summaryrefslogtreecommitdiffstats
path: root/debian/NEWS
blob: 2898018dc264b8575ac8434d5cc72f3cbbdffa2e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
openssh (1:9.8p1-1) unstable; urgency=medium

  OpenSSH 9.8p1 includes a number of changes that may affect existing
  configurations:

   * DSA keys, as specified in the SSH protocol, are inherently weak: they
     are limited to 160-bit private keys and the SHA-1 digest.  The SSH
     implementation provided by the openssh-client and openssh-server
     packages has disabled support for DSA keys by default since OpenSSH
     7.0p1 in 2015, released with Debian 9 ("stretch"), although it could
     still be enabled using the HostKeyAlgorithms and
     PubkeyAcceptedAlgorithms configuration options for host and user keys
     respectively.

     The only remaining uses of DSA at this point should be connecting to
     some very old devices.  For all other purposes, the other key types
     supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.

     As of OpenSSH 9.8p1, DSA keys are no longer supported even with the
     above configuration options.  If you have a device that you can only
     connect to using DSA, then you can use the ssh1 command provided by the
     openssh-client-ssh1 package to do so.

     In the unlikely event that you are still using DSA keys to connect to a
     Debian server (if you are unsure, you can check by adding the -v option
     to the ssh command line you use to connect to that server and looking
     for the "Server accepts key:" line), then you must generate replacement
     keys before upgrading.

   * sshd(8): the server will now block client addresses that repeatedly
     fail authentication, repeatedly connect without ever completing
     authentication or that crash the server.  Operators of servers that
     accept connections from many users, or servers that accept connections
     from addresses behind NAT or proxies may need to consider these
     settings.

   * sshd(8): several log messages have changed.  In particular, some log
     messages will be tagged with as originating from a process named
     "sshd-session" rather than "sshd".

   * ssh-keyscan(1): this tool previously emitted comment lines containing
     the hostname and SSH protocol banner to standard error.  This release
     now emits them to standard output, but adds a new "-q" flag to silence
     them altogether.

   * sshd(8): sshd will no longer use argv[0] as the PAM service name.  A
     new "PAMServiceName" sshd_config(5) directive allows selecting the
     service name at runtime.  This defaults to "sshd".

 -- Colin Watson <cjwatson@debian.org>  Wed, 31 Jul 2024 17:16:04 +0100

openssh (1:9.7p1-6) unstable; urgency=medium

  Debian's PAM configuration for OpenSSH no longer reads the
  ~/.pam_environment file.  The implementation of this in pam_env has a
  history of security problems and has been deprecated by the upstream
  Linux-PAM maintainers due to the possibility that "user supplied
  environment variables in the PAM environment could affect behavior of
  subsequent modules in the stack without the consent of the system
  administrator".

  Instead, environment variables need to be set somewhere that will be
  handled by the session process; for most users, this will be shell
  initialization files such as ~/.bash_profile or ~/.bashrc.

 -- Colin Watson <cjwatson@debian.org>  Tue, 25 Jun 2024 14:20:44 +0100

openssh (1:9.5p1-1) experimental; urgency=medium

  OpenSSH 9.5p1 includes a number of changes that may affect existing
  configurations:

   * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
     are very convenient due to their small size. Ed25519 keys are specified
     in RFC 8709 and OpenSSH has supported them since version 6.5 (January
     2014).

   * sshd(8): the Subsystem directive now accurately preserves quoting of
     subsystem commands and arguments. This may change behaviour for exotic
     configurations, but the most common subsystem configuration
     (sftp-server) is unlikely to be affected.

 -- Colin Watson <cjwatson@debian.org>  Thu, 23 Nov 2023 17:38:07 +0000

openssh (1:9.4p1-1) unstable; urgency=medium

  OpenSSH 9.4p1 includes a number of changes that may affect existing
  configurations:

   * ssh-agent(1): PKCS#11 modules must now be specified by their full
     paths. Previously dlopen(3) could search for them in system library
     directories.

 -- Colin Watson <cjwatson@debian.org>  Sat, 02 Sep 2023 21:02:53 +0100

openssh (1:9.3p2-1) unstable; urgency=high

  OpenSSH 9.3p2 includes a number of changes that may affect existing
  configurations:

   * ssh-agent(8): the agent will now refuse requests to load PKCS#11
     modules issued by remote clients by default. A flag has been added to
     restore the previous behaviour "-Oallow-remote-pkcs11".

     Note that ssh-agent(8) depends on the SSH client to identify requests
     that are remote. The OpenSSH >=8.9 ssh(1) client does this, but
     forwarding access to an agent socket using other tools may circumvent
     this restriction.

 -- Colin Watson <cjwatson@debian.org>  Wed, 19 Jul 2023 21:57:53 +0100

openssh (1:9.2p1-1) unstable; urgency=medium

  OpenSSH 9.2 includes a number of changes that may affect existing
  configurations:

   * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
     controls whether the client-side ~C escape sequence that provides a
     command-line is available. Among other things, the ~C command-line
     could be used to add additional port-forwards at runtime.

