Changes:
3.6.14
------
* libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
The TLS server would not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (#1011).
[GNUTLS-SA-2020-06-03, CVSS: high]
* libgnutls: Fixed handling of certificate chain with cross-signed
intermediate CA certificates (#1008).
* libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
* libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
(2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
Key Identifier (AKI) properly (#989, #991).
* certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
* libgnutls: Added several improvements on Windows Vista and later releases
(!1257, !1254, !1256). Most notably the system random number generator now
uses Windows BCrypt* API if available (!1255).
* libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
Also both accelerated and non-accelerated implementations check key block
according to FIPS-140-2 IG A.9 (!1233).
* libgnutls: Added support for AES-SIV ciphers (#463).
* libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
* libgnutls: No longer use internal symbols exported from Nettle (!1235)
* API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added
Certbot 1.5.0
Added
Require explicit confirmation of snap plugin permissions before connecting.
Changed
Improved error message in apache installer when mod_ssl is not available.
Fixed
Add support for OCSP responses which use a public key hash ResponderID, fixing
interoperability with Sectigo CAs.
Fix TLS-ALPN test that fails when run with newer versions of OpenSSL.
More details about these changes can be found on our GitHub repo.
EVP_sha1 and EVP_sha256. Without this, opendnssec would build
but would not recognize any of those algorithms for tsig, and
therefore be pretty useless. I'll admit that I'm not entirely
certain why this is now suddenly required; those functions are
in the same library in 9.0 as in 8.0.
Bump PKGREVISION.
1.0 - 2020-05-13
- Limit support to GnuPG 2.2+ and 1.4
- Additional information from keys when using GnuPG 2.2 or higher
- Add support for use of agent/pinentry
- Updated options to add ignore_mdc_error and logging
- Improvements to tests
- Update pubkey_data documentation
- Special thanks to dkg on Github for a large PR with updates for GnuPG 2
- Thanks also to ntyni on Github for a pointer to test updates also dealing
with version changes
This release includes important security updates to Firefox.
This new Tor Browser release is focused on helping users understand
onion services.
Tor's onion routing remains the best way to achieve end-to-end
anonymous communication on the Internet. With onion services (.onion
addresses), website administrators can provide their users with
anonymous connections that are metadata-free or that hide metadata
from any third party. Onion services are also one of the few
censorship circumvention technologies that allow users to route
around censorship while simultaneously protecting their privacy
and identity.
For the first time, Tor Browser users on desktop will be able to
opt-in for using onion sites automatically whenever the website
makes them available. For years, some websites have invisibly used
onion services with alternative services (alt-svc), and this
continues to be an excellent choice. Now, there is also an opt-in
mechanism available for websites that want their users to know
about their onion service that invites them to upgrade their
connection via the .onion address.
5.68
[KAuth] Add support for action details in Polkit1 backend
[policy-gen] Fix the code to actually use the correct capture group
Drop Policykit backend
[polkit-1] Simplify Polkit1Backend action exists lookup
[polkit-1] Return an error status in actionStatus if there is an error
Calculate KAuthAction::isValid on demand
5.69
Fix type namespace requirement
ChangeLog:
- New option: -R to recover the public key from a secret key.
- minisign can now be compiled to WebAssembly.
- Error messages have been improved.
- Key derivation is now possible on devices with limited memory.
- Compilation on OpenWRT is now possible using cmake.
- A Docker image is now available.
- 64-bit Windows binaries have been added, and macOS binaries are notarized.
2020.5.20
not documented
2020.5.19
* Reverting Onboarding page for the time being
* Patch for whitelisting rules and EASE mode issue
* Double rule load patch in update channels
* Fix minor JS and UX issues
v 11.0.30
============================================================
x Discoverable option to force site-leaking UI in
PBM/Incognito
x [L10n] Updated he
x Easier keyboard navigation of preset configuration
x Yellow-less UI palette
lxqt-sudo-0.15.0 / 2020-04-23
=============================
* sudo: Fix (re)setting HOME with sudo backend.
* sudo: Add TERM to allowed/preserved env vars.
* Build on NetBSD.
lxqt-policykit-0.15.0 / 2020-04-22
==================================
* Bumped version to 0.15.0.
* Delete Password from line-edit.
* Made the infobox non-modal.
* Removed (duplicated) string casts definitions.
This package provides the certificates distributed by the Mozilla
Project.
