Call for testing: OpenSSH-6.2
Andy Tsouladze
andyb1 at andy-t.org
Thu Feb 28 04:04:39 EST 2013
openssh-SNAP-20130228.tar.gz builds cleanly, with all tests passed on:
Slackware-14.0 64-bit (gcc-4.7.1, openssl-1.0.1c)
Slackware-13.0 32-bit (gcc-4.3.3, openssl-0.9.8k)
Regards,
Andy
On Wed, 27 Feb 2013, Damien Miller wrote:
> Hi,
>
> It's that time again...
>
> OpenSSH 6.2 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.1
> =========================
>
> Features:
>
> * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
> SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
> and aes256-gcm@openssh.com. It uses an identical packet format to the
> AES-GCM mode specified in RFC 5647, but uses simpler and different
> selection rules during key exchange.
>
> * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
> for SSH protocol 2. These modes alter the packet format and compute
> the MAC over the packet length and encrypted packet rather than over
> the plaintext data. These modes are considered more secure and are
> used by default when available.
>
> * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
> "umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter
> being an encrypt-then-mac mode.
>
> * sshd(8): Added support for multiple required authentication in SSH
> protocol 2 via an AuthenticationMethods option. This option lists
> one or more comma-separated lists of authentication method names.
> Successful completion of all the methods in any list is required for
> authentication to complete. This allows, for example, requiring a
> user having to authenticate via public key or GSSAPI before they
> are offered password authentication.
>
> * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
> (KRLs), a compact binary format to represent lists of revoked keys
> and certificates that take as little as one bit per certificate when
> revoking by serial number. KRLs may be generated using ssh-keygen(1)
> and are loaded into sshd(8) via the existing RevokedKeys sshd_config
> option.
>
> * ssh(1): IdentitiesOnly now applies to keys obtained from a
> PKCS11Provider. This allows control of which keys are offered from
> tokens using IdentityFile.
>
> * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
> and "remote" in addition to its previous "yes"/"no" keywords to allow
> the server to specify whether just local or remote TCP forwarding is
> enabled.
>
> * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
> support fetching authorized_keys from a command in addition to (or
> instead of) from the filesystem. The command is run under an account
> specified by an AuthorizedKeysCommandUser sshd_config(5) option.
>
> * sftp-server(8): Now supports a -d option to allow the starting
> directory to be something other than the user's home directory.
>
> * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
> tokens using "ssh-keygen -lD pkcs11_provider".
>
> * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
> now immediately sends its SSH protocol banner to the server without
> waiting to receive the server's banner, saving time when connecting.
>
> * ssh(1): Added ~v and ~V escape sequences to raise and lower the
> logging level respectively.
>
> * ssh(1): Made the escape command help (~?) context sensitive so that
> only commands that will work in the current session are shown.
>
> * ssh-keygen(1): When deleting host lines from known_hosts using
> "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
> were removed.
>
> Bugfixes:
>
> * ssh(1): Force a clean shutdown of ControlMaster client sessions when
> the ~. escape sequence is used. This means that ~. should now work in
> mux clients even if the server is no longer responding.
>
> * ssh(1): Correctly detect errors during local TCP forward setup in
> multiplexed clients. bz#2055
>
> * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
> adding keys with respect to certificates. It now tries to delete the
> corresponding certificate and respects the -k option to allow deleting
> of the key only.
>
> * sftp(1): Fix a number of parsing and command-editing bugs, including
> bz#1956
>
> * ssh(1): When muxmaster is run with -N, ensured that it shuts down
> gracefully when a client sends it "-O stop" rather than hanging around.
> bz#1985
>
> * ssh-keygen(1): When screening moduli candidates, append to the file
> rather than overwriting to allow resumption. bz#1957
>
> * ssh(1): Record "Received disconnect" messages at ERROR rather than
> INFO priority. bz#2057.
>
> * ssh(1): Loudly warn if explicitly-provided private key is unreadable.
> bz#1981
>
> Portable OpenSSH:
>
> * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
> platforms where the kernel supports it.
>
> * sshd(8): The seccomp-filter sandbox will not be enabled if the system
> headers support it at compile time, regardless of whether it can be
> enabled then. If the run-time system does not support seccomp-filter,
> sshd will fall back to the rlimit pseudo-sandbox.
>
> * ssh(1): Don't link in the Kerberos libraries. They aren't necessary
> on the client, just on sshd(8). bz#2072
>
> * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
> library. bz#2073
>
> * Fix compilation on systems with openssl-1.0.0-fips.
>
> * Fix a number of errors in the RPM spec files.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
Dr Andy Tsouladze
Sr Unix/Storage SysAdmin
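
The AuthenticationMethods semantics described in the quoted release notes, modelled as an added example (not part of the original message and not sshd's own code). It assumes that lists are separated by whitespace, that methods within a list must be completed in order, and that only the method at the head of a remaining list is offered; the function names are hypothetical.

```python
def parse_authentication_methods(value):
    """Split an AuthenticationMethods value into lists of method names."""
    lists = [entry.split(",") for entry in value.split()]
    if not lists or any(name == "" for lst in lists for name in lst):
        raise ValueError(f"malformed AuthenticationMethods value: {value!r}")
    return lists


def offered(remaining):
    """Methods a client may attempt now: the head of each remaining list."""
    return sorted({lst[0] for lst in remaining if lst})


def record_success(remaining, method):
    """Drop `method` from the head of every list that starts with it.

    Returns (authenticated, updated_lists); authentication completes as
    soon as any one list has been emptied.
    """
    updated = [lst[1:] if lst and lst[0] == method else lst
               for lst in remaining]
    return any(not lst for lst in updated), updated


def simulate(value, successes):
    """Replay successfully completed methods against a policy value."""
    remaining = parse_authentication_methods(value)
    for method in successes:
        if method not in offered(remaining):
            return False  # not offered at this stage, so it cannot count
        done, remaining = record_success(remaining, method)
        if done:
            return True
    return False  # every list still has unmet methods


# Constructed policy matching the release-note example: public key or
# GSSAPI must succeed before password authentication is offered.
POLICY = "publickey,password gssapi-with-mic,password"

if __name__ == "__main__":
    for attempt in (["publickey", "password"], ["password"], ["publickey"]):
        print(attempt, "->", simulate(POLICY, attempt))
```
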