mirror of https://gitee.com/openkylin/openssh.git
322 lines
15 KiB
Plaintext
322 lines
15 KiB
Plaintext
|
openssh (1:8.2p1-1) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 8.2 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa"
|
||
|
(RSA/SHA1) algorithm from those accepted for certificate signatures
|
||
|
(i.e. the client and server CASignatureAlgorithms option) and will use
|
||
|
the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
|
||
|
CA signs new certificates.
|
||
|
|
||
|
Certificates are at special risk to SHA1 collision vulnerabilities as
|
||
|
an attacker has effectively unlimited time in which to craft a
|
||
|
collision that yields them a valid certificate, far more than the
|
||
|
relatively brief LoginGraceTime window that they have to forge a host
|
||
|
key signature.
|
||
|
|
||
|
The OpenSSH certificate format includes a CA-specified (typically
|
||
|
random) nonce value near the start of the certificate that should make
|
||
|
exploitation of chosen-prefix collisions in this context challenging,
|
||
|
as the attacker does not have full control over the prefix that
|
||
|
actually gets signed. Nonetheless, SHA1 is now a demonstrably broken
|
||
|
algorithm and further improvements in attacks are highly likely.
|
||
|
|
||
|
OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
|
||
|
algorithms and will refuse to accept certificates signed by an OpenSSH
|
||
|
8.2+ CA using RSA keys unless the unsafe algorithm is explicitly
|
||
|
selected during signing ("ssh-keygen -t ssh-rsa"). Older
|
||
|
clients/servers may use another CA key type such as ssh-ed25519
|
||
|
(supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521
|
||
|
types (supported since OpenSSH 5.7) instead if they cannot be upgraded.
|
||
|
|
||
|
* ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
|
||
|
key exchange proposal for both the client and server.
|
||
|
|
||
|
* ssh-keygen(1): The command-line options related to the generation and
|
||
|
screening of safe prime numbers used by the
|
||
|
diffie-hellman-group-exchange-* key exchange algorithms have changed.
|
||
|
Most options have been folded under the -O flag.
|
||
|
|
||
|
* sshd(8): The sshd listener process title visible to ps(1) has changed
|
||
|
to include information about the number of connections that are
|
||
|
currently attempting authentication and the limits configured by
|
||
|
MaxStartups.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 16:36:37 +0000
|
||
|
|
||
|
openssh (1:8.1p1-1) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 8.1 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* ssh-keygen(1): when acting as a CA and signing certificates with an RSA
|
||
|
key, default to using the rsa-sha2-512 signature algorithm.
|
||
|
Certificates signed by RSA keys will therefore be incompatible with
|
||
|
OpenSSH versions prior to 7.2 unless the default is overridden (using
|
||
|
"ssh-keygen -t ssh-rsa -s ...").
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Thu, 10 Oct 2019 10:23:19 +0100
|
||
|
|
||
|
openssh (1:8.0p1-1) experimental; urgency=medium
|
||
|
|
||
|
OpenSSH 8.0 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* sshd(8): Remove support for obsolete "host/port" syntax.
|
||
|
Slash-separated host/port was added in 2001 as an alternative to
|
||
|
host:port syntax for the benefit of IPv6 users. These days there are
|
||
|
established standards for this like [::1]:22 and the slash syntax is
|
||
|
easily mistaken for CIDR notation, which OpenSSH supports for some
|
||
|
things. Remove the slash notation from ListenAddress and PermitOpen.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Sun, 09 Jun 2019 22:47:27 +0100
|
||
|
|
||
|
openssh (1:7.9p1-1) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 7.9 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
|
||
|
bans the use of DSA keys as certificate authorities.
|
||
|
* sshd(8): the authentication success/failure log message has changed
|
||
|
format slightly. It now includes the certificate fingerprint
|
||
|
(previously it included only key ID and CA key fingerprint).
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Sun, 21 Oct 2018 10:39:24 +0100
|
||
|
|
||
|
openssh (1:7.8p1-1) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 7.8 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* ssh-keygen(1): Write OpenSSH format private keys by default instead of
|
||
|
using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
|
||
|
releases since 2014 and described in the PROTOCOL.key file in the
|
||
|
source distribution, offers substantially better protection against
|
||
|
offline password guessing and supports key comments in private keys.
|
||
|
If necessary, it is possible to write old PEM-style keys by adding "-m
|
||
|
PEM" to ssh-keygen's arguments when generating or updating a key.
|
||
|
* sshd(8): Remove internal support for S/Key multiple factor
|
||
|
authentication. S/Key may still be used via PAM or BSD auth.
