openssh (1:9.7p1-6) UNRELEASED; urgency=medium Debian's PAM configuration for OpenSSH no longer reads the ~/.pam_environment file. The implementation of this in pam_env has a history of security problems and has been deprecated by the upstream Linux-PAM maintainers due to the possibility that "user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator". Instead, environment variables need to be set somewhere that will be handled by the session process; for most users, this will be shell initialization files such as ~/.bash_profile or ~/.bashrc. -- Colin Watson Thu, 23 May 2024 19:17:29 +0100 openssh (1:9.5p1-1) experimental; urgency=medium OpenSSH 9.5p1 includes a number of changes that may affect existing configurations: * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014). * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected. -- Colin Watson Thu, 23 Nov 2023 17:38:07 +0000 openssh (1:9.4p1-1) unstable; urgency=medium OpenSSH 9.4p1 includes a number of changes that may affect existing configurations: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. -- Colin Watson Sat, 02 Sep 2023 21:02:53 +0100 openssh (1:9.3p2-1) unstable; urgency=high OpenSSH 9.3p2 includes a number of changes that may affect existing configurations: * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. -- Colin Watson Wed, 19 Jul 2023 21:57:53 +0100 openssh (1:9.2p1-1) unstable; urgency=medium OpenSSH 9.2 includes a number of changes that may affect existing configurations: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. This option defaults to "no", disabling the ~C command-line that was previously enabled by default. Turning off the command-line allows platforms that support sandboxing of the ssh(1) client (currently only OpenBSD) to use a stricter default sandbox policy. -- Colin Watson Wed, 08 Feb 2023 10:36:06 +0000 openssh (1:9.1p1-1) unstable; urgency=medium OpenSSH 9.1 includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. -- Colin Watson Mon, 14 Nov 2022 16:35:59 +0000 openssh (1:9.0p1-1) unstable; urgency=medium OpenSSH 9.0 includes a number of changes that may affect existing configurations: * This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag. -- Colin Watson Sat, 09 Apr 2022 14:14:10 +0100 openssh (1:8.8p1-1) unstable; urgency=medium OpenSSH 8.8 includes a number of changes that may affect existing configurations: * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for Tue, 15 Feb 2022 19:20:21 +0000 openssh (1:8.7p1-1) unstable; urgency=medium OpenSSH 8.7 includes a number of changes that may affect existing configurations: * scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. This was previously available via the -3 flag. This mode avoids the need to expose credentials on the origin hop, avoids triplicate interpretation of filenames by the shell (by the local system, the copy origin and the destination) and, in conjunction with the SFTP support for scp(1) mentioned below, allows use of all authentication methods to the remote hosts (previously, only non-interactive methods could be used). A -R flag has been added to select the old behaviour. * ssh(1)/sshd(8): both the client and server are now using a stricter configuration file parser. The new parser uses more shell-like rules for quotes, space and escape characters. It is also more strict in rejecting configurations that include options lacking arguments. Previously some options (e.g. DenyUsers) could appear on a line with no subsequent arguments. This release will reject such configurations. The new parser will also reject configurations with unterminated quotes and multiple '=' characters after the option name. * ssh(1): when using SSHFP DNS records for host key verification, ssh(1) will verify all matching records instead of just those with the specific signature type requested. This may cause host key verification problems if stale SSHFP records of a different or legacy signature type exist alongside other records for a particular host. bz#3322 * ssh-keygen(1): when generating a FIDO key and specifying an explicit attestation challenge (using -Ochallenge), the challenge will now be hashed by the builtin security key middleware. This removes the (undocumented) requirement that challenges be exactly 32 bytes in length and matches the expectations of libfido2. * sshd(8): environment="..." directives in authorized_keys files are now first-match-wins and limited to 1024 discrete environment variable names. OpenSSH 8.5 includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519. * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes. * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001. * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default) * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers. -- Colin Watson Sat, 06 Nov 2021 12:23:47 +0000 openssh (1:8.4p1-1) unstable; urgency=medium OpenSSH 8.4 includes a number of changes that may affect existing configurations: * ssh-keygen(1): the format of the attestation information optionally recorded when a FIDO key is generated has changed. It now includes the authenticator data needed to validate attestation signatures. * The API between OpenSSH and the FIDO token middleware has changed and the SSH_SK_VERSION_MAJOR version