Call for testing: OpenSSH 8.7
Dmitry Belyavskiy
dbelyavs at redhat.com
Sat Aug 14 05:48:49 AEST 2021
Dear Damien,
Are there any chances that something from
https://github.com/openssh/openssh-portable/pull/253
https://github.com/openssh/openssh-portable/pull/236
will be added to the release?
On Fri, Aug 13, 2021 at 2:12 AM Damien Miller <djm at mindrot.org> wrote:
> Hi,
>
> OpenSSH 8.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release has a mix of
> bugfixes and new features.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Potentially-incompatible changes
> ================================
>
> This release includes a number of changes that may affect existing
> configurations:
>
> * scp(1): this release changes the behaviour of remote to remote
> copies (e.g. "scp host-a:/path host-b:") to transfer through the
> local host by default. This was previously available via the -3
> flag. This mode avoids the need to expose credentials on the
> origin hop, avoids triplicate interpretation of filenames by the
> shell (by the local system, the copy origin and the destination)
> and, in conjunction with the SFTP support for scp(1) mentioned
> below, allows use of all authentication methods to the remote
> hosts (previously, only non-interactive methods could be used).
> A -R flag has been added to select the old behaviour.
>
> * ssh(1)/sshd(8): both the client and server are now using a more
> strict configuration file parser. The new parser uses more
> shell-like rules for quotes, space and escape characters. It is
> also more strict in rejecting configurations that include options
> lacking arguments. Previously some options (e.g. DenyUsers) could
> appear on a line with no subsequent arguments. This release will
> reject such configurations. The new parser will also reject
> configurations with unterminated quotes and multiple '='
> characters after the option name.
>
> * ssh(1): when using SSHFP DNS records for host key verification,
> ssh(1) will verify all matching records instead of just those
> with the specific signature type requested. This may cause host
> key verification problems if stale SSHFP records of a different
> or legacy signature type exist alongside other records for a
> particular host. bz#3322
>
> * ssh-keygen(1): when generating a FIDO key and specifying an
> explicit attestation challenge (using -Ochallenge), the challenge
> will now be hashed by the builtin security key middleware. This
> removes the (undocumented) requirement that challenges be exactly
> 32 bytes in length and matches the expectations of libfido2.
>
> * sshd(8): environment="..." directives in authorized_keys files are
> now first-match-wins and limited to 1024 discrete environment
> variable names.
>
> Changes since OpenSSH 8.6
> =========================
>
> This release contains a mix of new features and bug-fixes.
>
> New features
> ------------
>
> - scp(1): experimental support for transfers using the SFTP protocol
> as a replacement for the venerable SCP/RCP protocol that it has
> traditionally used. SFTP offers more predictable filename handling
> and does not require expansion of glob(3) patterns via the shell
> on the remote side.
>
> SFTP support may be enabled via a temporary scp -s flag. It is
> intended for SFTP to become the default transfer mode in the
> near future, at which time the -s flag will be removed. The -O
> flag exists to force use of the original SCP/RCP protocol for
> cases where SFTP may be unavailable or incompatible.
>
> - sftp-server(8): add a protocol extension to support expansion of
> ~/ and ~user/ prefixed paths. This was added to support these
> paths when used by scp(1) while in SFTP mode.
>
> - ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to
> the ssh(1) -f flag. GHPR#231
>
> - ssh(1): add a StdinNull directive to ssh_config(5) that allows the
> config file to do the same thing as -n does on the ssh(1) command-
> line. GHPR#231
>
> - ssh(1): add a SessionType directive to ssh_config, allowing the
> configuration file to offer equivalent control to the -N (no
> session) and -s (subsystem) command-line flags. GHPR#231
>
> - ssh-keygen(1): let allowed signers files used by ssh-keygen(1)
> signatures support key lifetimes, and allow the verification mode to
> specify a signature time to check at. This is intended for use by
> git to support signing objects using ssh keys.
>
> - ssh-keygen(8): support printing of the full public key in a sshsig
> signature via a -Oprint-pubkey flag.
>
> Bugfixes
> --------
>
> * ssh(1)/sshd(8): start time-based re-keying exactly on schedule in
> the client and server mainloops. Previously the re-key timeout
> could expire but re-keying would not start until a packet was sent
> or received, causing a spin in select() if the connection was
> quiescent.
>
> * ssh-keygen(1): avoid Y2038 problem in printing certificate
> validity lifetimes. Dates past 2^31-1 seconds since epoch were
> displayed incorrectly on some platforms. bz#3329
>
> * scp(1): allow spaces to appear in usernames for local to remote
> and scp -3 remote to remote copies. bz#1164
>
> * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
> in favour of KbdInteractiveAuthentication. The former is what was in
> SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
> treated as somewhat but not entirely equivalent. We retain the old
> name as a deprecated alias so configuration files continue to work
> as well as a reference in the man page for people looking for it.
> bz#3303
>
> * ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name
> when extracting a key from a PKCS#11 certificate. bz#3327
>
> * ssh(1): restore blocking status on stdio fds before close. ssh(1)
> needs file descriptors in non-blocking mode to operate but it was
> not restoring the original state on exit. This could cause
> problems with fds shared with other programs via the shell.
> bz#3280 and GHPR#246
>
> * ssh(1)/sshd(8): switch both client and server mainloops from
> select(3) to pselect(3). Avoids race conditions where a signal
> may arrive immediately before select(3) and not be processed until
> an event fires. bz#2158
>
> * ssh(1): sessions started with ControlPersist were incorrectly
> executing a shell when the -N (no shell) option was specified.
> bz#3290
>
> * ssh(1): check if IPQoS or TunnelDevice are already set before
> overriding. Prevents values in config files from overriding values
> supplied on the command line. bz#3319
>
> * ssh(1): fix debug message when finding a private key to match a
> certificate being attempted for user authentication. Previously it
> would print the certificate's path, whereas it was supposed to be
> showing the private key's path. GHPR#247
>
> * sshd(8): match host certificates against host public keys, not
> private keys. Allows use of certificates with private keys held in
> an ssh-agent. bz#3524
>
> * ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which
> allows RSA/SHA2 signatures for public key authentication but fails
> to advertise this correctly via SSH2_MSG_EXT_INFO. This causes
> clients of these servers to incorrectly match
> PubkeyAcceptedAlgorithms and potentially refuse to offer valid
> keys. bz#3213
>
> * sftp(1)/scp(1): degrade gracefully if a sftp-server offers the
> limits at openssh.com extension but fails when the client tries to
> invoke it. bz#3318
>
> * ssh(1): allow ssh_config SetEnv to override $TERM, which is
> otherwise handled specially by the protocol. Useful in ~/.ssh/config
> to set TERM to something generic (e.g. "xterm" instead of
> "xterm-256color") for destinations that lack terminfo entries.
>
> * sftp-server(8): the limits at openssh.com extension was incorrectly
> marked as an operation that writes to the filesystem, which made it
> unavailable in sftp-server read-only mode. bz#3318
>
> * ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when
> the update removed more host keys than remain present.
>
> * many manual page fixes.
>
> Portability
> -----------
>
> * ssh(1): move closefrom() to before first malloc. When built against
> tcmalloc, the closefrom() would stomp on file descriptors created
> for tcmalloc's internal use. bz#3321
>
> * sshd(8): handle GIDs > 2^31 in getgrouplist. When compiled in 32bit
> mode, the getgrouplist implementation may fail for GIDs greater than
> LONG_MAX.
>
> * ssh(1): xstrdup environment variable used by ForwardAgent. bz#3328
>
> * sshd(8): don't sigdie() in signal handler in privsep child process;
> this can end up causing sandbox violations per bz#3286
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
--
Dmitry Belyavskiy
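The stricter configuration-file parser described in the quoted release notes (shell-like rules for quotes, spaces and escapes; rejection of options with no argument, of unterminated quotes and of more than one '=' after the option name) is the change most likely to break an existing config on upgrade. The following is an added example, not OpenSSH's own parser (readconf.c and servconf.c use argv_split() from misc.c): a small Python re-implementation of the rules as the notes state them, usable to lint an ssh_config or sshd_config fragment for the constructs 8.7 rejects. The exact quoting details and the sample config are assumptions modelled on the release note.

```python
"""Model of the stricter option-line parsing described in the OpenSSH 8.7
release notes.  Added illustration, not OpenSSH's own code: it re-implements
the stated rules so a config can be checked for lines the new parser rejects
(unterminated quotes, options lacking arguments, repeated '=')."""


class ConfigError(ValueError):
    """Raised for a line the 8.7-style parser would reject."""


def split_args(text):
    """Split the argument part of a line into words with shell-like rules.

    Whitespace separates words; single and double quotes group; a backslash
    escapes the next character outside quotes (and a quote or backslash inside
    double quotes); an unquoted '#' at the start of a word begins a comment.
    Raises ConfigError on an unterminated quote or a trailing backslash.
    """
    words, cur, quote, in_word = [], [], None, False
    i = 0
    while i < len(text):
        ch = text[i]
        if quote is not None:                       # inside '...' or "..."
            if ch == quote:
                quote = None
            elif (ch == "\\" and quote == '"' and i + 1 < len(text)
                  and text[i + 1] in '"\\'):
                i += 1
                cur.append(text[i])
            else:
                cur.append(ch)
        elif ch in "'\"":                           # opening quote
            quote, in_word = ch, True
        elif ch == "\\":                            # escape outside quotes
            if i + 1 >= len(text):
                raise ConfigError("trailing backslash")
            i += 1
            cur.append(text[i])
            in_word = True
        elif ch in " \t":                           # word separator
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        elif ch == "#" and not in_word:             # comment to end of line
            break
        else:
            cur.append(ch)
            in_word = True
        i += 1
    if quote is not None:
        raise ConfigError("unterminated quote")
    if in_word:
        words.append("".join(cur))
    return words


def parse_option_line(line):
    """Parse one ssh_config/sshd_config line into (keyword, args).

    Returns None for blank and comment lines.  The keyword may be separated
    from its arguments by whitespace or by a single '='; a second '=' and an
    empty argument list are rejected, as the 8.7 notes describe.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    i = 0
    while i < len(stripped) and not stripped[i].isspace() and stripped[i] != "=":
        i += 1
    keyword, rest = stripped[:i], stripped[i:].lstrip()
    if not keyword:
        raise ConfigError("missing keyword")
    if rest.startswith("="):
        rest = rest[1:].lstrip()
        if rest.startswith("="):
            raise ConfigError(f"{keyword}: multiple '=' after option name")
    args = split_args(rest)
    if not args:
        raise ConfigError(f"{keyword}: option lacks arguments")
    return keyword.lower(), args


def lint_config(text):
    """Return [(lineno, message)] for every line the strict parser rejects."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parse_option_line(line)
        except ConfigError as exc:
            problems.append((lineno, str(exc)))
    return problems


# Constructed sample sshd_config fragment, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample
Port 2222
PermitRootLogin no
DenyUsers
Match User "build bot"
AuthorizedKeysCommand = = /usr/local/bin/akc %u
Banner "/etc/issue.net
AllowGroups admins # inline comment
"""

if __name__ == "__main__":
    for lineno, msg in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

On the sample, lines 4 (no argument), 6 (two '=') and 7 (unterminated quote) are reported while the quoted Match argument and the inline comment pass. This only approximates the rules; after upgrading, `sshd -t -f <file>` and `ssh -G -F <file> host` remain the authoritative checks for the server and client configs respectively.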
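The SSHFP change in the quoted notes (ssh(1) now verifies every matching record rather than only those of the requested fingerprint type, so a stale record of a legacy type left in DNS can break host key verification) is worth auditing for before deploying 8.7. The following is an added example, not OpenSSH's dns.c: a Python audit that computes the SSHFP digests for a host key blob and reports published records that no longer match. Record encoding follows RFC 4255 (the fingerprint is the hash of the wire-format public key blob) with algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479. The keys are constructed placeholders, and the two verification functions are models of the old and new behaviour as the release note states them, not the actual code paths.

```python
"""Audit SSHFP DNS records against a host's current public key.

Added illustration of the OpenSSH 8.7 SSHFP change; not OpenSSH's own code.
verify_requested_only() models the pre-8.7 behaviour described in the release
note (only records of the requested fingerprint type are checked);
verify_all() models 8.7 (every record for the key's algorithm is checked)."""
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479) and fingerprint types.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length prefix plus bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32):
    """Wire-format public key blob for an Ed25519 key (what the base64 field of
    a host key .pub or known_hosts line decodes to)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def sshfp_records(keytype, blob):
    """The (algorithm, fptype, hexdigest) records DNS should carry for this key,
    i.e. what `ssh-keygen -r` derives from the same blob."""
    return [(SSHFP_ALGO[keytype], fpt, h(blob).hexdigest())
            for fpt, h in SSHFP_HASH.items()]


def classify(records, keytype, blob):
    """Split published records for this key's algorithm into those matching
    the current key and those that do not (stale or foreign records)."""
    algo = SSHFP_ALGO[keytype]
    matched, mismatched = [], []
    for rec in records:
        r_algo, r_fpt, r_hex = rec
        if r_algo != algo or r_fpt not in SSHFP_HASH:
            continue                                 # not for this key type
        digest = SSHFP_HASH[r_fpt](blob).hexdigest()
        (matched if digest == r_hex.lower() else mismatched).append(rec)
    return matched, mismatched


def verify_requested_only(records, keytype, blob, fptype=2):
    """Pre-8.7 model: only records of the requested fingerprint type count,
    so a stale SHA-1 record is ignored when SHA-256 was requested."""
    matched, _ = classify(records, keytype, blob)
    return any(r[1] == fptype for r in matched)


def verify_all(records, keytype, blob):
    """8.7 model: every record for the key's algorithm is checked, so a stale
    record of another fingerprint type makes verification fail."""
    matched, mismatched = classify(records, keytype, blob)
    return bool(matched) and not mismatched


# Constructed placeholder keys, not real host keys: the current and a retired one.
CURRENT_KEY = ed25519_blob(bytes(range(32)))
RETIRED_KEY = ed25519_blob(bytes(32))
CURRENT_RECORDS = sshfp_records("ssh-ed25519", CURRENT_KEY)
STALE_SHA1_RECORD = sshfp_records("ssh-ed25519", RETIRED_KEY)[0]   # fptype 1

if __name__ == "__main__":
    published = CURRENT_RECORDS + [STALE_SHA1_RECORD]
    print("requested-type-only:", verify_requested_only(published, "ssh-ed25519", CURRENT_KEY))
    print("all-records (8.7):  ", verify_all(published, "ssh-ed25519", CURRENT_KEY))
    for rec in classify(published, "ssh-ed25519", CURRENT_KEY)[1]:
        print("stale record: IN SSHFP %d %d %s" % rec)
```

With a stale SHA-1 record present the old model still reports success while the 8.7 model fails, which is exactly the upgrade symptom the note warns about. To audit a real zone, compare the output of `ssh-keygen -r <hostname> -f /etc/ssh/ssh_host_ed25519_key.pub` with `dig +short SSHFP <hostname>` and remove any record that the current key does not reproduce.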