||
|
downgrades. Debian bug #748150.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: On Cygwin, determine privilege separation user at runtime,
|
||
|
since it may need to be a domain account.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Don't attempt to use vhangup on Linux. It doesn't work for
|
||
|
non-root users, and for them it just messes up the tty settings.
|
||
|
|
||
|
* Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
|
||
|
available. It considers time spent suspended, thereby ensuring
|
||
|
timeouts (e.g. for expiring agent keys) fire correctly. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2228">bz#2228</a>
|
||
|
|
||
|
* Add support for ed25519 to opensshd.init init script.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: On platforms that support it, use prctl() to
|
||
|
prevent sftp-server from accessing /proc/self/{mem,maps}
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.7.tar.gz">openssh-6.7.tar.gz</a>) = 315497b27a0186e4aef67987cfc9f3d9ba561cd8
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.7.tar.gz">openssh-6.7.tar.gz</a>) = /me/hPxDw9Tfd3siNKQubSQph84qiKwftiMsgj6nh5E=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz">openssh-6.7p1.tar.gz</a>) = 14e5fbed710ade334d65925e080d1aaeb9c85bf6
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz">openssh-6.7p1.tar.gz</a>) = svg5Tq6Fjau9732sELma7ADJVGJ1PoA0LlMLu29yVQc=
|
||
|
|
||
|
Please note that the PGP key used to sign releases was recently rotated.
|
||
|
The new key has been signed by the old key to provide continuity. It is
|
||
|
available from the mirror sites as RELEASE_KEY.asc.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.6" id="6.6">OpenSSH 6.6</a>/<a href="txt/release-6.6" id="6.6p1">6.6p1</a> (2014-03-15)</h3>
|
||
|
<pre>OpenSSH 6.6 was released on 2014-03-15. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 6.6
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
Security:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: when using environment passing with a <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>
|
||
|
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be
|
||
|
tricked into accepting any enviornment variable that contains the
|
||
|
characters before the wildcard character.
|
||
|
|
||
|
New / changed features:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: this release removes the J-PAKE authentication code.
|
||
|
This code was experimental, never enabled and had been unmaintained
|
||
|
for some time.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when processing Match blocks, skip 'exec' clauses other clauses
|
||
|
predicates failed to match.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: if hostname canonicalisation is enabled and results in the
|
||
|
destination hostname being changed, then re-parse <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> files
|
||
|
using the new destination hostname. This gives 'Host' and 'Match'
|
||
|
directives that use the expanded hostname a chance to be applied.
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: avoid spurious "getsockname failed: Bad file descriptor" in
|
||
|
ssh -W. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2200">bz#2200</a>, debian#738692
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow the shutdown(2) syscall in seccomp-bpf and systrace
|
||
|
sandbox modes, as it is reachable if the connection is terminated
|
||
|
during the pre-auth phase.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix unsigned overflow that in SSH protocol 1 bignum
|
||
|
parsing. Minimum key length checks render this bug unexploitable to
|
||
|
compromise SSH 1 sessions.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: clarify behaviour of a keyword that appears in
|
||
|
multiple matching Match blocks. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2184">bz#2184</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: avoid unnecessary hostname lookups when canonicalisation is
|
||
|
disabled. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2205">bz#2205</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid sandbox violation crashes in GSSAPI code by caching
|
||
|
the supported list of GSSAPI mechanism OIDs before entering the
|
||
|
sandbox. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2107">bz#2107</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix possible crashes in SOCKS4 parsing caused by assumption
|
||
|
that the SOCKS username is nul-terminated.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix regression for UsePrivilegedPort=yes when BindAddress is
|
||
|
not specified.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix memory leak in ECDSA signature verification.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix matching of 'Host' directives in <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> files
|
||
|
to be case-insensitive again (regression in 6.5).
|
||
|
|
||
|
Portable OpenSSH:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: don't fatal if the FreeBSD Capsicum is offered by the
|
||
|
system headers and libc but is not supported by the kernel.
|
||
|
* Fix build using the HP-UX compiler.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.6.tar.gz">openssh-6.6.tar.gz</a>) = bf932d798324ff2502409d3714d0ad8d65c7e1e7
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.6.tar.gz">openssh-6.6.tar.gz</a>) = jaSJE5aiQRm+91dV6EvVGr/ozo33tbxyjjFSiu+Cy80=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz">openssh-6.6p1.tar.gz</a>) = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz">openssh-6.6p1.tar.gz</a>) = SMHwZktFNIdQOABMxPNVW4MpwqgcHfSNtcUXgA3iA7s=
|
||
|
|
||
|
Please note that the PGP key used to sign releases was recently rotated.
|
||
|
The new key has been signed by the old key to provide continuity. It is
|
||
|
available from the mirror sites as RELEASE_KEY.asc.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.5" id="6.5">OpenSSH 6.5</a>/<a href="txt/release-6.5" id="6.5p1">6.5p1</a> (2014-01-30)</h3>
|
||
|
<pre>Changes since OpenSSH 6.4
|
||
|
=========================
|
||
|
|
||
|
This is a feature-focused release.
|
||
|
|
||
|
New features:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add support for key exchange using elliptic-curve
|
||
|
Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
|
||
|
method is the default when both the client and server support it.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add support for Ed25519 as a public key type.
|
||
|
Ed25519 is a elliptic curve signature scheme that offers
|
||
|
better security than ECDSA and DSA and good performance. It may be
|
||
|
used for both user and host keys.
|
||
|
|
||
|
* Add a new private key format that uses a bcrypt KDF to better
|
||
|
protect keys at rest. This format is used unconditionally for
|
||
|
Ed25519 keys, but may be requested when generating or saving
|
||
|
existing keys of other types via the -o <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> option.
|
||
|
We intend to make the new format the default in the near future.
|
||
|
Details of the new format are in the PROTOCOL.key file.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add a new transport cipher
|
||
|
"chacha20-poly1305@openssh.com" that combines Daniel Bernstein's
|
||
|
ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
|
||
|
encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Refuse RSA keys from old proprietary clients and
|
||
|
servers that use the obsolete RSA+MD5 signature scheme. It will
|
||
|
still be possible to connect with these clients/servers but only
|
||
|
DSA keys will be accepted, and OpenSSH will refuse connection
|
||
|
entirely in a future release.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Refuse old proprietary clients and servers that
|
||
|
use a weaker key exchange hash calculation.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Increase the size of the Diffie-Hellman groups requested
|
||
|
for each symmetric key size. New values from NIST Special
|
||
|
Publication 800-57 with the upper limit specified by <a href="https://tools.ietf.org/html/rfc4419">RFC4419</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: Support PKCS#11 tokens that only provide
|
||
|
X.509 certs instead of raw public keys (requested as <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1908">bz#1908</a>).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> "Match" keyword that allows
|
||
|
conditional configuration to be applied by matching on hostname,
|
||
|
user and result of arbitrary commands.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add support for client-side hostname canonicalisation
|
||
|
using a set of DNS suffixes and rules in <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>. This
|
||
|
allows unqualified names to be canonicalised to fully-qualified
|
||
|
domain names to eliminate ambiguity when looking up keys in
|
||
|
known_hosts or checking host certificate names.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: Add the ability to whitelist and/or blacklist sftp
|
||
|
protocol requests by name.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: Add a sftp "fsync@openssh.com" to support calling
|
||
|
fsync(2) on an open file handle.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add a <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> PermitTTY to disallow TTY allocation,
|
||
|
mirroring the longstanding no-pty authorized_keys option.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Add a ssh_config ProxyUseFDPass option that supports the
|
||
|
use of ProxyCommands that establish a connection and then pass a
|
||
|
connected file descriptor back to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. This allows the
|
||
|
ProxyCommand to exit rather than staying around to transfer data.
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix potential stack exhaustion caused by nested
|
||
|
certificates.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1211">bz#1211</a>: make BindAddress work with UsePrivilegedPort.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2137">bz#2137</a>: fix the progress meter for resumed transfer.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2187">bz#2187</a>: do not request smartcard PIN when removing
|
||
|
keys from ssh-agent.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2139">bz#2139</a>: fix re-exec fallback when original sshd binary
|
||
|
cannot be executed.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Make relative-specified certificate expiry times
|
||
|
relative to current time and not the validity start time.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2161">bz#2161</a>: fix AuthorizedKeysCommand inside a Match block.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2129">bz#2129</a>: symlinking a file would incorrectly canonicalise
|
||
|
the target path.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2175">bz#2175</a>: fix a use-after-free in the PKCS#11 agent
|
||
|
helper executable.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Improve logging of sessions to include the user name,
|
||
|
remote host and port, the session type (shell, command, etc.) and
|
||
|
allocated TTY (if any).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1297">bz#1297</a>: tell the client (via a debug message) when
|
||
|
their preferred listen address has been overridden by the
|
||
|
server's GatewayPorts setting.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2162">bz#2162</a>: include report port in bad protocol banner
|
||
|
message.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2163">bz#2163</a>: fix memory leak in error path in do_readdir().
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2171">bz#2171</a>: don't leak file descriptor on error.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Include the local address and port in "Connection from
|
||
|
..." message (only shown at loglevel>=verbose).
|
||
|
|
||
|
Portable OpenSSH:
|
||
|
|
||
|
* Please note that this is the last version of Portable OpenSSH that
|
||
|
will support versions of OpenSSL prior to 0.9.6. Support (i.e.
|
||
|
SSH_OLD_EVP) will be removed following the 6.5p1 release.
|
||
|
|
||
|
* Portable OpenSSH will attempt compile and link as a Position
|
||
|
Independent Executable on Linux, OS X and OpenBSD on recent gcc-
|
||
|
like compilers. Other platforms and older/other compilers may
|
||
|
request this using the --with-pie configure flag.
|
||
|
|
||
|
* A number of other toolchain-related hardening options are used
|
||
|
automatically if available, including -ftrapv to abort on signed
|
||
|
integer overflow and options to write-protect dynamic linking
|
||
|
information. The use of these options may be disabled using the
|
||
|
--without-hardening configure flag.
|
||
|
|
||
|
* If the toolchain supports it, one of the -fstack-protector-strong,
|
||
|
-fstack-protector-all or -fstack-protector compilation flag are
|
||
|
used to add guards to mitigate attacks based on stack overflows.
|
||
|
The use of these options may be disabled using the
|
||
|
--without-stackprotect configure option.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add support for pre-authentication sandboxing using the
|
||
|
Capsicum API introduced in FreeBSD 10.
|
||
|
|
||
|
* Switch to a ChaCha20-based arc4random() PRNG for platforms that do
|
||
|
not provide their own.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2156">bz#2156</a>: restore Linux oom_adj setting when handling
|
||
|
SIGHUP to maintain behaviour over retart.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2032">bz#2032</a>: use local username in krb5_kuserok check rather
|
||
|
than full client name which may be of form user@REALM.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Test for both the presence of ECC NID numbers in
|
||
|
OpenSSL and that they actually work. Fedora (at least) has
|
||
|
NID_secp521r1 that doesn't work.
|
||
|
|
||
|
* <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2173">bz#2173</a>: use pkg-config --libs to include correct -L location for
|
||
|
libedit.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.5.tar.gz">openssh-6.5.tar.gz</a>) = 0a375e20d895670489a9241f8faa57670214fbed
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.5.tar.gz">openssh-6.5.tar.gz</a>) = sK5q2rB0o5JCbEmbeE/6N9DtJkT81dwmeuhogT4i900=
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.5p1.tar.gz">openssh-6.5p1.tar.gz</a>) = 3363a72b4fee91b29cf2024ff633c17f6cd2f86d
|
||
|
- SHA256 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.5p1.tar.gz">openssh-6.5p1.tar.gz</a>) = oRle1V25RSUtWhcw1KKipcHJpqoB7y5a91CpYmI9kCc=
|
||
|
|
||
|
Please note that the PGP key used to sign releases has been rotated.
|
||
|
The new key has been signed by the old key to provide continuity. It
|
||
|
is available from the mirror sites as RELEASE_KEY.asc.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.4" id="6.4">OpenSSH 6.4</a>/<a href="txt/release-6.4" id="6.4p1">6.4p1</a> (2013-11-08)</h3>
|
||
|
<pre>Changes since OpenSSH 6.3
|
||
|
=========================
|
||
|
|
||
|
This release fixes a security bug:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix a memory corruption problem triggered during rekeying
|
||
|
when an AES-GCM cipher is selected. Full details of the vulnerability
|
||
|
are available at: <a href="http://www.openssh.com/txt/gcmrekey.adv">http://www.openssh.com/txt/gcmrekey.adv</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.4.tar.gz">openssh-6.4.tar.gz</a>) = 4caf1a50eb3a3da821c16298c4aaa576fe24210c
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.4p1.tar.gz">openssh-6.4p1.tar.gz</a>) = cf5fe0eb118d7e4f9296fbc5d6884965885fc55d
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.3" id="6.3">OpenSSH 6.3</a>/<a href="txt/release-6.3" id="6.3p1">6.3p1</a> (2013-09-13)</h3>
|
||
|
<pre>Changes since OpenSSH 6.2
|
||
|
=========================
|
||
|
|
||
|
This release is predominantly a bugfix release:
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> support to <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>; allows encrypted hostkeys,
|
||
|
or hostkeys on smartcards.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow optional time-based rekeying via a second argument
|
||
|
to the existing RekeyLimit option. RekeyLimit is now supported in
|
||
|
sshd_config as well as on the client.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: standardise logging of information during user authentication.
|
||
|
|
||
|
The presented key/cert and the remote username (if available) is now
|
||
|
logged in the authentication success/failure message on the same log
|
||
|
line as the local username, remote host/port and protocol in use.
|
||
|
Certificates contents and the key fingerprint of the signing CA are
|
||
|
logged too.
|
||
|
|
||
|
Including all relevant information on a single line simplifies log
|
||
|
analysis as it is no longer necessary to relate information scattered
|
||
|
across multiple log entries.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add the ability to query which ciphers, MAC algorithms, key
|
||
|
types and key exchange methods are supported in the binary.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: support ProxyCommand=- to allow support cases where stdin and
|
||
|
stdout already point to the proxy.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: allow IdentityFile=none
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add -E option to ssh and sshd to append debugging logs
|
||
|
to a specified file instead of stderr or syslog.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: add support for resuming partial downloads using the "reget"
|
||
|
command and on the sftp commandline or on the "get" commandline using
|
||
|
the "-a" (append) option.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: add an "IgnoreUnknown" configuration option to selectively
|
||
|
suppress errors arising from unknown configuration directives.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add support for submethods to be appended to required
|
||
|
authentication methods listed via AuthenticationMethods.
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix refusal to accept certificate if a key of a different type
|
||
|
to the CA key appeared in authorized_keys before the CA key.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Use a monotonic time source for timers so
|
||
|
that things like keepalives and rekeying will work properly over clock
|
||
|
steps.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: update progressmeter when data is acknowledged, not when it's
|
||
|
sent. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2108">bz#2108</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: improve error messages when the current user does
|
||
|
not exist in /etc/passwd; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2125">bz#2125</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: reset the order in which public keys are tried after partial
|
||
|
authentication success.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: clean up socket files after SIGINT when in debug mode;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2120">bz#2120</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and others: avoid confusing error messages in the case of broken
|
||
|
system resolver configurations; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2122">bz#2122</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: set TCP nodelay for connections started with -N; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2124">bz#2124</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: correct manual for permission requirements on ~/.ssh/config;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2078">bz#2078</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix ControlPersist timeout not triggering in cases where TCP
|
||
|
connections have hung. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1917">bz#1917</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: properly deatch a ControlPersist master from its controlling
|
||
|
terminal.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: avoid crashes in libedit when it has been compiled with multi-
|
||
|
byte character support. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1990">bz#1990</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: when running sshd -D, close stderr unless we have explicitly
|
||
|
requested logging to stderr. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1976">bz#1976</a>,
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix incomplete bzero; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2100">bz#2100</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: log and error and exit if ChrootDirectory is specified and
|
||
|
running without root privileges.
|
||
|
|
||
|
* Many improvements to the regression test suite. In particular log files
|
||
|
are now saved from ssh and sshd after failures.
|
||
|
|
||
|
* Fix a number of memory leaks. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1967">bz#1967</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2096">bz#2096</a> and others
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix public key authentication when a :style is appended to
|
||
|
the requested username.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: do not fatally exit when attempting to cleanup multiplexing-
|
||
|
created channels that are incompletely opened. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2079">bz#2079</a>
|
||
|
|
||
|
Portable OpenSSH:
|
||
|
|
||
|
* Major overhaul of contrib/cygwin/README
|
||
|
|
||
|
* Fix unaligned accesses in umac.c for strict-alignment architectures.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2101">bz#2101</a>
|
||
|
|
||
|
* Enable -Wsizeof-pointer-memaccess if the compiler supports it. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2100">bz#2100</a>
|
||
|
|
||
|
* Fix broken incorrect commandline reporting errors. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1448">bz#1448</a>
|
||
|
|
||
|
* Only include SHA256 and ECC-based key exchange methods if libcrypto has
|
||
|
the required support.
|
||
|
|
||
|
* Fix crash in SOCKS5 dynamic forwarding code on strict-alignment
|
||
|
architectures.
|
||
|
|
||
|
* A number of portability fixes for Android:
|
||
|
* Don't try to use lastlog on Android; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2111">bz#2111</a>
|
||
|
* Fall back to using openssl's DES_crypt function on platorms that don't
|
||
|
have a native crypt() function; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2112">bz#2112</a>
|
||
|
* Test for fd_mask, howmany and NFDBITS rather than trying to enumerate
|
||
|
the plaforms that don't have them. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2085">bz#2085</a>
|
||
|
* Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2085">bz#2085</a>
|
||
|
* Add a null implementation of endgrent for platforms that don't have
|
||
|
it (eg Android) <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2087">bz#2087</a>
|
||
|
* Support platforms, such as Android, that lack struct passwd.pw_gecos.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2086">bz#2086</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.3.tar.gz">openssh-6.3.tar.gz</a>) = 8a6ef99ffc80c19e9afe9fe1e857370f6adcf450
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.3p1.tar.gz">openssh-6.3p1.tar.gz</a>) = 70845ca79474258cab29dbefae13d93e41a83ccb
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.2p2" id="6.2p2">OpenSSH 6.2p2</a> (2013-05-16)</h3>
|
||
|
<pre>
|
||
|
Changes since OpenSSH 6.2p1
|
||
|
===========================
|
||
|
|
||
|
This is a bugfix release:
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Only warn for missing identity files that were explicitly
|
||
|
specified.
|
||
|
|
||
|
* Fix bug in contributed contrib/ssh-copy-id script that could result in
|
||
|
"rm *" being called on mktemp failure. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2105">bz#2105</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Quiet disconnect notifications on the server from error() back
|
||
|
to logit() from error() for normal, client-initiated disconnections.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2057">bz#2057</a>
|
||
|
|
||
|
* Avoid conflicting definitions of __int64 on Cygwin
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.2p2.tar.gz">openssh-6.2p2.tar.gz</a>) = c2b4909eba6f5ec6f9f75866c202db47f3b501ba
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.2" id="6.2">OpenSSH 6.2</a>/<a href="txt/release-6.2" id="6.2p1">6.2p1</a> (2013-03-22)</h3>
|
||
|
<pre>
|
||
|
Changes since OpenSSH 6.1
|
||
|
=========================
|
||
|
|
||
|
This release introduces a number of new features:
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Added support for AES-GCM authenticated encryption in
|
||
|
SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
|
||
|
and aes256-gcm@openssh.com. It uses an identical packet format to the
|
||
|
AES-GCM mode specified in <a href="https://tools.ietf.org/html/rfc5647">RFC 5647</a>, but uses simpler and different
|
||
|
selection rules during key exchange.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Added support for encrypt-then-mac (EtM) MAC modes
|
||
|
for SSH protocol 2. These modes alter the packet format and compute
|
||
|
the MAC over the packet length and encrypted packet rather than over
|
||
|
the plaintext data. These modes are considered more secure and are
|
||
|
used by default when available.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Added support for the UMAC-128 MAC as
|
||
|
"umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter
|
||
|
being an encrypt-then-mac mode.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Added support for multiple required authentication in SSH
|
||
|
protocol 2 via an AuthenticationMethods option. This option lists
|
||
|
one or more comma-separated lists of authentication method names.
|
||
|
Successful completion of all the methods in any list is required for
|
||
|
authentication to complete. This allows, for example, requiring a
|
||
|
user having to authenticate via public key or GSSAPI before they
|
||
|
are offered password authentication.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>/<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Added support for Key Revocation Lists
|
||
|
(KRLs), a compact binary format to represent lists of revoked keys
|
||
|
and certificates that take as little as one bit per certificate when
|
||
|
revoking by serial number. KRLs may be generated using <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>
|
||
|
and are loaded into <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> via the existing RevokedKeys sshd_config
|
||
|
option.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: IdentitiesOnly now applies to keys obtained from a
|
||
|
PKCS11Provider. This allows control of which keys are offered from
|
||
|
tokens using IdentityFile.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>'s AllowTcpForwarding now accepts "local"
|
||
|
and "remote" in addition to its previous "yes"/"no" keywords to allow
|
||
|
the server to specify whether just local or remote TCP forwarding is
|
||
|
enabled.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Added a <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> option AuthorizedKeysCommand to
|
||
|
support fetching authorized_keys from a command in addition to (or
|
||
|
instead of) from the filesystem. The command is run under an account
|
||
|
specified by an AuthorizedKeysCommandUser <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> option.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: Now supports a -d option to allow the starting
|
||
|
directory to be something other than the user's home directory.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Now allows fingerprinting of keys hosted in PKCS#11
|
||
|
tokens using "ssh-keygen -lD pkcs11_provider".
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: When SSH protocol 2 only is selected (the default), <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
now immediately sends its SSH protocol banner to the server without
|
||
|
waiting to receive the server's banner, saving time when connecting.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Added ~v and ~V escape sequences to raise and lower the
|
||
|
logging level respectively.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Made the escape command help (~?) context sensitive so that
|
||
|
only commands that will work in the current session are shown.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: When deleting host lines from known_hosts using
|
||
|
"ssh-keygen -R host", <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> now prints details of which lines
|
||
|
were removed.
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Force a clean shutdown of ControlMaster client sessions when
|
||
|
the ~. escape sequence is used. This means that ~. should now work in
|
||
|
mux clients even if the server is no longer responding.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Correctly detect errors during local TCP forward setup in
|
||
|
multiplexed clients. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2055">bz#2055</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: Made deleting explicit keys "ssh-add -d" symmetric with
|
||
|
adding keys with respect to certificates. It now tries to delete the
|
||
|
corresponding certificate and respects the -k option to allow deleting
|
||
|
of the key only.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: Fix a number of parsing and command-editing bugs, including
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1956">bz#1956</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: When muxmaster is run with -N, ensured that it shuts down
|
||
|
gracefully when a client sends it "-O stop" rather than hanging around.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1985">bz#1985</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: When screening moduli candidates, append to the file
|
||
|
rather than overwriting to allow resumption. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1957">bz#1957</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Record "Received disconnect" messages at ERROR rather than
|
||
|
INFO priority. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2057">bz#2057</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Loudly warn if explicitly-provided private key is unreadable.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1981">bz#1981</a>
|
||
|
|
||
|
Portable OpenSSH:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: The Linux seccomp-filter sandbox is now supported on ARM
|
||
|
platforms where the kernel supports it.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: The seccomp-filter sandbox will not be enabled if the system
|
||
|
headers support it at compile time, regardless of whether it can be
|
||
|
enabled then. If the run-time system does not support seccomp-filter,
|
||
|
sshd will fall back to the rlimit pseudo-sandbox.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Don't link in the Kerberos libraries. They aren't necessary
|
||
|
on the client, just on <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2072">bz#2072</a>
|
||
|
|
||
|
* Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
|
||
|
library. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2073">bz#2073</a>
|
||
|
|
||
|
* Fix compilation on systems with openssl-1.0.0-fips.
|
||
|
|
||
|
* Fix a number of errors in the RPM spec files.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.2.tar.gz">openssh-6.2.tar.gz</a>) = b3f6cd774d345f22f6d0038cc9464cce131a0676
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.2p1.tar.gz">openssh-6.2p1.tar.gz</a>) = 8824708c617cc781b2bb29fa20bd905fd3d2a43d
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.1" id="6.1">OpenSSH 6.1</a>/<a href="txt/release-6.1" id="6.1p1">6.1p1</a> (2012-08-29)</h3>
|
||
|
<pre>OpenSSH 6.1 was released on 2012-08-29. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 6.0
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: This release turns on pre-auth sandboxing sshd by default for
|
||
|
new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Add options to specify starting line number and number of
|
||
|
lines to process when screening moduli candidates, allowing processing
|
||
|
of different parts of a candidate moduli file in parallel
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: The Match directive now supports matching on the local (listen)
|
||
|
address and port upon which the incoming connection was received via
|
||
|
LocalAddress and LocalPort clauses.
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Extend sshd_config Match directive to allow setting AcceptEnv
|
||
|
and {Allow,Deny}{Users,Groups}
|
||
|
* Add support for <a href="https://tools.ietf.org/html/rfc6594">RFC6594</a> SSHFP DNS records for ECDSA key types. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1978">bz#1978</a>
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Allow conversion of RSA1 keys to public PEM and PKCS8
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Allow the sshd_config PermitOpen directive to accept "none" as
|
||
|
an argument to refuse all port-forwarding requests.
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Support "none" as an argument for AuthorizedPrincipalsFile
|
||
|
* ssh-keyscan(1): Look for ECDSA keys by default. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1971">bz#1971</a>
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add "VersionAddendum" to sshd_config to allow server operators
|
||
|
to append some arbitrary text to the server SSH protocol banner.
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Don't spin in accept() in situations of file
|
||
|
descriptor exhaustion. Instead back off for a while.
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as
|
||
|
they were removed from the specification. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2023">bz#2023</a>,
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Handle long comments in config files better. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=2025">bz#2025</a>
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Delay setting tty_flag so RequestTTY options are correctly
|
||
|
picked up. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1995">bz#1995</a>
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Fix handling of /etc/nologin incorrectly being applied to root
|
||
|
on platforms that use login_cap.
|
||
|
|
||
|
Portable OpenSSH:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Allow sshd pre-auth sandboxing to fall-back to the rlimit
|
||
|
sandbox from the Linux SECCOMP filter sandbox when the latter is
|
||
|
not available in the kernel.
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Fix NULL dereference when built with LDNS and using DNSSEC to
|
||
|
retrieve a CNAME SSHFP record.
|
||
|
* Fix cross-compilation problems related to pkg-config. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1996">bz#1996</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.1.tar.gz">openssh-6.1.tar.gz</a>) = 7ed5b491cfebcaee2273d1f872314107273c2167
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz">openssh-6.1p1.tar.gz</a>) = 751c92c912310c3aa9cadc113e14458f843fc7b3
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-6.0" id="6.0">OpenSSH 6.0</a>/<a href="txt/release-6.0" id="6.0p1">6.0p1</a> (2012-04-22)</h3>
|
||
|
<pre>OpenSSH 6.0 was released on 2012-04-22. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 5.9
|
||
|
=========================
|
||
|
|
||
|
This is primarily a bugfix release.
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Add optional checkpoints for moduli screening
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>: new -k option to load plain keys (skipping certificates)
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Add wildcard support to PermitOpen, allowing things like
|
||
|
"PermitOpen localhost:*". <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1857">bz #1857</a>
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: support for cancelling local and remote port forwards via the
|
||
|
multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host"
|
||
|
to request the cancellation of the specified forwardings
|
||
|
* support cancellation of local/dynamic forwardings from ~C commandline
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: ensure that $DISPLAY contains only valid characters before
|
||
|
using it to extract xauth data so that it can't be used to play local
|
||
|
shell metacharacter games.
