openssh/debian/NEWS

322 lines
15 KiB
Plaintext
Raw Normal View History

openssh (1:8.2p1-1) unstable; urgency=medium
OpenSSH 8.2 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will use
the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
CA signs new certificates.
Certificates are at special risk to SHA1 collision vulnerabilities as
an attacker has effectively unlimited time in which to craft a
collision that yields them a valid certificate, far more than the
relatively brief LoginGraceTime window that they have to forge a host
key signature.
The OpenSSH certificate format includes a CA-specified (typically
random) nonce value near the start of the certificate that should make
exploitation of chosen-prefix collisions in this context challenging,
as the attacker does not have full control over the prefix that
actually gets signed. Nonetheless, SHA1 is now a demonstrably broken
algorithm and further improvements in attacks are highly likely.
OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
algorithms and will refuse to accept certificates signed by an OpenSSH
8.2+ CA using RSA keys unless the unsafe algorithm is explicitly
selected during signing ("ssh-keygen -t ssh-rsa"). Older
clients/servers may use another CA key type such as ssh-ed25519
(supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521
types (supported since OpenSSH 5.7) instead if they cannot be upgraded.
* ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
key exchange proposal for both the client and server.
* ssh-keygen(1): The command-line options related to the generation and
screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have changed.
Most options have been folded under the -O flag.
* sshd(8): The sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured by
MaxStartups.
-- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 16:36:37 +0000
openssh (1:8.1p1-1) unstable; urgency=medium
OpenSSH 8.1 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
Certificates signed by RSA keys will therefore be incompatible with
OpenSSH versions prior to 7.2 unless the default is overridden (using
"ssh-keygen -t ssh-rsa -s ...").
-- Colin Watson <cjwatson@debian.org> Thu, 10 Oct 2019 10:23:19 +0100
openssh (1:8.0p1-1) experimental; urgency=medium
OpenSSH 8.0 includes a number of changes that may affect existing
configurations:
* sshd(8): Remove support for obsolete "host/port" syntax.
Slash-separated host/port was added in 2001 as an alternative to
host:port syntax for the benefit of IPv6 users. These days there are
established standards for this like [::1]:22 and the slash syntax is
easily mistaken for CIDR notation, which OpenSSH supports for some
things. Remove the slash notation from ListenAddress and PermitOpen.
-- Colin Watson <cjwatson@debian.org> Sun, 09 Jun 2019 22:47:27 +0100
openssh (1:7.9p1-1) unstable; urgency=medium
OpenSSH 7.9 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
bans the use of DSA keys as certificate authorities.
* sshd(8): the authentication success/failure log message has changed
format slightly. It now includes the certificate fingerprint
(previously it included only key ID and CA key fingerprint).
-- Colin Watson <cjwatson@debian.org> Sun, 21 Oct 2018 10:39:24 +0100
openssh (1:7.8p1-1) unstable; urgency=medium
OpenSSH 7.8 includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): Write OpenSSH format private keys by default instead of
using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
releases since 2014 and described in the PROTOCOL.key file in the
source distribution, offers substantially better protection against
offline password guessing and supports key comments in private keys.
If necessary, it is possible to write old PEM-style keys by adding "-m
PEM" to ssh-keygen's arguments when generating or updating a key.
* sshd(8): Remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): Remove vestigial support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long gone)
rhosts-style authentication, but has not been necessary for a long
time. Attempting to execute ssh as a setuid binary, or with uid !=
effective uid will now yield a fatal error at runtime.
* sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted key
types. This distinction matters when using the RSA/SHA2 signature
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
counterparts. Configurations that override these options but omit
these algorithm names may cause unexpected authentication failures (no
action is required for configurations that accept the default for these
options).
* sshd(8): The precedence of session environment variables has changed.
~/.ssh/environment and environment="..." options in authorized_keys
files can no longer override SSH_* variables set implicitly by sshd.
* ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
-- Colin Watson <cjwatson@debian.org> Thu, 30 Aug 2018 15:35:27 +0100
openssh (1:7.6p1-1) unstable; urgency=medium
OpenSSH 7.6 includes a number of changes that may affect existing
configurations:
* ssh(1): Delete SSH protocol version 1 support, associated configuration
options and documentation.
* ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
* ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
ciphers.
* Refuse RSA keys <1024 bits in length and improve reporting for keys
that do not meet this requirement.
* ssh(1): Do not offer CBC ciphers by default.
-- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 12:36:48 +0100
openssh (1:7.5p1-1) experimental; urgency=medium
OpenSSH 7.5 includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation option,
thereby making privilege separation mandatory.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and their
authentication state. Software that monitors ssh/sshd logs may need to
account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
-- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 02:58:01 +0100
openssh (1:7.4p1-7) unstable; urgency=medium
This version restores the default for AuthorizedKeysFile to search both
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
Debian configurations before 1:7.4p1-1. Upstream intends to phase out
searching ~/.ssh/authorized_keys2 by default, so you should ensure that
you are only using ~/.ssh/authorized_keys, at least for critical
administrative access; do not assume that the current default will remain
in place forever.
-- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
openssh (1:7.4p1-1) unstable; urgency=medium
OpenSSH 7.4 includes a number of changes that may affect existing
configurations:
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
mandatory cipher in the SSH RFCs, this may cause problems connecting to
older devices using the default configuration, but it's highly likely
that such devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
* sshd(8): Remove support for pre-authentication compression. Doing
compression early in the protocol probably seemed reasonable in the
1990s, but today it's clearly a bad idea in terms of both cryptography
(cf. multiple compression oracle attacks in TLS) and attack surface.
Pre-auth compression support has been disabled by default for >10
years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
trusted paths by default. The path whitelist may be specified at
run-time.
* sshd(8): When a forced-command appears in both a certificate and an
authorized keys/principals command= restriction, sshd will now refuse
to accept the certificate unless they are identical. The previous
(documented) behaviour of having the certificate forced-command
override the other could be a bit confusing and error-prone.
* sshd(8): Remove the UseLogin configuration directive and support for
having /bin/login manage login sessions.
The unprivileged sshd process that deals with pre-authentication network
traffic is now subject to additional sandboxing restrictions by default:
that is, the default sshd_config now sets UsePrivilegeSeparation to
"sandbox" rather than "yes". This has been the case upstream for a while,
but until now the Debian configuration diverged unnecessarily.
-- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000
openssh (1:7.2p1-1) unstable; urgency=medium
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
openssh (1:7.1p1-2) unstable; urgency=medium
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
openssh (1:6.9p1-1) unstable; urgency=medium
UseDNS now defaults to 'no'. Configurations that match against the client
host name (via sshd_config or authorized_keys) may need to re-enable it or
convert to matching against addresses.
-- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
openssh (1:6.7p1-5) unstable; urgency=medium
openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
a number of specific LC_FOO variables rather than the wildcard LC_*. I
have since been persuaded that this was a bad idea and have reverted it,
but it is difficult to automatically undo the change to
/etc/ssh/sshd_config without compounding the problem (that of modifying
configuration that some users did not want to be modified) further. Most
users who upgraded via version 1:6.7p1-4 should restore the previous value
of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
-- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
openssh (1:5.4p1-2) unstable; urgency=low
Smartcard support is now available using PKCS#11 tokens. If you were
previously using an unofficial build of Debian's OpenSSH package with
OpenSC-based smartcard support added, then note that commands like
'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
/usr/lib/opensc-pkcs11.so' instead.
-- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
openssh (1:3.8.1p1-9) experimental; urgency=low
The ssh package has been split into openssh-client and openssh-server. If
you had previously requested that the sshd server should not be run, then
that request will still be honoured. However, the recommended approach is
now to remove the openssh-server package if you do not want to run sshd.
You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
that.
-- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
openssh (1:3.5p1-1) unstable; urgency=low
This version of OpenSSH disables the environment option for public keys by
default, in order to avoid certain attacks (for example, LD_PRELOAD). If
you are using this option in an authorized_keys file, beware that the keys
in question will no longer work until the option is removed.
To re-enable this option, set "PermitUserEnvironment yes" in
/etc/ssh/sshd_config after the upgrade is complete, taking note of the
warning in the sshd_config(5) manual page.
-- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
openssh (1:3.0.1p1-1) unstable; urgency=high
As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
keys. This means the authorized_keys2 and known_hosts2 files are no longer
needed. They will still be read in order to maintain backward
compatibility.
-- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000