It also provides a script, update-ca-certs, which can be used to manage
a location that makes certificates usable by TLS implementations,
including installing select certificates from this package.
pkgsrc changes: Delete roots which expired today or earlier:
C = SE, O = AddTrust AB, OU = AddTrust TTP Network, CN = AddTrust Class 1 CA Root
C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
C = NL, O = Staat der Nederlanden, CN = Staat der Nederlanden Root CA - G2
Upstream changes:
1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root
1621159 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC,
GRCA, and SK ID root certs. r=jcj
1.4.0:
* Update ``libsodium`` to 1.0.18.
* **BACKWARDS INCOMPATIBLE:** We no longer distribute 32-bit ``manylinux1``
wheels. Continuing to produce them was a maintenance burden.
* Added support for Python 3.8, and removed support for Python 3.4.
* Add low level bindings for extracting the seed and the public key
from crypto_sign_ed25519 secret key
* Add low level bindings for deterministic random generation.
* Add ``wheel`` and ``setuptools`` setup_requirements in ``setup.py``
* Fix checks on very slow builders
* Add low-level bindings to ed25519 arithmetic functions
* Update low-level blake2b state implementation
* Fix wrong short-input behavior of SealedBox.decrypt()
* Raise CryptPrefixError exception instead of InvalidkeyError when trying
to check a password against a verifier stored in a unknown format
* Add support for minimal builds of libsodium. Trying to call functions
not available in a minimal build will raise an UnavailableError
exception. To compile a minimal build of the bundled libsodium, set
the SODIUM_INSTALL_MINIMAL environment variable to any non-empty
string (e.g. ``SODIUM_INSTALL_MINIMAL=1``) for setup.
OpenSSH 8.3 was released on 2020-05-27. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.
The better alternatives include:
* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.
* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.
* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.
A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually. Vendors of devices
that implement the SSH protocol should ensure that they support the
new signature algorithms for RSA keys.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Security
========
* scp(1): when receiving files, scp(1) could be become desynchronised
if a utimes(2) system call failed. This could allow file contents
to be interpreted as file metadata and thereby permit an adversary
to craft a file system that, when copied with scp(1) in a
configuration that caused utimes(2) to fail (e.g. under a SELinux
policy or syscall sandbox), transferred different file names and
contents to the actual file system layout.
Exploitation of this is not likely as utimes(2) does not fail under
normal circumstances. Successful exploitation is not silent - the
output of scp(1) would show transfer errors followed by the actual
file(s) that were received.
Finally, filenames returned from the peer are (since openssh-8.0)
matched against the user's requested destination, thereby
disallowing a successful exploit from writing files outside the
user's selected target glob (or directory, in the case of a
recursive transfer). This ensures that this attack can achieve no
more than a hostile peer is already able to achieve within the scp
protocol.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* sftp(1): reject an argument of "-1" in the same way as ssh(1) and
scp(1) do instead of accepting and silently ignoring it.
Changes since OpenSSH 8.2
=========================
The focus of this release is bug fixing.
New Features
------------
* sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
to allow .shosts files but not .rhosts.
* sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
sshd_config, not just before any Match blocks; bz3148
* ssh(1): add %TOKEN percent expansion for the LocalFoward and
RemoteForward keywords when used for Unix domain socket forwarding.
bz#3014
* all: allow loading public keys from the unencrypted envelope of a
private key file if no corresponding public key file is present.
* ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
possible instead of the (slower) portable C implementation included
in OpenSSH.
* ssh-keygen(1): add ability to dump the contents of a binary key
revocation list via "ssh-keygen -lQf /path" bz#3132
Bugfixes
--------
* ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
a PKCS11Provider; bz#3141
* ssh-keygen(1): avoid NULL dereference when trying to convert an
invalid RFC4716 private key.
* scp(1): when performing remote-to-remote copies using "scp -3",
start the second ssh(1) channel with BatchMode=yes enabled to
avoid confusing and non-deterministic ordering of prompts.
* ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token,
perform hashing of the message to be signed in the middleware layer
rather than in OpenSSH code. This permits the use of security key
middlewares that perform the hashing implicitly, such as Windows
Hello.
* ssh(1): fix incorrect error message for "too many known hosts
files." bz#3149
* ssh(1): make failures when establishing "Tunnel" forwarding
terminate the connection when ExitOnForwardFailure is enabled;
bz#3116
* ssh-keygen(1): fix printing of fingerprints on private keys and add
a regression test for same.