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: unbreak remote portforwarding with dynamic allocated listen ports
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: uppress adding '--' to remote commandlines when the first
|
||
|
argument does not start with '-'. saves breakage on some
|
||
|
difficult-to-upgrade embedded/router platforms
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix typo in IPQoS parsing: there is no "AF14" class,
|
||
|
but there is an "AF21" class
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during
|
||
|
rekeying
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: skip attempting to create ~/.ssh when -F is passed
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: unbreak stdio forwarding when ControlPersist is in use; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1943">bz#1943</a>
|
||
|
* <a href="https://man.openbsd.org/sshd.1">sshd(1)</a>: send tty break to pty master instead of (probably already
|
||
|
closed) slave side; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1859">bz#1859</a>
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: silence error spam for "ls */foo" in directory with files;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1683">bz#1683</a>
|
||
|
* Fixed a number of memory and file descriptor leaks
|
||
|
|
||
|
Portable OpenSSH:
|
||
|
|
||
|
* Add a new privilege separation sandbox implementation for Linux's
|
||
|
new seccomp sandbox, automatically enabled on platforms that support
|
||
|
it. (Note: privilege separation sandboxing is still experimental)
|
||
|
* Fix compilation problems on FreeBSD, where libutil contained openpty()
|
||
|
but not login().
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: don't fail in -A on platforms that don't support ECC
|
||
|
* Add optional support for LDNS, a BSD licensed DNS resolver library
|
||
|
which supports DNSSEC
|
||
|
* Relax OpenSSL version check to allow running OpenSSH binaries on
|
||
|
systems with OpenSSL libraries with a newer "fix" or "patch" level
|
||
|
than the binaries were originally compiled on (previous check only
|
||
|
allowed movement within "patch" releases). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1991">bz#1991</a>
|
||
|
* Fix builds using contributed Redhat spec file. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1992">bz#1992</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-6.0.tar.gz">openssh-6.0.tar.gz</a>) = 5d30aba0423c44e89924bb44c5d2153635506a9f
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz">openssh-6.0p1.tar.gz</a>) = f691e53ef83417031a2854b8b1b661c9c08e4422
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.9" id="5.9">OpenSSH 5.9</a>/<a href="txt/release-5.9" id="5.9p1">5.9p1</a> (2011-09-06)</h3>
|
||
|
<pre>OpenSSH 5.9 was released on 2011-09-06. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 5.8
|
||
|
=========================
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* Introduce sandboxing of the pre-auth privsep child using an optional
|
||
|
<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> "UsePrivilegeSeparation=sandbox" mode that enables
|
||
|
mandatory restrictions on the syscalls the privsep child can perform.
|
||
|
This intention is to prevent a compromised privsep child from being
|
||
|
used to attack other hosts (by opening sockets and proxying) or
|
||
|
probing local kernel attack surface.
|
||
|
|
||
|
Three concrete sandbox implementation are provided (selected at
|
||
|
configure time): systrace, seatbelt and rlimit.
|
||
|
|
||
|
The systrace sandbox uses systrace(4) in unsupervised "fast-path"
|
||
|
mode, where a list of permitted syscalls is supplied. Any syscall not
|
||
|
on the list results in SIGKILL being sent to the privsep child. Note
|
||
|
that this requires a kernel with the new SYSTR_POLICY_KILL option
|
||
|
(only OpenBSD has this mode at present).
|
||
|
|
||
|
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
|
||
|
strict (kSBXProfilePureComputation) policy that disables access to
|
||
|
filesystem and network resources.
|
||
|
|
||
|
The rlimit sandbox is a fallback choice for platforms that don't
|
||
|
support a better one; it uses setrlimit() to reset the hard-limit
|
||
|
of file descriptors and processes to zero, which should prevent
|
||
|
the privsep child from forking or opening new network connections.
|
||
|
|
||
|
Sandboxing of the privilege separated child process is currently
|
||
|
experimental but should become the default in a future release.
|
||
|
Native sandboxes for other platforms are welcome (e.g. Capsicum,
|
||
|
Linux pid/net namespaces, etc.)
|
||
|
|
||
|
* Add new SHA256-based HMAC transport integrity modes from
|
||
|
<a href="http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt">http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt</a>
|
||
|
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
|
||
|
and hmac-sha2-512-96, and are available by default in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and
|
||
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
|
||
|
|
||
|
* The pre-authentication <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> privilege separation slave process
|
||
|
now logs via a socket shared with the master process, avoiding the
|
||
|
need to maintain /dev/log inside the chroot.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now warns when a server refuses X11 forwarding
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>'s AuthorizedKeysFile now accepts multiple paths,
|
||
|
separated by whitespace. The undocumented AuthorizedKeysFile2
|
||
|
option is deprecated (though the default for AuthorizedKeysFile
|
||
|
includes .ssh/authorized_keys2)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>: similarly deprecate UserKnownHostsFile2 and
|
||
|
GlobalKnownHostsFile2 by making UserKnownHostsFile and
|
||
|
GlobalKnownHostsFile accept multiple options and default to
|
||
|
include known_hosts2
|
||
|
|
||
|
* Retain key comments when loading v.2 keys. These will be visible
|
||
|
in "ssh-add -l" and other places. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=439">bz#439</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: set IPv6 traffic class from IPQoS (as well as
|
||
|
IPv4 ToS/DSCP). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1855">bz#1855</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>'s ControlPath option now expands %L to the host
|
||
|
portion of the destination host name.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> "Host" options now support negated Host matching, e.g.
|
||
|
|
||
|
Host *.example.org !c.example.org
|
||
|
User mekmitasdigoat
|
||
|
|
||
|
Will match "a.example.org", "b.example.org", but not "c.example.org"
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>: a new RequestTTY option provides control over when a
|
||
|
TTY is requested for a connection, similar to the existing -t/-tt/-T
|
||
|
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a> commandline options.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: allow GSSAPI authentication to detect when a server-side
|
||
|
failure causes authentication failure and don't count such failures
|
||
|
against MaxAuthTries; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1244">bz#1244</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: Add -A option. For each of the key types (rsa1, rsa,
|
||
|
dsa and ecdsa) for which host keys do not exist, generate the host
|
||
|
keys with the default key file path, an empty passphrase, default
|
||
|
bits for the key type, and default comment. This is useful for
|
||
|
system initialisation scripts.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Allow graceful shutdown of multiplexing: request that a mux
|
||
|
server removes its listener socket and refuse future multiplexing
|
||
|
requests but don't kill existing connections. This may be requested
|
||
|
using "ssh -O stop ..."
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a> now accepts keys piped from standard input. E.g.
|
||
|
"ssh-add - < /path/to/key"
|
||
|
|
||
|
* ssh-keysign(8) now signs hostbased authentication
|
||
|
challenges correctly using ECDSA keys; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1858">bz#1858</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: document that sftp accepts square brackets to delimit
|
||
|
addresses (useful for IPv6); <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1847">bz#1847</a>a
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: when using session multiplexing, the master process will
|
||
|
change its process title to reflect the control path in use and
|
||
|
when a ControlPersist-ed master is waiting to close; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1883">bz#1883</a> and
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1911">bz#1911</a>
|
||
|
|
||
|
* Other minor bugs fixed: 1849 1861 1862 1869 1875 1878 1879 1892
|
||
|
1900 1905 1913
|
||
|
|
||
|
Portable OpenSSH Bugfixes:
|
||
|
|
||
|
* Fix a compilation error in the SELinux support code. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1851">bz#1851</a>
|
||
|
|
||
|
* This release removes support for ssh-rand-helper. OpenSSH now
|
||
|
obtains its random numbers directly from OpenSSL or from
|
||
|
a PRNGd/EGD instance specified at configure time.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now resets the SELinux process execution context before
|
||
|
executing passwd for password changes; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1891">bz#1891</a>
|
||
|
|
||
|
* Since gcc >= 4.x ignores all -Wno-options options, test only the
|
||
|
corresponding -W-option when trying to determine whether it is
|
||
|
accepted; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1901">bz#1901</a>
|
||
|
|
||
|
* Add ECDSA key generation to the Cygwin ssh-{host,user}-config
|
||
|
scripts.
|
||
|
|
||
|
* Updated .spec and init files for Linux; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1920">bz#1920</a>
|
||
|
|
||
|
* Improved SELinux error messages in context change failures and
|
||
|
suppress error messages when attempting to change from the
|
||
|
"unconfined_t" type; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1924">bz#1924</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1919">bz#1919</a>
|
||
|
|
||
|
* Fix build errors on platforms without dlopen(); <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1929">bz#1929</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.9.tar.gz">openssh-5.9.tar.gz</a>) = bc0cb728bbc394769f9a2ce5b8cd99dc41e12632
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz">openssh-5.9p1.tar.gz</a>) = ac4e0055421e9543f0af5da607a72cf5922dcc56
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.8p2" id="5.8p2">OpenSSH 5.8p2</a> (2011-05-03)</h3>
|
||
|
<pre>Portable OpenSSH 5.8p2 was released on 2011-05-03. It will be available
|
||
|
from the mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 5.8p1
|
||
|
===========================
|
||
|
|
||
|
Security:
|
||
|
|
||
|
* Fix local private host key compromise on platforms without host-
|
||
|
level randomness support (e.g. /dev/random) reported by Tomas Mraz
|
||
|
|
||
|
On hosts that did not have a randomness source configured in
|
||
|
OpenSSL and were not configured to use EGD/PRNGd (using the
|
||
|
--with-prngd-socket configure option), the ssh-rand-helper command
|
||
|
was being implicitly executed by ssh-keysign with open file
|
||
|
descriptors to the host private keys. An attacker could use
|
||
|
ptrace(2) to attach to ssh-rand-helper and exfiltrate the keys.
|
||
|
|
||
|
Most modern operating systems are not vulnerable. In particular,
|
||
|
*BSD, Linux, OS X and Cygwin do not use ssh-rand-helper.
|
||
|
|
||
|
A full advisory for this issue is available at:
|
||
|
<a href="http://www.openssh.com/txt/portable-keysign-rand-helper.adv">http://www.openssh.com/txt/portable-keysign-rand-helper.adv</a>
|
||
|
|
||
|
Portable OpenSSH Bugfixes:
|
||
|
|
||
|
* Fix compilation failure when enabling SELinux support.
|
||
|
|
||
|
* Revised Cygwin ssh-{host,user}-config that include ECDSA key
|
||
|
support.
|
||
|
|
||
|
* Revised Cygwin ssh-host-config to be more thorough in error checking
|
||
|
and reporting.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz">openssh-5.8p2.tar.gz</a>) = 64798328d310e4f06c9f01228107520adbc8b3e5
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.8" id="5.8">OpenSSH 5.8</a>/<a href="txt/release-5.8" id="5.8p1">5.8p1</a> (2011-02-04)</h3>
|
||
|
<pre>OpenSSH 5.8 was released on 2011-02-04. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 5.7
|
||
|
=========================
|
||
|
|
||
|
Security:
|
||
|
|
||
|
* Fix vulnerability in legacy certificate signing introduced in
|
||
|
OpenSSH-5.6 and found by Mateusz Kocielski.
|
||
|
|
||
|
Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from
|
||
|
the stack in place of a random nonce field. The contents of the stack
|
||
|
do not appear to contain private data at this point, but this cannot
|
||
|
be stated with certainty for all platform, library and compiler
|
||
|
combinations. In particular, there exists a risk that some bytes from
|
||
|
the privileged CA key may be accidentally included.
|
||
|
|
||
|
A full advisory for this issue is available at:
|
||
|
<a href="http://www.openssh.com/txt/legacy-cert.adv">http://www.openssh.com/txt/legacy-cert.adv</a>
|
||
|
|
||
|
Portable OpenSSH Bugfixes:
|
||
|
|
||
|
* Fix compilation failure when enableing SELinux support.
|
||
|
|
||
|
* Do not attempt to call SELinux functions when SELinux is disabled.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1851">bz#1851</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.8.tar.gz">openssh-5.8.tar.gz</a>) = 205dece2c8b41c69b082eb65320d359987aae25b
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.8p1.tar.gz">openssh-5.8p1.tar.gz</a>) = adebb2faa9aba2a3a3c8b401b2b19677ab53f0de
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.7" id="5.7">OpenSSH 5.7</a>/<a href="txt/release-5.7" id="5.7p1">5.7p1</a> (2011-01-24)</h3>
|
||
|
<pre>OpenSSH 5.7 was released on 2011-01-24. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 5.6
|
||
|
=========================
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
|
||
|
and host/user keys (ECDSA) as specified by <a href="https://tools.ietf.org/html/rfc5656">RFC5656</a>. ECDH and ECDSA
|
||
|
offer better performance than plain DH and DSA at the same equivalent
|
||
|
symmetric key length, as well as much shorter keys.
|
||
|
|
||
|
Only the mandatory sections of <a href="https://tools.ietf.org/html/rfc5656">RFC5656</a> are implemented, specifically
|
||
|
the three REQUIRED curves nistp256, nistp384 and nistp521 and only
|
||
|
ECDH and ECDSA. Point compression (optional in <a href="https://tools.ietf.org/html/rfc5656">RFC5656</a>) is NOT
|
||
|
implemented.
|
||
|
|
||
|
Certificate host and user keys using the new ECDSA key types are
|
||
|
supported - an ECDSA key may be certified, and an ECDSA key may act
|
||
|
as a CA to sign certificates.
|
||
|
|
||
|
ECDH in a 256 bit curve field is the preferred key agreement
|
||
|
algorithm when both the client and server support it. ECDSA host
|
||
|
keys are preferred when learning a host's keys for the first time,
|
||
|
or can be learned using ssh-keyscan(1).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>/<a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: add a protocol extension to support a hard
|
||
|
link operation. It is available through the "ln" command in the
|
||
|
client. The old "ln" behaviour of creating a symlink is available
|
||
|
using its "-s" option or through the preexisting "symlink" command
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: Add a new -3 option to scp: Copies between two remote hosts
|
||
|
are transferred through the local host. Without this option the
|
||
|
data is copied directly between the two remote hosts.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: automatically order the hostkeys requested by the client
|
||
|
based on which hostkeys are already recorded in known_hosts. This
|
||
|
avoids hostkey warnings when connecting to servers with new ECDSA
|
||
|
keys, since these are now preferred when learning hostkeys for the
|
||
|
first time.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a new IPQoS option to specify arbitrary
|
||
|
TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1733">bz#1733</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: the sftp client is now significantly faster at performing
|
||
|
directory listings, using OpenBSD glob(3) extensions to preserve
|
||
|
the results of stat(3) operations performed in the course of its
|
||
|
execution rather than performing expensive round trips to fetch
|
||
|
them again afterwards.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: "atomically" create the listening mux socket by binding it on
|
||
|
a temporary name and then linking it into position after listen() has
|
||
|
succeeded. This allows the mux clients to determine that the server
|
||
|
socket is either ready or stale without races. stale server sockets
|
||
|
are now automatically removed. (also fixes <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1711">bz#1711</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: add a KexAlgorithms knob to the client and server
|
||
|
configuration to allow selection of which key exchange methods are
|
||
|
used by <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and their order of preference.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>/<a href="https://man.openbsd.org/scp.1">scp(1)</a>: factor out bandwidth limiting code from <a href="https://man.openbsd.org/scp.1">scp(1)</a> into
|
||
|
a generic bandwidth limiter that can be attached using the atomicio
|
||
|
callback mechanism and use it to add a bandwidth limit option to
|
||
|
<a href="https://man.openbsd.org/sftp.1">sftp(1)</a>. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1147">bz#1147</a>
|
||
|
|
||
|
BugFixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>/<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>: honour $TMPDIR for client xauth and ssh-agent
|
||
|
temporary directories. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1809">bz#1809</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: avoid NULL deref on receiving a channel request on an unknown
|
||
|
or invalid channel; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1842">bz#1842</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove a debug() that pollutes stderr on client connecting
|
||
|
to a server in debug mode; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1719">bz#1719</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a>: pass through ssh command-line flags and options when doing
|
||
|
remote-remote transfers, e.g. to enable agent forwarding which is
|
||
|
particularly useful in this case; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1837">bz#1837</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>: umask should be parsed as octal
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: escape '[' in filename tab-completion
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: Typo in confirmation message. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1827">bz#1827</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: prevent free() of string in .rodata when overriding
|
||
|
AuthorizedKeys in a Match block
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Use default shell /bin/sh if $SHELL is ""
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: kill proxy command on fatal() (we already killed it on
|
||
|
clean exit);
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: install a SIGCHLD handler to reap expiried child process;
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1812">bz#1812</a>
|
||
|
|
||
|
* Support building against openssl-1.0.0a
|
||
|
|
||
|
Portable OpenSSH Bugfixes:
|
||
|
|
||
|
* Use mandoc as preferred manpage formatter if it is present, followed
|
||
|
by nroff and groff respectively.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Relax permission requirement on btmp logs to allow group
|
||
|
read/write
|
||
|
|
||
|
* <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1840">bz#1840</a>: fix warning when configuring --with-ssl-engine
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Use correct uid_t/pid_t types instead of int. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1817">bz#1817</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1824">bz#1824</a>: Add Solaris Project support.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Check is_selinux_enabled for exact return code since it can
|
||
|
apparently return -1 under some conditions.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.7.tar.gz">openssh-5.7.tar.gz</a>) = 67cb91772a33fb3a004b39bcdb9148218365494c
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.7p1.tar.gz">openssh-5.7p1.tar.gz</a>) = 423e27475f06e1055847dfff7f61e1ac632b5372
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.6" id="5.6">OpenSSH 5.6</a>/<a href="txt/release-5.6" id="5.6p1">5.6p1</a> (2010-08-23)</h3>
|
||
|
<pre>OpenSSH 5.6 was released on 2010-08-23. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 5.5
|
||
|
=========================
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* Added a ControlPersist option to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> that automatically
|
||
|
starts a background <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> multiplex master when connecting. This
|
||
|
connection can stay alive indefinitely, or can be set to
|
||
|
automatically close after a user-specified duration of inactivity.
|
||
|
|
||
|
* Hostbased authentication may now use certificate host keys. CA keys
|
||
|
must be specified in a known_hosts file using the @cert-authority
|
||
|
marker as described in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> now supports signing certificate using a CA key that
|
||
|
has been stored in a PKCS#11 token.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> will now log the hostname and address that we connected to at
|
||
|
LogLevel=verbose after authentication is successful to mitigate
|
||
|
"phishing" attacks by servers with trusted keys that accept
|
||
|
authentication silently and automatically before presenting fake
|
||
|
password/passphrase prompts.
|
||
|
|
||
|
Note that, for such an attack to be successful, the user must have
|
||
|
disabled StrictHostKeyChecking (enabled by default) or an attacker
|
||
|
must have access to a trusted host key for the destination server.
|
||
|
|
||
|
* Expand %h to the hostname in ssh_config Hostname options. While this
|
||
|
sounds useless, it is actually handy for working with unqualified
|
||
|
hostnames:
|
||
|
|
||
|
Host *.*
|
||
|
Hostname %h
|
||
|
Host *
|
||
|
Hostname %h.example.org
|
||
|
|
||
|
* Allow <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> to import (-i) and export (-e) of PEM and PKCS#8
|
||
|
keys in addition to <a href="https://tools.ietf.org/html/rfc4716">RFC4716</a> (SSH.COM) encodings via a new -m option
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1749">bz#1749</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> will now queue debug messages for bad ownership or
|
||
|
permissions on the user's keyfiles encountered during authentication
|
||
|
and will send them after authentication has successfully completed.
|
||
|
These messages may be viewed in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> at LogLevel=debug or higher.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> connection multiplexing now supports remote forwarding with
|
||
|
dynamic port allocation and can report the allocated port back to
|
||
|
the user:
|
||
|
|
||
|
LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now supports indirection in matching of principal names
|
||
|
listed in certificates. By default, if a certificate has an
|
||
|
embedded principals list then the username on the server must match
|
||
|
one of the names in the list for it to be accepted for
|
||
|
authentication.
|
||
|
|
||
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now has a new AuthorizedPrincipalsFile option to specify a
|
||
|
file containing a list of names that may be accepted in place of the
|
||
|
username when authorizing a certificate trusted via the
|
||
|
<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> TrustedCAKeys option. Similarly, authentication
|
||
|
using a CA trusted in ~/.ssh/authorized_keys now accepts a
|
||
|
principals="name1[,name2,...]" to specify a list of permitted names.
|
||
|
|
||
|
If either option is absent, the current behaviour of requiring the
|
||
|
username to appear in principals continues to apply. These options
|
||
|
are useful for role accounts, disjoint account namespaces and
|
||
|
"user@realm"-style naming policies in certificates.
|
||
|
|
||
|
* Additional <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> options are now valid inside Match blocks:
|
||
|
|
||
|
AuthorizedKeysFile
|
||
|
AuthorizedPrincipalsFile
|
||
|
HostbasedUsesNameFromPacketOnly
|
||
|
PermitTunnel
|
||
|
|
||
|
* Revised the format of certificate keys. The new format, identified as
|
||
|
ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:
|
||
|
|
||
|
- Adding a serial number field. This may be specified by the CA at
|
||
|
the time of certificate signing.
|
||
|
|
||
|
- Moving the nonce field to the beginning of the certificate where
|
||
|
it can better protect against chosen-prefix attacks on the
|
||
|
signature hash (currently infeasible against the SHA1 hash used)
|
||
|
|
||
|
- Renaming the "constraints" field to "critical options"
|
||
|
|
||
|
- Addng a new non-critical "extensions" field. The "permit-*"
|
||
|
options are now extensions, rather than critical options to
|
||
|
permit non-OpenSSH implementation of this key format to degrade
|
||
|
gracefully when encountering keys with options they do not
|
||
|
recognize.
|
||
|
|
||
|
The older format is still supported for authentication and may still
|
||
|
be used when signing certificates (use "ssh-keygen -t v00 ...").
|
||
|
The v00 format, introduced in OpenSSH 5.4, will be supported for at
|
||
|
least one year from this release, after which it will be deprecated
|
||
|
and removed.
|
||
|
|
||
|
BugFixes:
|
||
|
|
||
|
* The PKCS#11 code now retries a lookup for a private key if there is
|
||
|
no matching key with CKA_SIGN attribute enabled; this fixes fixes
|
||
|
MuscleCard support (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1736">bz#1736</a>)
|
||
|
|
||
|
* Unbreak strdelim() skipping past quoted strings (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1757">bz#1757</a>). For
|
||
|
example, the following directive was not parsed correctly:
|
||
|
|
||
|
AllowUsers "blah blah" blah
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix swapped args in upload_dir_internal(), breaking
|
||
|
recursive upload depth checks and causing verbose printing of
|
||
|
transfers to always be turned on (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1797">bz#1797</a>)
|
||
|
|
||
|
* Fix a longstanding problem where if you suspend <a href="https://man.openbsd.org/scp.1">scp(1)</a> at the
|
||
|
password/passphrase prompt the terminal mode is not restored.
|
||
|
|
||
|
* Fix a PKCS#11 crash on some smartcards by validating the length
|
||
|
returned for C_GetAttributValue (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1773">bz#1773</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix ls in working directories that contain globbing
|
||
|
characters in their pathnames (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1655">bz#1655</a>)
|
||
|
|
||
|
* Print warning for missing home directory when ChrootDirectory=none
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1564">bz#1564</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>: fix a memory leak in do_realpath() error path (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1771">bz#1771</a>)
|
||
|
|
||
|
* ssk-keygen(1): Standardise error messages when attempting to open
|
||
|
private key files to include "progname: filename: error reason"
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1783">bz#1783</a>)
|
||
|
|
||
|
* Replace verbose and overflow-prone Linebuf code with
|
||
|
read_keyfile_line() (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1565">bz#1565</a>)
|
||
|
|
||
|
* Include the user name on "subsystem request for ..." log messages
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: remove hardcoded limit of 100 permitopen clauses
|
||
|
and port forwards per direction (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1327">bz#1327</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: ignore stderr output from subsystems to avoid hangs if a
|
||
|
subsystem or shell initialisation writes to stderr (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1750">bz#1750</a>)
|
||
|
|
||
|
* Skip the initial check for access with an empty password when
|
||
|
PermitEmptyPasswords=no (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1638">bz#1638</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: fix logspam when key options (from="..." especially) deny
|
||
|
non-matching keys (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1765">bz#1765</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: display a more helpful error message when $HOME is
|
||
|
inaccessible while trying to create .ssh directory (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1740">bz#1740</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: fix hang when terminating a mux slave using ~. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1758">bz#1758</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>: refuse to generate keys longer than
|
||
|
OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use
|
||
|
them anyway (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1516">bz#1516</a>)
|
||
|
|
||
|
* Suppress spurious tty warning when using -O and stdin is not a tty
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1746">bz#1746</a>)
|
||
|
|
||
|
* Kill channel when pty allocation requests fail. Fixed stuck client
|
||
|
if the server refuses pty allocation (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1698">bz#1698</a>)
|
||
|
|
||
|
Portable OpenSSH Bugfixes:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: increase the maximum username length for login recording
|
||
|
to 512 characters (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1579">bz#1579</a>)
|
||
|
|
||
|
* Initialize the values to be returned from PAM to sane values in
|
||
|
case the PAM method doesn't write to them. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1795">bz#1795</a>)
|
||
|
|
||
|
* Let configure find OpenSSL libraries in a lib64 subdirectory.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1756">bz#1756</a>)
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.6.tar.gz">openssh-5.6.tar.gz</a>) = fa5ac394b874d6709031306b6ac5c48399697f7f
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.6p1.tar.gz">openssh-5.6p1.tar.gz</a>) = 347dd39c91c3529f41dae63714d452fb95efea1e
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.5" id="5.5">OpenSSH 5.5</a>/<a href="txt/release-5.5" id="5.5p1">5.5p1</a> (2010-04-16)</h3>
|
||
|
<pre>
|
||
|
OpenSSH 5.5 was released on 2010-04-16. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed code
|
||
|
or patches, reported bugs, tested snapshots or donated to the project.
|
||
|
More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
This is a bugfix release.
|
||
|
|
||
|
Changes since OpenSSH 5.4
|
||
|
=========================
|
||
|
|
||
|
* Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths
|
||
|
|
||
|
* Fix compilation failures on platforms that lack dlopen()
|
||
|
|
||
|
* Include a language tag when sending a protocol 2 disconnection message.
|
||
|
|
||
|
* Make logging of certificates used for user authentication more clear and
|
||
|
consistent between CAs specified using TrustedUserCAKeys and
|
||
|
authorized_keys
|
||
|
|
||
|
Portable OpenSSH:
|
||
|
|
||
|
* Allow contrib/ssh-copy-id to fail gracefully when there are no keys in
|
||
|
the ssh-agent. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1723">bz#1723</a>
|
||
|
|
||
|
* Explicitly link libX11 into contrib/gnome-ssh-askpass2. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1725">bz#1725</a>
|
||
|
|
||
|
* Allow ChrootDirectory to work in SELinux platforms. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1726">bz#1726</a>
|
||
|
|
||
|
* Add configure.ac stanza for Haiku OS. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1741">bz#1741</a>
|
||
|
|
||
|
* Enable utmpx support on FreeBSD where possible. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1732">bz#1732</a>
|
||
|
|
||
|
* Use pkg-config to determine libedit linker flags where possible. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1744">bz#1744</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.5.tar.gz">openssh-5.5.tar.gz</a>) = 59864a048b09ad1b6e65a74d5d385d8189ab8c74
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.5p1.tar.gz">openssh-5.5p1.tar.gz</a>) = 361c6335e74809b26ea096b34062ba8ff6c97cd6
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.4" id="5.4">OpenSSH 5.4</a>/<a href="txt/release-5.4" id="5.4p1">5.4p1</a> (2010-03-08)</h3>
|
||
|
<pre>
|
||
|
OpenSSH 5.4 was released on 2010-03-08. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed code
|
||
|
or patches, reported bugs, tested snapshots or donated to the project.
|
||
|
More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
This is a major feature and bugfix release.
|
||
|
|
||
|
Changes since OpenSSH 5.3
|
||
|
=========================
|
||
|
|
||
|
Features:
|
||
|
|
||
|
* After a transition period of about 10 years, this release disables
|
||
|
SSH protocol 1 by default. Clients and servers that need to use the
|
||
|
legacy protocol must explicitly enable it in ssh_config / sshd_config
|
||
|
or on the command-line.
|
||
|
|
||
|
* Remove the libsectok/OpenSC-based smartcard code and add support for
|
||
|
PKCS#11 tokens. This support is automatically enabled on all
|
||
|
platforms that support dlopen(3) and was inspired by patches written
|
||
|
by Alon Bar-Lev. Details in the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a> manpages.
