summaryrefslogtreecommitdiffstats
path: root/debian/NEWS
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:26:58 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 01:26:58 +0000
commit4722d4b7980d6fd8145e2e9f08492d951ea261d1 (patch)
tree7ab498b39f5bdce46b1bbc41ef5201322df4e2d4 /debian/NEWS
parentAdding upstream version 1:7.9p1. (diff)
downloadopenssh-4722d4b7980d6fd8145e2e9f08492d951ea261d1.tar.xz
openssh-4722d4b7980d6fd8145e2e9f08492d951ea261d1.zip
Adding debian version 1:7.9p1-10+deb10u2.debian/1%7.9p1-10+deb10u2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/NEWS')
-rw-r--r--debian/NEWS247
1 files changed, 247 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..c0a535c
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,247 @@
+openssh (1:7.9p1-1) unstable; urgency=medium
+
+ OpenSSH 7.9 includes a number of changes that may affect existing
+ configurations:
+
+ * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
+ bans the use of DSA keys as certificate authorities.
+ * sshd(8): the authentication success/failure log message has changed
+ format slightly. It now includes the certificate fingerprint
+ (previously it included only key ID and CA key fingerprint).
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 21 Oct 2018 10:39:24 +0100
+
+openssh (1:7.8p1-1) unstable; urgency=medium
+
+ OpenSSH 7.8 includes a number of changes that may affect existing
+ configurations:
+
+ * ssh-keygen(1): Write OpenSSH format private keys by default instead of
+ using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
+ releases since 2014 and described in the PROTOCOL.key file in the
+ source distribution, offers substantially better protection against
+ offline password guessing and supports key comments in private keys.
+ If necessary, it is possible to write old PEM-style keys by adding "-m
+ PEM" to ssh-keygen's arguments when generating or updating a key.
+ * sshd(8): Remove internal support for S/Key multiple factor
+ authentication. S/Key may still be used via PAM or BSD auth.
+ * ssh(1): Remove vestigial support for running ssh(1) as setuid. This
+ used to be required for hostbased authentication and the (long gone)
+ rhosts-style authentication, but has not been necessary for a long
+ time. Attempting to execute ssh as a setuid binary, or with uid !=
+ effective uid will now yield a fatal error at runtime.
+ * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
+ HostbasedAcceptedKeyTypes options have changed. These now specify
+ signature algorithms that are accepted for their respective
+ authentication mechanism, where previously they specified accepted key
+ types. This distinction matters when using the RSA/SHA2 signature
+ algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
+ counterparts. Configurations that override these options but omit
+ these algorithm names may cause unexpected authentication failures (no
+ action is required for configurations that accept the default for these
+ options).
+ * sshd(8): The precedence of session environment variables has changed.
+ ~/.ssh/environment and environment="..." options in authorized_keys
+ files can no longer override SSH_* variables set implicitly by sshd.
+ * ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
+ will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
+ detailed rationale, please see the commit message:
+ https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 30 Aug 2018 15:35:27 +0100
+
+openssh (1:7.6p1-1) unstable; urgency=medium
+
+ OpenSSH 7.6 includes a number of changes that may affect existing
+ configurations:
+
+ * ssh(1): Delete SSH protocol version 1 support, associated configuration
+ options and documentation.
+ * ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
+ * ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
+ ciphers.
+ * Refuse RSA keys <1024 bits in length and improve reporting for keys
+ that do not meet this requirement.
+ * ssh(1): Do not offer CBC ciphers by default.
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 12:36:48 +0100
+
+openssh (1:7.5p1-1) experimental; urgency=medium
+
+ OpenSSH 7.5 includes a number of changes that may affect existing
+ configurations:
+
+ * This release deprecates the sshd_config UsePrivilegeSeparation option,
+ thereby making privilege separation mandatory.
+
+ * The format of several log messages emitted by the packet code has
+ changed to include additional information about the user and their
+ authentication state. Software that monitors ssh/sshd logs may need to
+ account for these changes. For example:
+
+ Connection closed by user x 1.1.1.1 port 1234 [preauth]
+ Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
+ Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
+
+ Affected messages include connection closure, timeout, remote
+ disconnection, negotiation failure and some other fatal messages
+ generated by the packet code.
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 02:58:01 +0100
+
+openssh (1:7.4p1-7) unstable; urgency=medium
+
+ This version restores the default for AuthorizedKeysFile to search both
+ ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
+ Debian configurations before 1:7.4p1-1. Upstream intends to phase out
+ searching ~/.ssh/authorized_keys2 by default, so you should ensure that
+ you are only using ~/.ssh/authorized_keys, at least for critical
+ administrative access; do not assume that the current default will remain
+ in place forever.
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
+
+openssh (1:7.4p1-1) unstable; urgency=medium
+
+ OpenSSH 7.4 includes a number of changes that may affect existing
+ configurations:
+
+ * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
+ block ciphers are not safe in 2016 and we don't want to wait until
+ attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
+ mandatory cipher in the SSH RFCs, this may cause problems connecting to
+ older devices using the default configuration, but it's highly likely
+ that such devices already need explicit configuration for key exchange
+ and hostkey algorithms already anyway.