* sshd(8): document order of checking AuthorizedKeysFile (first) and
AuthorizedKeysCommand (subsequently, if the file doesn't match);
bz#3134
* sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
not considered for HostbasedAuthentication when the target user is
root; bz#3148
* ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
key parsing (oss-fuzz #20074).
* ssh(1), sshd(8): more consistency between sets of %TOKENS are
accepted in various configuration options.
* ssh(1), ssh-keygen(1): improve error messages for some common
PKCS#11 C_Login failure cases; bz#3130
* ssh(1), sshd(8): make error messages for problems during SSH banner
exchange consistent with other SSH transport-layer error messages
and ensure they include the relevant IP addresses bz#3129
* various: fix a number of spelling errors in comments and debug/error
messages
* ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
from a token, don't prompt for a PIN until the token has told us
that it needs one. Avoids double-prompting on devices that
implement on-device authentication.
* sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
should be an extension, not a critical option.
* ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
when trying to use a FIDO key function and SecurityKeyProvider is
empty.
* ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
the values allowed by the wire format (u32). Prevents integer
wraparound of the timeout values. bz#3119
* ssh(1): detect and prevent trivial configuration loops when using
ProxyJump. bz#3057.
Portability
-----------
* Detect systems where signals flagged with SA_RESTART will interrupt
select(2). POSIX permits implementations to choose whether
select(2) will return when interrupted with a SA_RESTART-flagged
signal, but OpenSSH requires interrupting behaviour.
* Several compilation fixes for HP/UX and AIX.
* On platforms that do not support setting process-wide routing
domains (all excepting OpenBSD at present), fail to accept a
configuration attempts to set one at process start time rather than
fatally erroring at run time. bz#3126
* Improve detection of egrep (used in regression tests) on platforms
that offer a poor default one (e.g. Solaris).
* A number of shell portability fixes for the regression tests.
* Fix theoretical infinite loop in the glob(3) replacement
implementation.
* Fix seccomp sandbox compilation problems for some Linux
configurations bz#3085
* Improved detection of libfido2 and some compilation fixes for some
configurations when --with-security-key-builtin is selected.
OpenSSH 8.2 was released on 2020-02-14. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the "ssh-rsa" public key signature algorithm that depends
on SHA-1 by default in a near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.
The better alternatives include:
* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.
* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.
* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.
A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Security
========
* ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will
use the rsa-sha2-512 signature algorithm by default when the
ssh-keygen(1) CA signs new certificates.
Certificates are at special risk to the aforementioned SHA1
collision vulnerability as an attacker has effectively unlimited
time in which to craft a collision that yields them a valid
certificate, far more than the relatively brief LoginGraceTime
window that they have to forge a host key signature.
The OpenSSH certificate format includes a CA-specified (typically
random) nonce value near the start of the certificate that should
make exploitation of chosen-prefix collisions in this context
challenging, as the attacker does not have full control over the
prefix that actually gets signed. Nonetheless, SHA1 is now a
demonstrably broken algorithm and futher improvements in attacks
are highly likely.
OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
algorithms and will refuse to accept certificates signed by an
OpenSSH 8.2+ CA using RSA keys unless the unsafe algorithm is
explicitly selected during signing ("ssh-keygen -t ssh-rsa").
Older clients/servers may use another CA key type such as
ssh-ed25519 (supported since OpenSSH 6.5) or one of the
ecdsa-sha2-nistp256/384/521 types (supported since OpenSSH 5.7)
instead if they cannot be upgraded.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
CASignatureAlgorithms list.
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
from the default key exchange proposal for both the client and
server.
* ssh-keygen(1): the command-line options related to the generation
and screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have
changed. Most options have been folded under the -O flag.
* sshd(8): the sshd listener process title visible to ps(1) has
changed to include information about the number of connections that
are currently attempting authentication and the limits configured
by MaxStartups.
* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one). It needs to be installed
in the expected path, typically under /usr/libexec or similar.
Changes since OpenSSH 8.1
=========================
This release contains some significant new features.
FIDO/U2F Support
----------------
This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly authorise
operations by touching or tapping them.
Generating a FIDO key requires the token be attached, and will usually
require the user tap the token to confirm the operation:
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any other
supported key in OpenSSH and may be listed in authorized_keys, added
to ssh-agent(1), etc. The only additional stipulation is that the FIDO
token that the key belongs to must be attached when the key is used.