has been incremented as a result. Third-party middleware libraries must support the current API version (7) to work with OpenSSH 8.4. -- Colin Watson Sun, 18 Oct 2020 12:07:48 +0100 openssh (1:8.3p1-1) unstable; urgency=medium OpenSSH 8.3 includes a number of changes that may affect existing configurations: * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) do instead of accepting and silently ignoring it. -- Colin Watson Sun, 07 Jun 2020 13:44:04 +0100 openssh (1:8.2p1-1) unstable; urgency=medium OpenSSH 8.2 includes a number of changes that may affect existing configurations: * ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates. Certificates are at special risk to SHA1 collision vulnerabilities as an attacker has effectively unlimited time in which to craft a collision that yields them a valid certificate, far more than the relatively brief LoginGraceTime window that they have to forge a host key signature. The OpenSSH certificate format includes a CA-specified (typically random) nonce value near the start of the certificate that should make exploitation of chosen-prefix collisions in this context challenging, as the attacker does not have full control over the prefix that actually gets signed. Nonetheless, SHA1 is now a demonstrably broken algorithm and further improvements in attacks are highly likely. OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2 algorithms and will refuse to accept certificates signed by an OpenSSH 8.2+ CA using RSA keys unless the unsafe algorithm is explicitly selected during signing ("ssh-keygen -t ssh-rsa"). Older clients/servers may use another CA key type such as ssh-ed25519 (supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521 types (supported since OpenSSH 5.7) instead if they cannot be upgraded. * ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default key exchange proposal for both the client and server. * ssh-keygen(1): The command-line options related to the generation and screening of safe prime numbers used by the diffie-hellman-group-exchange-* key exchange algorithms have changed. Most options have been folded under the -O flag. * sshd(8): The sshd listener process title visible to ps(1) has changed to include information about the number of connections that are currently attempting authentication and the limits configured by MaxStartups. -- Colin Watson Fri, 21 Feb 2020 16:36:37 +0000 openssh (1:8.1p1-1) unstable; urgency=medium OpenSSH 8.1 includes a number of changes that may affect existing configurations: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). -- Colin Watson Thu, 10 Oct 2019 10:23:19 +0100 openssh (1:8.0p1-1) experimental; urgency=medium OpenSSH 8.0 includes a number of changes that may affect existing configurations: * sshd(8): Remove support for obsolete "host/port" syntax. Slash-separated host/port was added in 2001 as an alternative to host:port syntax for the benefit of IPv6 users. These days there are established standards for this like [::1]:22 and the slash syntax is easily mistaken for CIDR notation, which OpenSSH supports for some things. Remove the slash notation from ListenAddress and PermitOpen. -- Colin Watson Sun, 09 Jun 2019 22:47:27 +0100 openssh (1:7.9p1-1) unstable; urgency=medium OpenSSH 7.9 includes a number of changes that may affect existing configurations: * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option bans the use of DSA keys as certificate authorities. * sshd(8): the authentication success/failure log message has changed format slightly. It now includes the certificate fingerprint (previously it included only key ID and CA key fingerprint). -- Colin Watson Sun, 21 Oct 2018 10:39:24 +0100 openssh (1:7.8p1-1) unstable; urgency=medium OpenSSH 7.8 includes a number of changes that may affect existing configurations: * ssh-keygen(1): Write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): Remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): Remove vestigial support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): The precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284 -- Colin Watson Thu, 30 Aug 2018 15:35:27 +0100 openssh (1:7.6p1-1) unstable; urgency=medium OpenSSH 7.6 includes a number of changes that may affect existing configurations: * ssh(1): Delete SSH protocol version 1 support, associated configuration options and documentation. * ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC. * ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST ciphers. * Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement. * ssh(1): Do not offer CBC ciphers by default. -- Colin Watson Fri, 06 Oct 2017 12:36:48 +0100 openssh (1:7.5p1-1) experimental; urgency=medium OpenSSH 7.5 includes a number of changes that may affect existing configurations: * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. * The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes. For example: Connection closed by user x 1.1.1.1 port 1234 [preauth] Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] Affected messages include connection closure, timeout, remote disconnection, negotiation failure and some other fatal messages generated by the packet code. -- Colin Watson Sun, 02 Apr 2017 02:58:01 +0100 openssh (1:7.4p1-7) unstable; urgency=medium