|
||
|
* ssh(1): Remove vestigial support for running ssh(1) as setuid. This
|
||
|
used to be required for hostbased authentication and the (long gone)
|
||
|
rhosts-style authentication, but has not been necessary for a long
|
||
|
time. Attempting to execute ssh as a setuid binary, or with uid !=
|
||
|
effective uid will now yield a fatal error at runtime.
|
||
|
* sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
|
||
|
HostbasedAcceptedKeyTypes options have changed. These now specify
|
||
|
signature algorithms that are accepted for their respective
|
||
|
authentication mechanism, where previously they specified accepted key
|
||
|
types. This distinction matters when using the RSA/SHA2 signature
|
||
|
algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
|
||
|
counterparts. Configurations that override these options but omit
|
||
|
these algorithm names may cause unexpected authentication failures (no
|
||
|
action is required for configurations that accept the default for these
|
||
|
options).
|
||
|
* sshd(8): The precedence of session environment variables has changed.
|
||
|
~/.ssh/environment and environment="..." options in authorized_keys
|
||
|
files can no longer override SSH_* variables set implicitly by sshd.
|
||
|
* ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
|
||
|
will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
|
||
|
detailed rationale, please see the commit message:
|
||
|
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Thu, 30 Aug 2018 15:35:27 +0100
|
||
|
|
||
|
openssh (1:7.6p1-1) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 7.6 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* ssh(1): Delete SSH protocol version 1 support, associated configuration
|
||
|
options and documentation.
|
||
|
* ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
|
||
|
* ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
|
||
|
ciphers.
|
||
|
* Refuse RSA keys <1024 bits in length and improve reporting for keys
|
||
|
that do not meet this requirement.
|
||
|
* ssh(1): Do not offer CBC ciphers by default.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 12:36:48 +0100
|
||
|
|
||
|
openssh (1:7.5p1-1) experimental; urgency=medium
|
||
|
|
||
|
OpenSSH 7.5 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* This release deprecates the sshd_config UsePrivilegeSeparation option,
|
||
|
thereby making privilege separation mandatory.
|
||
|
|
||
|
* The format of several log messages emitted by the packet code has
|
||
|
changed to include additional information about the user and their
|
||
|
authentication state. Software that monitors ssh/sshd logs may need to
|
||
|
account for these changes. For example:
|
||
|
|
||
|
Connection closed by user x 1.1.1.1 port 1234 [preauth]
|
||
|
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
|
||
|
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
|
||
|
|
||
|
Affected messages include connection closure, timeout, remote
|
||
|
disconnection, negotiation failure and some other fatal messages
|
||
|
generated by the packet code.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 02:58:01 +0100
|
||
|
|
||
|
openssh (1:7.4p1-7) unstable; urgency=medium
|
||
|
|
||
|
This version restores the default for AuthorizedKeysFile to search both
|
||
|
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
|
||
|
Debian configurations before 1:7.4p1-1. Upstream intends to phase out
|
||
|
searching ~/.ssh/authorized_keys2 by default, so you should ensure that
|
||
|
you are only using ~/.ssh/authorized_keys, at least for critical
|
||
|
administrative access; do not assume that the current default will remain
|
||
|
in place forever.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
|
||
|
|
||
|
openssh (1:7.4p1-1) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 7.4 includes a number of changes that may affect existing
|
||
|
configurations:
|
||
|
|
||
|
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
|
||
|
block ciphers are not safe in 2016 and we don't want to wait until
|
||
|
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
|
||
|
mandatory cipher in the SSH RFCs, this may cause problems connecting to
|
||
|
older devices using the default configuration, but it's highly likely
|
||
|
that such devices already need explicit configuration for key exchange
|
||
|
and hostkey algorithms already anyway.
|
||
|
* sshd(8): Remove support for pre-authentication compression. Doing
|
||
|
compression early in the protocol probably seemed reasonable in the
|
||
|
1990s, but today it's clearly a bad idea in terms of both cryptography
|
||
|
(cf. multiple compression oracle attacks in TLS) and attack surface.
|
||
|
Pre-auth compression support has been disabled by default for >10
|
||
|
years. Support remains in the client.
|
||
|
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
|
||
|
trusted paths by default. The path whitelist may be specified at
|
||
|
run-time.
|
||
|
* sshd(8): When a forced-command appears in both a certificate and an
|
||
|
authorized keys/principals command= restriction, sshd will now refuse
|
||
|
to accept the certificate unless they are identical. The previous
|
||
|
(documented) behaviour of having the certificate forced-command
|
||
|
override the other could be a bit confusing and error-prone.
|
||
|
* sshd(8): Remove the UseLogin configuration directive and support for
|
||
|
having /bin/login manage login sessions.