FIDO tokens are most commonly connected via USB but may be attached
via other means such as Bluetooth or NFC. In OpenSSH, communication
with the token is managed via a middleware library, specified by the
SecurityKeyProvider directive in ssh/sshd_config(5) or the
$SSH_SK_PROVIDER environment variable for ssh-keygen(1) and
ssh-add(1). The API for this middleware is documented in the sk-api.h
and PROTOCOL.u2f files in the source distribution.
OpenSSH includes a middleware ("SecurityKeyProvider=internal") with
support for USB tokens. It is automatically enabled in OpenBSD and may
be enabled in portable OpenSSH via the configure flag
--with-security-key-builtin. If the internal middleware is enabled
then it is automatically used by default. This internal middleware
requires that libfido2 (https://github.com/Yubico/libfido2) and its
dependencies be installed. We recommend that packagers of portable
OpenSSH enable the built-in middleware, as it provides the
lowest-friction experience for users.
Note: FIDO/U2F tokens are required to implement the ECDSA-P256
"ecdsa-sk" key type, but hardware support for Ed25519 "ed25519-sk" is
less common. Similarly, not all hardware tokens support some of the
optional features such as resident keys.
The protocol-level changes to support FIDO/U2F keys in SSH are
documented in the PROTOCOL.u2f file in the OpenSSH source
distribution.
There are a number of supporting changes to this feature:
* ssh-keygen(1): add a "no-touch-required" option when generating
FIDO-hosted keys, that disables their default behaviour of
requiring a physical touch/tap on the token during authentication.
Note: not all tokens support disabling the touch requirement.
* sshd(8): add a sshd_config PubkeyAuthOptions directive that
collects miscellaneous public key authentication-related options
for sshd(8). At present it supports only a single option
"no-touch-required". This causes sshd to skip its default check for
FIDO/U2F keys that the signature was authorised by a touch or press
event on the token hardware.
* ssh(1), sshd(8), ssh-keygen(1): add a "no-touch-required" option
for authorized_keys and a similar extension for certificates. This
option disables the default requirement that FIDO key signatures
attest that the user touched their key to authorize them, mirroring
the similar PubkeyAuthOptions sshd_config option.
* ssh-keygen(1): add support for the writing the FIDO attestation
information that is returned when new keys are generated via the
"-O write-attestation=/path" option. FIDO attestation certificates
may be used to verify that a FIDO key is hosted in trusted
hardware. OpenSSH does not currently make use of this information,
beyond optionally writing it to disk.
FIDO2 resident keys
-------------------
FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored
in the private key file on disk, and a per-device private key that is
unique to each FIDO/U2F token and that cannot be exported from the
token hardware. These are combined by the hardware at authentication
time to derive the real key that is used to sign authentication
challenges.
For tokens that are required to move between computers, it can be
cumbersome to have to move the private key file first. To avoid this
requirement, tokens implementing the newer FIDO2 standard support
"resident keys", where it is possible to effectively retrieve the key
handle part of the key from the hardware.
OpenSSH supports this feature, allowing resident keys to be generated
using the ssh-keygen(1) "-O resident" flag. This will produce a
public/private key pair as usual, but it will be possible to retrieve
the private key part from the token later. This may be done using
"ssh-keygen -K", which will download all available resident keys from
the tokens attached to the host and write public/private key files
for them. It is also possible to download and add resident keys
directly to ssh-agent(1) without writing files to the file-system
using "ssh-add -K".
Resident keys are indexed on the token by the application string and
user ID. By default, OpenSSH uses an application string of "ssh:" and
an empty user ID. If multiple resident keys on a single token are
desired then it may be necessary to override one or both of these
defaults using the ssh-keygen(1) "-O application=" or "-O user="
options. Note: OpenSSH will only download and use resident keys whose
application string begins with "ssh:"
Storing both parts of a key on a FIDO token increases the likelihood
of an attacker being able to use a stolen token device. For this
reason, tokens should enforce PIN authentication before allowing
download of keys, and users should set a PIN on their tokens before
creating any resident keys.
Other New Features
------------------
* sshd(8): add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns. bz2468
* ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
via the IPQoS directive; bz2986,
* ssh(1): when AddKeysToAgent=yes is set and the key contains no
comment, add the key to the agent with the key's path as the
comment. bz2564
* ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
subjects as key comments, rather than simply listing the PKCS#11
provider library path. PR138
* ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091
* ssh(1), sshd(8): make zlib compile-time optional, available via the
Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
option for OpenSSH portable.
* sshd(8): when clients get denied by MaxStartups, send a
notification prior to the SSH2 protocol banner according to
RFC4253 section 4.2.
* ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
program, pass a hint to the program to describe the type of
desired prompt. The possible values are "confirm" (indicating
that a yes/no confirmation dialog with no text entry should be
shown), "none" (to indicate an informational message only), or
blank for the original ssh-askpass behaviour of requesting a
password/phrase.
* ssh(1): allow forwarding a different agent socket to the path
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
option to accepting an explicit path or the name of an environment
variable in addition to yes/no.
* ssh-keygen(1): add a new signature operations "find-principals" to
look up the principal associated with a signature from an allowed-
signers file.
* sshd(8): expose the number of currently-authenticating connections
along with the MaxStartups limit in the process title visible to
"ps".
Bugfixes
--------
* sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
will now disable connection killing entirely rather than the
current behaviour of instantly killing the connection after the
first liveness test regardless of success. bz2627
* sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups /
DenyGroups in the sshd(8) manual page. bz1690
* sshd(8): better describe HashKnownHosts in the manual page. bz2560
* sshd(8): clarify that that permitopen=/PermitOpen do no name or
address translation in the manual page. bz3099
* sshd(8): allow the UpdateHostKeys feature to function when
multiple known_hosts files are in use. When updating host keys,
ssh will now search subsequent known_hosts files, but will add
updated host keys to the first specified file only. bz2738
* All: replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the
handler preventing races between handlers, and sets SA_RESTART
which should reduce the potential for short read/write operations.
* sftp(1): fix a race condition in the SIGCHILD handler that could
turn in to a kill(-1); bz3084
* sshd(8): fix a case where valid (but extremely large) SSH channel
IDs were being incorrectly rejected. bz3098
* ssh(1): when checking host key fingerprints as answers to new
hostkey prompts, ignore whitespace surrounding the fingerprint
itself.
* All: wait for file descriptors to be readable or writeable during
non-blocking connect, not just readable. Prevents a timeout when
the server doesn't immediately send a banner (e.g. multiplexers
like sslh)
* sshd_config(5): document the sntrup4591761x25519-sha512@tinyssh.org
key exchange algorithm. PR#151
Portability
-----------
* sshd(8): multiple adjustments to the Linux seccomp sandbox:
- Non-fatally deny IPC syscalls in sandbox
- Allow clock_gettime64() in sandbox (MIPS / glibc >= 2.31)
- Allow clock_nanosleep_time64 in sandbox (ARM) bz3100
- Allow clock_nanosleep() in sandbox (recent glibc) bz3093
* Explicit check for memmem declaration and fix up declaration if the
system headers lack it. bz3102
OpenSSH 8.1 was released on 2019-10-09. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Security
========
* ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer
overflow bug was found in the private key parsing code for the XMSS
key type. This key type is still experimental and support for it is
not compiled by default. No user-facing autoconf option exists in
portable OpenSSH to enable it. This bug was found by Adam Zabrocki
and reported via SecuriTeam's SSD program.
* ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel attacks like
Spectre, Meltdown and Rambleed. This release encrypts private keys
when they are not in use with a symmetric key that is derived from a
relatively large "prekey" consisting of random data (currently 16KB).
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): when acting as a CA and signing certificates with
an RSA key, default to using the rsa-sha2-512 signature algorithm.
Certificates signed by RSA keys will therefore be incompatible
with OpenSSH versions prior to 7.2 unless the default is
overridden (using "ssh-keygen -t ssh-rsa -s ...").
Changes since OpenSSH 8.0
=========================
This release is focused on bug-fixing.
New Features
------------
* ssh(1): Allow %n to be expanded in ProxyCommand strings
* ssh(1), sshd(8): Allow prepending a list of algorithms to the
default set by starting the list with the '^' character, E.g.
"HostKeyAlgorithms ^ssh-ed25519"
* ssh-keygen(1): add an experimental lightweight signature and
verification ability. Signatures may be made using regular ssh keys
held on disk or stored in a ssh-agent and verified against an
authorized_keys-like list of allowed keys. Signatures embed a
namespace that prevents confusion and attacks between different
usage domains (e.g. files vs email).
* ssh-keygen(1): print key comment when extracting public key from a
private key. bz#3052
* ssh-keygen(1): accept the verbose flag when searching for host keys
in known hosts (i.e. "ssh-keygen -vF host") to print the matching
host's random-art signature too. bz#3003
* All: support PKCS8 as an optional format for storage of private
keys to disk. The OpenSSH native key format remains the default,
but PKCS8 is a superior format to PEM if interoperability with
non-OpenSSH software is required, as it may use a less insecure
key derivation function than PEM's.