     This option defaults to "no", disabling the ~C command-line that was
     previously enabled by default. Turning off the command-line allows
     platforms that support sandboxing of the ssh(1) client (currently only
     OpenBSD) to use a stricter default sandbox policy.

 -- Colin Watson <cjwatson@debian.org>  Wed, 08 Feb 2023 10:36:06 +0000

openssh (1:9.1p1-1) unstable; urgency=medium

  OpenSSH 9.1 includes a number of changes that may affect existing
  configurations:

   * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are
     now first-match-wins to match other directives. Previously if an
     environment variable was multiply specified the last set value would
     have been used.

   * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will
     no longer generate DSA keys, as these are insecure and have not been
     used by default for some years.

 -- Colin Watson <cjwatson@debian.org>  Mon, 14 Nov 2022 16:35:59 +0000

openssh (1:9.0p1-1) unstable; urgency=medium

  OpenSSH 9.0 includes a number of changes that may affect existing
  configurations:

   * This release switches scp(1) from using the legacy scp/rcp protocol to
     using the SFTP protocol by default.

     Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
     "scp host:* .") through the remote shell. This has the side effect of
     requiring double quoting of shell meta-characters in file names
     included on scp(1) command-lines, otherwise they could be interpreted
     as shell commands on the remote side.

     This creates one area of potential incompatibility: scp(1) when using
     the SFTP protocol no longer requires this finicky and brittle quoting,
     and attempts to use it may cause transfers to fail. We consider the
     removal of the need for double-quoting shell characters in file names
     to be a benefit and do not intend to introduce bug-compatibility for
     legacy scp/rcp in scp(1) when using the SFTP protocol.

     Another area of potential incompatibility relates to the use of remote
     paths relative to other user's home directories, for example - "scp
     host:~user/file /tmp". The SFTP protocol has no native way to expand a
     ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a
     protocol extension "expand-path@openssh.com" to support this.

     In case of incompatibility, the scp(1) client may be instructed to use
     the legacy scp/rcp using the -O flag.

 -- Colin Watson <cjwatson@debian.org>  Sat, 09 Apr 2022 14:14:10 +0100

openssh (1:8.8p1-1) unstable; urgency=medium

  OpenSSH 8.8 includes a number of changes that may affect existing
  configurations:

   * This release disables RSA signatures using the SHA-1 hash algorithm by
     default. This change has been made as the SHA-1 hash algorithm is
     cryptographically broken, and it is possible to create chosen-prefix
     hash collisions for <USD$50K.

     For most users, this change should be invisible and there is no need to
     replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512
     signatures since release 7.2 and existing ssh-rsa keys will
     automatically use the stronger algorithm where possible.

     Incompatibility is more likely when connecting to older SSH
     implementations that have not been upgraded or have not closely tracked
     improvements in the SSH protocol. For these cases, it may be necessary
     to selectively re-enable RSA/SHA1 to allow connection and/or user
     authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
     options. For example, the following stanza in ~/.ssh/config will enable
     RSA/SHA1 for host and user authentication for a single destination
     host:

         Host old-host
             HostkeyAlgorithms +ssh-rsa
             PubkeyAcceptedAlgorithms +ssh-rsa

     We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
     implementations can be upgraded or reconfigured with another key type
     (such as ECDSA or Ed25519).

 -- Colin Watson <cjwatson@debian.org>  Tue, 15 Feb 2022 19:20:21 +0000

openssh (1:8.7p1-1) unstable; urgency=medium

  OpenSSH 8.7 includes a number of changes that may affect existing
  configurations:

   * scp(1): this release changes the behaviour of remote to remote copies
     (e.g. "scp host-a:/path host-b:") to transfer through the local host by
     default. This was previously available via the -3 flag. This mode
     avoids the need to expose credentials on the origin hop, avoids
     triplicate interpretation of filenames by the shell (by the local
     system, the copy origin and the destination) and, in conjunction with
     the SFTP support for scp(1) mentioned below, allows use of all
     authentication methods to the remote hosts (previously, only
     non-interactive methods could be used). A -R flag has been added to
     select the old behaviour.

   * ssh(1)/sshd(8): both the client and server are now using a stricter
     configuration file parser. The new parser uses more shell-like rules
     for quotes, space and escape characters. It is also more strict in
     rejecting configurations that include options lacking arguments.
     Previously some options (e.g. DenyUsers) could appear on a line with no
     subsequent arguments. This release will reject such configurations. The
     new parser will also reject configurations with unterminated quotes and
     multiple '=' characters after the option name.

   * ssh(1): when using SSHFP DNS records for host key verification, ssh(1)
     will verify all matching records instead of just those with the
     specific signature type requested. This may cause host key verification
     problems if stale SSHFP records of a different or legacy signature type
     exist alongside other records for a particular host. bz#3322

   * ssh-keygen(1): when generating a FIDO key and specifying an explicit
     attestation challenge (using -Ochallenge), the challenge will now be
     hashed by the builtin security key middleware. This removes the
     (undocumented) requirement that challenges be exactly 32 bytes in
     length and matches the expectations of libfido2.