|
||
|
|
||
|
* Add support for certificate authentication of users and hosts using a
|
||
|
new, minimal OpenSSH certificate format (not X.509). Certificates
|
||
|
contain a public key, identity information and some validity
|
||
|
constraints and are signed with a standard SSH public key using
|
||
|
<a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>. CA keys may be marked as trusted in authorized_keys
|
||
|
or via a TrustedUserCAKeys option in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> (for user
|
||
|
authentication), or in known_hosts (for host authentication).
|
||
|
|
||
|
Documentation for certificate support may be found in <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
|
||
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and a description of the protocol extensions in
|
||
|
PROTOCOL.certkeys.
|
||
|
|
||
|
* Added a 'netcat mode' to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>: "ssh -W host:port ..." This connects
|
||
|
stdio on the client to a single port forward on the server. This
|
||
|
allows, for example, using ssh as a ProxyCommand to route connections
|
||
|
via intermediate servers. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1618">bz#1618</a>
|
||
|
|
||
|
* Add the ability to revoke keys in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. User keys may
|
||
|
be revoked using a new <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> option "RevokedKeys". Host keys
|
||
|
are revoked through known_hosts (details in the <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> man page).
|
||
|
Revoked keys cannot be used for user or host authentication and will
|
||
|
trigger a warning if used.
|
||
|
|
||
|
* Rewrite the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> multiplexing support to support non-blocking
|
||
|
operation of the mux master, improve the resilience of the master to
|
||
|
malformed messages sent to it by the slave and add support for
|
||
|
requesting port- forwardings via the multiplex protocol. The new
|
||
|
stdio-to-local forward mode ("ssh -W host:port ...") is also
|
||
|
supported. The revised multiplexing protocol is documented in the
|
||
|
file PROTOCOL.mux in the source distribution.
|
||
|
|
||
|
* Add a 'read-only' mode to <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> that disables open in write
|
||
|
mode and all other fs-modifying protocol methods. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=430">bz#430</a>
|
||
|
|
||
|
* Allow setting an explicit umask on the <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> commandline to
|
||
|
override whatever default the user has. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1229">bz#1229</a>
|
||
|
|
||
|
* Many improvements to the <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> client, many of which were
|
||
|
implemented by Carlos Silva through the Google Summer of Code
|
||
|
program:
|
||
|
- Support the "-h" (human-readable units) flag for ls
|
||
|
- Implement tab-completion of commands, local and remote filenames
|
||
|
- Support most of <a href="https://man.openbsd.org/scp.1">scp(1)</a>'s commandline arguments in <a href="https://man.openbsd.org/sftp.1">sftp(1)</a>, as a
|
||
|
first step towards making <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> a drop-in replacement for <a href="https://man.openbsd.org/scp.1">scp(1)</a>.
|
||
|
Note that the rarely-used "-P sftp_server_path" option has been
|
||
|
moved to "-D sftp_server_path" to make way for "-P port" to match
|
||
|
<a href="https://man.openbsd.org/scp.1">scp(1)</a>.
|
||
|
- Add recursive transfer support for get/put and on the commandline
|
||
|
|
||
|
* New RSA keys will be generated with a public exponent of RSA_F4 ==
|
||
|
(2**16)+1 == 65537 instead of the previous value 35.
|
||
|
|
||
|
* Passphrase-protected SSH protocol 2 private keys are now protected
|
||
|
with AES-128 instead of 3DES. This applied to newly-generated keys
|
||
|
as well as keys that are reencrypted (e.g. by changing their
|
||
|
passphrase).
|
||
|
|
||
|
Bugfixes:
|
||
|
|
||
|
* Hold authentication debug messages until after successful
|
||
|
authentication. Fixes a minor information leak of environment
|
||
|
variables specified in authorized_keys if an attacker happens to
|
||
|
know the public key in use.
|
||
|
* When using ChrootDirectory, make sure we test for the existence of
|
||
|
the user's shell inside the chroot and not outside (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1679">bz#1679</a>)
|
||
|
* Cache user and group name lookups in sftp-server using
|
||
|
user_from_[ug]id(3) to improve performance on hosts where these
|
||
|
operations are slow (e.g. NIS or LDAP). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1495">bz#1495</a>
|
||
|
* Fix problem that prevented passphrase reading from being interrupted
|
||
|
in some circumstances; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1590">bz#1590</a>
|
||
|
* Ignore and log any Protocol 1 keys where the claimed size is not
|
||
|
equal to the actual size.
|
||
|
* Make HostBased authentication work with a ProxyCommand. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1569">bz#1569</a>
|
||
|
* Avoid run-time failures when specifying hostkeys via a relative
|
||
|
path by prepending the current working directory in these cases.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1290">bz#1290</a>
|
||
|
* Do not prompt for a passphrase if we fail to open a keyfile, and log
|
||
|
the reason why the open failed to debug. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1693">bz#1693</a>
|
||
|
* Document that the PubkeyAuthentication directive is allowed in a
|
||
|
<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> Match block. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1577">bz#1577</a>
|
||
|
* When converting keys, truncate key comments at 72 chars as per
|
||
|
<a href="https://tools.ietf.org/html/rfc4716">RFC4716</a>. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1630">bz#1630</a>
|
||
|
* Do not allow logins if /etc/nologin exists but is not readable by the
|
||
|
user logging in.
|
||
|
* Output a debug log if <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> can't open an existing authorized_keys.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1694">bz#1694</a>
|
||
|
* Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
|
||
|
usually don't actually have a tty to read/set; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1686">bz#1686</a>
|
||
|
* Prevent sftp from crashing when given a "-" without a command.
|
||
|
Also, allow whitespace to follow a "-". <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1691">bz#1691</a>
|
||
|
* After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
|
||
|
re-execs itself. Prevents two HUPs in quick succession from resulting
|
||
|
in sshd dying. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1692">bz#1692</a>
|
||
|
* Clarify in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> that StrictModes does not apply to
|
||
|
ChrootDirectory. Permissions and ownership are always checked when
|
||
|
chrooting. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1532">bz#1532</a>
|
||
|
* Set close-on-exec on various descriptors so they don't get leaked to
|
||
|
child processes. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1643">bz#1643</a>
|
||
|
* Fix very rare race condition in x11/agent channel allocation: don't
|
||
|
read after the end of the select read/write fdset and make sure a
|
||
|
reused FD is not touched before the pre-handlers are called.
|
||
|
* Fix incorrect exit status when multiplexing and channel ID 0 is
|
||
|
recycled. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1570">bz#1570</a>
|
||
|
* Fail with an error when an attempt is made to connect to a server
|
||
|
with ForceCommand=internal-sftp with a shell session (i.e. not a
|
||
|
subsystem session). Avoids stuck client when attempting to ssh to
|
||
|
such a service. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1606">bz#1606</a>:
|
||
|
* Warn but do not fail if stat()ing the subsystem binary fails. This
|
||
|
helps with chrootdirectory+forcecommand=sftp-server and restricted
|
||
|
shells. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1599">bz #1599</a>
|
||
|
* Change "Connecting to host..." message to "Connected to host."
|
||
|
and delay it until after the sftp protocol connection has been
|
||
|
established. Avoids confusing sequence of messages when the
|
||
|
underlying ssh connection experiences problems. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1588">bz#1588</a>
|
||
|
* Use the HostKeyAlias rather than the hostname specified on the
|
||
|
commandline when prompting for passwords. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1039">bz#1039</a>
|
||
|
* Correct off-by-one in percent_expand(): we would fatal() when trying
|
||
|
to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
|
||
|
actually work. Note that nothing in OpenSSH actually uses close to
|
||
|
this limit at present. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1607">bz#1607</a>
|
||
|
* Fix passing of empty options from <a href="https://man.openbsd.org/scp.1">scp(1)</a> and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> to the
|
||
|
underlying <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. Also add support for the stop option "--".
|
||
|
* Fix an incorrect magic number and typo in PROTOCOL; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1688">bz#1688</a>
|
||
|
* Don't escape backslashes when displaying the SSH2 banner. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1533">bz#1533</a>
|
||
|
* Don't unnecessarily dup() the in and out fds for sftp-server. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1566">bz#1566</a>
|
||
|
* Force use of the correct hash function for random-art signature
|
||
|
display as it was inheriting the wrong one when bubblebabble
|
||
|
signatures were activated. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1611">bz#1611</a>
|
||
|
* Do not fall back to adding keys without constraints (ssh-add -c /
|
||
|
-t ...) when the agent refuses the constrained add request. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1612">bz#1612</a>
|
||
|
* Fix a race condition in ssh-agent that could result in a wedged or
|
||
|
spinning agent. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1633">bz#1633</a>
|
||
|
* Flush stdio before exec() to ensure that everying (motd
|
||
|
in particular) has made it out before the streams go away. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1596">bz#1596</a>
|
||
|
* Set FD_CLOEXEC on in/out sockets in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1706">bz#1706</a>
|
||
|
|
||
|
Portable OpenSSH Bugfixes:
|
||
|
|
||
|
* Use system's kerberos principal name on AIX if it's available.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1583">bz#1583</a>
|
||
|
* Disable OOM-killing of the listening sshd on Linux. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1470">bz#1470</a>
|
||
|
* Use pkg-config for opensc config if it's available. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1160">bz#1160</a>
|
||
|
* Unbreak Redhat spec to allow building without askpass. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1677">bz#1677</a>
|
||
|
* If PidFile is set in sshd_config, use it in SMF init file. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1628">bz#1628</a>
|
||
|
* Print error and usage() when ssh-rand-helper is passed command-
|
||
|
line arguments as none are supported. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1568">bz#1568</a>
|
||
|
* Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
|
||
|
with GatwayPorts=yes. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1648">bz#1648</a>
|
||
|
* Make GNOME 2 askpass dialog desktop-modal. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1645">bz#1645</a>
|
||
|
* If SELinux is enabled set the security context to "sftpd_t" before
|
||
|
running the internal sftp server. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1637">bz#1637</a>
|
||
|
* Correctly check libselinux for necessary SELinux functions; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1713">bz#1713</a>
|
||
|
* Unbreak builds on Redhat using the supplied openssh.spec; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1731">bz#1731</a>
|
||
|
* Fix incorrect privilege dropping order on AIX that prevented
|
||
|
chroot operation; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1567">bz#1567</a>
|
||
|
* Call aix_setauthdb/aix_restoredb at the correct times on AIX to
|
||
|
prevent authentication failure; <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1710">bz#1710</a>
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.4.tar.gz">openssh-5.4.tar.gz</a>) = 1776832d902f7b4c7863afd41a5ec7a14efe95d6
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.4p1.tar.gz">openssh-5.4p1.tar.gz</a>) = 2a3042372f08afb1415ceaec8178213276a36302
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.3" id="5.3">OpenSSH 5.3</a>/<a href="txt/release-5.3" id="5.3p1">5.3p1</a> (2009-10-01)</h3>
|
||
|
<pre>OpenSSH 5.3 was released on 2009-10-01. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
This release marks the 10th anniversary of the OpenSSH project.
|
||
|
We would like to thank the OpenSSH community for their support,
|
||
|
especially those who will continue to contribute code or patches,
|
||
|
report bugs, test snapshots or donate to the project during the
|
||
|
next 10 years. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
This is a bugfix release, no new features have been added.
|
||
|
|
||
|
Changes since OpenSSH 5.2
|
||
|
=========================
|
||
|
|
||
|
General Bugfixes:
|
||
|
|
||
|
* Do not limit home directory paths to 256 characters. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1615">bz#1615</a>
|
||
|
|
||
|
* Several minor documentation and correctness fixes.
|
||
|
|
||
|
Portable OpenSSH Bugfixes:
|
||
|
|
||
|
* This release removes for support for very old versions of Cygwin and
|
||
|
for Windows 95/98/ME
|
||
|
|
||
|
* Move the deletion of PAM credentials on logout to after the session
|
||
|
close. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1534">bz#1534</a>
|
||
|
|
||
|
* Make PrintLastLog work on AIX. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1595">bz#1595</a>
|
||
|
|
||
|
* Avoid compile errors on FreeBSD from conflicts in glob.h. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1634">bz#1634</a>
|
||
|
|
||
|
* Delay dropping of root privileges on AIX so chroot and pam_open_session
|
||
|
work correctly. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1249">bz#1249</a> and <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1567">bz#1567</a>
|
||
|
|
||
|
* Increase client IO buffer on Cygwin to 64K, realising a significant
|
||
|
performance improvement.
|
||
|
|
||
|
* Roll back <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1241">bz#1241</a> (better handling for expired passwords on Tru64).
|
||
|
The change broke password logins on some configurations.
|
||
|
|
||
|
* Accept ENOSYS as a fallback error when attempting atomic
|
||
|
rename(). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1535">bz#1535</a>
|
||
|
|
||
|
* Fix passing of variables to recursive make(1) invocations on Solaris.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1505">bz#1505</a>
|
||
|
|
||
|
* Skip the tcgetattr call on the pty master on Solaris, since it never
|
||
|
succeeds and can hang if large amounts of data is sent to the slave
|
||
|
(eg a copy-paste). <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1528">bz#1528</a>
|
||
|
|
||
|
* Fix detection of krb5-config. <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1639">bz#1639</a>
|
||
|
|
||
|
* Fix test for server-assigned remote forwarding port for non-root users.
|
||
|
<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1578">bz#1578</a>
|
||
|
|
||
|
* Fix detection of libresolv on OSX 10.6.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.3.tar.gz">openssh-5.3.tar.gz</a>) = f1b9a280565e916c1f84fd4d944313ec926242a2
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.3p1.tar.gz">openssh-5.3p1.tar.gz</a>) = d411fde2584ef6022187f565360b2c63a05602b5
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.2" id="5.2">OpenSSH 5.2</a>/<a href="txt/release-5.2" id="5.2p1">5.2p1</a> (2009-02-23)</h3>
|
||
|
<pre>OpenSSH 5.2 was released on 2009-02-23. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We have also recently completed another Internet SSH usage scan, the
|
||
|
results of which may be found at <a href="http://www.openssh.com/usage.html">http://www.openssh.com/usage.html</a>
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
The focus of this release has been on bugfixes as the previous
|
||
|
openssh-5.1 release introduced many new features and made some
|
||
|
invasive changes.
|
||
|
|
||
|
Changes since OpenSSH 5.1
|
||
|
=========================
|
||
|
|
||
|
Security:
|
||
|
|
||
|
* This release changes the default cipher order to prefer the AES CTR
|
||
|
modes and the revised "arcfour256" mode to CBC mode ciphers that are
|
||
|
susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
|
||
|
|
||
|
* This release also adds countermeasures to mitigate CPNI-957037-style
|
||
|
attacks against the SSH protocol's use of CBC-mode ciphers. Upon
|
||
|
detection of an invalid packet length or Message Authentication
|
||
|
Code, ssh/sshd will continue reading up to the maximum supported
|
||
|
packet length rather than immediately terminating the connection.
|
||
|
This eliminates most of the known differences in behaviour that
|
||
|
leaked information about the plaintext of injected data which formed
|
||
|
the basis of this attack. We believe that these attacks are rendered
|
||
|
infeasible by these changes.
|
||
|
|
||
|
New features:
|
||
|
|
||
|
* Added a -y option to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to force logging to syslog rather than
|
||
|
stderr, which is useful when running daemonised (ssh -f)
|
||
|
|
||
|
* The <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> ForceCommand directive now accepts commandline
|
||
|
arguments for the internal-sftp server.
|
||
|
|
||
|
* The <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ~C escape commandline now support runtime creation of
|
||
|
dynamic (-D) port forwards.
|
||
|
|
||
|
* Support the SOCKS4A protocol in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> dynamic (-D) forwards.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1482">bz#1482</a>)
|
||
|
|
||
|
* Support remote port forwarding with a listen port of '0'. This
|
||
|
informs the server that it should dynamically allocate a listen
|
||
|
port and report it back to the client. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1003">bz#1003</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now supports setting PermitEmptyPasswords and
|
||
|
AllowAgentForwarding in Match blocks
|
||
|
|
||
|
Bug and documentation fixes
|
||
|
|
||
|
* Repair a <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> crash introduced in openssh-5.1 when the client is
|
||
|
sent a zero-length banner (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1496">bz#1496</a>)
|
||
|
|
||
|
* Due to interoperability problems with certain
|
||
|
broken SSH implementations, the eow@openssh.com and
|
||
|
no-more-sessions@openssh.com protocol extensions are now only sent
|
||
|
to peers that identify themselves as OpenSSH.
|
||
|
|
||
|
* Make <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> send the correct channel number for
|
||
|
SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to
|
||
|
avoid triggering 'Non-public channel' error messages on <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> in
|
||
|
openssh-5.1.
|
||
|
|
||
|
* Avoid printing 'Non-public channel' warnings in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, since the
|
||
|
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a> has sent incorrect channel numbers since ~2004 (this reverts
|
||
|
a behaviour introduced in openssh-5.1).
|
||
|
|
||
|
* Avoid double-free in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ~C escape -L handler (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1539">bz#1539</a>)
|
||
|
|
||
|
* Correct fail-on-error behaviour in <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> batchmode for remote
|
||
|
stat operations. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1541">bz#1541</a>)
|
||
|
|
||
|
* Disable nonfunctional <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ~C escape handler in multiplex slave
|
||
|
connections. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1543">bz#1543</a>)
|
||
|
|
||
|
* Avoid hang in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> when attempting to connect to a server that
|
||
|
has MaxSessions=0 set.
|
||
|
|
||
|
* Multiple fixes to <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> configuration test (-T) mode
|
||
|
|
||
|
* Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418,
|
||
|
1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
|
||
|
|
||
|
* Many manual page improvements.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.2.tar.gz">openssh-5.2.tar.gz</a>) = 260074ed466e95f054ac05a4406f613d08575217
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz">openssh-5.2p1.tar.gz</a>) = 8273a0237db98179fbdc412207ff8eb14ff3d6de
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.1" id="5.1">OpenSSH 5.1</a>/<a href="txt/release-5.1" id="5.1p1">5.1p1</a> (2008-07-22)</h3>
|
||
|
<pre>OpenSSH 5.1 was released on 2008-07-22. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We have also recently completed another Internet SSH usage scan, the
|
||
|
results of which may be found at <a href="http://www.openssh.com/usage.html">http://www.openssh.com/usage.html</a>
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots or donated to the
|
||
|
project. More information on donations may be found at:
|
||
|
<a href="http://www.openssh.com/donations.html">http://www.openssh.com/donations.html</a>
|
||
|
|
||
|
Changes since OpenSSH 5.0
|
||
|
=========================
|
||
|
|
||
|
Security:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: Avoid X11 man-in-the-middle attack on HP/UX (and possibly
|
||
|
other platforms) when X11UseLocalhost=no
|
||
|
|
||
|
When attempting to bind(2) to a port that has previously been bound
|
||
|
with SO_REUSEADDR set, most operating systems check that either the
|
||
|
effective user-id matches the previous bind (common on BSD-derived
|
||
|
systems) or that the bind addresses do not overlap (Linux and
|
||
|
Solaris).
|
||
|
|
||
|
Some operating systems, such as HP/UX, do not perform these checks
|
||
|
and are vulnerable to an X11 man-in-the-middle attack when the
|
||
|
<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> option X11UseLocalhost has been set to "no" - an
|
||
|
attacker may establish a more-specific bind, which will be used in
|
||
|
preference to sshd's wildcard listener.
|
||
|
|
||
|
Modern BSD operating systems, Linux, OS X and Solaris implement the
|
||
|
above checks and are not vulnerable to this attack, nor are systems
|
||
|
where the X11UseLocalhost has been left at the default value of
|
||
|
"yes".
|
||
|
|
||
|
Portable OpenSSH 5.1 avoids this problem for all operating systems
|
||
|
by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
|
||
|
|
||
|
This vulnerability was reported by sway2004009 AT hotmail.com.
|
||
|
|
||
|
New features:
|
||
|
|
||
|
* Introduce experimental SSH Fingerprint ASCII Visualisation to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
and <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>. Visual fingerprinnt display is controlled by a new
|
||
|
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> option "VisualHostKey". The intent is to render
|
||
|
SSH host keys in a visual form that is amenable to easy recall and
|
||
|
rejection of changed host keys. This technique inspired by the
|
||
|
graphical hash visualisation schemes known as "random art[*]", and
|
||
|
by Dan Kaminsky's musings at 23C3 in Berlin.
|
||
|
|
||
|
Fingerprint visualisation in is currently disabled by default, as the
|
||
|
algorithm used to generate the random art is still subject to change.
|
||
|
|
||
|
[*] "Hash Visualization: a New Technique to improve Real-World
|
||
|
Security", Perrig A. and Song D., 1999, International Workshop on
|
||
|
Cryptographic Techniques and E-Commerce (CrypTEC '99)
|
||
|
<a href="http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf">http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> now supports CIDR address/masklen matching in "Match
|
||
|
address" blocks, with a fallback to classic wildcard matching. For
|
||
|
example:
|
||
|
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
|
||
|
PasswordAuthentication yes
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now supports CIDR matching in ~/.ssh/authorized_keys
|
||
|
from="..." restrictions, also with a fallback to classic wildcard
|
||
|
matching.
|
||
|
|
||
|
* Added an extended test mode (-T) to <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> to request that it write
|
||
|
its effective configuration to stdout and exit. Extended test mode
|
||
|
also supports the specification of connection parameters (username,
|
||
|
source address and hostname) to test the application of
|
||
|
<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> Match rules.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now prints the number of bytes transferred and the overall
|
||
|
connection throughput for SSH protocol 2 sessions when in verbose
|
||
|
mode (previously these statistics were displayed for protocol 1
|
||
|
connections only).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> now supports extension methods statvfs@openssh.com and
|
||
|
fstatvfs@openssh.com that implement statvfs(2)-like operations.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1399">bz#1399</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> now has a "df" command to the sftp client that uses the
|
||
|
statvfs@openssh.com to produce a df(1)-like display of filesystem
|
||
|
space and inode utilisation (requires statvfs@openssh.com support on
|
||
|
the server)
|
||
|
|
||
|
* Added a MaxSessions option to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> to allow control of the
|
||
|
number of multiplexed sessions supported over a single TCP connection.
|
||
|
This allows increasing the number of allowed sessions above the
|
||
|
previous default of 10, disabling connection multiplexing
|
||
|
(MaxSessions=1) or disallowing login/shell/subsystem sessions
|
||
|
entirely (MaxSessions=0).
|
||
|
|
||
|
* Added a no-more-sessions@openssh.com global request extension that is
|
||
|
sent from <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> when the client knows that it will never
|
||
|
request another session (i.e. when session multiplexing is disabled).
|
||
|
This allows a server to disallow further session requests and
|
||
|
terminate the session in cases where the client has been hijacked.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> now supports the use of the -l option in combination
|
||
|
with -F to search for a host in ~/.ssh/known_hosts and display its
|
||
|
fingerprint.
|
||
|
|
||
|
* ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of
|
||
|
"rsa1".
|
||
|
|
||
|
* Added an AllowAgentForwarding option to <a href="https://man.openbsd.org/sshd_config.8">sshd_config(8)</a> to control
|
||
|
whether authentication agent forwarding is permitted. Note that this
|
||
|
is a loose control, as a client may install their own unofficial
|
||
|
forwarder.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: avoid unnecessary malloc/copy/free when receiving
|
||
|
network data, resulting in a ~10% speedup
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> will now try additional addresses when connecting
|
||
|
to a port forward destination whose DNS name resolves to more than
|
||
|
one address. The previous behaviour was to try the only first address
|
||
|
and give up if that failed. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=383">bz#383</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now support signalling that channels are
|
||
|
half-closed for writing, through a channel protocol extension
|
||
|
notification "eow@openssh.com". This allows propagation of closed
|
||
|
file descriptors, so that commands such as:
|
||
|
"ssh -2 localhost od /bin/ls | true"
|
||
|
do not send unnecessary data over the wire. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=85">bz#85</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: increased the default size of ssh protocol 1 ephemeral keys
|
||
|
from 768 to 1024 bits.
|
||
|
|
||
|
* When <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> has been requested to fork after authentication
|
||
|
("ssh -f") with ExitOnForwardFailure enabled, delay the fork until
|
||
|
after replies for any -R forwards have been seen. Allows for robust
|
||
|
detection of -R forward failure when using -f. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=92">bz#92</a>)
|
||
|
|
||
|
* "Match group" blocks in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> now support negation of
|
||
|
groups. E.g. "Match group staff,!guests" (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1315">bz#1315</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> and <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> now allow chmod-like operations to set
|
||
|
set[ug]id/sticky bits. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1310">bz#1310</a>)
|
||
|
|
||
|
* The MaxAuthTries option is now permitted in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> match
|
||
|
blocks.
|
||
|
|
||
|
* Multiplexed <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> sessions now support a subset of the ~ escapes
|
||
|
that are available to a primary connection. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1331">bz#1331</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> connection multiplexing will now fall back to creating a new
|
||
|
connection in most error cases. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1439">bz#1439</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1329">bz#1329</a>)
|
||
|
|
||
|
* Added some basic interoperability tests against Twisted Conch.
|
||
|
|
||
|
* Documented OpenSSH's extensions to and deviations from the published
|
||
|
SSH protocols (the PROTOCOL file in the distribution)
|
||
|
|
||
|
* Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
|
||
|
|
||
|
Bug and documentation fixes
|
||
|
|
||
|
* Make <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> deal more gracefully with channel requests that fail.
|
||
|
Previously it would optimistically assume that requests would always
|
||
|
succeed, which could cause hangs if they did not (e.g. when the
|
||
|
server runs out of file descriptors). (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1384">bz#1384</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now reports multiplexing errors via the multiplex slave's
|
||
|
stderr where possible (subject to LogLevel in the mux master).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now send terminate protocol banners with CR+LF for
|
||
|
protocol 2 to comply with <a href="https://tools.ietf.org/html/rfc4253">RFC 4253</a>. Previously they were terminated
|
||
|
with CR alone. Protocol 1 banners remain CR terminated. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1443">bz#1443</a>)
|
||
|
|
||
|
* Merged duplicate authentication file checks in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and refuse to
|
||
|
read authorised_keys and .shosts from non-regular files. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1438">bz#1438</a>)
|
||
|
|
||
|
* Ensure that <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>'s umask disallows at least group and world write,
|
||
|
even if a more permissive one has been inherited. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1433">bz#1433</a>)
|
||
|
|
||
|
* Suppress the warning message from <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> when changing to a
|
||
|
non-existent user home directory after chrooting. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1461">bz#1461</a>)
|
||
|
|
||
|
* Mention that <a href="https://man.openbsd.org/scp.1">scp(1)</a> follows symlinks when performing recursive
|
||
|
copies. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1466">bz#1466</a>)
|
||
|
|
||
|
* Prevent <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> from erroneously applying public key restrictions
|
||
|
leaned from ~/.ssh/authorized_keys to other authentication methods
|
||
|
when public key authentication subsequently fails. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1472">bz#1472</a>)
|
||
|
|
||
|
* Fix protocol keepalive timeouts - in some cases, keepalive packets
|
||
|
were being sent, but the connection was not being closed when the
|
||
|
limit for missing replies was exceeded. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1465">bz#1465</a>)
|
||
|
|
||
|
* Fix <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> sending invalid TTY modes when a TTY was forced (ssh -tt)
|
||
|
but stdin was not a TTY. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1199">bz#1199</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> will now exit with a non-zero exit status if
|
||
|
ExitOnForwardFailure was set and forwardings were disabled due to a
|
||
|
failed host key check.
|
||
|
|
||
|
* Fix MaxAuthTries tests to disallow a free authentication try to
|
||
|
clients that skipped the protocol 2 "none" authentication method.
|
||
|
(part of <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1432">bz#1432</a>)
|
||
|
|
||
|
* Make keepalive timeouts apply while synchronously waiting
|
||
|
for a packet, particularly during key renegotiation. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1363">bz#1363</a>)
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> has been audited to eliminate fd leaks and calls to fatal()
|
||
|
in conditions of file descriptor exhaustion.