Bugfixes
--------
* ssh(1): if a PKCS#11 token returns no keys then try to login and
refetch them. Based on patch from Jakub Jelen; bz#2430
* ssh(1): produce a useful error message if the user's shell is set
incorrectly during "match exec" processing. bz#2791
* sftp(1): allow the maximum uint32 value for the argument passed
to -b which allows better error messages from later validation.
bz#3050
* ssh(1): avoid pledge sandbox violations in some combinations of
remote forwarding, connection multiplexing and ControlMaster.
* ssh-keyscan(1): include SHA2-variant RSA key algorithms in KEX
proposal; allows ssh-keyscan to harvest keys from servers that
disable old SHA1 ssh-rsa. bz#3029
* sftp(1): print explicit "not modified" message if a file was
requested for resumed download but was considered already complete.
bz#2978
* sftp(1): fix a typo and make <esc><right> move right to the
closest end of a word just like <esc><left> moves left to the
closest beginning of a word.
* sshd(8): cap the number of permitopen/permitlisten directives
allowed to appear on a single authorized_keys line.
* All: fix a number of memory leaks (one-off or on exit paths).
* Regression tests: a number of fixes and improvements, including
fixes to the interop tests, adding the ability to run most tests
on builds that disable OpenSSL support, better support for running
tests under Valgrind and a number of bug-fixes.
* ssh(1), sshd(8): check for convtime() refusing to accept times that
resolve to LONG_MAX Reported by Kirk Wolf bz2977
* ssh(1): slightly more instructive error message when the user
specifies multiple -J options on the command-line. bz3015
* ssh-agent(1): process agent requests for RSA certificate private
keys using correct signature algorithm when requested. bz3016
* sftp(1): check for user@host when parsing sftp target. This
allows user@[1.2.3.4] to work without a path. bz#2999
* sshd(8): enlarge format buffer size for certificate serial
number so the log message can record any 64-bit integer without
truncation. bz#3012
* sshd(8): for PermitOpen violations add the remote host and port to
be able to more easily ascertain the source of the request. Add the
same logging for PermitListen violations which where not previously
logged at all.
* scp(1), sftp(1): use the correct POSIX format style for left
justification for the transfer progress meter. bz#3002
* sshd(8) when examining a configuration using sshd -T, assume any
attribute not provided by -C does not match, which allows it to work
when sshd_config contains a Match directive with or without -C.
bz#2858
* ssh(1), ssh-keygen(1): downgrade PKCS#11 "provider returned no
slots" warning from log level error to debug. This is common when
attempting to enumerate keys on smartcard readers with no cards
plugged in. bz#3058
* ssh(1), ssh-keygen(1): do not unconditionally log in to PKCS#11
tokens. Avoids spurious PIN prompts for keys not selected for
authentication in ssh(1) and when listing public keys available in
a token using ssh-keygen(1). bz#3006
Portability
-----------
* ssh(1): fix SIGWINCH delivery of Solaris for multiplexed sessions
bz#3030
* ssh(1), sshd(8): fix typo that prevented detection of Linux VRF
* sshd(8): add no-op implementation of pam_putenv to avoid build
breakage on platforms where the PAM implementation lacks this
function (e.g. HP-UX). bz#3008
* sftp-server(8): fix Solaris privilege sandbox from preventing
the legacy sftp rename operation from working (was refusing to
allow hard links to files owned by other users). bz#3036
* All: add a proc_pidinfo()-based closefrom() for OS X to avoid
the need to brute-force close all high-numbered file descriptors.
bz#3049
* sshd(8): in the Linux seccomp-bpf sandbox, allow mprotect(2) with
PROT_(READ|WRITE|NONE) only. This syscall is used by some hardened
heap allocators. Github PR#142
* sshd(8): in the Linux seccomp-bpf sandbox, allow the s390-specific
ioctl for ECC hardware support.
* All: use "doc" man page format if the mandoc(1) tool is present on
the system. Previously configure would not select the "doc" man
page format if mandoc was present but nroff was not.
* sshd(8): don't install duplicate STREAMS modules on Solaris; check
if STREAMS modules are already installed on a pty before installing
since when compiling with XPG>=4 they will likely be installed
already. Prevents hangs and duplicate lines on the terminal.
bz#2945 and bz#2998,