|
||
|
|
||
|
The unprivileged sshd process that deals with pre-authentication network
|
||
|
traffic is now subject to additional sandboxing restrictions by default:
|
||
|
that is, the default sshd_config now sets UsePrivilegeSeparation to
|
||
|
"sandbox" rather than "yes". This has been the case upstream for a while,
|
||
|
but until now the Debian configuration diverged unnecessarily.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000
|
||
|
|
||
|
openssh (1:7.2p1-1) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
|
||
|
default in ssh:
|
||
|
|
||
|
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
|
||
|
rijndael-cbc aliases for AES.
|
||
|
* MD5-based and truncated HMAC algorithms.
|
||
|
|
||
|
These algorithms are already disabled by default in sshd.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
|
||
|
|
||
|
openssh (1:7.1p1-2) unstable; urgency=medium
|
||
|
|
||
|
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
|
||
|
cryptography.
|
||
|
|
||
|
* Support for the legacy SSH version 1 protocol is disabled by default at
|
||
|
compile time. Note that this also means that the Cipher keyword in
|
||
|
ssh_config(5) is effectively no longer usable; use Ciphers instead for
|
||
|
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
|
||
|
and "ssh-keygen1" binaries which you can use if you have no alternative
|
||
|
way to connect to an outdated SSH1-only server; please contact the
|
||
|
server administrator or system vendor in such cases and ask them to
|
||
|
upgrade.
|
||
|
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
|
||
|
disabled by default at run-time. It may be re-enabled using the
|
||
|
instructions at http://www.openssh.com/legacy.html
|
||
|
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
|
||
|
default at run-time. These may be re-enabled using the instructions at
|
||
|
http://www.openssh.com/legacy.html
|
||
|
* Support for the legacy v00 cert format has been removed.
|
||
|
|
||
|
Future releases will retire more legacy cryptography, including:
|
||
|
|
||
|
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
|
||
|
768 bits).
|
||
|
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
|
||
|
all arcfour variants, and the rijndael-cbc aliases for AES.
|
||
|
* MD5-based HMAC algorithms will be disabled by default.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
|
||
|
|
||
|
openssh (1:6.9p1-1) unstable; urgency=medium
|
||
|
|
||
|
UseDNS now defaults to 'no'. Configurations that match against the client
|
||
|
host name (via sshd_config or authorized_keys) may need to re-enable it or
|
||
|
convert to matching against addresses.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
|
||
|
|
||
|
openssh (1:6.7p1-5) unstable; urgency=medium
|
||
|
|
||
|
openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
|
||
|
a number of specific LC_FOO variables rather than the wildcard LC_*. I
|
||
|
have since been persuaded that this was a bad idea and have reverted it,
|
||
|
but it is difficult to automatically undo the change to
|
||
|
/etc/ssh/sshd_config without compounding the problem (that of modifying
|
||
|
configuration that some users did not want to be modified) further. Most
|
||
|
users who upgraded via version 1:6.7p1-4 should restore the previous value
|
||
|
of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
|
||
|
|
||
|
openssh (1:5.4p1-2) unstable; urgency=low
|
||
|
|
||
|
Smartcard support is now available using PKCS#11 tokens. If you were
|
||
|
previously using an unofficial build of Debian's OpenSSH package with
|
||
|
OpenSC-based smartcard support added, then note that commands like
|
||
|
'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
|
||
|
/usr/lib/opensc-pkcs11.so' instead.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
|
||
|
|
||
|
openssh (1:3.8.1p1-9) experimental; urgency=low
|
||
|
|
||
|
The ssh package has been split into openssh-client and openssh-server. If
|
||
|
you had previously requested that the sshd server should not be run, then
|
||
|
that request will still be honoured. However, the recommended approach is
|
||
|
now to remove the openssh-server package if you do not want to run sshd.
|
||
|
You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
|
||
|
that.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
|
||
|
|
||
|
openssh (1:3.5p1-1) unstable; urgency=low
|
||
|
|
||
|
This version of OpenSSH disables the environment option for public keys by
|
||
|
default, in order to avoid certain attacks (for example, LD_PRELOAD). If
|
||
|
you are using this option in an authorized_keys file, beware that the keys
|
||
|
in question will no longer work until the option is removed.
|
||
|
|
||
|
To re-enable this option, set "PermitUserEnvironment yes" in
|
||
|
/etc/ssh/sshd_config after the upgrade is complete, taking note of the
|
||
|
warning in the sshd_config(5) manual page.
|
||
|
|
||
|
-- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
|
||
|
|
||
|
openssh (1:3.0.1p1-1) unstable; urgency=high
|
||
|
|
||
|
As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
|
||
|
keys. This means the authorized_keys2 and known_hosts2 files are no longer
|
||
|
needed. They will still be read in order to maintain backward
|
||
|
compatibility.
|
||
|
|
||
|
-- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000
|