Announce: OpenSSH 6.2 released
Iain Morgan
imorgan at nas.nasa.gov
Sat Mar 23 12:20:20 EST 2013
There are some _really_ nice features in this release. Thanks to the
OpenSSH developers for all their effort!
--
Iain Morgan
On Thu, Mar 21, 2013 at 19:38:43 -0500, Damien Miller wrote:
>
> Changes since OpenSSH 6.1
> =========================
>
> This release introduces a number of new features:
>
> Features:
>
> * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
> SSH protocol 2. The new cipher is available as aes128-gcm at openssh.com
> and aes256-gcm at openssh.com. It uses an identical packet format to the
> AES-GCM mode specified in RFC 5647, but uses simpler and different
> selection rules during key exchange.
>
> * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
> for SSH protocol 2. These modes alter the packet format and compute
> the MAC over the packet length and encrypted packet rather than over
> the plaintext data. These modes are considered more secure and are
> used by default when available.
>
> * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
> "umac-128 at openssh.com" and "umac-128-etm at openssh.com". The latter
> being an encrypt-then-mac mode.
>
> * sshd(8): Added support for multiple required authentication in SSH
> protocol 2 via an AuthenticationMethods option. This option lists
> one or more comma-separated lists of authentication method names.
> Successful completion of all the methods in any list is required for
> authentication to complete. This allows, for example, requiring a
> user having to authenticate via public key or GSSAPI before they
> are offered password authentication.
>
> * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
> (KRLs), a compact binary format to represent lists of revoked keys
> and certificates that take as little as one bit per certificate when
> revoking by serial number. KRLs may be generated using ssh-keygen(1)
> and are loaded into sshd(8) via the existing RevokedKeys sshd_config
> option.
>
> * ssh(1): IdentitiesOnly now applies to keys obtained from a
> PKCS11Provider. This allows control of which keys are offered from
> tokens using IdentityFile.
>
> * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
> and "remote" in addition to its previous "yes"/"no" keywords to allow
> the server to specify whether just local or remote TCP forwarding is
> enabled.
>
> * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
> support fetching authorized_keys from a command in addition to (or
> instead of) from the filesystem. The command is run under an account
> specified by an AuthorizedKeysCommandUser sshd_config(5) option.
>
> * sftp-server(8): Now supports a -d option to allow the starting
> directory to be something other than the user's home directory.
>
> * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
> tokens using "ssh-keygen -lD pkcs11_provider".
>
> * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
> now immediately sends its SSH protocol banner to the server without
> waiting to receive the server's banner, saving time when connecting.
>
> * ssh(1): Added ~v and ~V escape sequences to raise and lower the
> logging level respectively.
>
> * ssh(1): Made the escape command help (~?) context sensitive so that
> only commands that will work in the current session are shown.
>
> * ssh-keygen(1): When deleting host lines from known_hosts using
> "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
> were removed.
>
> Bugfixes:
>
> * ssh(1): Force a clean shutdown of ControlMaster client sessions when
> the ~. escape sequence is used. This means that ~. should now work in
> mux clients even if the server is no longer responding.
>
> * ssh(1): Correctly detect errors during local TCP forward setup in
> multiplexed clients. bz#2055
>
> * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
> adding keys with respect to certificates. It now tries to delete the
> corresponding certificate and respects the -k option to allow deleting
> of the key only.
>
> * sftp(1): Fix a number of parsing and command-editing bugs, including
> bz#1956
>
> * ssh(1): When muxmaster is run with -N, ensured that it shuts down
> gracefully when a client sends it "-O stop" rather than hanging around.
> bz#1985
>
> * ssh-keygen(1): When screening moduli candidates, append to the file
> rather than overwriting to allow resumption. bz#1957
>
> * ssh(1): Record "Received disconnect" messages at ERROR rather than
> INFO priority. bz#2057.
>
> * ssh(1): Loudly warn if explicitly-provided private key is unreadable.
> bz#1981
>
> Portable OpenSSH:
>
> * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
> platforms where the kernel supports it.
>
> * sshd(8): The seccomp-filter sandbox will not be enabled if the system
> headers support it at compile time, regardless of whether it can be
> enabled then. If the run-time system does not support seccomp-filter,
> sshd will fall back to the rlimit pseudo-sandbox.
>
> * ssh(1): Don't link in the Kerberos libraries. They aren't necessary
> on the client, just on sshd(8). bz#2072
>
> * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
> library. bz#2073
>
> * Fix compilation on systems with openssl-1.0.0-fips.
>
> * Fix a number of errors in the RPM spec files.
>
> Checksums:
> ==========
>
> - SHA1 (openssh-6.2.tar.gz) = b3f6cd774d345f22f6d0038cc9464cce131a0676
> - SHA1 (openssh-6.2p1.tar.gz) = 8824708c617cc781b2bb29fa20bd905fd3d2a43d
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Iain Morgan
More information about the openssh-unix-dev
mailing list