Call for testing: OpenSSH-6.5
Mark E. Lee
mark at markelee.com
Thu Jan 23 13:01:49 EST 2014
On Fri, 2014-01-17 at 11:26 +1100, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.5 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.4
> =========================
>
> This is a feature-focused release.
>
> New features:
>
> * ssh(1), sshd(8): Add support for key exchange using elliptic-curve
> Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
> method is the default when both the client and server support it.
>
> * ssh(1), sshd(8): Add support for Ed25519 as a public key type.
> Ed25519 is an elliptic curve signature scheme that offers
> better security than ECDSA and DSA and good performance. It may be
> used for both user and host keys.
>
> * Add a new private key format that uses a bcrypt KDF to better
> protect keys at rest. This format is used unconditionally for
> Ed25519 keys, but may be requested when generating or saving
> existing keys of other types via the -o ssh-keygen(1) option.
> We intend to make the new format the default in the near future.
> Details of the new format are in the PROTOCOL.key file.
>
> * ssh(1), sshd(8): Add a new transport cipher
> "chacha20-poly1305 at openssh.com" that combines Daniel Bernstein's
> ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
> encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
>
> * ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and
> servers that use the obsolete RSA+MD5 signature scheme. It will
> still be possible to connect with these clients/servers but only
> DSA keys will be accepted, and OpenSSH will refuse connection
> entirely in a future release.
>
> * ssh(1), sshd(8): Refuse old proprietary clients and servers that
> use a weaker key exchange hash calculation.
>
> * ssh(1): Increase the size of the Diffie-Hellman groups requested
> for each symmetric key size. New values from NIST Special
> Publication 800-57 with the upper limit specified by RFC4419
>
> * ssh(1), ssh-agent(1): Support pkcs#11 tokens that only provide
> X.509 certs instead of raw public keys (requested as bz#1908).
>
> * ssh(1): Add a ssh_config(5) "Match" keyword that allows
> conditional configuration to be applied by matching on hostname,
> user and result of arbitrary commands.
>
> * ssh(1): Add support for client-side hostname canonicalisation
> using a set of DNS suffixes and rules in ssh_config(5). This
> allows unqualified names to be canonicalised to fully-qualified
> domain names to eliminate ambiguity when looking up keys in
> known_hosts or checking host certificate names.
>
> * sftp-server(8): Add the ability to whitelist and/or blacklist sftp
> protocol requests by name.
>
> * sftp-server(8): Add a sftp "fsync at openssh.com" to support calling
> fsync(2) on an open file handle.
>
> * sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation,
> mirroring the longstanding no-pty authorized_keys option.
>
> * ssh(1): Add a ssh_config ProxyUseFDPass option that supports the
> use of ProxyCommands that establish a connection and then pass a
> connected file descriptor back to ssh(1). This allows the
> ProxyCommand to exit rather than staying around to transfer data.
>
> Bugfixes:
>
> * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
> certificates.
>
> * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.
>
> * sftp(1): bz#2137: fix the progress meter for resumed transfer.
>
> * ssh-add(1): bz#2187: do not request smartcard PIN when removing
> keys from ssh-agent.
>
> * sshd(8): bz#2139: fix re-exec fallback when original sshd binary
> cannot be executed.
>
> * ssh-keygen(1): Make relative-specified certificate expiry times
> relative to current time and not the validity start time.
>
> * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.
>
> * sftp(1): bz#2129: symlinking a file would incorrectly canonicalise
> the target path.
>
> * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent
> helper executable.
>
> * sshd(8): Improve logging of sessions to include the user name,
> remote host and port, the session type (shell, command, etc.) and
> allocated TTY (if any).
>
> * sshd(8): bz#1297: tell the client (via a debug message) when
> their preferred listen address has been overridden by the
> server's GatewayPorts setting.
>
> * sshd(8): bz#2162: include report port in bad protocol banner
> message.
>
> * sftp(1): bz#2163: fix memory leak in error path in do_readdir()
>
> * sftp(1): bz#2171: don't leak file descriptor on error.
>
> * sshd(8): Include the local address and port in "Connection from
> ..." message (only shown at loglevel>=verbose)
>
> Portable OpenSSH:
>
> * Switch to a ChaCha20-based arc4random() PRNG for platforms that do
> not provide their own.
>
> * sshd(8): bz#2156: restore Linux oom_adj setting when handling
> SIGHUP to maintain behaviour over restart.
>
> * sshd(8): bz#2032: use local username in krb5_kuserok check rather
> than full client name which may be of form user at REALM.
>
> * ssh(1), sshd(8): Test for both the presence of ECC NID numbers in
> OpenSSL and that they actually work. Fedora (at least) has
> NID_secp521r1 that doesn't work.
>
> * bz#2173: use pkg-config --libs to include correct -L location for
> libedit.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Salutations,

Tested the 1/23/2014 snapshot on Arch Linux 64-bit with the following configure
options:
./configure \
--prefix=/usr \
--sbindir=/usr/bin \
--libexecdir=/usr/lib/ssh \
--sysconfdir=/etc/ssh \
--with-ldns \
--with-libedit \
--with-ssl-engine \
--with-pam \
--with-privsep-user=nobody \
--with-kerberos5=/usr \
--with-xauth=/usr/bin/xauth \
--with-mantype=man \
--with-md5-passwords \
--with-pid-dir=/run

Passed all tests.
Regards,
Mark
--
Mark E. Lee <mark at markelee.com>
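The announcement above only names the new ssh_config(5) "Match" keyword and the hostname canonicalisation rules. The following ~/.ssh/config fragment is an added example written for this page, not code from the announcement or from the OpenSSH project; the domain corp.example.com, the bastion host, the identity file name and the on-corp-vpn.sh helper script are assumed values.

```sshconfig
# Client-side canonicalisation: an unqualified name such as "build" is
# expanded with the listed suffix before the host key is looked up, so one
# typed name maps to exactly one known_hosts entry.
# (corp.example.com, the identity file and the VPN helper are assumptions.)
CanonicalizeHostname yes
CanonicalDomains corp.example.com
CanonicalizeMaxDots 0
# Fail instead of falling back to the local resolver when no suffix matches,
# so a mistyped name cannot silently resolve to an unexpected host.
CanonicalizeFallbackLocal no
# Only follow CNAMEs that stay inside the corporate domain.
CanonicalizePermittedCNAMEs *.corp.example.com:*.corp.example.com

# Conditional settings keyed on the canonicalised name. The configuration is
# re-evaluated after canonicalisation, so "build" reaches this block as
# build.corp.example.com.
Match host *.corp.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_corp
    IdentitiesOnly yes
    # Prefer the algorithms introduced in this release.
    KexAlgorithms curve25519-sha256@libssh.org
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
    Ciphers chacha20-poly1305@openssh.com

# Conditional settings keyed on a command's exit status: the exec condition
# is true when the command exits 0. Here an assumed helper script reports
# whether the corporate VPN is up; off-VPN, corporate hosts are reached
# through a bastion. The bastion itself is excluded from the pattern,
# otherwise the ProxyCommand would recurse when connecting to it.
Match host *.corp.example.com,!bastion.corp.example.com exec "! ~/.ssh/on-corp-vpn.sh"
    ProxyCommand ssh -W %h:%p bastion.corp.example.com
```

Because "Match host" is evaluated against the canonicalised name, settings placed in such a block cannot be bypassed by typing a short alias; use "Match originalhost" when a rule must apply to the name as typed instead.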
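The sftp-server(8) request whitelist/blacklist and the sshd_config(5) PermitTTY option in the announcement above can be combined into a restricted file-transfer account. This sshd_config fragment is an added example written for this page, not configuration from the announcement or from the OpenSSH project; the group name sftponly and the chroot path are assumed.

```sshconfig
# sshd_config fragment (group name and chroot path are assumptions).
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    # No PTY, no forwarding: the account can only speak SFTP.
    PermitTTY no
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    # Blacklist (-P) the requests that change metadata or the namespace;
    # any request not listed remains allowed. "open" is still permitted, so
    # a file the chroot leaves writable can still be written or truncated:
    # filesystem permissions, not this list, enforce read-only content.
    ForceCommand internal-sftp -P setstat,fsetstat,remove,mkdir,rmdir,rename,symlink,posix-rename@openssh.com,hardlink@openssh.com
```

Run sshd -t after editing to check the syntax, and remember that ChrootDirectory requires the directory and every component above it to be root-owned and not group- or world-writable.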