|
||
|
|
||
|
Portable OpenSSH-specific bugfixes
|
||
|
|
||
|
* Avoid a <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> hang-on-exit on Solaris caused by depending on the
|
||
|
success of isatty() on a PTY master (undefined behaviour). Probably
|
||
|
affected other platforms too. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1463">bz#1463</a>)
|
||
|
|
||
|
* Fixed test for locked accounts on HP/UX with shadowed
|
||
|
passwords disabled. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1083">bz#1083</a>)
|
||
|
|
||
|
* Disable poll() fallback in atomiciov for Tru64. readv
|
||
|
doesn't seem to be a comparable object there, which lead to
|
||
|
compilation errors. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1386">bz#1386</a>)
|
||
|
|
||
|
* Fall back to racy rename if link returns EXDEV. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1447">bz#1447</a>)
|
||
|
|
||
|
* Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on
|
||
|
some platforms (HP nonstop) it is a distinct errno. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1467">bz#1467</a>)
|
||
|
|
||
|
* Avoid NULL dereferences in ancient sigaction replacement
|
||
|
code. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1240">bz#1240</a>)
|
||
|
|
||
|
* Avoid linking against libgssapi, which despite its name
|
||
|
doesn't seem to implement all of GSSAPI. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1276">bz#1276</a>)
|
||
|
|
||
|
* Use explicit noreturn attribute instead of __dead, fixing
|
||
|
compilation problems on Interix. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1112">bz#1112</a>)
|
||
|
|
||
|
* Added support password expiry on Tru64 SIA systems. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1241">bz#1241</a>)
|
||
|
|
||
|
* Fixed an UMAC alignment problem that manifested on Itanium
|
||
|
platforms. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1462">bz#1462</a>)
|
||
|
|
||
|
* The <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> manual now describes the requirements for
|
||
|
transfer logging in chroot environments. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1488">bz#1488</a>)
|
||
|
|
||
|
* Strip trailing dot from hostnames when the <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>
|
||
|
HostbasedUsesNameFromPacketOnly option is set. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1200">bz#1200</a>)
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.1.tar.gz">openssh-5.1.tar.gz</a>) = 1e5b43844ed015e4fbbbe25cfad6f5377c60e759
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.1p1.tar.gz">openssh-5.1p1.tar.gz</a>) = 877ea5b283060fe0160e376ea645e8e168047ff5
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
Security bugs should be reported directly to openssh@openssh.com
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-5.0" id="5.0">OpenSSH 5.0</a>/<a href="txt/release-5.0" id="5.0p1">5.0p1</a> (2008-04-03)</h3>
|
||
|
<pre>OpenSSH 5.0 was released on 2008-04-03. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
We apologise for any inconvenience resulting from this release
|
||
|
being made so shortly after 4.9. Unfortunately we only learned of
|
||
|
the below security issue from the public CVE report. The Debian
|
||
|
OpenSSH maintainers responsible for handling the initial report of
|
||
|
this bug failed to report it via either the private OpenSSH security
|
||
|
contact list (openssh@openssh.com) or the portable OpenSSH Bugzilla
|
||
|
(<a href="http://bugzilla.mindrot.org/)">http://bugzilla.mindrot.org/)</a>.
|
||
|
We ask anyone wishing to report security bugs in OpenSSH to please use
|
||
|
the openssh@openssh.com contact and to practice responsible disclosure.
|
||
|
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since OpenSSH 4.9:
|
||
|
============================
|
||
|
|
||
|
Security:
|
||
|
|
||
|
* CVE-2008-1483: Avoid possible hijacking of X11-forwarded connections
|
||
|
by refusing to listen on a port unless all address families bind
|
||
|
successfully.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-5.0.tar.gz">openssh-5.0.tar.gz</a>) = 729fb3168edf6a68408223b5ed82e59d13b57c47
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.0p1.tar.gz">openssh-5.0p1.tar.gz</a>) = 121cea3a730c0b0353334b6f46f438de30ab4928
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.9" id="4.9">OpenSSH 4.9</a>/<a href="txt/release-4.9" id="4.9p1">4.9p1</a> (2008-03-31)</h3>
|
||
|
<pre>OpenSSH 4.9 was released on 2008-03-31. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Note that OpenSSH 4.8 was an OpenBSD-only release shipped with the
|
||
|
OpenBSD 4.3 CD.
|
||
|
|
||
|
Changes since OpenSSH 4.7:
|
||
|
============================
|
||
|
|
||
|
Security:
|
||
|
|
||
|
* Disable execution of ~/.ssh/rc for sessions where a command has been
|
||
|
forced by the sshd_config ForceCommand directive. Users who had
|
||
|
write access to this file could use it to execute abritrary commands.
|
||
|
This behaviour was documented, but was an unsafe default and an extra
|
||
|
hassle for administrators.
|
||
|
|
||
|
New features:
|
||
|
|
||
|
* Added chroot(2) support for <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, controlled by a new option
|
||
|
"ChrootDirectory". Please refer to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> for details, and
|
||
|
please use this feature carefully. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=177">bz#177</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1352">bz#1352</a>)
|
||
|
* Linked <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> into <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. The internal sftp server is
|
||
|
used when the command "internal-sftp" is specified in a Subsystem
|
||
|
or ForceCommand declaration. When used with ChrootDirectory, the
|
||
|
internal sftp server requires no special configuration of files
|
||
|
inside the chroot environment. Please refer to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> for
|
||
|
more information.
|
||
|
* Added a "no-user-rc" option for authorized_keys to disable execution
|
||
|
of ~/.ssh/rc
|
||
|
* Added a protocol extension method "posix-rename@openssh.com" for
|
||
|
<a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> to perform POSIX atomic rename() operations.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1400">bz#1400</a>)
|
||
|
* Removed the fixed limit of 100 file handles in <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>. The
|
||
|
server will now dynamically allocate handles up to the number of
|
||
|
available file descriptors. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1397">bz#1397</a>)
|
||
|
* <a href="https://man.openbsd.org/ssh.8">ssh(8)</a> will now skip generation of SSH protocol 1 ephemeral server
|
||
|
keys when in inetd mode and protocol 2 connections are negotiated.
|
||
|
This speeds up protocol 2 connections to inetd-mode servers that
|
||
|
also allow Protocol 1 (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=440">bz#440</a>)
|
||
|
* Accept the PermitRootLogin directive in a <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> Match
|
||
|
block. Allows for, e.g. permitting root only from the local
|
||
|
network.
|
||
|
* Reworked <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> argument splitting and escaping to be more
|
||
|
internally consistent (i.e. between sftp commands) and more
|
||
|
consistent with sh(1). Please note that this will change the
|
||
|
interpretation of some quoted strings, especially those with
|
||
|
embedded backslash escape sequences. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=778">bz#778</a>)
|
||
|
* Support "Banner=none" in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> to disable sending of a
|
||
|
pre-login banner (e.g. in a Match block).
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ProxyCommands are now executed with $SHELL rather than
|
||
|
/bin/sh.
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>'s ConnectTimeout option is now applied to both the TCP
|
||
|
connection and the SSH banner exchange (previously it just covered
|
||
|
the TCP connection). This allows callers of <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to better detect
|
||
|
and deal with stuck servers that accept a TCP connection but don't
|
||
|
progress the protocol, and also makes ConnectTimeout useful for
|
||
|
connections via a ProxyCommand.
|
||
|
* Many new regression tests, including interop tests against PuTTY's
|
||
|
plink.
|
||
|
* Support BSM auditing on Mac OS X
|
||
|
|
||
|
The following bugs have been fixed in this release:
|
||
|
|
||
|
- <a href="https://man.openbsd.org/scp.1">scp(1)</a> incorrectly reported "stalled" on slow copies. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=799">bz#799</a>)
|
||
|
- <a href="https://man.openbsd.org/scp.1">scp(1)</a> date underflow for timestamps before epoch. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=828">bz#828</a>)
|
||
|
- <a href="https://man.openbsd.org/scp.1">scp(1)</a> and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> progressmeter type fixes. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=842">bz#842</a>)
|
||
|
- SSH2_MSG_UNIMPLEMENTED packets did not correctly reset the client
|
||
|
keepalive logic, causing disconnections on servers that did not
|
||
|
explicitly implement "keepalive@openssh.com". (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1307">bz#1307</a>)
|
||
|
- <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> used the obsolete SIG DNS RRtype for host keys in DNS,
|
||
|
instead of the current standard RRSIG. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1317">bz#1317</a>)
|
||
|
- Extract magic buffer size constants in <a href="https://man.openbsd.org/scp.1">scp(1)</a> to #defines.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1333">bz#1333</a>)
|
||
|
- Correctly drain ACKs when a <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> upload write fails midway,
|
||
|
avoids a fatal() exit from what should be a recoverable condition.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1354">bz#1354</a>)
|
||
|
- Avoid pointer arithmetic and strict aliasing warnings. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1355">bz#1355</a>)
|
||
|
- Fixed packet size advertisements. Previously TCP and agent
|
||
|
forwarding incorrectly advertised the channel window size as the
|
||
|
packet size, causing fatal errors under some conditions. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1360">bz#1360</a>)
|
||
|
- Document KbdInteractiveAuthentication in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1367">bz#1367</a>)
|
||
|
- Fixed <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> file handle leak on download when the local file
|
||
|
could not be opened. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1375">bz#1375</a>)
|
||
|
- Fixed <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> selective host key hashing (i.e.
|
||
|
"ssh-keygen -HF hostname") to not include any IP address in the
|
||
|
data to be hashed. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1376">bz#1376</a>)
|
||
|
- Fix clobbering of struct passwd from multiple getpwid calls,
|
||
|
resulting in fatal errors inside tilde_expand_filename. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1377">bz#1377</a>)
|
||
|
- Fix parsing of port-forwarding specifications to correctly
|
||
|
detect errors in either specified port number. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1378">bz#1378</a>)
|
||
|
- Fix memory leak in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ~ escape commandline handling. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1379">bz#1379</a>)
|
||
|
- Make <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> skip listening on the IPv6 wildcard address when a
|
||
|
binding address of 0.0.0.0 is used against an old SSH server that
|
||
|
does not support the <a href="https://tools.ietf.org/html/rfc4254">RFC4254</a> syntax for wildcard bind addresses.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1381">bz#1381</a>)
|
||
|
- Remove extra backslashes in the RB_PROTOTYPE macro definition.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1385">bz#1385</a>)
|
||
|
- Support <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> RekeyLimits up to the maximum allowed by the
|
||
|
protocol: 2**32-1. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1390">bz#1390</a>)
|
||
|
- Enable IPV6_V6ONLY socket option on <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> listen socket, as is
|
||
|
already done for X11/TCP forwarding sockets. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1392">bz#1392</a>)
|
||
|
- Fix FD leak that could hang a <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> connection multiplexing
|
||
|
master. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1398">bz#1398</a>)
|
||
|
- Improve error messages when hostname resolution fails due to a
|
||
|
system error. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1417">bz#1417</a>)
|
||
|
- Make <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> -q option documentation consistent with reality.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1427">bz#1427</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1429">bz#1429</a>)
|
||
|
|
||
|
Portable OpenSSH bugs fixed:
|
||
|
|
||
|
- Fixed <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> PAM support not calling pam_session_close(), or
|
||
|
failing to call it with root privileges. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=926">bz#926</a>)
|
||
|
- Made <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> use configuration-specified SyslogFacility for
|
||
|
hosts_access(3) messages for denied connections. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1042">bz#1042</a>)
|
||
|
- Implement getgrouplist(3) for AIX, enabling NSS LDAP to work on
|
||
|
this platform. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1081">bz#1081</a>)
|
||
|
- Fix compilation errors on AIX due to misdefinition of LLONG_MAX.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1347">bz#1347</a>)
|
||
|
- Force use of local glob(3) implementation on Mac OS X and FreeBSD,
|
||
|
as the platform versions lack features or have unexpected
|
||
|
behaviour. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1407">bz#1407</a>)
|
||
|
- Reduce stdout/stderr noise from ssh-copy-id. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1431">bz#1431</a>)
|
||
|
- Fix activation of OpenSSL engine support when requested in
|
||
|
configure. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1437">bz#1437</a>)
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.9.tar.gz">openssh-4.9.tar.gz</a>) = fa7d1b3dcb093bd0dfc643b33b1a57a26f459373
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.9p1.tar.gz">openssh-4.9p1.tar.gz</a>) = 91575878883065bd777f82b47e0d481ac69ee7fe
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.8" id="4.8">OpenSSH 4.8</a>/<a href="txt/release-4.8" id="4.8p1">4.8p1</a> (2008-03-31)</h3>
|
||
|
<pre>OpenSSH 4.8 was an OpenBSD-only release, included on the OpenBSD 4.3
|
||
|
CD only.
|
||
|
|
||
|
Changes since OpenSSH 4.8:
|
||
|
============================
|
||
|
|
||
|
New features:
|
||
|
|
||
|
* Added chroot(2) support for <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, controlled by a new option
|
||
|
"ChrootDirectory". Please refer to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> for details, and
|
||
|
please use this feature carefully. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=177">bz#177</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1352">bz#1352</a>)
|
||
|
* Linked <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> into <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. The internal sftp server is
|
||
|
used when the command "internal-sftp" is specified in a Subsystem
|
||
|
or ForceCommand declaration. When used with ChrootDirectory, the
|
||
|
internal sftp server requires no special configuration of files
|
||
|
inside the chroot environment. Please refer to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> for
|
||
|
more information.
|
||
|
* Added a protocol extension method "posix-rename@openssh.com" for
|
||
|
<a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> to perform POSIX atomic rename() operations.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1400">bz#1400</a>)
|
||
|
* Removed the fixed limit of 100 file handles in <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>. The
|
||
|
server will now dynamically allocate handles up to the number of
|
||
|
available file descriptors. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1397">bz#1397</a>)
|
||
|
* <a href="https://man.openbsd.org/ssh.8">ssh(8)</a> will now skip generation of SSH protocol 1 ephemeral server
|
||
|
keys when in inetd mode and protocol 2 connections are negotiated.
|
||
|
This speeds up protocol 2 connections to inetd-mode servers that
|
||
|
also allow Protocol 1 (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=440">bz#440</a>)
|
||
|
* Accept the PermitRootLogin directive in a <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> Match
|
||
|
block. Allows for, e.g. permitting root only from the local
|
||
|
network.
|
||
|
* Reworked <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> argument splitting and escaping to be more
|
||
|
internally consistent (i.e. between sftp commands) and more
|
||
|
consistent with sh(1). Please note that this will change the
|
||
|
interpretation of some quoted strings, especially those with
|
||
|
embedded backslash escape sequences. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=778">bz#778</a>)
|
||
|
* Support "Banner=none" in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> to disable sending of a
|
||
|
pre-login banner (e.g. in a Match block).
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ProxyCommands are now executed with $SHELL rather than
|
||
|
/bin/sh.
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>'s ConnectTimeout option is now applied to both the TCP
|
||
|
connection and the SSH banner exchange (previously it just covered
|
||
|
the TCP connection). This allows callers of <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to better detect
|
||
|
and deal with stuck servers that accept a TCP connection but don't
|
||
|
progress the protocol, and also makes ConnectTimeout useful for
|
||
|
connections via a ProxyCommand.
|
||
|
* Many new regression tests, including interop tests against PuTTY's
|
||
|
plink.
|
||
|
* Support BSM auditing on Mac OS X
|
||
|
|
||
|
The following bugs have been fixed in this release:
|
||
|
|
||
|
- <a href="https://man.openbsd.org/scp.1">scp(1)</a> incorrectly reported "stalled" on slow copies. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=799">bz#799</a>)
|
||
|
- <a href="https://man.openbsd.org/scp.1">scp(1)</a> date underflow for timestamps before epoch. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=828">bz#828</a>)
|
||
|
- <a href="https://man.openbsd.org/scp.1">scp(1)</a> and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> progressmeter type fixes. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=842">bz#842</a>)
|
||
|
- SSH2_MSG_UNIMPLEMENTED packets did not correctly reset the client
|
||
|
keepalive logic, causing disconnections on servers that did not
|
||
|
explicitly implement "keepalive@openssh.com". (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1307">bz#1307</a>)
|
||
|
- <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> used the obsolete SIG DNS RRtype for host keys in DNS,
|
||
|
instead of the current standard RRSIG. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1317">bz#1317</a>)
|
||
|
- Extract magic buffer size constants in <a href="https://man.openbsd.org/scp.1">scp(1)</a> to #defines.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1333">bz#1333</a>)
|
||
|
- Correctly drain ACKs when a <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> upload write fails midway,
|
||
|
avoids a fatal() exit from what should be a recoverable condition.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1354">bz#1354</a>)
|
||
|
- Avoid pointer arithmetic and strict aliasing warnings. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1355">bz#1355</a>)
|
||
|
- Fixed packet size advertisements. Previously TCP and agent
|
||
|
forwarding incorrectly advertised the channel window size as the
|
||
|
packet size, causing fatal errors under some conditions. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1360">bz#1360</a>)
|
||
|
- Document KbdInteractiveAuthentication in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1367">bz#1367</a>)
|
||
|
- Fixed <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> file handle leak on download when the local file
|
||
|
could not be opened. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1375">bz#1375</a>)
|
||
|
- Fixed <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> selective host key hashing (i.e.
|
||
|
"ssh-keygen -HF hostname") to not include any IP address in the
|
||
|
data to be hashed. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1376">bz#1376</a>)
|
||
|
- Fix clobbering of struct passwd from multiple getpwid calls,
|
||
|
resulting in fatal errors inside tilde_expand_filename. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1377">bz#1377</a>)
|
||
|
- Fix parsing of port-forwarding specifications to correctly
|
||
|
detect errors in either specified port number. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1378">bz#1378</a>)
|
||
|
- Fix memory leak in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ~ escape commandline handling. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1379">bz#1379</a>)
|
||
|
- Make <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> skip listening on the IPv6 wildcard address when a
|
||
|
binding address of 0.0.0.0 is used against an old SSH server that
|
||
|
does not support the <a href="https://tools.ietf.org/html/rfc4254">RFC4254</a> syntax for wildcard bind addresses.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1381">bz#1381</a>)
|
||
|
- Remove extra backslashes in the RB_PROTOTYPE macro definition.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1385">bz#1385</a>)
|
||
|
- Support <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> RekeyLimits up to the maximum allowed by the
|
||
|
protocol: 2**32-1. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1390">bz#1390</a>)
|
||
|
- Enable IPV6_V6ONLY socket option on <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> listen socket, as is
|
||
|
already done for X11/TCP forwarding sockets. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1392">bz#1392</a>)
|
||
|
- Fix FD leak that could hang a <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> connection multiplexing
|
||
|
master. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1398">bz#1398</a>)
|
||
|
- Improve error messages when hostname resolution fails due to a
|
||
|
system error. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1417">bz#1417</a>)
|
||
|
- Make <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> -q option documentation consistent with reality.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1427">bz#1427</a> <a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1429">bz#1429</a>)
|
||
|
|
||
|
Portable OpenSSH bugs fixed:
|
||
|
|
||
|
- Fixed <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> PAM support not calling pam_session_close(), or
|
||
|
failing to call it with root privileges. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=926">bz#926</a>)
|
||
|
- Made <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> use configuration-specified SyslogFacility for
|
||
|
hosts_access(3) messages for denied connections. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1042">bz#1042</a>)
|
||
|
- Implement getgrouplist(3) for AIX, enabling NSS LDAP to work on
|
||
|
this platform. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1081">bz#1081</a>)
|
||
|
- Fix compilation errors on AIX due to misdefinition of LLONG_MAX.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1347">bz#1347</a>)
|
||
|
- Force use of local glob(3) implementation on Mac OS X and FreeBSD,
|
||
|
as the platform versions lack features or have unexpected
|
||
|
behaviour. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1407">bz#1407</a>)
|
||
|
- Reduce stdout/stderr noise from ssh-copy-id. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1431">bz#1431</a>)
|
||
|
- Fix activation of OpenSSL engine support when requested in
|
||
|
configure. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1437">bz#1437</a>)
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.7" id="4.7">OpenSSH 4.7</a>/<a href="txt/release-4.7" id="4.7p1">4.7p1</a> (2007-09-05)</h3>
|
||
|
<pre>OpenSSH 4.7 was released on 2007-09-05. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since OpenSSH 4.6:
|
||
|
============================
|
||
|
|
||
|
Security bugs resolved in this release:
|
||
|
|
||
|
* Prevent <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> from using a trusted X11 cookie if creation of an
|
||
|
untrusted cookie fails; found and fixed by Jan Pechanec.
|
||
|
|
||
|
Other changes, new functionality and fixes in this release:
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> in new installations defaults to SSH Protocol 2 only.
|
||
|
Existing installations are unchanged.
|
||
|
|
||
|
* The SSH channel window size has been increased, and both <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now send window updates more aggressively. These improves
|
||
|
performance on high-BDP (Bandwidth Delay Product) networks.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now preserve MAC contexts between packets, which
|
||
|
saves 2 hash calls per packet and results in 12-16% speedup for
|
||
|
arcfour256/hmac-md5.
|
||
|
|
||
|
* A new MAC algorithm has been added, UMAC-64 (<a href="https://tools.ietf.org/html/rfc4418">RFC4418</a>) as
|
||
|
"umac-64@openssh.com". UMAC-64 has been measured to be
|
||
|
approximately 20% faster than HMAC-MD5.
|
||
|
|
||
|
* A -K flag was added to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to set GSSAPIAuthentication=Yes
|
||
|
|
||
|
* Failure to establish a <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> TunnelForward is now treated as a
|
||
|
fatal error when the ExitOnForwardFailure option is set.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> returns a sensible exit status if the control master goes
|
||
|
away without passing the full exit status. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1261">bz #1261</a>)
|
||
|
|
||
|
* The following bugs have been fixed in this release:
|
||
|
|
||
|
- When using a ProxyCommand in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, set the outgoing hostname with
|
||
|
gethostname(2), allowing hostbased authentication to work (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=616">bz #616</a>)
|
||
|
- Make <a href="https://man.openbsd.org/scp.1">scp(1)</a> skip FIFOs rather than hanging (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=856">bz #856</a>)
|
||
|
- Encode non-printing characters in <a href="https://man.openbsd.org/scp.1">scp(1)</a> filenames.
|
||
|
these could cause copies to be aborted with a "protocol error"
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=891">bz #891</a>)
|
||
|
- Handle SIGINT in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> privilege separation child process to
|
||
|
ensure that wtmp and lastlog records are correctly updated
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1196">bz #1196</a>)
|
||
|
- Report GSSAPI mechanism in errors, for libraries that support
|
||
|
multiple mechanisms (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1220">bz #1220</a>)
|
||
|
- Improve documentation for <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>'s -d option (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1224">bz #1224</a>)
|
||
|
- Rearrange and tidy GSSAPI code, removing server-only code being
|
||
|
linked into the client. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1225">bz #1225</a>)
|
||
|
- Delay execution of <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>'s LocalCommand until after all forwadings
|
||
|
have been established. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1232">bz #1232</a>)
|
||
|
- In <a href="https://man.openbsd.org/scp.1">scp(1)</a>, do not truncate non-regular files (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1236">bz #1236</a>)
|
||
|
- Improve exit message from ControlMaster clients. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1262">bz #1262</a>)
|
||
|
- Prevent <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a> from reading until it runs out of buffer
|
||
|
space, whereupon it would exit with a fatal error. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1286">bz #1286</a>)
|
||
|
|
||
|
* Portable OpenSSH bugs fixed:
|
||
|
|
||
|
- Fix multiple inclusion of paths.h on AIX 5.1 systems. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1243">bz #1243</a>)
|
||
|
- Implement getpeereid for Solaris using getpeerucred. Solaris
|
||
|
systems will now refuse <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> and <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> ControlMaster
|
||
|
clients from different, non-root users (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1287">bz #1287</a>)
|
||
|
- Fix compilation warnings by including string.h if found. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1294">bz #1294</a>)
|
||
|
- Remove redefinition of _res in getrrsetbyname.c for platforms that
|
||
|
already define it. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1299">bz #1299</a>)
|
||
|
- Fix spurious "chan_read_failed for istate 3" errors from <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>,
|
||
|
a side-effect of the "hang on exit" fix introduced in 4.6p1.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1306">bz #1306</a>)
|
||
|
- pam_end() was not being called if authentication failed (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1322">bz #1322</a>)
|
||
|
- Fix SELinux support when SELinux is in permissive mode. Previously
|
||
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a> was treating SELinux errors as always fatal. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1325">bz #1325</a>)
|
||
|
- Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before
|
||
|
pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys.
|
||
|
(<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1339">bz #1339</a>)
|
||
|
- Fix privilege separation on QNX - pre-auth only, this platform does
|
||
|
not support file descriptior passing needed for post-auth privilege
|
||
|
separation. (<a href="https://bugzilla.mindrot.org/show_bug.cgi?id=1343">bz #1343</a>)
|
||
|
|
||
|
Thanks to everyone who has contributed patches, reported bugs and
|
||
|
tested releases.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.7.tar.gz">openssh-4.7.tar.gz</a>) = 9ebaab9b31e01bd0d04425dc23536bcc78f8d990
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz">openssh-4.7p1.tar.gz</a>) = 58357db9e64ba6382bef3d73d1d386fcdc0508f4
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.6" id="4.6">OpenSSH 4.6</a>/<a href="txt/release-4.6" id="4.6p1">4.6p1</a> (2007-03-09)</h3>
|
||
|
<pre>OpenSSH 4.6 was released on 2007-03-09. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since OpenSSH 4.5:
|
||
|
============================
|
||
|
|
||
|
* sshd now allows the enabling and disabling of authentication
|
||
|
methods on a per user, group, host and network basis via the
|
||
|
Match directive in sshd_config.
|
||
|
|
||
|
* The following bugs have been fixed in this release:
|
||
|
|
||
|
- Clear SIGALRM when restarting due to SIGHUP. Prevents stray
|
||
|
signal from taking down sshd if a connection was pending at
|
||
|
the time SIGHUP was received
|
||
|
- sftp returned a zero exit status when upload failed due to write
|
||
|
errors (bugzilla #1252)
|
||
|
- fixed an inconsistent check for a terminal when displaying scp
|
||
|
progress meter (bugzilla #1265)
|
||
|
- Parsing of time values in Match blocks was incorrectly applied
|
||
|
to the global configuration (bugzilla #1275)
|
||
|
- Allow multiple forwarding options to work when specified in a
|
||
|
PermitOpen directive (bugzilla #1267)
|
||
|
- Interoperate with ssh.com versions that do not support binding
|
||
|
remote port forwarding sessions to a hostname (bugzilla #1019)
|
||
|
|
||
|
* Portable OpenSSH bugs fixed:
|
||
|
|
||
|
- "hang on exit" when background processes are running at the time
|
||
|
of exit on a ttyful/login session (bugzilla #52)
|
||
|
- Fix typos in the ssh-rand-helper(8) man page (bugzilla #1259)
|
||
|
- Check that some SIG records have been returned in getrrsetbyname
|
||
|
(bugzilla #1281)
|
||
|
- Fix contrib/findssl for platforms that lack "which" (bugzilla
|
||
|
#1237)
|
||
|
- Work around bug in OpenSSL 0.9.8e that broke aes256-ctr,
|
||
|
aes192-ctr, arcfour256 (bugzilla #1291)
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.6.tar.gz">openssh-4.6.tar.gz</a>) = c1700845be464a769428f34ef727c1f530728afc
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz">openssh-4.6p1.tar.gz</a>) = b2aefeb1861b4688b1777436035239ec32a47da8
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.5" id="4.5">OpenSSH 4.5</a>/<a href="txt/release-4.5" id="4.5p1">4.5p1</a> (2006-11-07)</h3>
|
||
|
<pre>OpenSSH 4.5 was released on 2006-11-07. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since OpenSSH 4.4:
|
||
|
============================
|
||
|
|
||
|
This is a bugfix only release. No new features have been added.
|
||
|
|
||
|
Security bugs resolved in this release:
|
||
|
|
||
|
* Fix a bug in the sshd privilege separation monitor that weakened its
|
||
|
verification of successful authentication. This bug is not known to
|
||
|
be exploitable in the absence of additional vulnerabilities.