This version restores the default for AuthorizedKeysFile to search both ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in Debian configurations before 1:7.4p1-1. Upstream intends to phase out searching ~/.ssh/authorized_keys2 by default, so you should ensure that you are only using ~/.ssh/authorized_keys, at least for critical administrative access; do not assume that the current default will remain in place forever. -- Colin Watson Sun, 05 Mar 2017 02:12:42 +0000 openssh (1:7.4p1-1) unstable; urgency=medium OpenSSH 7.4 includes a number of changes that may affect existing configurations: * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway. * sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client. * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time. * sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone. * sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions. The unprivileged sshd process that deals with pre-authentication network traffic is now subject to additional sandboxing restrictions by default: that is, the default sshd_config now sets UsePrivilegeSeparation to "sandbox" rather than "yes". This has been the case upstream for a while, but until now the Debian configuration diverged unnecessarily. -- Colin Watson Tue, 27 Dec 2016 18:01:46 +0000 openssh (1:7.2p1-1) unstable; urgency=medium OpenSSH 7.2 disables a number of legacy cryptographic algorithms by default in ssh: * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES. * MD5-based and truncated HMAC algorithms. These algorithms are already disabled by default in sshd. -- Colin Watson Tue, 08 Mar 2016 11:47:20 +0000 openssh (1:7.1p1-2) unstable; urgency=medium OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe cryptography. * Support for the legacy SSH version 1 protocol is disabled by default at compile time. Note that this also means that the Cipher keyword in ssh_config(5) is effectively no longer usable; use Ciphers instead for protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1", and "ssh-keygen1" binaries which you can use if you have no alternative way to connect to an outdated SSH1-only server; please contact the server administrator or system vendor in such cases and ask them to upgrade. * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at http://www.openssh.com/legacy.html * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html * Support for the legacy v00 cert format has been removed. Future releases will retire more legacy cryptography, including: * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits). * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants, and the rijndael-cbc aliases for AES. * MD5-based HMAC algorithms will be disabled by default. -- Colin Watson Tue, 08 Dec 2015 15:33:08 +0000 openssh (1:6.9p1-1) unstable; urgency=medium UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses. -- Colin Watson Thu, 20 Aug 2015 10:38:58 +0100 openssh (1:6.7p1-5) unstable; urgency=medium openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list a number of specific LC_FOO variables rather than the wildcard LC_*. I have since been persuaded that this was a bad idea and have reverted it, but it is difficult to automatically undo the change to /etc/ssh/sshd_config without compounding the problem (that of modifying configuration that some users did not want to be modified) further. Most users who upgraded via version 1:6.7p1-4 should restore the previous value of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config. -- Colin Watson Sun, 22 Mar 2015 23:09:32 +0000 openssh (1:5.4p1-2) unstable; urgency=low Smartcard support is now available using PKCS#11 tokens. If you were previously using an unofficial build of Debian's OpenSSH package with OpenSC-based smartcard support added, then note that commands like 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s /usr/lib/opensc-pkcs11.so' instead. -- Colin Watson Sat, 10 Apr 2010 01:08:59 +0100 openssh (1:3.8.1p1-9) experimental; urgency=low The ssh package has been split into openssh-client and openssh-server. If you had previously requested that the sshd server should not be run, then that request will still be honoured. However, the recommended approach is now to remove the openssh-server package if you do not want to run sshd. You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing that. -- Colin Watson Mon, 2 Aug 2004 20:48:54 +0100 openssh (1:3.5p1-1) unstable; urgency=low This version of OpenSSH disables the environment option for public keys by default, in order to avoid certain attacks (for example, LD_PRELOAD). If you are using this option in an authorized_keys file, beware that the keys in question will no longer work until the option is removed. To re-enable this option, set "PermitUserEnvironment yes" in /etc/ssh/sshd_config after the upgrade is complete, taking note of the warning in the sshd_config(5) manual page. -- Colin Watson Sat, 26 Oct 2002 19:41:51 +0100 openssh (1:3.0.1p1-1) unstable; urgency=high As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2 keys. This means the authorized_keys2 and known_hosts2 files are no longer needed. They will still be read in order to maintain backward compatibility. -- Matthew Vernon Thu, 28 Nov 2001 17:43:01 +0000