Revision tags: release/14.0.0 |
|
#
535af610 |
| 11-Aug-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system
ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories.
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name.
* ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location.
* ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it.
* ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567
Full release notes at https://www.openssh.com/txt/release-9.4
Relnotes: Yes Sponsored by: The FreeBSD Foundation
show more ...
|
Revision tags: release/13.2.0 |
|
#
f374ba41 |
| 06-Feb-2023 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.2p1
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory saf
ssh: update to OpenSSH 9.2p1
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels.
* sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has.
* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976
* ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499
MFC after: 1 week Sponsored by: The FreeBSD Foundation
show more ...
|
Revision tags: release/12.4.0 |
|
#
38a52bd3 |
| 19-Oct-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have lready been merged to the c
ssh: update to OpenSSH 9.1p1
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system.
Some highlights copied from the release notes:
Potentially-incompatible changes --------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.
New features ------------
* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings.
* sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429
MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation
show more ...
|
Revision tags: release/13.1.0 |
|
#
1323ec57 |
| 13-Apr-2022 |
Ed Maste <emaste@FreeBSD.org> |
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting
ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.
Future deprecation notice =========================
A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation
show more ...
|
Revision tags: release/12.3.0 |
|
#
19261079 |
| 08-Sep-2021 |
Ed Maste <emaste@FreeBSD.org> |
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new ho
openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.
Additional integration work is needed to support FIDO/U2F in the base system.
Deprecation Notice ------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the next release.
Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
show more ...
|