|
||
|
|
||
|
This release includes the following non-security fixes:
|
||
|
|
||
|
* Several compilation fixes for portable OpenSSH
|
||
|
|
||
|
* Fixes to Solaris SMF/process contract support (bugzilla #1255)
|
||
|
|
||
|
Thanks to everyone who has contributed patches, reported bugs and
|
||
|
tested releases.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.5.tar.gz">openssh-4.5.tar.gz</a>) = def3de1557181062d788695b9371d02635af39fb
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.5p1.tar.gz">openssh-4.5p1.tar.gz</a>) = 2eefcbbeb9e4fa16fa4500dec107d1a09d3d02d7
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.4" id="4.4">OpenSSH 4.4</a>/<a href="txt/release-4.4" id="4.4p1">4.4p1</a> (2006-09-27)</h3>
|
||
|
<pre>OpenSSH 4.4 was released on 2006-09-27. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since OpenSSH 4.3:
|
||
|
============================
|
||
|
|
||
|
Security bugs resolved in this release:
|
||
|
|
||
|
* Fix a pre-authentication denial of service found by Tavis Ormandy,
|
||
|
that would cause <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> to spin until the login grace time
|
||
|
expired.
|
||
|
|
||
|
* Fix an unsafe signal hander reported by Mark Dowd. The signal
|
||
|
handler was vulnerable to a race condition that could be exploited
|
||
|
to perform a pre-authentication denial of service. On portable
|
||
|
OpenSSH, this vulnerability could theoretically lead to
|
||
|
pre-authentication remote code execution if GSSAPI authentication
|
||
|
is enabled, but the likelihood of successful exploitation appears
|
||
|
remote.
|
||
|
|
||
|
* On portable OpenSSH, fix a GSSAPI authentication abort that could
|
||
|
be used to determine the validity of usernames on some platforms.
|
||
|
|
||
|
This release includes the following new functionality and fixes:
|
||
|
|
||
|
* Implemented conditional configuration in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> using the
|
||
|
"Match" directive. This allows some configuration options to be
|
||
|
selectively overridden if specific criteria (based on user, group,
|
||
|
hostname and/or address) are met. So far a useful subset of post-
|
||
|
authentication options are supported and more are expected to be
|
||
|
added in future releases.
|
||
|
|
||
|
* Add support for Diffie-Hellman group exchange key agreement with a
|
||
|
final hash of SHA256.
|
||
|
|
||
|
* Added a "ForceCommand" directive to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>. Similar to the
|
||
|
command="..." option accepted in ~/.ssh/authorized_keys, this forces
|
||
|
the execution of the specified command regardless of what the user
|
||
|
requested. This is very useful in conjunction with the new "Match"
|
||
|
option.
|
||
|
|
||
|
* Add a "PermitOpen" directive to <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>. This mirrors the
|
||
|
permitopen="..." authorized_keys option, allowing fine-grained
|
||
|
control over the port-forwardings that a user is allowed to
|
||
|
establish.
|
||
|
|
||
|
* Add optional logging of transactions to <a href="https://man.openbsd.org/sftp-server.8">sftp-server(8)</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> will now record port numbers for hosts stored in
|
||
|
~/.ssh/authorized_keys when a non-standard port has been requested.
|
||
|
|
||
|
* Add an "ExitOnForwardFailure" option to cause <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> to exit (with
|
||
|
a non-zero exit code) when requested port forwardings could not be
|
||
|
established.
|
||
|
|
||
|
* Extend <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> "SubSystem" declarations to allow the
|
||
|
specification of command-line arguments.
|
||
|
|
||
|
* Replacement of all integer overflow susceptible invocations of
|
||
|
malloc(3) and realloc(3) with overflow-checking equivalents.
|
||
|
|
||
|
* Many manpage fixes and improvements
|
||
|
|
||
|
* New portable OpenSSH-specific features:
|
||
|
|
||
|
- Add optional support for SELinux, controlled using the
|
||
|
--with-selinux configure option (experimental)
|
||
|
|
||
|
- Add optional support for Solaris process contracts, enabled
|
||
|
using the --with-solaris-contracts configure option (experimental)
|
||
|
This option will also include SMF metadata in Solaris packages
|
||
|
built using the "make package" target
|
||
|
|
||
|
- Add optional support for OpenSSL hardware accelerators (engines),
|
||
|
enabled using the --with-ssl-engine configure option.
|
||
|
|
||
|
* Bugs from <a href="http://bugzilla.mindrot.org">http://bugzilla.mindrot.org</a> fixed:
|
||
|
#482 - readconf doesn't accept paths with spaces in them.
|
||
|
#906 - syslog messages from sshd [net] lost.
|
||
|
#975 - Kerberos authentication timing can leak information
|
||
|
about account validity.
|
||
|
#981 - Flow stop in SSH2.
|
||
|
#1102 - C program 'write' with zero length hangs.
|
||
|
#1129 - sshd hangs for command-only invocations due to
|
||
|
fork/child signals.
|
||
|
#1131 - error "buffer_append_space:alloc not supported"
|
||
|
#1138 - Passphrase asked for (but ignored) if key file permissions
|
||
|
too liberal..
|
||
|
#1156 - Closes connection after C-c is pressed on QNX.
|
||
|
#1157 - ssh-keygen doesn't handle DOS line breaks.
|
||
|
#1159 - %u and %h not handled in IdentityFile.
|
||
|
#1161 - scp -r fails.
|
||
|
#1162 - Inappropriate sequence of syslog messages.
|
||
|
#1166 - openssh-4.3p1 has some issues compiling.
|
||
|
#1171 - configure can't always figure out LLONG_MAX..
|
||
|
#1173 - scp reports lost connection for very large files.
|
||
|
#1177 - Incorrect sshrc file location in Makefile.in.
|
||
|
#1179 - sshd incorrectly rejects connections due to IP options.
|
||
|
#1181 - configure should detect when openssl-0.9.8x needs -ldl.
|
||
|
#1186 - ssh tries multiple times to open unprotected keys.
|
||
|
#1188 - keyboard-interactive should not allow retry after
|
||
|
pam_acct_mgmt fails.
|
||
|
#1193 - Open ssh will not allow changing of passwords on usernames
|
||
|
greater than 8 characters..
|
||
|
#1201 - Bind address information is not specified in command line
|
||
|
help messages.
|
||
|
#1203 - configure.ac is missing an open [.
|
||
|
#1207 - sshd does not clear unsuccessful login count on
|
||
|
non-interactive logins.
|
||
|
#1218 - GSSAPI client code permits SPNEGO usage.
|
||
|
#1221 - Banner only suppressed at log level = QUIET (used to be
|
||
|
at log level < INFO).
|
||
|
|
||
|
* Fixes to memory and file descriptor leaks reported by the Coverity
|
||
|
static analysis tool
|
||
|
|
||
|
* Fixes to inconsistent pointer checks reported by the Stanford
|
||
|
SATURN tool
|
||
|
|
||
|
Thanks to everyone who has contributed patches, reported bugs and
|
||
|
tested releases.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.4.tar.gz">openssh-4.4.tar.gz</a>) = 2294b5e5a591420aa05ff607c1890ab622ace878
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.4p1.tar.gz">openssh-4.4p1.tar.gz</a>) = 6a52b1dee1c2c9862923c0008d201d98a7fd9d6c
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.3p2" id="4.3p2">OpenSSH 4.3p2</a> (2006-02-11)</h3>
|
||
|
<pre>Portable OpenSSH 4.3p2 was released on 2006-02-11. It will be available
|
||
|
from the mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We have also recently completed another Internet SSH usage scan, the
|
||
|
results of which may be found at <a href="http://www.openssh.com/usage.html">http://www.openssh.com/usage.html</a>
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since Portable OpenSSH 4.3p1:
|
||
|
====================================
|
||
|
|
||
|
This is a release of Portable OpenSSH only, to resolve some
|
||
|
portability bugs. There are no new features, only fixes:
|
||
|
|
||
|
* Explicitly test for egrep in ./configure, fixing a problem in 4.3p1
|
||
|
that caused some platforms to fail to detect the available fields
|
||
|
in utmp/wtmp/lastlog records. This bug manifested as missing or
|
||
|
empty login/logout records (as seen by last(1), etc.)
|
||
|
|
||
|
* Fix for logout records not being updated on platforms without
|
||
|
support for post-authentication privilege separation (e.g. Cygwin)
|
||
|
|
||
|
* Fixed compilation problems on Ultrix, NewsOS and QNX
|
||
|
|
||
|
Thanks to everyone who has contributed patches, reported bugs or test
|
||
|
releases.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.3p2.tar.gz">openssh-4.3p2.tar.gz</a>) = 2b5b0751fd578283ba7b106025c0ba391fd72f1f
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.3" id="4.3">OpenSSH 4.3</a>/<a href="txt/release-4.3" id="4.3p1">4.3p1</a> (2006-02-01)</h3>
|
||
|
<pre>OpenSSH 4.3 was released on 2006-02-01. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We have also recently completed another Internet SSH usage scan, the
|
||
|
results of which may be found at <a href="http://www.openssh.com/usage.html">http://www.openssh.com/usage.html</a>
|
||
|
|
||
|
Once again, we would like to thank the OpenSSH community for their
|
||
|
continued support of the project, especially those who contributed
|
||
|
code or patches, reported bugs, tested snapshots and purchased
|
||
|
T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since OpenSSH 4.2:
|
||
|
============================
|
||
|
|
||
|
Security bugs resolved in this release:
|
||
|
|
||
|
* CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
|
||
|
subshell to perform local to local, and remote to remote copy
|
||
|
operations. This subshell exposed filenames to shell expansion
|
||
|
twice; allowing a local attacker to create filenames containing
|
||
|
shell metacharacters that, if matched by a wildcard, could lead
|
||
|
to execution of attacker-specified commands with the privilege of
|
||
|
the user running scp (Bugzilla #1094)
|
||
|
|
||
|
This is primarily a bug-fix release, only one new feature has been
|
||
|
added:
|
||
|
|
||
|
* Add support for tunneling arbitrary network packets over a
|
||
|
connection between an OpenSSH client and server via tun(4) virtual
|
||
|
network interfaces. This allows the use of OpenSSH (4.3+) to create
|
||
|
a true VPN between the client and server providing real network
|
||
|
connectivity at layer 2 or 3. This feature is experimental and is
|
||
|
currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and
|
||
|
FreeBSD. Other operating systems with tun/tap interface capability
|
||
|
may be added in future portable OpenSSH releases. Please refer to
|
||
|
the README.tun file in the source distribution for further details
|
||
|
and usage examples.
|
||
|
|
||
|
Some of the other bugs resolved and internal improvements are:
|
||
|
|
||
|
* Reduce default key length for new DSA keys generated by ssh-keygen
|
||
|
back to 1024 bits. DSA is not specified for longer lengths and does
|
||
|
not fully benefit from simply making keys longer. As per FIPS 186-2
|
||
|
Change Notice 1, ssh-keygen will refuse to generate a new DSA key
|
||
|
smaller or larger than 1024 bits
|
||
|
|
||
|
* Fixed X forwarding failing to start when a the X11 client is executed
|
||
|
in background at the time of session exit (Bugzilla #1086)
|
||
|
|
||
|
* Change ssh-keygen to generate a protocol 2 RSA key when invoked
|
||
|
without arguments (Bugzilla #1064)
|
||
|
|
||
|
* Fix timing variance for valid vs. invalid accounts when attempting
|
||
|
Kerberos authentication (Bugzilla #975)
|
||
|
|
||
|
* Ensure that ssh always returns code 255 on internal error (Bugzilla
|
||
|
#1137)
|
||
|
|
||
|
* Cleanup wtmp files on SIGTERM when not using privsep (Bugzilla #1029)
|
||
|
|
||
|
* Set SO_REUSEADDR on X11 listeners to avoid problems caused by
|
||
|
lingering sockets from previous session (X11 applications can
|
||
|
sometimes not connect to 127.0.0.1:60xx) (Bugzilla #1076)
|
||
|
|
||
|
* Ensure that fds 0, 1 and 2 are always attached in all programs, by
|
||
|
duping /dev/null to them if necessary.
|
||
|
|
||
|
* Xauth list invocation had bogus "." argument (Bugzilla #1082)
|
||
|
|
||
|
* Remove internal assumptions on key exchange hash algorithm and output
|
||
|
length, preparing OpenSSH for KEX methods with alternate hashes.
|
||
|
|
||
|
* Ignore junk sent by a server before it sends the "SSH-" banner
|
||
|
(Bugzilla #1067)
|
||
|
|
||
|
* The manpages has been significantly improves and rearranged, in
|
||
|
addition to other specific manpage fixes:
|
||
|
#1037 - Man page entries for -L and -R should mention -g.
|
||
|
#1077 - Descriptions for "ssh -D" and DynamicForward should mention
|
||
|
they can specify "bind_address" optionally.
|
||
|
#1088 - Incorrect descriptions in ssh_config man page for
|
||
|
ControlMaster=no.
|
||
|
#1121 - Several corrections for ssh_agent manpages
|
||
|
|
||
|
* Lots of cleanups, including fixes to memory leaks on error paths
|
||
|
(Bugzilla #1109, #1110, #1111 and more) and possible crashes (#1092)
|
||
|
|
||
|
* Portable OpenSSH-specific fixes:
|
||
|
|
||
|
- Pass random seed during re-exec for each connection: speeds up
|
||
|
processing of new connections on platforms using the OpenSSH's
|
||
|
builtin entropy collector (ssh-rand-helper)
|
||
|
|
||
|
- PAM fixes and improvements:
|
||
|
#1045 - Missing option for ignoring the /etc/nologin file
|
||
|
#1087 - Show PAM password expiry message from LDAP on login
|
||
|
#1028 - Forward final non-query conversations to client
|
||
|
#1126 - Prevent user from being forced to change an expired
|
||
|
password repeatedly on AIX in some PAM configurations.
|
||
|
#1045 - Do not check /etc/nologin when PAM is enabled, instead
|
||
|
allow PAM to handle it. Note that on platforms using
|
||
|
PAM, the pam_nologin module should be used in sshd's
|
||
|
session stack in order to maintain past behaviour
|
||
|
|
||
|
- Portability-related fixes:
|
||
|
#989 - Fix multiplexing regress test on Solaris
|
||
|
#1097 - Cross-compile fixes.
|
||
|
#1096 - ssh-keygen broken on HPUX.
|
||
|
#1098 - $MAIL being set incorrectly for HPUX server login.
|
||
|
#1104 - Compile error on Tru64 Unix 4.0f
|
||
|
#1106 - Updated .spec file and startup for SuSE.
|
||
|
#1122 - Use _GNU_SOURCE define in favor of __USE_GNU, fixing
|
||
|
compilation problems on glibc 2.4
|
||
|
|
||
|
Thanks to everyone who has contributed patches, reported bugs or test
|
||
|
releases.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.3.tar.gz">openssh-4.3.tar.gz</a>) = 0cb66e56805d66b51511455423bab88aa58a1455
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.3p1.tar.gz">openssh-4.3p1.tar.gz</a>) = b1f379127829e7e820955b2825130edd1601ba59
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
|
||
|
Ben Lindstrom.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.2" id="4.2">OpenSSH 4.2</a>/<a href="txt/release-4.2" id="4.2p1">4.2p1</a> (2005-09-01)</h3>
|
||
|
<pre>OpenSSH 4.2 was released on 2005-09-01. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support of the project, especially those who contributed source,
|
||
|
reported bugs, tested snapshots and purchased T-shirts or posters.
|
||
|
|
||
|
T-shirt, poster and CD sales directly support the project. Pictures
|
||
|
and more information can be found at:
|
||
|
<a href="http://www.openbsd.org/tshirts.html">http://www.openbsd.org/tshirts.html</a> and
|
||
|
<a href="http://www.openbsd.org/orders.html">http://www.openbsd.org/orders.html</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Changes since OpenSSH 4.1:
|
||
|
============================
|
||
|
|
||
|
- SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused
|
||
|
GatewayPorts to be incorrectly activated for dynamic ("-D") port
|
||
|
forwardings when no listen address was explicitly specified.
|
||
|
|
||
|
- SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI
|
||
|
credentials to be delegated to users who log in with methods
|
||
|
other than GSSAPI authentication (e.g. public key) when the
|
||
|
client requests it. This behaviour has been changed in OpenSSH
|
||
|
4.2 to only delegate credentials to users who authenticate
|
||
|
using the GSSAPI method. This eliminates the risk of credentials
|
||
|
being inadvertently exposed to an untrusted user/host (though
|
||
|
users should not activate GSSAPIDelegateCredentials to begin
|
||
|
with when the remote user or host is untrusted)
|
||
|
|
||
|
- Added a new compression method that delays the start of zlib
|
||
|
compression until the user has been authenticated successfully.
|
||
|
The new method ("Compression delayed") is on by default in the
|
||
|
server. This eliminates the risk of any zlib vulnerability
|
||
|
leading to a compromise of the server from unauthenticated users.
|
||
|
|
||
|
NB. Older OpenSSH (<3.5) versions have a bug that will cause them
|
||
|
to refuse to connect to any server that does not offer compression
|
||
|
when the client has compression requested. Since the new "delayed"
|
||
|
server mode isn't supported by these older clients, they will
|
||
|
refuse to connect to a new server unless compression is disabled
|
||
|
(on the client end) or the original compression method is enabled
|
||
|
on the server ("Compression yes" in sshd_config)
|
||
|
|
||
|
- Another round of proactive changes for signed vs unsigned integer
|
||
|
bugs has been completed, including changing the atomicio() API to
|
||
|
encourage safer programming. This work is ongoing.
|
||
|
|
||
|
- Added support for the improved arcfour cipher modes from
|
||
|
draft-harris-ssh-arcfour-fixes-02. The improves the cipher's
|
||
|
resistance to a number of attacks by discarding early keystream
|
||
|
output.
|
||
|
|
||
|
- Increase the default size of new RSA/DSA keys generated by
|
||
|
ssh-keygen from 1024 to 2048 bits.
|
||
|
|
||
|
- Many bugfixes and improvements to connection multiplexing,
|
||
|
including:
|
||
|
|
||
|
- Added ControlMaster=auto/autoask options to support opportunistic
|
||
|
multiplexing (see the <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> manpage for details).
|
||
|
|
||
|
- The client will now gracefully fallback to starting a new TCP
|
||
|
connection if it cannot connect to a specified multiplexing
|
||
|
control socket
|
||
|
|
||
|
- Added %h (target hostname), %p (target port) and %r (remote
|
||
|
username) expansion sequences to ControlPath. Also allow
|
||
|
ControlPath=none to disable connection multiplexing.
|
||
|
|
||
|
- Implemented support for X11 and agent forwarding over multiplexed
|
||
|
connections. Because of protocol limitations, the slave
|
||
|
connections inherit the master's DISPLAY and SSH_AUTH_SOCK rather
|
||
|
than distinctly forwarding their own.
|
||
|
|
||
|
- Portable OpenSSH: Added support for long passwords (> 8-char) on
|
||
|
UnixWare 7.
|
||
|
|
||
|
- The following bugs from <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a> were closed:
|
||
|
|
||
|
#471 - Misleading error message if /dev/tty perms wrong
|
||
|
#623 - Don't use $HOME in manpages
|
||
|
#829 - Don't allocate a tty if -n option is set
|
||
|
#1025 - Correctly handle disabled special character in ttymodes
|
||
|
#1033 - Fix compile-time warnings
|
||
|
#1046 - AIX 5.3 Garbage on Login
|
||
|
#1054 - Don't terminate connection on getpeername() failure
|
||
|
#1076 - GSSAPIDelegateCredentials issue mentioned above
|
||
|
|
||
|
- Lots of other improvements and fixes. Please refer to the ChangeLog
|
||
|
for details
|
||
|
|
||
|
Thanks to everyone who has contributed patches, problem or test reports.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.2.tar.gz">openssh-4.2.tar.gz</a>) = d2bd777986a30e446268ceeb24cddbf2edf51b21
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.2p1.tar.gz">openssh-4.2p1.tar.gz</a>) = 5e7231cfa8ec673ea856ce291b78fac8b380eb78
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.1" id="4.1">OpenSSH 4.1</a>/<a href="txt/release-4.1" id="4.1p1">4.1p1</a> (2005-05-26)</h3>
|
||
|
<pre>OpenSSH 4.1 was released on 2005-05-26. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 4.0:
|
||
|
============================
|
||
|
|
||
|
* This is a bugfix release, no new features have been added. Some notable
|
||
|
fixes are:
|
||
|
|
||
|
- Fix segfault when using forwardings configured in <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> and
|
||
|
ClearAllForwardings (bugzilla #996)
|
||
|
|
||
|
- Limit input buffer size for channels. A peer could send more data
|
||
|
than the buffer code was willing to accept. This would cause OpenSSH
|
||
|
to abort the connection (bugzilla #896)
|
||
|
|
||
|
* Several improvements to the regression tests
|
||
|
|
||
|
* Portable OpenSSH:
|
||
|
|
||
|
- OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to
|
||
|
IPv4 addresses. This means that IPv4 addresses in log messages on IPv6
|
||
|
enabled machines will no longer be prefixed by "::ffff:" and AllowUsers,
|
||
|
DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only
|
||
|
for 4-in-6 mapped connections. This ensures a consistent representation
|
||
|
of IPv4 addresses regardless of whether or not the machine is IPv6
|
||
|
enabled.
|
||
|
|
||
|
* Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006,
|
||
|
#1024, and #1038
|
||
|
|
||
|
Changes since OpenSSH 3.9:
|
||
|
============================
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now allows the optional specification of an address to bind to
|
||
|
in port forwarding connections (local, remote and dynamic). Please
|
||
|
refer to the documentation for the -L and -R options in the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
manual page and the LocalForward and RemoteForward options in the
|
||
|
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> manpage. (Bugzilla #413)
|
||
|
|
||
|
* To control remote bindings while retaining backwards compatibility,
|
||
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>'s GatewayPorts option has been extended. To allow client
|
||
|
specified bind addresses for remote (-R) port forwardings, the server
|
||
|
must be configured with "GatewayPorts clientspecified".
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and ssh-keyscan(1) now support hashing of host names and
|
||
|
addresses added to known_hosts files, controlled by the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
HashKnownHosts configuration directive. This option improves user
|
||
|
privacy by hiding which hosts have been visited. At present this
|
||
|
option is off by default, but may be turned on once it receives
|
||
|
sufficient testing.
|
||
|
|
||
|
* Added options for managing keys in known_hosts files to <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
|
||
|
including the ability to search for hosts by name, delete hosts by
|
||
|
name and convert an unhashed known_hosts file into one with hashed
|
||
|
names. These are particularly useful for managing known_hosts files
|
||
|
with hashed hostnames.
|
||
|
|
||
|
* Improve account and password expiry support in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. Ther server
|
||
|
will now warn in advance for both account and password expiry.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> will now log the source of connections denied by AllowUsers,
|
||
|
DenyUsers, AllowGroups and DenyGroups (Bugzilla #909)
|
||
|
|
||
|
* Added AddressFamily option to <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> to allow global control over
|
||
|
IPv4/IPv6 usage. (Bugzilla #989)
|
||
|
|
||
|
* Improved <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> client, including bugfixes and optimisations for the
|
||
|
``ls'' command and command history and editing support using libedit.
|
||
|
|
||
|
* Improved the handling of bad data in authorized_keys files,
|
||
|
eliminating fatal errors on corrupt or very large keys. (Bugzilla
|
||
|
#884)
|
||
|
|
||
|
* Improved connection multiplexing support in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. Several bugs
|
||
|
have been fixed and a new "command mode" has been added to allow the
|
||
|
control of a running multiplexing master connection, including
|
||
|
checking that it is up, determining its PID and asking it to exit.
|
||
|
|
||
|
* Have <a href="https://man.openbsd.org/scp.1">scp(1)</a> and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> wait for the spawned ssh to exit before they
|
||
|
exit themselves. This prevents ssh from being unable to restore
|
||
|
terminal modes (not normally a problem on OpenBSD but common with
|
||
|
-Portable on POSIX platforms). (Bugzilla #950)
|
||
|
|
||
|
* Portable OpenSSH:
|
||
|
|
||
|
- Add *EXPERIMENTAL* BSM audit support for Solaris systems
|
||
|
(Bugzilla #125)
|
||
|
|
||
|
- Enable IPv6 on AIX where possible (see README.platform for
|
||
|
details), working around a misfeature of AIX's getnameinfo.
|
||
|
(Bugzilla #835)
|
||
|
|
||
|
- Teach <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> to write failed login records to btmp for
|
||
|
unsuccessful auth attempts. Currently this is only for password,
|
||
|
keyboard-interactive and challenge/response authentication methods
|
||
|
and only on Linux and HP-UX.
|
||
|
|
||
|
- <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now sends output from failing PAM session modules to the
|
||
|
user before exiting, similar to the way /etc/nologin is handled
|
||
|
|
||
|
- Store credentials from gssapi-with-mic authentication early enough
|
||
|
to be available to PAM session modules when privsep=yes.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/openssh-4.1.tar.gz">openssh-4.1.tar.gz</a>) = 62fc9596b20244bb559d5fee3ff3ecc0dfd557cb
|
||
|
- SHA1 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.1p1.tar.gz">openssh-4.1p1.tar.gz</a>) = e85d389da8ad8290f5031b8f9972e2623c674e46
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-4.0" id="4.0">OpenSSH 4.0</a>/<a href="txt/release-4.0" id="4.0p1">4.0p1</a> (2005-03-09)</h3>
|
||
|
<pre>OpenSSH 4.0 was released on 2005-03-09. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.9:
|
||
|
============================
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now allows the optional specification of an address to bind to
|
||
|
in port forwarding connections (local, remote and dynamic). Please
|
||
|
refer to the documentation for the -L and -R options in the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
manual page and the LocalForward and RemoteForward options in the
|
||
|
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> manpage. (Bugzilla #413)
|
||
|
|
||
|
* To control remote bindings while retaining backwards compatibility,
|
||
|
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>'s GatewayPorts option has been extended. To allow client
|
||
|
specified bind addresses for remote (-R) port forwardings, the server
|
||
|
must be configured with "GatewayPorts clientspecified".
