forked from pool/openssh
Accepting request 222365 from home:pcerny:factory
- Update of the underlying OpenSSH to 6.5p1
- Update to 6.5p1
  Features since 6.4p1:
  * ssh(1), sshd(8): support for key exchange using ECDH in Daniel Bernstein's Curve25519; default when both the client and server support it.
  * ssh(1), sshd(8): support for Ed25519 as a public key type for both server and client. Ed25519 is an EC signature offering better security than ECDSA and DSA and good performance.
  * Add a new private key format that uses a bcrypt KDF to better protect keys at rest. Used unconditionally for Ed25519 keys, on demand for other key types via the -o ssh-keygen(1) option. Intended to become default in the near future. Details documented in PROTOCOL.key.
  * ssh(1), sshd(8): new transport cipher "chacha20-poly1305@openssh.com" combining Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details documented in PROTOCOL.chacha20poly1305.
  * ssh(1), sshd(8): refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release.
  * ssh(1), sshd(8): refuse old proprietary clients and servers that use a weaker key exchange hash calculation.
  * ssh(1): increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by

OBS-URL: https://build.opensuse.org/request/show/222365
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=63
committed by Git OBS Bridge
parent b189026b63
commit 08f9072513
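The commit message above describes the new private key container ("openssh-key-v1", documented in PROTOCOL.key) that ssh-keygen -o writes and that protects the key at rest with a bcrypt KDF. Whether a key on disk actually uses it, and whether it is encrypted at all, is something an auditor wants to check without trusting the file name. The following is an added example, not code from the openSUSE package or from OpenSSH: it parses the public part of the new container (magic, cipher name, KDF name, bcrypt salt and round count, per-key type) and falls back to the headers of the legacy PEM format. The key material in the samples is constructed in code with placeholder bytes, not generated by ssh-keygen, so only the container layout is real.

```python
"""Report how an OpenSSH private key file is protected at rest.

Added example (not part of the package or of OpenSSH). Parses the
"openssh-key-v1" container from PROTOCOL.key far enough to read the
cipher, the KDF and its bcrypt round count, and recognises the legacy
PEM headers. Sample keys below are constructed with placeholder bytes.
"""
import base64
import struct

NEW_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
NEW_END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read an SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string'."""
    return struct.pack(">I", len(b)) + b


def inspect_key(pem_text: str) -> dict:
    """Return format, cipher, kdf, bcrypt rounds, key types and an at-rest verdict."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")
    if lines[0] == NEW_BEGIN:
        if NEW_END not in lines:
            raise ValueError("missing END line")
        blob = base64.b64decode("".join(lines[1:lines.index(NEW_END)]), validate=True)
        if not blob.startswith(MAGIC):
            raise ValueError("bad magic; not an openssh-key-v1 container")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)     # "none" means unencrypted
        kdf, off = _read_string(blob, off)        # "none" or "bcrypt"
        kdfopts, off = _read_string(blob, off)    # bcrypt: string salt, uint32 rounds
        if off + 4 > len(blob):
            raise ValueError("truncated key count")
        (nkeys,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        key_types = []
        for _ in range(nkeys):                    # public keys are stored in the clear
            pub, off = _read_string(blob, off)
            ktype, _ = _read_string(pub, 0)
            key_types.append(ktype.decode())
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            if o + 4 > len(kdfopts):
                raise ValueError("truncated bcrypt rounds")
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "bcrypt_rounds": rounds,
                "key_types": key_types, "encrypted_at_rest": cipher != b"none"}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encryption is signalled by a Proc-Type header, not by a KDF.
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return {"format": "legacy-pem", "cipher": None, "kdf": None,
                "bcrypt_rounds": None, "key_types": [lines[0][11:-17]],
                "encrypted_at_rest": encrypted}
    raise ValueError("not a recognised private key file")


def build_sample_key(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Constructed sample in the new container (placeholder bytes, not a real key)."""
    pub = _string(b"ssh-ed25519") + _string(b"\x11" * 32)
    kdfopts = _string(b"\x22" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    priv = _string(b"\x33" * 64)  # stands in for the (possibly encrypted) private section
    blob = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(pub) + priv)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{NEW_BEGIN}\n{wrapped}\n{NEW_END}\n"


# Constructed legacy samples; bodies are placeholders, only the headers matter here.
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
                    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for sample in (build_sample_key(b"aes256-ctr", b"bcrypt", 16),
                   build_sample_key(b"none", b"none", 0), LEGACY_PLAIN, LEGACY_ENCRYPTED):
        print(inspect_key(sample))
```

A key that reports cipher "none" in the new container, or a legacy PEM without a Proc-Type header, sits on disk unprotected; the commit message's own note that the separate key converter was dropped because ssh-keygen can do the job points at the remedy, ssh-keygen with -o (and -p to re-encrypt).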
@@ -1,3 +1,98 @@
-------------------------------------------------------------------
Wed Feb 12 01:24:16 UTC 2014 - pcerny@suse.com

- Update to 6.5p1
Features since 6.4p1:
* ssh(1), sshd(8): support for key exchange using ECDH in
Daniel Bernstein's Curve25519; default when both the client
and server support it.
* ssh(1), sshd(8): support for Ed25519 as a public key type fo
rboth server and client. Ed25519 is an EC signature offering
better security than ECDSA and DSA and good performance.
* Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. Used unconditionally for Ed25519 keys,
on demand for other key types via the -o ssh-keygen(1)
option. Intended to become default in the near future.
Details documented in PROTOCOL.key.
* ssh(1), sshd(8): new transport cipher
"chacha20-poly1305@openssh.com" combining Daniel Bernstein's
ChaCha20 stream cipher and Poly1305 MAC to build an
authenticated encryption mode. Details documented
PROTOCOL.chacha20poly1305.
* ssh(1), sshd(8): refuse RSA keys from old proprietary clients
and servers that use the obsolete RSA+MD5 signature scheme.
It will still be possible to connect with these
clients/servers but only DSA keys will be accepted, and
OpenSSH will refuse connection entirely in a future release.
* ssh(1), sshd(8): refuse old proprietary clients and servers
that use a weaker key exchange hash calculation.
* ssh(1): increase the size of the Diffie-Hellman groups
requested for each symmetric key size. New values from NIST
Special Publication 800-57 with the upper limit specified by
RFC4419.
* ssh(1), ssh-agent(1): support pkcs#11 tokens that only
provide X.509 certs instead of raw public keys (requested as
bz#1908).
* ssh(1): new ssh_config(5) "Match" keyword that allows
conditional configuration to be applied by matching on
hostname, user and result of arbitrary commands.
* ssh(1): support for client-side hostname canonicalisation
using a set of DNS suffixes and rules in ssh_config(5). This
allows unqualified names to be canonicalised to
fully-qualified domain names to eliminate ambiguity when
looking up keys in known_hosts or checking host certificate
names.
* sftp-server(8): ability to whitelist and/or blacklist sftp
protocol requests by name.
* sftp-server(8): sftp "fsync@openssh.com" to support calling
fsync(2) on an open file handle.
* sshd(8): ssh_config(5) PermitTTY to disallow TTY allocation,
mirroring the longstanding no-pty authorized_keys option.
* ssh(1): ssh_config ProxyUseFDPass option that supports the
use of ProxyCommands that establish a connection and then
pass a connected file descriptor back to ssh(1). This allows
the ProxyCommand to exit rather than staying around to
transfer data.
Bugfixes since 6.4p1:
* ssh(1), sshd(8): fix potential stack exhaustion caused by
nested certificates.
* ssh(1): bz#1211: make BindAddress work with
UsePrivilegedPort.
* sftp(1): bz#2137: fix the progress meter for resumed
transfer.
* ssh-add(1): bz#2187: do not request smartcard PIN when
removing keys from ssh-agent.
* sshd(8): bz#2139: fix re-exec fallback when original sshd
binary cannot be executed.
* ssh-keygen(1): make relative-specified certificate expiry
times relative to current time and not the validity start
time.
* sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match
block.
* sftp(1): bz#2129: symlinking a file would incorrectly
canonicalise the target path.
* ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11
agent helper executable.
* sshd(8): improve logging of sessions to include the user
name, remote host and port, the session type (shell, command,
etc.) and allocated TTY (if any).
* sshd(8): bz#1297: tell the client (via a debug message) when
their preferred listen address has been overridden by the
server's GatewayPorts setting.
* sshd(8): bz#2162: include report port in bad protocol banner
message.
* sftp(1): bz#2163: fix memory leak in error path in
do_readdir().
* sftp(1): bz#2171: don't leak file descriptor on error.
* sshd(8): include the local address and port in "Connection
from ..." message (only shown at loglevel>=verbose).
- systemd systems
* create sysconfig file on systemd systems as well, yet do not
require it at run-time (bnc#862600)
* symlink rcsshd to /usr/bin/service
- rename "-forcepermissions" patch to "-sftp_force_permissions"
- disable key converter - ssh-keygen is able to do the same

-------------------------------------------------------------------
Tue Feb 11 07:42:09 UTC 2014 - meissner@suse.com

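Review bot: two slips in the release-notes text pasted into this .changes entry should be fixed before it ships, since the file is user-facing: the Ed25519 item reads "a public key type fo / rboth server and client" and should read "for both", and the PermitTTY item says "sshd(8): ssh_config(5) PermitTTY" although PermitTTY is a server option (the line itself says it mirrors the authorized_keys no-pty restriction), so it should name sshd_config(5). Minor: "Details documented PROTOCOL.chacha20poly1305." is missing "in", and the chacha20-poly1305 and Ed25519 items are the ones most likely to be read by admins deciding what to enable, so they are worth getting right.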