+ * sshd(8): Remove support for pre-authentication compression. Doing
+ compression early in the protocol probably seemed reasonable in the
+ 1990s, but today it's clearly a bad idea in terms of both cryptography
+ (cf. multiple compression oracle attacks in TLS) and attack surface.
+ Pre-auth compression support has been disabled by default for >10
+ years. Support remains in the client.
+ * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
+ trusted paths by default. The path whitelist may be specified at
+ run-time.
+ * sshd(8): When a forced-command appears in both a certificate and an
+ authorized keys/principals command= restriction, sshd will now refuse
+ to accept the certificate unless they are identical. The previous
+ (documented) behaviour of having the certificate forced-command
+ override the other could be a bit confusing and error-prone.
+ * sshd(8): Remove the UseLogin configuration directive and support for
+ having /bin/login manage login sessions.
+
+ The unprivileged sshd process that deals with pre-authentication network
+ traffic is now subject to additional sandboxing restrictions by default:
+ that is, the default sshd_config now sets UsePrivilegeSeparation to
+ "sandbox" rather than "yes". This has been the case upstream for a while,
+ but until now the Debian configuration diverged unnecessarily.
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000
+
+openssh (1:7.2p1-1) unstable; urgency=medium
+
+ OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
+ default in ssh:
+
+ * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
+ rijndael-cbc aliases for AES.
+ * MD5-based and truncated HMAC algorithms.
+
+ These algorithms are already disabled by default in sshd.
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
+
+openssh (1:7.1p1-2) unstable; urgency=medium
+
+ OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
+ cryptography.
+
+ * Support for the legacy SSH version 1 protocol is disabled by default at
+ compile time. Note that this also means that the Cipher keyword in
+ ssh_config(5) is effectively no longer usable; use Ciphers instead for
+ protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
+ and "ssh-keygen1" binaries which you can use if you have no alternative
+ way to connect to an outdated SSH1-only server; please contact the
+ server administrator or system vendor in such cases and ask them to
+ upgrade.
+ * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
+ disabled by default at run-time. It may be re-enabled using the
+ instructions at http://www.openssh.com/legacy.html
+ * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
+ default at run-time. These may be re-enabled using the instructions at
+ http://www.openssh.com/legacy.html
+ * Support for the legacy v00 cert format has been removed.
+
+ Future releases will retire more legacy cryptography, including:
+
+ * Refusing all RSA keys smaller than 1024 bits (the current minimum is
+ 768 bits).
+ * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
+ all arcfour variants, and the rijndael-cbc aliases for AES.
+ * MD5-based HMAC algorithms will be disabled by default.
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
+
+openssh (1:6.9p1-1) unstable; urgency=medium
+
+ UseDNS now defaults to 'no'. Configurations that match against the client
+ host name (via sshd_config or authorized_keys) may need to re-enable it or
+ convert to matching against addresses.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
+
+openssh (1:6.7p1-5) unstable; urgency=medium
+
+ openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
+ a number of specific LC_FOO variables rather than the wildcard LC_*. I
+ have since been persuaded that this was a bad idea and have reverted it,
+ but it is difficult to automatically undo the change to
+ /etc/ssh/sshd_config without compounding the problem (that of modifying
+ configuration that some users did not want to be modified) further. Most
+ users who upgraded via version 1:6.7p1-4 should restore the previous value
+ of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
+
+ -- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
+
+openssh (1:5.4p1-2) unstable; urgency=low
+
+ Smartcard support is now available using PKCS#11 tokens. If you were
+ previously using an unofficial build of Debian's OpenSSH package with
+ OpenSC-based smartcard support added, then note that commands like
+ 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
+ /usr/lib/opensc-pkcs11.so' instead.
+
+ -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
+
+openssh (1:3.8.1p1-9) experimental; urgency=low
+
+ The ssh package has been split into openssh-client and openssh-server. If
+ you had previously requested that the sshd server should not be run, then
+ that request will still be honoured. However, the recommended approach is
+ now to remove the openssh-server package if you do not want to run sshd.
+ You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
+ that.
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
+
+openssh (1:3.5p1-1) unstable; urgency=low
+
+ This version of OpenSSH disables the environment option for public keys by
+ default, in order to avoid certain attacks (for example, LD_PRELOAD). If
+ you are using this option in an authorized_keys file, beware that the keys
+ in question will no longer work until the option is removed.
+
+ To re-enable this option, set "PermitUserEnvironment yes" in
+ /etc/ssh/sshd_config after the upgrade is complete, taking note of the
+ warning in the sshd_config(5) manual page.
+
+ -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
+
+openssh (1:3.0.1p1-1) unstable; urgency=high
+
+ As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
+ keys. This means the authorized_keys2 and known_hosts2 files are no longer
+ needed. They will still be read in order to maintain backward
+ compatibility.
+
+ -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000