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and ssh-keyscan(1) now support hashing of host names and
|
||
|
addresses added to known_hosts files, controlled by the <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
HashKnownHosts configuration directive. This option improves user
|
||
|
privacy by hiding which hosts have been visited. At present this
|
||
|
option is off by default, but may be turned on once it receives
|
||
|
sufficient testing.
|
||
|
|
||
|
* Added options for managing keys in known_hosts files to <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>,
|
||
|
including the ability to search for hosts by name, delete hosts by
|
||
|
name and convert an unhashed known_hosts file into one with hashed
|
||
|
names. These are particularly useful for managing known_hosts files
|
||
|
with hashed hostnames.
|
||
|
|
||
|
* Improve account and password expiry support in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>. Ther server
|
||
|
will now warn in advance for both account and password expiry.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> will now log the source of connections denied by AllowUsers,
|
||
|
DenyUsers, AllowGroups and DenyGroups (Bugzilla #909)
|
||
|
|
||
|
* Added AddressFamily option to <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> to allow global control over
|
||
|
IPv4/IPv6 usage. (Bugzilla #989)
|
||
|
|
||
|
* Improved <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> client, including bugfixes and optimisations for the
|
||
|
``ls'' command and command history and editing support using libedit.
|
||
|
|
||
|
* Improved the handling of bad data in authorized_keys files,
|
||
|
eliminating fatal errors on corrupt or very large keys. (Bugzilla
|
||
|
#884)
|
||
|
|
||
|
* Improved connection multiplexing support in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>. Several bugs
|
||
|
have been fixed and a new "command mode" has been added to allow the
|
||
|
control of a running multiplexing master connection, including
|
||
|
checking that it is up, determining its PID and asking it to exit.
|
||
|
|
||
|
* Have <a href="https://man.openbsd.org/scp.1">scp(1)</a> and <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> wait for the spawned ssh to exit before they
|
||
|
exit themselves. This prevents ssh from being unable to restore
|
||
|
terminal modes (not normally a problem on OpenBSD but common with
|
||
|
-Portable on POSIX platforms). (Bugzilla #950)
|
||
|
|
||
|
* Portable OpenSSH:
|
||
|
|
||
|
- Add *EXPERIMENTAL* BSM audit support for Solaris systems
|
||
|
(Bugzilla #125)
|
||
|
|
||
|
- Enable IPv6 on AIX where possible (see README.platform for
|
||
|
details), working around a misfeature of AIX's getnameinfo.
|
||
|
(Bugzilla #835)
|
||
|
|
||
|
- Teach <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> to write failed login records to btmp for
|
||
|
unsuccessful auth attempts. Currently this is only for password,
|
||
|
keyboard-interactive and challenge/response authentication methods
|
||
|
and only on Linux and HP-UX.
|
||
|
|
||
|
- <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now sends output from failing PAM session modules to the
|
||
|
user before exiting, similar to the way /etc/nologin is handled
|
||
|
|
||
|
- Store credentials from gssapi-with-mic authentication early enough
|
||
|
to be available to PAM session modules when privsep=yes.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (openssh-4.0.tgz) = 7dbf15fe7c294672e8822127f50107d0
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.0p1.tar.gz">openssh-4.0p1.tar.gz</a>) = 7b36f28fc16e1b7f4ba3c1dca191ac92
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.9" id="3.9">OpenSSH 3.9</a>/<a href="txt/release-3.9" id="3.9p1">3.9p1</a> (2004-08-18)</h3>
|
||
|
<pre>OpenSSH 3.9 was released on 2004-08-18. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.8:
|
||
|
============================
|
||
|
|
||
|
* Added new "IdentitiesOnly" option to <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, which specifies that it should
|
||
|
use keys specified in ssh_config, rather than any keys in <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>
|
||
|
|
||
|
* Make <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> re-execute itself on accepting a new connection. This security
|
||
|
measure ensures that all execute-time randomisations are reapplied for each
|
||
|
connection rather than once, for the master process' lifetime. This includes
|
||
|
mmap and malloc mappings, shared library addressing, shared library mapping
|
||
|
order, ProPolice and StackGhost cookies on systems that support such things
|
||
|
|
||
|
* Add strict permission and ownership checks to programs reading ~/.ssh/config
|
||
|
NB <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> will now exit instead of trying to process a config with poor
|
||
|
ownership or permissions
|
||
|
|
||
|
* Implemented the ability to pass selected environment variables between the
|
||
|
client and the server. See "AcceptEnv" in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a> and "SendEnv" in
|
||
|
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> for details
|
||
|
|
||
|
* Added a "MaxAuthTries" option to <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>, allowing control over the maximum
|
||
|
number of authentication attempts permitted per connection
|
||
|
|
||
|
* Added support for cancellation of active remote port forwarding sessions.
|
||
|
This may be performed using the ~C escape character, see "Escape Characters"
|
||
|
in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> for details
|
||
|
|
||
|
* Many <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> interface improvements, including greatly enhanced "ls" support
|
||
|
and the ability to cancel active transfers using SIGINT (^C)
|
||
|
|
||
|
* Implement session multiplexing: a single <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> connection can now carry
|
||
|
multiple login/command/file transfer sessions. Refer to the "ControlMaster"
|
||
|
and "ControlPath" options in <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> for more information
|
||
|
|
||
|
* The sftp-server has improved support for non-POSIX filesystems (e.g. FAT)
|
||
|
|
||
|
* Portable OpenSSH: Re-introduce support for PAM password authentication, in
|
||
|
addition to the keyboard-interactive driver. PAM password authentication
|
||
|
is less flexible, and doesn't support pre-authentication password expiry but
|
||
|
runs in-process so Kerberos tokens, etc are retained
|
||
|
|
||
|
* Improved and more extensive regression tests
|
||
|
|
||
|
* Many bugfixes and small improvements
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (openssh-3.9.tgz) = 93f48bfcc1560895ae53de6bfc41689b
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.9p1.tar.gz">openssh-3.9p1.tar.gz</a>) = 8e1774d0b52aff08f817f3987442a16e
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.8.1p1" id="3.8.1p1">OpenSSH 3.8.1p1</a> (2004-04-19)</h3>
|
||
|
<pre>OpenSSH 3.8.1p1 was released on 2004-04-19. It is available from
|
||
|
the mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
|
||
|
This release is a bug-fix release for the portable version. There are
|
||
|
no feature additions and no corresponding OpenBSD-only release.
|
||
|
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source, help
|
||
|
with testing and have bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Bugs fixed since OpenSSH 3.8p1:
|
||
|
===============================
|
||
|
|
||
|
Bug #673 - Fix compilation on NetBSD with S/Key enabled
|
||
|
|
||
|
Bug #748 - Detect and workaround broken name resolution on HP-UX
|
||
|
|
||
|
Bug #802 - Fix linking on Tru64 when compiled with SIA support
|
||
|
|
||
|
Bug #808 - Fix PAM crash on expired password when not authenticated using
|
||
|
pam/kbdint mechanism
|
||
|
|
||
|
Bug #810 - Fix erroneous clearing of TZ environment variable
|
||
|
|
||
|
Bug #811 - Improve locked password detection across Linux variants
|
||
|
|
||
|
Bug #820 - Fix utmp corruption on Irix
|
||
|
|
||
|
Bug #825 - Fix disconnection problem when using IPv4-in-IPv6 mapped
|
||
|
addresses on Solaris.
|
||
|
|
||
|
- Fix compilation on OS X systems with Kerberos/GSSAPI
|
||
|
|
||
|
- Many more minor fixes, please refer to the ChangeLog file for details
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.8.1p1.tar.gz">openssh-3.8.1p1.tar.gz</a>) = 1dbfd40ae683f822ae917eebf171ca42
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.8.1" id="3.8.1">OpenSSH 3.8.1</a>/<a href="txt/release-3.8.1" id="3.8.1p1">3.8.1p1</a></h3>
|
||
|
<pre>3.8.1p1 is a Portable-only release, there is no corresponding 3.8.1 release.
|
||
|
See <a href="http://www.openssh.com/txt/release-3.8.1p1">http://www.openssh.com/txt/release-3.8.1p1</a> for the Portable release notes.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.8" id="3.8">OpenSSH 3.8</a>/<a href="txt/release-3.8" id="3.8p1">3.8p1</a> (2004-02-24)</h3>
|
||
|
<pre>OpenSSH 3.8 was released on 2004-02-24. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.7.1:
|
||
|
============================
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now supports forced changes of expired passwords via
|
||
|
/usr/bin/passwd or keyboard-interactive authentication.
|
||
|
|
||
|
Note for AIX: sshd will now deny password access to accounts with
|
||
|
passwords expired longer than their maxexpired attribute. For
|
||
|
details, see the AIX section in README.platform.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now uses untrusted cookies for X11-Forwarding.
|
||
|
Some X11 applications might need full access to the X11 server,
|
||
|
see ForwardX11Trusted in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and xauth(1) for more information.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now supports sending application layer
|
||
|
keep-alive messages to the server. See ServerAliveInterval
|
||
|
in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> for more information.
|
||
|
|
||
|
* Improved <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> batch file support.
|
||
|
|
||
|
* New KerberosGetAFSToken option for <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
|
||
|
|
||
|
* Updated /etc/moduli file and improved performance for
|
||
|
protocol version 2.
|
||
|
|
||
|
* Support for host keys in DNS (draft-ietf-secsh-dns-xx.txt).
|
||
|
Please see README.dns in the source distribution for details.
|
||
|
|
||
|
* Fix a number of memory leaks.
|
||
|
|
||
|
* The experimental "gssapi" support has been replaced with
|
||
|
the "gssapi-with-mic" to fix possible MITM attacks.
|
||
|
The two versions are not compatible.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (openssh-3.8.tgz) = 7d5590a333d8f8aa1fa6f19e24938700
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.8p1.tar.gz">openssh-3.8p1.tar.gz</a>) = 7861a4c0841ab69a6eec5c747daff6fb
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.7.1p2" id="3.7.1p2">OpenSSH 3.7.1p2</a> (2003-09-23)</h3>
|
||
|
<pre>Portable OpenSSH 3.7.1p2 was released on 2003-09-23. It will be available
|
||
|
from the mirrors listed at <a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a> shortly.
|
||
|
|
||
|
Please note that this is a release to address issues in the portable
|
||
|
version only. The items mentioned below do not affect the OpenBSD
|
||
|
version.
|
||
|
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Security Changes:
|
||
|
=================
|
||
|
|
||
|
Portable OpenSSH version 3.7p1 and 3.7.1p1 contain multiple
|
||
|
vulnerabilities in the new PAM authentication code. At least one of
|
||
|
these bugs is remotely exploitable (under a non-standard
|
||
|
configuration, with privsep disabled).
|
||
|
|
||
|
OpenSSH 3.7.1p2 fixes these bugs. Please note that these bugs do not
|
||
|
exist in OpenBSD's releases of OpenSSH.
|
||
|
|
||
|
Changes since OpenSSH 3.7.1p1:
|
||
|
==============================
|
||
|
|
||
|
* This release disables PAM by default. To enable it, set "UsePAM yes" in
|
||
|
sshd_config. Due to complexity, inconsistencies in the specification and
|
||
|
differences between vendors' PAM implementations we recommend that PAM
|
||
|
be left disabled in sshd_config unless there is a need for its use.
|
||
|
Sites using only public key or simple password authentication usually
|
||
|
have little need to enable PAM support.
|
||
|
|
||
|
* This release now requires zlib 1.1.4 to build correctly. Previous
|
||
|
versions have security problems.
|
||
|
|
||
|
* Fix compilation for versions of OpenSSL before 0.9.6. Some cipher modes
|
||
|
are not supported for older OpenSSL versions.
|
||
|
|
||
|
* Fix compilation problems on systems with a missing or lacking inet_ntoa()
|
||
|
function.
|
||
|
|
||
|
* Workaround problems related to unimplemented or broken setresuid/setreuid
|
||
|
functions on several platforms.
|
||
|
|
||
|
* Fix compilation on older OpenBSD systems.
|
||
|
|
||
|
* Fix handling of password-less authentication (PermitEmptyPasswords=yes)
|
||
|
that has not worked since the 3.7p1 release.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7.1p2.tar.gz">openssh-3.7.1p2.tar.gz</a>) = 61cf5b059938718308836d00f6764a94
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.7.1" id="3.7.1">OpenSSH 3.7.1</a>/<a href="txt/release-3.7.1" id="3.7.1p1">3.7.1p1</a> (2004-02-25)</h3>
|
||
|
<pre>OpenSSH 3.7.1 was released on 2004-02-25. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="https://https.openbsd.org/cgi-bin/order">https://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="https://https.openbsd.org/cgi-bin/order.eu">https://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Security Changes:
|
||
|
=================
|
||
|
|
||
|
All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
|
||
|
management errors. It is uncertain whether these errors are
|
||
|
potentially exploitable, however, we prefer to see bugs
|
||
|
fixed proactively.
|
||
|
|
||
|
OpenSSH 3.7 fixed one of these bugs.
|
||
|
|
||
|
OpenSSH 3.7.1 fixes more similar bugs.
|
||
|
|
||
|
Changes since OpenSSH 3.6.1:
|
||
|
============================
|
||
|
|
||
|
* The entire OpenSSH code-base has undergone a license review. As
|
||
|
a result, all non-ssh1.x code is under a BSD-style license with no
|
||
|
advertising requirement. Please refer to README in the source
|
||
|
distribution for the exact license terms.
|
||
|
|
||
|
* Rhosts authentication has been removed in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
|
||
|
|
||
|
* Changes in Kerberos support:
|
||
|
|
||
|
- KerberosV password support now uses a file cache instead of
|
||
|
a memory cache.
|
||
|
|
||
|
- KerberosIV and AFS support has been removed.
|
||
|
|
||
|
- KerberosV support has been removed from SSH protocol 1.
|
||
|
|
||
|
- KerberosV password authentication support remains for SSH
|
||
|
protocols 1 and 2.
|
||
|
|
||
|
- This release contains some GSSAPI user authentication support
|
||
|
to replace legacy KerberosV authentication support. At present
|
||
|
this code is still considered experimental and SHOULD NOT BE
|
||
|
USED.
|
||
|
|
||
|
* Changed order that keys are tried in public key authentication.
|
||
|
The <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> client tries the keys in the following order:
|
||
|
|
||
|
1. <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> keys that are found in the <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> file
|
||
|
2. remaining <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> keys
|
||
|
3. keys that are only listed in the <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> file
|
||
|
|
||
|
This helps when an <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> has many keys, where the <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
|
||
|
server might close the connection before the correct key is tried.
|
||
|
|
||
|
* SOCKS5 support has been added to the dynamic forwarding mode
|
||
|
in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>.
|
||
|
|
||
|
* Removed implementation barriers to operation of SSH over SCTP.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> client can now transfer files with quote characters in
|
||
|
their filenames.
|
||
|
|
||
|
* Replaced <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>'s VerifyReverseMapping with UseDNS option.
|
||
|
When UseDNS option is on, reverse hostname lookups are always
|
||
|
performed.
|
||
|
|
||
|
* Fix a number of memory leaks.
|
||
|
|
||
|
* Support for sending tty BREAK over SSH protocol 2.
|
||
|
|
||
|
* Workaround for other vendor bugs in KEX guess handling.
|
||
|
|
||
|
* Support for generating KEX-GEX groups (/etc/moduli) in <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>.
|
||
|
|
||
|
* Automatic re-keying based on amount of data sent over connection.
|
||
|
|
||
|
* New AddressFamily option on client to select protocol to use (IPv4
|
||
|
or IPv6).
|
||
|
|
||
|
* Experimental support for the "aes128-ctr", "aes192-ctr", and
|
||
|
"aes256-ctr" ciphers for SSH protocol 2.
|
||
|
|
||
|
* Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt).
|
||
|
Please see README.dns in the source distribution for details.
|
||
|
|
||
|
* Portable OpenSSH:
|
||
|
|
||
|
- Replace PAM password authentication kludge with a more correct
|
||
|
PAM challenge-response module from FreeBSD.
|
||
|
|
||
|
- PAM support may now be enabled/disabled at runtime using the
|
||
|
UsePAM directive.
|
||
|
|
||
|
- Many improvements to the OpenSC smartcard support.
|
||
|
|
||
|
- Regression tests now work with portable OpenSSH.
|
||
|
Please refer to regress/README.regress in the source distribution.
|
||
|
|
||
|
- On platforms that support it, portable OpenSSH now honors the
|
||
|
UMASK, PATH and SUPATH attributes set in /etc/default/login.
|
||
|
|
||
|
- Deny access to locked accounts, regardless of authentication
|
||
|
method in use.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (openssh-3.7.1.tgz) = 3d2f1644d6a3d3267e5e2421f1385129
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7.1p1.tar.gz">openssh-3.7.1p1.tar.gz</a>) = f54e574e606c08ef63ebb1ab2f7689dc
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.7" id="3.7">OpenSSH 3.7</a>/<a href="txt/release-3.7" id="3.7p1">3.7p1</a> (2003-09-16)</h3>
|
||
|
<pre>OpenSSH 3.7 was released on 2003-09-16. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
Security Changes:
|
||
|
=================
|
||
|
|
||
|
All versions of OpenSSH's sshd prior to 3.7 contain a buffer
|
||
|
management error. It is uncertain whether this error is
|
||
|
potentially exploitable, however, we prefer to see bugs
|
||
|
fixed proactively.
|
||
|
|
||
|
OpenSSH 3.7 fixes this bug.
|
||
|
|
||
|
Changes since OpenSSH 3.6.1:
|
||
|
============================
|
||
|
|
||
|
* The entire OpenSSH code-base has undergone a license review. As
|
||
|
a result, all non-ssh1.x code is under a BSD-style license with no
|
||
|
advertising requirement. Please refer to README in the source
|
||
|
distribution for the exact license terms.
|
||
|
|
||
|
* Rhosts authentication has been removed in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
|
||
|
|
||
|
* Changes in Kerberos support:
|
||
|
|
||
|
- KerberosV password support now uses a file cache instead of
|
||
|
a memory cache.
|
||
|
|
||
|
- KerberosIV and AFS support has been removed.
|
||
|
|
||
|
- KerberosV support has been removed from SSH protocol 1.
|
||
|
|
||
|
- KerberosV password authentication support remains for SSH
|
||
|
protocols 1 and 2.
|
||
|
|
||
|
- This release contains some GSSAPI user authentication support
|
||
|
to replace legacy KerberosV authentication support. At present
|
||
|
this code is still considered experimental and SHOULD NOT BE
|
||
|
USED.
|
||
|
|
||
|
* Changed order that keys are tried in public key authentication.
|
||
|
The <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> client tries the keys in the following order:
|
||
|
|
||
|
1. <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> keys that are found in the <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> file
|
||
|
2. remaining <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> keys
|
||
|
3. keys that are only listed in the <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> file
|
||
|
|
||
|
This helps when an <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> has many keys, where the <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
|
||
|
server might close the connection before the correct key is tried.
|
||
|
|
||
|
* SOCKS5 support has been added to the dynamic forwarding mode
|
||
|
in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>.
|
||
|
|
||
|
* Removed implementation barriers to operation of SSH over SCTP.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> client can now transfer files with quote characters in
|
||
|
their filenames.
|
||
|
|
||
|
* Replaced <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>'s VerifyReverseMapping with UseDNS option.
|
||
|
When UseDNS option is on, reverse hostname lookups are always
|
||
|
performed.
|
||
|
|
||
|
* Fix a number of memory leaks.
|
||
|
|
||
|
* Support for sending tty BREAK over SSH protocol 2.
|
||
|
|
||
|
* Workaround for other vendor bugs in KEX guess handling.
|
||
|
|
||
|
* Support for generating KEX-GEX groups (/etc/moduli) in <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>.
|
||
|
|
||
|
* Automatic re-keying based on amount of data sent over connection.
|
||
|
|
||
|
* New AddressFamily option on client to select protocol to use (IPv4
|
||
|
or IPv6).
|
||
|
|
||
|
* Experimental support for the "aes128-ctr", "aes192-ctr", and
|
||
|
"aes256-ctr" ciphers for SSH protocol 2.
|
||
|
|
||
|
* Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt).
|
||
|
Please see README.dns in the source distribution for details.
|
||
|
|
||
|
* Portable OpenSSH:
|
||
|
|
||
|
- Replace PAM password authentication kludge with a more correct
|
||
|
PAM challenge-response module from FreeBSD.
|
||
|
|
||
|
- PAM support may now be enabled/disabled at runtime using the
|
||
|
UsePAM directive.
|
||
|
|
||
|
- Many improvements to the OpenSC smartcard support.
|
||
|
|
||
|
- Regression tests now work with portable OpenSSH.
|
||
|
Please refer to regress/README.regress in the source distribution.
|
||
|
|
||
|
- On platforms that support it, portable OpenSSH now honors the
|
||
|
UMASK, PATH and SUPATH attributes set in /etc/default/login.
|
||
|
|
||
|
- Deny access to locked accounts, regardless of authentication
|
||
|
method in use.
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (openssh-3.7.tgz) = 86864ecc276c5f75b06d4872a553fa70
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tar.gz">openssh-3.7p1.tar.gz</a>) = 77662801ba2a9cadc0ac10054bc6cb37
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.6.1p2" id="3.6.1p2">OpenSSH 3.6.1p2</a> (2003-04-30)</h3>
|
||
|
<pre>OpenSSH 3.6.1p2 was released on 2003-04-30. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.This is a release
|
||
|
of the Portable version only.
|
||
|
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.6.1p1:
|
||
|
============================
|
||
|
|
||
|
* Security: corrected linking problem on AIX/gcc. AIX users are
|
||
|
advised to upgrade immediately. For details, please refer to
|
||
|
separate advisory (aixgcc.adv).
|
||
|
|
||
|
* Corrected build problems on Irix
|
||
|
|
||
|
* Corrected build problem when building with AFS support
|
||
|
|
||
|
* Merged some changes from Openwall Linux
|
||
|
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.6p1.tar.gz">openssh-3.6p1.tar.gz</a>) = f3879270bffe479e1bd057aa36258696
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.6.1" id="3.6.1">OpenSSH 3.6.1</a>/<a href="txt/release-3.6.1" id="3.6.1p1">3.6.1p1</a> (2003-04-01)</h3>
|
||
|
<pre>OpenSSH 3.6.1 was released on 2003-04-01. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.6:
|
||
|
==========================
|
||
|
|
||
|
* The 'kex guesses' bugfix from OpenSSH 3.6 triggers a bug
|
||
|
in a few other SSH v2 implementations and causes connections to
|
||
|
stall. OpenSSH 3.6.1 disables this bugfix when interoperating
|
||
|
with these implementations.
|
||
|
|
||
|
|
||
|
Changes between OpenSSH 3.5 and OpenSSH 3.6:
|
||
|
============================================
|
||
|
|
||
|
* RSA blinding is now used by <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>.
|
||
|
in order to avoid potential timing attacks against the RSA keys.
|
||
|
Older versions of OpenSSH have been using RSA blinding in
|
||
|
ssh-keysign(1) only.
|
||
|
|
||
|
Please note that there is no evidence that the SSH protocol is
|
||
|
vulnerable to the OpenSSL/TLS timing attack described in
|
||
|
<a href="http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf">http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> optionally requires user confirmation if a key gets
|
||
|
used, see '-c' in <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now handles PermitRootLogin correctly when UsePrivilegeSeparation
|
||
|
is enabled.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now removes X11 cookies when a session gets closed.
|
||
|
|
||
|
* ssh-keysign(8) is disabled by default and only enabled if the
|
||
|
new EnableSSHKeysign option is set in the global <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
|
||
|
file.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now handle 'kex guesses' correctly (key exchange
|
||
|
guesses).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> no longer overwrites SIG_IGN. This matches behaviour from
|
||
|
rsh(1) and is used by backup tools.
|
||
|
|
||
|
* setting ProxyCommand to 'none' disables the proxy feature, see
|
||
|
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a> supports add -1 and -2.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a> supports bandwidth limiting.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> displays a progressmeter.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> has improved error handling for scripting.
|
||
|
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.6.1p1.tar.gz">openssh-3.6.1p1.tar.gz</a>) = d4c2c88b883f097fe88e327cbb4b2e2a
|
||
|
- MD5 (openssh-3.6.1.tgz) = aa2acd2be17dc3fd514a1e09336aab51
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.6" id="3.6">OpenSSH 3.6</a>/<a href="txt/release-3.6" id="3.6p1">3.6p1</a> (2003-03-31)</h3>
|
||
|
<pre>OpenSSH 3.6 was released on 2003-03-31. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support to the project, especially those who contributed source and
|
||
|
bought T-shirts or posters.
|
||
|
|
||
|
We have a new design of T-shirt available, more info on
|
||
|
<a href="http://www.openbsd.org/tshirts.html#18">http://www.openbsd.org/tshirts.html#18</a>
|
||
|
|
||
|
For international orders use <a href="http://https.openbsd.org/cgi-bin/order">http://https.openbsd.org/cgi-bin/order</a>
|
||
|
and for European orders, use <a href="http://https.openbsd.org/cgi-bin/order.eu">http://https.openbsd.org/cgi-bin/order.eu</a>
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.5:
|
||
|
============================
|
||
|
|
||
|
|
||
|
* RSA blinding is now used by <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>, <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>.
|
||
|
in order to avoid potential timing attacks against the RSA keys.
|
||
|
Older versions of OpenSSH have been using RSA blinding in
|
||
|
ssh-keysign(1) only.
|
||
|
|
||
|
Please note that there is no evidence that the SSH protocol is
|
||
|
vulnerable to the OpenSSL/TLS timing attack described in
|
||
|
<a href="http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf">http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf</a>
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> optionally requires user confirmation if a key gets
|
||
|
used, see '-c' in <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now handles PermitRootLogin correctly when UsePrivilegeSeparation
|
||
|
is enabled.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now removes X11 cookies when a session gets closed.
|
||
|
|
||
|
* ssh-keysign(8) is disabled by default and only enabled if the
|
||
|
new EnableSSHKeysign option is set in the global <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
|
||
|
file.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now handle 'kex guesses' correctly (key exchange
|
||
|
guesses).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> no longer overwrites SIG_IGN. This matches behaviour from
|
||
|
rsh(1) and is used by backup tools.
|
||
|
|
||
|
* setting ProxyCommand to 'none' disables the proxy feature, see
|
||
|
<a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a> supports add -1 and -2.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/scp.1">scp(1)</a> supports bandwidth limiting.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> displays a progressmeter.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> has improved error handling for scripting.
|
||
|
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.6p1.tar.gz">openssh-3.6p1.tar.gz</a>) = 72ef1134d521cb6926c99256dad17fe0
|
||
|
- MD5 (openssh-3.6.tgz) = 758822b888c5c3f83a98045aef904254
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.5" id="3.5">OpenSSH 3.5</a>/<a href="txt/release-3.5" id="3.5p1">3.5p1</a> (2002-10-15)</h3>
|
||
|
<pre>OpenSSH 3.5 was released on 2002-10-15. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.4:
|
||
|
============================
|
||
|
|
||
|
* Improved support for Privilege Separation (Portability, Kerberos,
|
||
|
PermitRootLogin handling).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> prints out all known host keys for a host if it receives an
|
||
|
unknown host key of a different type.
|
||
|
|
||
|
* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused
|
||
|
problems with bounds checking patches for gcc).
|
||
|
|
||
|
* ssh-keysign(8) is disabled by default and only enabled if the
|
||
|
HostbasedAuthentication option is enabled in the global <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
|
||
|
file.
|
||
|
|
||
|
* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks
|
||
|
against the RSA host key.
|
||
|
|
||
|
* A use-after-free bug was fixed in ssh-keysign(8). This bug
|
||
|
broke hostbased authentication on several platforms.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> is now installed setgid in order to avoid ptrace(2)
|
||
|
attacks.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a> now restricts the access with getpeereid(2) (or
|
||
|
equivalent, where available).
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> no longer uses the ASN.1 parsing code from libcrypto when
|
||
|
verifying RSA signatures.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> now sets the SSH_CONNECTION environment variable.
|
||
|
|
||
|
* Enhanced "ls" support for the <a href="https://man.openbsd.org/sftp.1">sftp(1)</a> client, including globbing and
|
||
|
detailed listings.
|
||
|
|
||
|
* <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now always falls back to uncompressed sessions, if the
|
||
|
server does not support compression.
|
||
|
|
||
|
* The default behavior of <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> with regard to user settable
|
||
|
environ variables has changed: the new option PermitUserEnvironment
|
||
|
is disabled by default, see <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>.
|
||
|
|
||
|
* The default value for LoginGraceTime has been changed from 600 to 120
|
||
|
seconds, see <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>.
|
||
|
|
||
|
* Removed erroneous SO_LINGER handling.
|
||
|
|
||
|
|
||
|
Checksums:
|
||
|
==========
|
||
|
|
||
|
- MD5 (<a href="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.5p1.tar.gz">openssh-3.5p1.tar.gz</a>) = 42bd78508d208b55843c84dd54dea848
|
||
|
- MD5 (openssh-3.5.tgz) = 79fc225dbe0fe71ebb6910f449101d23
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.4" id="3.4">OpenSSH 3.4</a>/<a href="txt/release-3.4" id="3.4p1">3.4p1</a> (2002-06-26)</h3>
|
||
|
<pre>OpenSSH 3.4 was released on 2002-06-26. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.3:
|
||
|
============================
|
||
|
|
||
|
Security Changes:
|
||
|
=================
|
||
|
|
||
|
All versions of OpenSSH's sshd between 2.9.9 and 3.3
|
||
|
contain an input validation error that can result in
|
||
|
an integer overflow and privilege escalation.
|
||
|
|
||
|
OpenSSH 3.4 fixes this bug.
|
||
|
|
||
|
In addition, OpenSSH 3.4 adds many checks to detect
|
||
|
invalid input and mitigate resource exhaustion attacks.
|
||
|
|
||
|
OpenSSH 3.2 and later prevent privilege escalation
|
||
|
if UsePrivilegeSeparation is enabled in sshd_config.
|
||
|
OpenSSH 3.3 enables UsePrivilegeSeparation by
|
||
|
default.
|
||
|
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.3" id="3.3">OpenSSH 3.3</a>/<a href="txt/release-3.3" id="3.3p1">3.3p1</a> (2002-06-21)</h3>
|
||
|
<pre>OpenSSH 3.3 was released on 2002-06-21. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.2.3:
|
||
|
============================
|
||
|
|
||
|
Security Changes:
|
||
|
=================
|
||
|
|
||
|
- improved support for privilege separation:
|
||
|
|
||
|
privilege separation is now enabled by default
|
||
|
|
||
|
See UsePrivilegeSeparation in <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>
|
||
|
and <a href="http://www.citi.umich.edu/u/provos/ssh/privsep.html">http://www.citi.umich.edu/u/provos/ssh/privsep.html</a> for more
|
||
|
information.
|
||
|
- ssh no longer needs to be installed setuid root for protocol
|
||
|
version 2 hostbased authentication, see ssh-keysign(8).
|
||
|
protocol version 1 rhosts-rsa authentication still requires privileges
|
||
|
and is not recommended.
|
||
|
|
||
|
Other Changes:
|
||
|
==============
|
||
|
|
||
|
- documentation for the client and server configuration options have
|
||
|
been moved to <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> and <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>.
|
||
|
- the server now supports the Compression option, see <a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>.
|
||
|
- the client options RhostsRSAAuthentication and RhostsAuthentication now
|
||
|
default to no, see <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>.
|
||
|
- the client options FallBackToRsh and UseRsh are deprecated.
|
||
|
- ssh-agent now supports locking and timeouts for keys, see <a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>.
|
||
|
- ssh-agent can now bind to unix-domain sockets given on the command line,
|
||
|
see <a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>.
|
||
|
- fixes problems with valid RSA signatures from putty clients.
