forked from pool/openssh
6543c1a02b
- update to 8.4p1:
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
a FIDO resident key.
* ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
"verify-required" option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
New Features
------------
* sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token verified
that the user was present before making the signature. The FIDO
protocol supports multiple methods for user-verification, but
currently OpenSSH only supports PIN verification.
* sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
* ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are CertificateFile,
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
RemoteForward when used for Unix domain socket paths. bz#3140
* ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use. bz#69
* ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
OBS-URL: https://build.opensuse.org/request/show/863944
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=222
There are following changes in default settings of ssh client and server: * Accepting and sending of locale environment variables in protocol 2 is enabled. * PAM authentication is enabled and mostly even required, do not turn it off. * root authentiation with password is enabled by default (PermitRootLogin yes). NOTE: this has security implications and is only done in order to not change behaviour of the server in an update. We strongly suggest setting this option either "prohibit-password" or even better to "no" (which disables direct remote root login entirely). * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot be considered safe any more. * Accepting all RFC4419 specified DH group parameters. See KexDHMin in ssh_config and sshd_config manual pages. For more information on differences in SUSE OpenSSH package see README.FIPS