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.2.3" id="3.2.3">OpenSSH 3.2.3</a>/<a href="txt/release-3.2.3" id="3.2.3p1">3.2.3p1</a> (2002-05-23)</h3>
|
||
|
<pre>OpenSSH 3.2.3 was released on 2002-05-23. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
|
||
|
Changes since OpenSSH 3.2.2:
|
||
|
============================
|
||
|
|
||
|
This release fixes several problems in OpenSSH 3.2.2:
|
||
|
|
||
|
- a defect in the BSD_AUTH access control handling for
|
||
|
OpenBSD and BSD/OS systems:
|
||
|
|
||
|
Under certain conditions, on systems using YP with netgroups
|
||
|
in the password database, it is possible that sshd does ACL
|
||
|
checks for the requested user name but uses the password
|
||
|
database entry of a different user for authentication. This
|
||
|
means that denied users might authenticate successfully while
|
||
|
permitted users could be locked out (OpenBSD PR 2659).
|
||
|
|
||
|
- login/tty problems on Solaris (bug #245)
|
||
|
|
||
|
- build problems on Cygwin systems
|
||
|
|
||
|
|
||
|
Changes between OpenSSH 3.1 and OpenSSH 3.2.2:
|
||
|
==============================================
|
||
|
|
||
|
Security Changes:
|
||
|
=================
|
||
|
|
||
|
- fixed buffer overflow in Kerberos/AFS token passing
|
||
|
- fixed overflow in Kerberos client code
|
||
|
- sshd no longer auto-enables Kerberos/AFS
|
||
|
- experimental support for privilege separation,
|
||
|
see UsePrivilegeSeparation in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and
|
||
|
<a href="http://www.citi.umich.edu/u/provos/ssh/privsep.html">http://www.citi.umich.edu/u/provos/ssh/privsep.html</a>
|
||
|
for more information.
|
||
|
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger
|
||
|
|
||
|
Other Changes:
|
||
|
==============
|
||
|
|
||
|
- improved smartcard support (including support for OpenSC,
|
||
|
see www.opensc.org)
|
||
|
- improved Kerberos support (including support for MIT-Kerberos V)
|
||
|
- fixed stderr handling in protocol v2
|
||
|
- client reports failure if -R style TCP forwarding fails in protocol v2
|
||
|
- support configuration of TCP forwarding during interactive sessions (~C)
|
||
|
- improved support for older sftp servers
|
||
|
- improved support for importing old DSA keys (from ssh.com software).
|
||
|
- client side suport for PASSWD_CHANGEREQ in protocol v2
|
||
|
- fixed waitpid race conditions
|
||
|
- record correct lastlogin time
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a>
|
||
|
and <a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.2.2" id="3.2.2">OpenSSH 3.2.2</a>/<a href="txt/release-3.2.2" id="3.2.2p1">3.2.2p1</a> (2002-05-16)</h3>
|
||
|
<pre>OpenSSH 3.2.2 was released on 2002-05-16. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
Security Changes:
|
||
|
=================
|
||
|
|
||
|
- fixed buffer overflow in Kerberos/AFS token passing
|
||
|
- fixed overflow in Kerberos client code
|
||
|
- sshd no longer auto-enables Kerberos/AFS
|
||
|
- experimental support for privilege separation,
|
||
|
see UsePrivilegeSeparation in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> and
|
||
|
<a href="http://www.citi.umich.edu/u/provos/ssh/privsep.html">http://www.citi.umich.edu/u/provos/ssh/privsep.html</a>
|
||
|
for more information.
|
||
|
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger
|
||
|
|
||
|
Other Changes:
|
||
|
==============
|
||
|
|
||
|
- improved smartcard support (including support for OpenSC, see www.opensc.org)
|
||
|
- improved Kerberos support (including support for MIT-Kerberos V)
|
||
|
- fixed stderr handling in protocol v2
|
||
|
- client reports failure if -R style TCP forwarding fails in protocol v2
|
||
|
- support configuration of TCP forwarding during interactive sessions (~C)
|
||
|
- improved support for older sftp servers
|
||
|
- improved support for importing old DSA keys (from ssh.com software).
|
||
|
- client side suport for PASSWD_CHANGEREQ in protocol v2
|
||
|
- fixed waitpid race conditions
|
||
|
- record correct lastlogin time
|
||
|
|
||
|
Reporting Bugs:
|
||
|
===============
|
||
|
|
||
|
- please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a> and
|
||
|
<a href="http://bugzilla.mindrot.org/">http://bugzilla.mindrot.org/</a>
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.1" id="3.1">OpenSSH 3.1</a>/<a href="txt/release-3.1" id="3.1p1">3.1p1</a> (2004-04-09)</h3>
|
||
|
<pre>OpenSSH 3.1 was released on 2004-04-09. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
|
||
|
Important Changes:
|
||
|
==================
|
||
|
|
||
|
- /etc/ssh/ now default directory for keys and configuration files
|
||
|
- ssh-keygen no longer defaults to a specific key type (rsa1);
|
||
|
use ssh-keygen -t {rsa,dsa,rsa1}
|
||
|
- sshd x11 forwarding listens on localhost by default;
|
||
|
see sshd X11UseLocalhost option to revert to prior behaviour
|
||
|
if your older X11 clients do not function with this configuration
|
||
|
|
||
|
|
||
|
Other Changes:
|
||
|
==============
|
||
|
|
||
|
- ssh ~& escape char functions now for both protocol versions
|
||
|
- sshd ReverseMappingCheck option changed to VerifyReverseMapping
|
||
|
to clarify its function; ReverseMappingCheck can still be used
|
||
|
- public key fingerprint is now logged with LogLevel=VERBOSE
|
||
|
- reason logged for disallowed logins (e.g., no shell, etc.)
|
||
|
- more robust error handling for x11 forwarding
|
||
|
- improved packet/window size handling in ssh2
|
||
|
- use of regex(3) has been removed
|
||
|
- fix SIGCHLD races in sshd (seen on Solaris)
|
||
|
- sshd -o option added
|
||
|
- sftp -B -R -P options added
|
||
|
- ssh-add now adds all 3 default keys
|
||
|
- ssh-keyscan bug fixes
|
||
|
- ssh-askpass for hostkey dialog
|
||
|
- fix fd leak in sshd on SIGHUP
|
||
|
- TCP_NODELAY set on X11 and TCP forwarding endpoints
|
||
|
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.0.2" id="3.0.2">OpenSSH 3.0.2</a>/<a href="txt/release-3.0.2" id="3.0.2p1">3.0.2p1</a> (2002-12-04)</h3>
|
||
|
<pre>OpenSSH 3.0.2 was released on 2002-12-04. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
Important Changes:
|
||
|
==================
|
||
|
|
||
|
This release fixes a vulnerability in the UseLogin option
|
||
|
of OpenSSH. This option is not enabled in the default
|
||
|
installation of OpenSSH.
|
||
|
|
||
|
However, if UseLogin is enabled by the administrator, all
|
||
|
versions of OpenSSH prior to 3.0.2 may be vulnerable to
|
||
|
local attacks.
|
||
|
|
||
|
The vulnerability allows local users to pass environment
|
||
|
variables (e.g. LD_PRELOAD) to the login process. The login
|
||
|
process is run with the same privilege as sshd (usually
|
||
|
with root privilege).
|
||
|
|
||
|
Do not enable UseLogin on your machines or disable UseLogin
|
||
|
again in /etc/sshd_config:
|
||
|
UseLogin no
|
||
|
|
||
|
We also have received many reports about attacks against the crc32
|
||
|
bug. This bug has been fixed about 12 months ago in OpenSSH 2.3.0.
|
||
|
However, these attacks cause non-vulnerable daemons to chew a lot
|
||
|
of cpu since the crc32 attack sends a tremendously large amount of
|
||
|
data which must be processed.
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
|
||
|
|
||
|
|
||
|
The following patch fixes the UseLogin vulnerability in OpenSSH 3.0.1 and
|
||
|
earlier releases.
|
||
|
|
||
|
--- session.c 11 Oct 2001 13:45:21 -0000 1.108
|
||
|
+++ session.c 1 Dec 2001 22:14:39 -0000
|
||
|
@@ -875,6 +875,7 @@
|
||
|
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
|
||
|
|
||
|
/* Set custom environment options from RSA authentication. */
|
||
|
+ if (!options.use_login)
|
||
|
while (custom_environment) {
|
||
|
struct envstring *ce = custom_environment;
|
||
|
char *s = ce->s;
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.0.1" id="3.0.1">OpenSSH 3.0.1</a>/<a href="txt/release-3.0.1" id="3.0.1p1">3.0.1p1</a> (2001-11-19)</h3>
|
||
|
<pre>OpenSSH 3.0.1 was released on 2001-11-19. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
Important Changes:
|
||
|
==================
|
||
|
|
||
|
A security hole that may allow an attacker to authenticate
|
||
|
if -- and only if -- the administrator has enabled KerberosV.
|
||
|
By default, OpenSSH KerberosV support only becomes active
|
||
|
after KerberosV has been properly configured.
|
||
|
|
||
|
An excessive memory clearing bug (which we believe to be
|
||
|
unexploitable) also exists, but since this may cause daemon
|
||
|
crashes, we are providing a fix as well.
|
||
|
|
||
|
Various other non-critical fixes (~& support and more).
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-3.0" id="3.0">OpenSSH 3.0</a>/<a href="txt/release-3.0" id="3.0p1">3.0p1</a> (2001-11-06)</h3>
|
||
|
<pre>OpenSSH 3.0 was released on 2001-11-06. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
This release contains many portability bug-fixes (listed in the
|
||
|
ChangeLog) as well as several new features (listed below).
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
Important Changes:
|
||
|
==================
|
||
|
|
||
|
1) SSH protocol v2 is now the default protocol version
|
||
|
|
||
|
use the 'Protocol' option from <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> if
|
||
|
you need to change this.
|
||
|
|
||
|
2) The files
|
||
|
/etc/ssh_known_hosts2
|
||
|
~/.ssh/known_hosts2
|
||
|
~/.ssh/authorized_keys2
|
||
|
are now obsolete, you can use
|
||
|
/etc/ssh_known_hosts
|
||
|
~/.ssh/known_hosts
|
||
|
~/.ssh/authorized_keys
|
||
|
For backward compatibility ~/.ssh/authorized_keys2 will still used for
|
||
|
authentication and hostkeys are still read from the known_hosts2.
|
||
|
However, those deprecated files are considered 'readonly'. Future
|
||
|
releases are likely not to read these files.
|
||
|
|
||
|
3) The CheckMail option in sshd_config is deprecated, as <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> no longer
|
||
|
checks for new mail.
|
||
|
|
||
|
4) X11 cookies are now stored in $HOME.
|
||
|
|
||
|
New Features:
|
||
|
=============
|
||
|
|
||
|
1) Smartcard support in the ssh client and agent based on work by
|
||
|
University of Michigan CITI (<a href="http://www.citi.umich.edu/projects/smartcard/)">http://www.citi.umich.edu/projects/smartcard/)</a>.
|
||
|
2) support for Rekeying in protocol version 2
|
||
|
|
||
|
3) improved Kerberos support in protocol v1 (KerbIV and KerbV)
|
||
|
|
||
|
4) backward compatibility with older commercial SSH versions >= 2.0.10
|
||
|
|
||
|
5) getopt(3) is now used by all programs
|
||
|
|
||
|
6) dynamic forwarding (use <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> as your socks server)
|
||
|
|
||
|
7) ClearAllForwardings in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
|
||
|
8) <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now checks the hostkey for localhost (NoHostAuthenticationForLocalhost yes/no).
|
||
|
|
||
|
9) -F option in <a href="https://man.openbsd.org/ssh.1">ssh(1)</a>
|
||
|
|
||
|
10) <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> now has a '-b bindaddress' option
|
||
|
|
||
|
11) <a href="https://man.openbsd.org/scp.1">scp(1)</a> allows "scp /file localhost:/file"
|
||
|
|
||
|
12) The AuthorizedKeysFile option allows specification of alternative
|
||
|
files that contain the public keys that can be used for user authentication
|
||
|
(e.g. /etc/ssh_keys/%u, see <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>)
|
||
|
|
||
|
13) extended AllowUsers user@host syntax in <a href="https://man.openbsd.org/sshd.8">sshd(8)</a>
|
||
|
|
||
|
14) improved challenge-response support (especially for systems supporting BSD_AUTH)
|
||
|
|
||
|
15) <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> can specify time args as 1h, 2h30s etc.
|
||
|
|
||
|
16) <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> transmits the correct exit status for remote execution with protocol version 2.
|
||
|
|
||
|
17) <a href="https://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a> can import private RSA/DSA keys generated with the commercial version
|
||
|
|
||
|
18) ssh-keyscan(1) supports protocol version 2
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.9p2" id="2.9p2">OpenSSH 2.9p2</a> (2001-06-17)</h3>
|
||
|
<pre>Portable OpenSSH 2.9p2 has just been uploaded and shall be making its
|
||
|
way to the mirrors listed at <a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>
|
||
|
shortly.
|
||
|
|
||
|
This release fixes the "cookies" file deletion problem reported on
|
||
|
BUGTRAQ as well as a few other minor (non-security) bugs. No new
|
||
|
features have been added in this release.
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.9.9" id="2.9.9">OpenSSH 2.9.9</a>/<a href="txt/release-2.9.9" id="2.9.9p1">2.9.9p1</a> (2001-09-25)</h3>
|
||
|
<pre>OpenSSH 2.9.9 has just been uploaded. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH 2.9.9 fixes a weakness in the key file option handling,
|
||
|
including source IP based access control.
|
||
|
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
This release contains many portability bug-fixes (listed in the
|
||
|
ChangeLog) as well as several new features (listed below).
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
Security Notes:
|
||
|
===============
|
||
|
|
||
|
This release fixes weakness in the source IP based access control
|
||
|
for SSH protocol v2 public key authentication:
|
||
|
|
||
|
Versions of OpenSSH between 2.5 and 2.9.9 are
|
||
|
affected if they use the 'from=' key file option in
|
||
|
combination with both RSA and DSA keys in
|
||
|
~/.ssh/authorized_keys2.
|
||
|
|
||
|
Depending on the order of the user keys in
|
||
|
~/.ssh/authorized_keys2 sshd might fail to apply the
|
||
|
source IP based access control restriction (e.g.
|
||
|
from="10.0.0.1") to the correct key:
|
||
|
|
||
|
If a source IP restricted key (e.g. DSA key) is
|
||
|
immediately followed by a key of a different type
|
||
|
(e.g. RSA key), then key options for the second key
|
||
|
are applied to both keys, which includes 'from='.
|
||
|
|
||
|
This means that users can circumvent the system policy
|
||
|
and login from disallowed source IP addresses.
|
||
|
|
||
|
|
||
|
Important Changes:
|
||
|
==================
|
||
|
|
||
|
OpenSSH 2.9.9 might have upgrade issues introduced by the long time
|
||
|
between releases, which may affect people in unforseen ways:
|
||
|
|
||
|
1) The files
|
||
|
/etc/ssh_known_hosts2
|
||
|
~/.ssh/known_hosts2
|
||
|
~/.ssh/authorized_keys2
|
||
|
are now obsolete, you can use
|
||
|
/etc/ssh_known_hosts
|
||
|
~/.ssh/known_hosts
|
||
|
~/.ssh/authorized_keys
|
||
|
For backward compatibility ~/.ssh/authorized_keys2 is still used for
|
||
|
authentication and hostkeys are still read from the known_hosts2.
|
||
|
However, old files are considered 'readonly'. Future releases are
|
||
|
likely to not read these files.
|
||
|
|
||
|
2) The CheckMail option in sshd_config is deprecated, sshd no longer
|
||
|
checks for new mail.
|
||
|
|
||
|
3) X11 cookies are stored in $HOME
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.9" id="2.9">OpenSSH 2.9</a>/<a href="txt/release-2.9" id="2.9p1">2.9p1</a> (2001-04-29)</h3>
|
||
|
<pre>OpenSSH 2.9 has just been uploaded. It is available from the
|
||
|
mirrors listed at <a href="https://www.openssh.com/">https://www.openssh.com/</a>.
|
||
|
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
|
||
|
implementation and includes sftp client and server support.
|
||
|
|
||
|
This release contains many portability bug-fixes (listed in the
|
||
|
ChangeLog) as well as several new features (listed below).
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued
|
||
|
support and encouragement.
|
||
|
|
||
|
Important Changes:
|
||
|
==================
|
||
|
|
||
|
WARNING: SSH protocol v2 is now the default protocol version
|
||
|
|
||
|
use the 'Protocol' option from <a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and <a href="https://man.openbsd.org/sshd.8">sshd(8)</a> if
|
||
|
you want to change this.
|
||
|
|
||
|
SSH protocol v2 implementation adds support for:
|
||
|
|
||
|
HostbasedAuthentication, similar to RhostsRSA in SSH protocol
|
||
|
v1
|
||
|
|
||
|
Rekeying (negotiate new encryption keys for the current SSH
|
||
|
session, try ~R in interactive SSH sessions)
|
||
|
|
||
|
updated DH group exchange:
|
||
|
draft-ietf-secsh-dh-group-exchange-01.txt
|
||
|
|
||
|
client option HostKeyAlgorithms
|
||
|
|
||
|
server options ClientAliveInterval and ClientAliveCountMax
|
||
|
|
||
|
tty mode passing
|
||
|
|
||
|
general:
|
||
|
|
||
|
gid swapping in sshd (fixes access to /home/group/user based
|
||
|
directory structures)
|
||
|
|
||
|
Dan Kaminsky <dankamin@cisco.com> contributed an experimental
|
||
|
SOCKS4 proxy to the ssh client (yes, client not the server).
|
||
|
Use 'ssh -D 1080 server' if you want to try this out.
|
||
|
|
||
|
server option PrintLastLog
|
||
|
|
||
|
improvements for scp > 2GB
|
||
|
|
||
|
improved ListenAddress option.
|
||
|
You can now use ListenAddress host:port
|
||
|
|
||
|
improved interoperability (bug detection for older implementations)
|
||
|
|
||
|
improved documentation
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.5.2p2" id="2.5.2p2">OpenSSH 2.5.2p2</a> (2001-03-22)</h3>
|
||
|
<pre>Portable OpenSSH 2.5.2p2 is now available from the mirror sites
|
||
|
listed at <a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>
|
||
|
|
||
|
Security related changes:
|
||
|
Improved countermeasure against "Passive Analysis of SSH
|
||
|
(Secure Shell) Traffic"
|
||
|
<a href="http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt">http://openwall.com/advisories/OW-003-ssh-traffic-analysis.txt</a>
|
||
|
|
||
|
The countermeasures introduced in earlier OpenSSH-2.5.x versions
|
||
|
caused interoperability problems with some other implementations.
|
||
|
|
||
|
Improved countermeasure against "SSH protocol 1.5 session
|
||
|
key recovery vulnerability"
|
||
|
<a href="http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm">http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm</a>
|
||
|
|
||
|
New options:
|
||
|
permitopen authorized_keys option to restrict portforwarding.
|
||
|
|
||
|
PreferredAuthentications allows client to specify the order in which
|
||
|
authentication methods are tried.
|
||
|
|
||
|
Sftp:
|
||
|
sftp client supports globbing (get *, put *).
|
||
|
|
||
|
Support for sftp protocol v3 (draft-ietf-secsh-filexfer-01.txt).
|
||
|
|
||
|
Batch file (-b) support for automated transfers
|
||
|
|
||
|
Performance:
|
||
|
Speedup DH exchange. OpenSSH should now be significantly faster when
|
||
|
connecting use SSH protocol 2.
|
||
|
|
||
|
Preferred SSH protocol 2 cipher is AES with hmac-md5. AES offers
|
||
|
much faster throughput in a well scrutinised cipher.
|
||
|
|
||
|
Bugfixes:
|
||
|
stderr handling fixes in SSH protocol 2.
|
||
|
|
||
|
Improved interoperability.
|
||
|
|
||
|
Client:
|
||
|
The client no longer asks for the the passphrase if the key
|
||
|
will not be accepted by the server (SSH2_MSG_USERAUTH_PK_OK)
|
||
|
|
||
|
Miscellaneous:
|
||
|
scp should now work for files > 2GB
|
||
|
|
||
|
ssh-keygen can now generate fingerprints in the "bubble babble"
|
||
|
format for exchanging fingerprints with SSH.COM's SSH protocol 2
|
||
|
implementation.
|
||
|
|
||
|
Portable version:
|
||
|
Better support for the PRNGd[1] entropy collection daemon. The
|
||
|
--with-egd-pool configure option has been deprecated in favour
|
||
|
of --with-prngd-socket and the new --with-prngd-port options.
|
||
|
The latter allows collection of entropy from a localhost
|
||
|
socket.
|
||
|
|
||
|
configure ensures that scp is in the $PATH set by the server
|
||
|
(unless a custom path is specified).
|
||
|
|
||
|
-d
|
||
|
|
||
|
[1] <a href="http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html">http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html</a>
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.5.1p2" id="2.5.1p2">OpenSSH 2.5.1p2</a> (2001-03-20)</h3>
|
||
|
<pre>Portable OpenSSH 2.5.1p2 has just been uploaded and will be making its
|
||
|
way to the mirror sites (<a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>)in due
|
||
|
course.
|
||
|
|
||
|
This release contains primarily bug-fixes over 2.5.1p1 but an upgrade is
|
||
|
recommended. Specific bug-fixes include:
|
||
|
|
||
|
- Fixed endianess issue causing failues when usin Rijndael/AES cipher
|
||
|
- Fix PAM failures on Solaris and Linux
|
||
|
- Fix RPM spec file for Redhat systems
|
||
|
- Fixed several compatibility functions
|
||
|
- Fix entropy collection code for SCO3 and NeXTStep
|
||
|
- Many other minor fixes (see Changelog for details)
|
||
|
|
||
|
This release includes Mark Roth's mdoc2man.pl script which can be used
|
||
|
to fix up the manpages on systems that lack the full andoc set of
|
||
|
macros (e.g. Solaris). A future release of portable OpenSSH will automate
|
||
|
this scripts use for systems that require it.
|
||
|
|
||
|
-d
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.5.1p1" id="2.5.1p1">OpenSSH 2.5.1p1</a> (2001-02-19)</h3>
|
||
|
<pre>Portable OpenSSH 2.5.1p1 has just been uploaded. It will be available
|
||
|
from the mirrors listed at <a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a> shortly.
|
||
|
|
||
|
OpenSSH is a 100% complete SSH 1.3 & 1.5 protocol implementation and
|
||
|
a 99% SSH 2 protocol implementation, including sftp client and server
|
||
|
support.
|
||
|
|
||
|
This release contains many portability bug-fixes (listed in the
|
||
|
ChangeLog) as well as several new features (listed below).
|
||
|
|
||
|
OpenSSH 2.5.0p1 was skipped because of interoperability issues with
|
||
|
ssh-1.2.18 => ssh-1.2.22.
|
||
|
|
||
|
We would like to thank the OpenSSH community for their continued support
|
||
|
and encouragement.
|
||
|
|
||
|
Important Changes:
|
||
|
==================
|
||
|
|
||
|
1) Features added to the implementation of the SSH 2 protocol:
|
||
|
|
||
|
* agent forwarding
|
||
|
* support for -R forwarding
|
||
|
* RSA host and userkeys
|
||
|
* extended support for older SSH 2 protocol implementations
|
||
|
|
||
|
OpenSSH still lacks support for rekeying, so you have to turn off
|
||
|
rekeying if your server tries to force this feature.
|
||
|
|
||
|
The next release of OpenSSH will probably support rekeying.
|
||
|
|
||
|
2) Damien Miller contributed an interactive sftp client.
|
||
|
|
||
|
The sftp client works for both SSH protocol versions.
|
||
|
|
||
|
3) David Mazieres' ssh-keyscan has been added to the OpenSSH distribution.
|
||
|
|
||
|
4) Now there are three types of keys in OpenSSH:
|
||
|
|
||
|
RSA1 is used by the SSH 1 protocol only,
|
||
|
RSA and DSA keys are used by the SSH 2 protocol implementation.
|
||
|
|
||
|
You can generate RSA keys for use with SSH 2 protocol with:
|
||
|
|
||
|
$ ssh-keygen -t rsa -f /etc/ssh_host_rsa_key
|
||
|
|
||
|
To use RSA or DSA keys in SSH 2 protocol, simply
|
||
|
add the public keys to the .ssh/authorised_keys2 file.
|
||
|
|
||
|
IdentityFile2, HostDsaKey and DSAAuthentication are obsolete:
|
||
|
|
||
|
You can use multiple IdentityFile and HostKey options instead, e.g
|
||
|
HostKey /etc/ssh_host_key
|
||
|
HostKey /etc/ssh_host_dsa_key
|
||
|
HostKey /etc/ssh_host_rsa_key
|
||
|
in /etc/sshd_config
|
||
|
|
||
|
The option DSAAuthentication has been replaced by PubkeyAuthentication.
|
||
|
|
||
|
Fingerprinting works for all types of keys:
|
||
|
|
||
|
$ ssh-keygen -l -f $HOME/.ssh/{authorized_keys,known_hosts}{,2}
|
||
|
|
||
|
5) Important changes in the implementation of SSH 1 protocol:
|
||
|
|
||
|
The OpenSSH server does not require a privileged source port for
|
||
|
RhostsRsaAuthentication, since it adds no additional security.
|
||
|
|
||
|
Interoperation with SSH 1.4 protocol
|
||
|
|
||
|
6) New option HostKeyAlias
|
||
|
|
||
|
This option allows the user to record the host key under a
|
||
|
different name. This is useful for tunneling over
|
||
|
forwarded connections or if you run multiple sshd's on
|
||
|
different ports on the same machine.
|
||
|
|
||
|
Alternatively you can use the UserKnownHostsFile or
|
||
|
UserKnownHostsFile2 options to specify seperate host key
|
||
|
files for the connection.
|
||
|
|
||
|
7) The ReverseMappingCheck is now optional in sshd_config.
|
||
|
|
||
|
If you combine this with the 'sshd -u0' option the server
|
||
|
will not do DNS lookups when a client connects.
|
||
|
|
||
|
8) Stricter Hostkey Checking
|
||
|
|
||
|
9) Option Change Summary:
|
||
|
|
||
|
a) New or changed:
|
||
|
|
||
|
ChallengeResponseAuthentication
|
||
|
MACs
|
||
|
PubkeyAuthentication
|
||
|
|
||
|
HostkeyAlias (Client only)
|
||
|
|
||
|
Banner (Server only)
|
||
|
ReverseMappingCheck (Server only)
|
||
|
|
||
|
PermitRootLogin {yes,without-password,forced-commands-only,no}
|
||
|
|
||
|
{Allow,Deny}Groups now support supplementary groups
|
||
|
|
||
|
sshd -D for monitoring scripts or inittab
|
||
|
ssh -t multiple -t force tty allocation
|
||
|
|
||
|
b) Obsolete:
|
||
|
|
||
|
DsaAuthentication (use PubkeyAuthentication instead)
|
||
|
HostDsaKey (use HostKey)
|
||
|
Identityfile2 (use Identityfile or -i)
|
||
|
SkeyAuthentication (use ChallengeResponseAuthentication)
|
||
|
TisAuthentication (use ChallengeResponseAuthentication)
|
||
|
|
||
|
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
|
||
|
Kevin Steves, Damien Miller and Ben Lindstrom.
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.3.0p1" id="2.3.0p1">OpenSSH 2.3.0p1</a> (2000-11-06)</h3>
|
||
|
<pre>This is to announce the release of portable openssh-2.3.0p1. This
|
||
|
release includes many new features and bug fixes. This is a
|
||
|
recommended upgrade if you are using 2.2.0p1 or an older release.
|
||
|
|
||
|
Portable OpenSSH is available from one of the many mirrors listed at
|
||
|
<a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>
|
||
|
|
||
|
Some of the more notable features include:
|
||
|
|
||
|
- Rijndael support for SSH2. Use the "Ciphers" configuration directive
|
||
|
to enable it. (Markus Friedl <markus@cvs.openbsd.org>
|
||
|
|
||
|
- Cygwin support (Corinna Vinschen <vinschen@cygnus.com>)
|
||
|
|
||
|
- sftp-server support (Markus Friedl <markus@cvs.openbsd.org>)
|
||
|
|
||
|
- SSH1 single-des support for interop with Cisco routers. This cipher
|
||
|
is never enabled automatically, you have to either specify "-c des"
|
||
|
or enable it using "Cipher des" in a config file. (Markus Friedl
|
||
|
<markus@cvs.openbsd.org>
|
||
|
|
||
|
- Support expired password change through PAM (Steve VanDevender's
|
||
|
<stevev@darkwing.uoregon.edu>)
|
||
|
|
||
|
- Better compatibility with buggy SSH implementations (Markus Friedl
|
||
|
<markus@cvs.openbsd.org>
|
||
|
|
||
|
- S/key support for SSH2, based on kbd-interactive auth (Markus Friedl
|
||
|
<markus@cvs.openbsd.org> and mkiernan@avantgo.com
|
||
|
|
||
|
- scp now supports "-o" option (Ben Lindstron <mouring@pconline.com>)
|
||
|
|
||
|
Please refer to the ChangeLog for a full list of features and bugfixes.
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.2.0p1" id="2.2.0p1">OpenSSH 2.2.0p1</a> (2000-09-01)</h3>
|
||
|
<pre>Version 2.2.0p1 of portable OpenSSH has just been uploaded to the
|
||
|
master site and should be making its way to the mirrors in due
|
||
|
course.
|
||
|
|
||
|
<a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>
|
||
|
|
||
|
This release contains several new features and bugfixes relative to
|
||
|
the previous 2.1.1p4 release. In particular:
|
||
|
|
||
|
- DSA key support in ssh-agent. Please not that this will not
|
||
|
interop with ssh.com's ssh-agent (Markus Friedl)
|
||
|
- sshd now implements Random Early Drop connection rate limiting,
|
||
|
which can help mitigate DoS attacks against sshd. See the
|
||
|
`MaxStartups' option in the sshd manpage for details (Markus Friedl)
|
||
|
- `-u' option to sshd allow logging of hostnames (rather than IP
|
||
|
addresses) in wtmp when `UseLogin' is set to `yes'. (Markus Friedl)
|
||
|
- Escape character `~' support in SSH2 (Markus Friedl)
|
||
|
- Interop with SSH.COM ssh 2.3.0 (Markus Friedl)
|
||
|
- Fix problems when sshd is run from inetd
|
||
|
- Better SunOS 4.1.x support (Nate Itkin and Charles Levert)
|
||
|
- Solaris package support, see contrib/solaris (Rip Loomis)
|
||
|
- Work around connection freezes on HPUX and SunOS 4 (Lutz Jaenicke,
|
||
|
Tamito KAJIYAMA)
|
||
|
- Fix ^C ignored issue on Solaris. (Gert Doering, John Horne and
|
||
|
Garrick James)
|
||
|
- Further improved NeXT support. (Ben Lindstrom, Mark Miller)
|
||
|
- Lots of other minor fixes (see ChangeLog for details)
|
||
|
|
||
|
This release has been tested on HPUX (10.20, 11.00), Irix (5.3,
|
||
|
6.5), Linux (Debian, Redhat, Slackware, SuSE), NeXTstep 3 (HPPA,
|
||
|
i386, m68k), OpenStep (i386, m68k, Sparc), SCO Unixware 7.1.0, SCO
|
||
|
OpenServer 5.0.5, Solaris 2.7 (Sparc), Solaris 2.8 (i386, Sparc),
|
||
|
SNI/Reliant Unix, DEC OSF/Tru64 5.0.
|
||
|
|
||
|
Many thanks to those who contributed bug reports, fixes and testing
|
||
|
time.
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.1.1p4" id="2.1.1p4">OpenSSH 2.1.1p4</a> (2000-07-16)</h3>
|
||
|
<pre>
|
||
|
I have just uploaded portable OpenSSH 2.1.1p4, it should be making
|
||
|
its way to the mirrors listed at <a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>
|
||
|
soon.
|
||
|
|
||
|
This release contains several bugfixes from the OpenBSD team,
|
||
|
primarily the config file parsing problem reported by Ralf
|
||
|
Engelschall <rse@engelschall.com>
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
|
||
|
--------------- Changelog:
|
||
|
|
||
|
20000716
|
||
|
- Release 2.1.1p4
|
||
|
|
||
|
20000715
|
||
|
- (djm) OpenBSD CVS updates
|
||
|
- provos@cvs.openbsd.org 2000/07/13 16:53:22
|
||
|
[aux.c readconf.c servconf.c ssh.h]
|
||
|
allow multiple whitespace but only one '=' between tokens, bug report from
|
||
|
Ralf S. Engelschall <rse@engelschall.com> but different fix. okay deraadt@
|
||
|
- provos@cvs.openbsd.org 2000/07/13 17:14:09
|
||
|
[clientloop.c]
|
||
|
typo; todd@fries.net
|
||
|
- provos@cvs.openbsd.org 2000/07/13 17:19:31
|
||
|
[scp.c]
|
||
|
close can fail on AFS, report error; from Greg Hudson <ghudson@mit.edu>
|
||
|
- markus@cvs.openbsd.org 2000/07/14 16:59:46
|
||
|
[readconf.c servconf.c]
|
||
|
allow leading whitespace. ok niels
|
||
|
- djm@cvs.openbsd.org 2000/07/14 22:01:38
|
||
|
[ssh-keygen.c ssh.c]
|
||
|
Always create ~/.ssh with mode 700; ok Markus
|
||
|
- Fixes for SunOS 4.1.4 from Gordon Atwood <gordon@cs.ualberta.ca>
|
||
|
- Include floatingpoint.h for entropy.c
|
||
|
- strerror replacement
|
||
|
|
||
|
---------------
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.1.1p3" id="2.1.1p3">OpenSSH 2.1.1p3</a> (2000-07-12)</h3>
|
||
|
<pre>
|
||
|
The 2.1.1p3 release of portable OpenSSH has been uploaded to the
|
||
|
OpenBSD ftp master site. In a few hours it will be available from one
|
||
|
of the many mirrors listed at:
|
||
|
|
||
|
<a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>
|
||
|
|
||
|
This release fixes several bugs reported since the previous release
|
||
|
and extends portability to NeXT and Reliant Unix.
|
||
|
|
||
|
As usual, the OpenBSD team has been hard at work further polishing and
|
||
|
enhancing OpenSSH. This release brings a new configuration directive
|
||
|
"MaxStartups" which mitigates connection flooding attacks, further
|
||
|
details are in the sshd man-page.
|
||
|
|
||
|
Another noteworthy difference from previous releases is that
|
||
|
'FallBackToRsh' now defaults to 'no'. Users of this feature may need
|
||
|
to edit their /etc/ssh_config or ~/.ssh/config files to achieve the
|
||
|
same behavior.
|
||
|
|
||
|
Again, thanks to those who reported bugs, tested the snapshot and sent
|
||
|
fixes.
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
|
||
|
------------------ Changelog
|
||
|
|
||
|
20000712
|
||
|
- (djm) Remove -lresolve for Reliant Unix
|
||
|
- (djm) OpenBSD CVS Updates:
|
||
|
- deraadt@cvs.openbsd.org 2000/07/11 02:11:34
|
||
|
[session.c sshd.c ]
|
||
|
make MaxStartups code still work with -d; djm
|
||
|
- deraadt@cvs.openbsd.org 2000/07/11 13:17:45
|
||
|
[readconf.c ssh_config]
|
||
|
disable FallBackToRsh by default
|
||
|
- (djm) Replace in_addr_t with u_int32_t in bsd-inet_aton.c. Report from
|
||
|
Ben Lindstrom <mouring@pconline.com>
|
||
|
- (djm) Make building of X11-Askpass and GNOME-Askpass optional in RPM
|
||
|
spec file.
|
||
|
- (djm) Released 2.1.1p3
|
||
|
|
||
|
20000711
|
||
|
- (djm) Fixup for AIX getuserattr() support from Tom Bertelson
|
||
|
<tbert@abac.com>
|
||
|
- (djm) ReliantUNIX support from Udo Schweigert <ust@cert.siemens.de>
|
||
|
- (djm) NeXT: dirent structures to get scp working from Ben Lindstrom
|
||
|
<mouring@pconline.com>
|
||
|
- (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report
|
||
|
from Jim Watt <jimw@peisj.pebio.com>
|
||
|
- (djm) Replaced bsd-snprintf.c with one from Mutt source tree, it is known
|
||
|
to compile on more platforms (incl NeXT).
|
||
|
- (djm) Added bsd-inet_aton and configure support for NeXT
|
||
|
- (djm) Misc NeXT fixes from Ben Lindstrom <mouring@pconline.com>
|
||
|
- (djm) OpenBSD CVS updates:
|
||
|
- markus@cvs.openbsd.org 2000/06/26 03:22:29
|
||
|
[authfd.c]
|
||
|
cleanup, less cut&paste
|
||
|
- markus@cvs.openbsd.org 2000/06/26 15:59:19
|
||
|
[servconf.c servconf.h session.c sshd.8 sshd.c]
|
||
|
MaxStartups: limit number of unauthenticated connections, work by
|
||
|
theo and me
|
||
|
- deraadt@cvs.openbsd.org 2000/07/05 14:18:07
|
||
|
[session.c]
|
||
|
use no_x11_forwarding_flag correctly; provos ok
|
||
|
- provos@cvs.openbsd.org 2000/07/05 15:35:57
|
||
|
[sshd.c]
|
||
|
typo
|
||
|
- aaron@cvs.openbsd.org 2000/07/05 22:06:58
|
||
|
[scp.1 ssh-agent.1 ssh-keygen.1 sshd.8]
|
||
|
Insert more missing .El directives. Our troff really should identify
|
||
|
these and spit out a warning.
|
||
|
- todd@cvs.openbsd.org 2000/07/06 21:55:04
|
||
|
[auth-rsa.c auth2.c ssh-keygen.c]
|
||
|
clean code is good code
|
||
|
- deraadt@cvs.openbsd.org 2000/07/07 02:14:29
|
||
|
[serverloop.c]
|
||
|
sense of port forwarding flag test was backwards
|
||
|
- provos@cvs.openbsd.org 2000/07/08 17:17:31
|
||
|
[compat.c readconf.c]
|
||
|
replace strtok with strsep; from David Young <dyoung@onthejob.net>
|
||
|
- deraadt@cvs.openbsd.org 2000/07/08 19:21:15
|
||
|
[auth.h]
|
||
|
KNF
|
||
|
- ho@cvs.openbsd.org 2000/07/08 19:27:33
|
||
|
[compat.c readconf.c]
|
||
|
Better conditions for strsep() ending.
|
||
|
- ho@cvs.openbsd.org 2000/07/10 10:27:05
|
||
|
[readconf.c]
|
||
|
Get the correct message on errors. (niels@ ok)
|
||
|
- ho@cvs.openbsd.org 2000/07/10 10:30:25
|
||
|
[cipher.c kex.c servconf.c]
|
||
|
strtok() --> strsep(). (niels@ ok)
|
||
|
- (djm) Fix problem with debug mode and MaxStartups
|
||
|
- (djm) Don't generate host keys when $(DESTDIR) is set (e.g. during RPM
|
||
|
builds)
|
||
|
- (djm) Add strsep function from OpenBSD libc for systems that lack it
|
||
|
|
||
|
20000709
|
||
|
- (djm) Only enable PAM_TTY kludge for Linux. Problem report from
|
||
|
Kevin Steves <stevesk@sweden.hp.com>
|
||
|
- (djm) Match prototype and function declaration for rresvport_af.
|
||
|
Problem report from Niklas Edmundsson <nikke@ing.umu.se>
|
||
|
- (djm) Missing $(DESTDIR) on host-key target causing problems with RPM
|
||
|
builds. Problem report from Gregory Leblanc <GLeblanc@cu-portland.edu>
|
||
|
- (djm) Replace ut_name with ut_user. Patch from Jim Watt
|
||
|
<jimw@peisj.pebio.com>
|
||
|
- (djm) Fix pam sprintf fix
|
||
|
- (djm) Cleanup entropy collection code a little more. Split initialisation
|
||
|
from seeding, perform intialisation immediatly at start, be careful with
|
||
|
uids. Based on problem report from Jim Watt <jimw@peisj.pebio.com>
|
||
|
- (djm) More NeXT compatibility from Ben Lindstrom <mouring@pconline.com>
|
||
|
Including sigaction() et al. replacements
|
||
|
- (djm) AIX getuserattr() session initialisation from Tom Bertelson
|
||
|
<tbert@abac.com>
|
||
|
|
||
|
20000708
|
||
|
- (djm) Fix bad fprintf format handling in auth-pam.c. Patch from
|
||
|
Aaron Hopkins <aaron@die.net>
|
||
|
- (djm) Fix incorrect configure handling of --with-rsh-path option. Fix from
|
||
|
Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
|
||
|
- (djm) Fixed undefined variables for OSF SIA. Report from
|
||
|
Baars, Henk <Hendrik.Baars@nl.origin-it.com>
|
||
|
- (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c
|
||
|
Fix from Marquess, Steve Mr JMLFDC <Steve.Marquess@DET.AMEDD.ARMY.MIL>
|
||
|
- (djm) Don't use inet_addr.
|
||
|
|
||
|
20000702
|
||
|
- (djm) Fix brace mismatch from Corinna Vinschen <vinschen@cygnus.com>
|
||
|
- (djm) Stop shadow expiry checking from preventing logins with NIS. Based
|
||
|
on fix from HARUYAMA Seigo <haruyama@nt.phys.s.u-tokyo.ac.jp>
|
||
|
- (djm) Use standard OpenSSL functions in auth-skey.c. Patch from
|
||
|
Chris, the Young One <cky@pobox.com>
|
||
|
- (djm) Fix scp progress meter on really wide terminals. Based on patch
|
||
|
from James H. Cloos Jr. <cloos@jhcloos.com>
|
||
|
|
||
|
------------------
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.1.1p2" id="2.1.1p2">OpenSSH 2.1.1p2</a> (2000-07-01)</h3>
|
||
|
<pre>Announcing the release of portable OpenSSH 2.1.1p2.
|
||
|
|
||
|
This release primarily contains fixes to the bugs that have been
|
||
|
reported over the last month, in particular:
|
||
|
|
||
|
- Invalid time bring written to utmp/wtmp on systems using bash2
|
||
|
|
||
|
- Several lastlog fixes
|
||
|
|
||
|
- AIX, SCO, Irix portability fixes
|
||
|
|
||
|
- Avoid failures on PAM systems when using PAM authentication modules
|
||
|
which require a tty.
|
||
|
|
||
|
- Entropy collection fixes for Solaris.
|
||
|
|
||
|
- EGD robustness improvements
|
||
|
|
||
|
- Fixes and enhancements from the OpenBSD team:
|
||
|
- Fixed options processing in authorized_keys2 file
|
||
|
- Compatibility with commercial SSH 2.0.13 and 2.2.0
|
||
|
- Numerous minor fixes
|
||
|
|
||
|
There are also a couple of new features:
|
||
|
|
||
|
- Shadow password expiry support (no password change support yet)
|
||
|
|
||
|
- Irix 6.x array sessions, project IDs and system audit trail IDs
|
||
|
|
||
|
- Beginnings of Tru64 / OSF SIA (Security Integration Architecture)
|
||
|
support
|
||
|
|
||
|
- Beginnings of NeXT support
|
||
|
|
||
|
Version 2.1.1p2 will be available from the mirrors listed at
|
||
|
<a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a> (as soon as they update).
|
||
|
|
||
|
Many thanks to all those who tested the snapshots and/or contributed
|
||
|
bug reports and patches
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.1.1p1" id="2.1.1p1">OpenSSH 2.1.1p1</a> (2000-06-09)</h3>
|
||
|
<pre>Announcing the availability of portable OpenSSH 2.1.1p1.
|
||
|
|
||
|
This release contains the fix for the "UseLogin yes" vulnerability
|
||
|
identified in Markus' release and several other enhancements and
|
||
|
bugfixes. Including:
|
||
|
|
||
|
- Better login code. Andre Lucas has rewritten the login code to
|
||
|
be much more modular and extensible. In the process he has fixed
|
||
|
the problems with Solaris utmp[x].
|
||
|
|
||
|
- Revised the entropy collection code to be faster and more reliable.
|
||
|
|
||
|
- Fix for RSA host restrictions ("from=" in authorized_keys)
|
||
|
|
||
|
It is recommended that all users upgrade to this version.
|
||
|
|
||
|
Portable OpenSSH 2.1.1p1 is available from one of the many mirrors
|
||
|
listed at: <a href="http://www.openssh.com/portable.html">http://www.openssh.com/portable.html</a>
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-2.1.0p1" id="2.1.0p1">OpenSSH 2.1.0p1</a> (2000-05-09)</h3>
|
||
|
<pre>
|
||
|
This is to announce the release of openssh-2.1.0, the first stable
|
||
|
release of portable OpenSSH to incorporate support for the SSH2
|
||
|
protocol.
|
||
|
|
||
|
The SSH2 protocol offers a number of advantages over the SSH1 protocol
|
||
|
including standards compliance (SSH2 is on the IETF standards
|
||
|
track[1]), improved security and operation without RSA (which is
|
||
|
patented in some countries).
|
||
|
|
||
|
The SSH2 support in OpenSSH has been developed by Markus Friedl, with
|
||
|
support from the OpenBSD team.
|
||
|
|
||
|
This is also the first version of the portable version of OpenSSH
|
||
|
to offer built-in entropy collection. This removes the requirement
|
||
|
for EGD on systems that lack a /dev/random driver. As a result,
|
||
|
OpenSSH-2.1.0 now requires a recent version of OpenSSL[2] to compile
|
||
|
(version 0.9.5 or later).
|
||
|
|
||
|
NB. The portable version of OpenSSH is currently in the
|
||
|
process of merging its webpages with the official OpenBSD
|
||
|
project. Please use <a href="http://www.openssh.com/">http://www.openssh.com/</a> from now
|
||
|
on. Distribution files are also available from the mirrors listed at
|
||
|
<a href="http://violet.ibs.com.au/openssh/files/MIRRORS.html">http://violet.ibs.com.au/openssh/files/MIRRORS.html</a>
|
||
|
|
||
|
Please read <a href="http://www.openssh.com/report.html">http://www.openssh.com/report.html</a> before reporting bugs.
|
||
|
Patches, bug reports, developer and user queries are welcome on the
|
||
|
mailing list (<a href="http://www.openssh.com/list.html)">http://www.openssh.com/list.html)</a>.
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
|
||
|
[1] <a href="http://www.ietf.org/html.charters/secsh-charter.html">http://www.ietf.org/html.charters/secsh-charter.html</a>
|
||
|
[2] <a href="http://www.openssl.org/">http://www.openssl.org/</a>
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-1.2.3p1" id="1.2.3p1">OpenSSH 1.2.3p1</a> (2000-03-24)</h3>
|
||
|
<pre>
|
||
|
The Unix/Linux port of OpenSSH 1.2.3 was released yesterday and should
|
||
|
be available from a mirror near you. A mirror list is available from:
|
||
|
|
||
|
<a href="http://violet.ibs.com.au/openssh/files/MIRRORS.html">http://violet.ibs.com.au/openssh/files/MIRRORS.html</a>
|
||
|
|
||
|
This release fixes the bugs reported since 1.2.2p1 and contains many
|
||
|
cleanups from the OpenBSD tree.
|
||
|
|
||
|
In particular, the OpenSSL detection problems have been resolved.
|
||
|
|
||
|
The layout has changed a little bit. The packages/ subdirectory has
|
||
|
been replaced with a contrib/ subdirectory which contains platform
|
||
|
specific code and other patches. Submissions are welcome.
|
||
|
|
||
|
Enjoy,
|
||
|
Damien Miller
|
||
|
|
||
|
20000317
|
||
|
- Clarified --with-default-path option.
|
||
|
- Added -blibpath handling for AIX to work around stupid runtime linking.
|
||
|
Problem elucidated by gshapiro@SENDMAIL.ORG by way of Jim Knoble
|
||
|
<jmknoble@pobox.com>
|
||
|
- Checks for 64 bit int types. Problem report from Mats Fredholm
|
||
|
<matsf@init.se>
|
||
|
- OpenBSD CVS updates:
|
||
|
- [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c]
|
||
|
[packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c]
|
||
|
[sshd.c]
|
||
|
pedantic: signed vs. unsigned, void*-arithm, etc
|
||
|
- [ssh.1 sshd.8]
|
||
|
Various cleanups and standardizations.
|
||
|
- Runtime error fix for HPUX from Otmar Stahl
|
||
|
<O.Stahl@lsw.uni-heidelberg.de>
|
||
|
|
||
|
20000316
|
||
|
- Fixed configure not passing LDFLAGS to Solaris. Report from David G.
|
||
|
Hesprich <dghespri@sprintparanet.com>
|
||
|
- Propogate LD through to Makefile
|
||
|
- Doc cleanups
|
||
|
- Added blurb about "scp: command not found" errors to UPGRADING
|
||
|
|
||
|
20000315
|
||
|
- Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list
|
||
|
problems with gcc/Solaris.
|
||
|
- Don't free argument to putenv() after use (in setenv() replacement).
|
||
|
Report from Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
|
||
|
- Created contrib/ subdirectory. Included helpers from Phil Hands'
|
||
|
Debian package, README file and chroot patch from Ricardo Cerqueira
|
||
|
<rmcc@clix.pt>
|
||
|
- Moved gnome-ssh-askpass.c to contrib directory and removed config
|
||
|
option.
|
||
|
- Slight cleanup to doc files
|
||
|
- Configure fix from Bratislav ILICH <bilic@zepter.ru>
|
||
|
|
||
|
20000314
|
||
|
- Include macro for IN6_IS_ADDR_V4MAPPED. Report from
|
||
|
peter@frontierflying.com
|
||
|
- Include /usr/local/include and /usr/local/lib for systems that don't
|
||
|
do it themselves
|
||
|
- -R/usr/local/lib for Solaris
|
||
|
- Fix RSAref detection
|
||
|
- Fix IN6_IS_ADDR_V4MAPPED macro
|
||
|
|
||
|
20000311
|
||
|
- Detect RSAref
|
||
|
- OpenBSD CVS change
|
||
|
[sshd.c]
|
||
|
- disallow guessing of root password
|
||
|
- More configure fixes
|
||
|
- IPv6 workarounds from Hideaki YOSHIFUJI <yoshfuji@ecei.tohoku.ac.jp>
|
||
|
|
||
|
20000309
|
||
|
- OpenBSD CVS updates to v1.2.3
|
||
|
[ssh.h atomicio.c]
|
||
|
- int atomicio -> ssize_t (for alpha). ok deraadt@
|
||
|
[auth-rsa.c]
|
||
|
- delay MD5 computation until client sends response, free() early, cleanup.
|
||
|
[cipher.c]
|
||
|
- void* -> unsigned char*, ok niels@
|
||
|
[hostfile.c]
|
||
|
- remove unused variable 'len'. fix comments.
|
||
|
- remove unused variable
|
||
|
[log-client.c log-server.c]
|
||
|
- rename a cpp symbol, to avoid param.h collision
|
||
|
[packet.c]
|
||
|
- missing xfree()
|
||
|
- getsockname() requires initialized tolen; andy@guildsoftware.com
|
||
|
- use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
|
||
|
from Holger.Trapp@Informatik.TU-Chemnitz.DE
|
||
|
[pty.c pty.h]
|
||
|
- register cleanup for pty earlier. move code for pty-owner handling to
|
||
|
pty.c ok provos@, dugsong@
|
||
|
[readconf.c]
|
||
|
- turn off x11-fwd for the client, too.
|
||
|
[rsa.c]
|
||
|
- PKCS#1 padding
|
||
|
[scp.c]
|
||
|
- allow '.' in usernames; from jedgar@fxp.org
|
||
|
[servconf.c]
|
||
|
- typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de
|
||
|
- sync with sshd_config
|
||
|
[ssh-keygen.c]
|
||
|
- enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@
|
||
|
[ssh.1]
|
||
|
- Change invalid 'CHAT' loglevel to 'VERBOSE'
|
||
|
[ssh.c]
|
||
|
- suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp
|
||
|
- turn off x11-fwd for the client, too.
|
||
|
[sshconnect.c]
|
||
|
- missing xfree()
|
||
|
- retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp.
|
||
|
- read error vs. "Connection closed by remote host"
|
||
|
[sshd.8]
|
||
|
- ie. -> i.e.,
|
||
|
- do not link to a commercial page..
|
||
|
- sync with sshd_config
|
||
|
[sshd.c]
|
||
|
- no need for poll.h; from bright@wintelcom.net
|
||
|
- log with level log() not fatal() if peer behaves badly.
|
||
|
- don't panic if client behaves strange. ok deraadt@
|
||
|
- make no-port-forwarding for RSA keys deny both -L and -R style fwding
|
||
|
- delay close() of pty until the pty has been chowned back to root
|
||
|
- oops, fix comment, too.
|
||
|
- missing xfree()
|
||
|
- move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too.
|
||
|
(<a href="http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907">http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907</a>) - register cleanup for pty earlier. move code for pty-owner handling to
|
||
|
pty.c ok provos@, dugsong@
|
||
|
- create x11 cookie file
|
||
|
- fix pr 1113, fclose() -> pclose(), todo: remote popen()
|
||
|
- version 1.2.3
|
||
|
- Cleaned up
|
||
|
- Removed warning workaround for Linux and devpts filesystems (no longer
|
||
|
required after OpenBSD updates)
|
||
|
|
||
|
20000308
|
||
|
- Configure fix from Hiroshi Takekawa <takekawa@sr3.t.u-tokyo.ac.jp>
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<h3><a href="txt/release-1.2.2p1" id="1.2.2p1">OpenSSH 1.2.2p1</a> (2000-03-05)</h3>
|
||
|
<pre>
|
||
|
It gives me no little pleasure to announce the first stable release
|
||
|
of the Unix port of OpenSSH.
|
||
|
|
||
|
It is available in tar.gz and RPM format from one of the mirrors
|
||
|
listed at:
|
||
|
|
||
|
<a href="http://violet.ibs.com.au/openssh/files/MIRRORS.html">http://violet.ibs.com.au/openssh/files/MIRRORS.html</a>
|
||
|
|
||
|
This release fixes all known issues and is known to compile and
|
||
|
function on (at least) recent releases on Linux, Solaris, HPUX and SCO
|
||
|
Unixware.
|
||
|
|
||
|
Please review the ChangeLog[1] for details on what has changed since
|
||
|
the last release.
|
||
|
|
||
|
I am holding off on a wider announcement until the mirrors have
|
||
|
updated.
|
||
|
|
||
|
Thanks to everyone who assisted with testing, bug reports, success
|
||
|
stories and most of all, patches :) Special thanks to the OpenBSD
|
||
|
developers for giving us OpenSSH to begin with.
|
||
|
|
||
|
Regards,
|
||
|
Damien Miller
|
||
|
|
||
|
[1] <a href="http://violet.ibs.com.au/openssh/files/ChangeLog">http://violet.ibs.com.au/openssh/files/ChangeLog</a>
|
||
|
</pre>
|
||
|
<hr>
|
||
|
<p>$OpenBSD: releasenotes.html,v 1.49 2021/03/03 04:02:49 djm Exp $ </p>
|
||
|
</body>
|
||
|
</html>
|