   * sshd(8): environment="..." directives in authorized_keys files are now
     first-match-wins and limited to 1024 discrete environment variable
     names.

  OpenSSH 8.5 includes a number of changes that may affect existing
  configurations:

   * ssh(1), sshd(8): this release changes the first-preference signature
     algorithm from ECDSA to ED25519.

   * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for
     interactive use prior to TCP connect. The connection phase of the SSH
     session is time-sensitive and often explicitly interactive.  The
     ultimate interactive/bulk TOS/DSCP will be set after authentication
     completes.

   * ssh(1), sshd(8): remove the pre-standardization cipher
     rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it
     was standardized in RFC4253 (2006), has been deprecated and disabled by
     default since OpenSSH 7.2 (2016) and was only briefly documented in
     ssh.1 in 2001.

   * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid
     key exchange method based on Streamlined NTRU Prime coupled with
     X25519.

     The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced
     with sntrup761x25519-sha512@openssh.com. Per its designers, the
     sntrup4591761 algorithm was superseded almost two years ago by
     sntrup761.

     (note this both the updated method and the one that it replaced are
     disabled by default)

   * ssh(1): disable CheckHostIP by default. It provides insignificant
     benefits while making key rotation significantly more difficult,
     especially for hosts behind IP-based load-balancers.

 -- Colin Watson <cjwatson@debian.org>  Sat, 06 Nov 2021 12:23:47 +0000

openssh (1:8.4p1-1) unstable; urgency=medium

  OpenSSH 8.4 includes a number of changes that may affect existing
  configurations:

   * ssh-keygen(1): the format of the attestation information optionally
     recorded when a FIDO key is generated has changed. It now includes the
     authenticator data needed to validate attestation signatures.

   * The API between OpenSSH and the FIDO token middleware has changed and
     the SSH_SK_VERSION_MAJOR version has been incremented as a result.
     Third-party middleware libraries must support the current API version
     (7) to work with OpenSSH 8.4.

 -- Colin Watson <cjwatson@debian.org>  Sun, 18 Oct 2020 12:07:48 +0100

openssh (1:8.3p1-1) unstable; urgency=medium

  OpenSSH 8.3 includes a number of changes that may affect existing
  configurations:

  * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1)
    do instead of accepting and silently ignoring it.

 -- Colin Watson <cjwatson@debian.org>  Sun, 07 Jun 2020 13:44:04 +0100

openssh (1:8.2p1-1) unstable; urgency=medium

  OpenSSH 8.2 includes a number of changes that may affect existing
  configurations:

   * ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa"
     (RSA/SHA1) algorithm from those accepted for certificate signatures
     (i.e.  the client and server CASignatureAlgorithms option) and will use
     the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
     CA signs new certificates.

     Certificates are at special risk to SHA1 collision vulnerabilities as
     an attacker has effectively unlimited time in which to craft a
     collision that yields them a valid certificate, far more than the
     relatively brief LoginGraceTime window that they have to forge a host
     key signature.

     The OpenSSH certificate format includes a CA-specified (typically
     random) nonce value near the start of the certificate that should make
     exploitation of chosen-prefix collisions in this context challenging,
     as the attacker does not have full control over the prefix that
     actually gets signed. Nonetheless, SHA1 is now a demonstrably broken
     algorithm and further improvements in attacks are highly likely.

     OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
     algorithms and will refuse to accept certificates signed by an OpenSSH
     8.2+ CA using RSA keys unless the unsafe algorithm is explicitly
     selected during signing ("ssh-keygen -t ssh-rsa").  Older
     clients/servers may use another CA key type such as ssh-ed25519
     (supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521
     types (supported since OpenSSH 5.7) instead if they cannot be upgraded.

   * ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
     key exchange proposal for both the client and server.

   * ssh-keygen(1): The command-line options related to the generation and
     screening of safe prime numbers used by the
     diffie-hellman-group-exchange-* key exchange algorithms have changed.
     Most options have been folded under the -O flag.

   * sshd(8): The sshd listener process title visible to ps(1) has changed
     to include information about the number of connections that are
     currently attempting authentication and the limits configured by
     MaxStartups.

 -- Colin Watson <cjwatson@debian.org>  Fri, 21 Feb 2020 16:36:37 +0000

openssh (1:8.1p1-1) unstable; urgency=medium

  OpenSSH 8.1 includes a number of changes that may affect existing
  configurations:

   * ssh-keygen(1): when acting as a CA and signing certificates with an RSA
     key, default to using the rsa-sha2-512 signature algorithm.
     Certificates signed by RSA keys will therefore be incompatible with
     OpenSSH versions prior to 7.2 unless the default is overridden (using
     "ssh-keygen -t ssh-rsa -s ...").

 -- Colin Watson <cjwatson@debian.org>  Thu, 10 Oct 2019 10:23:19 +0100

openssh (1:8.0p1-1) experimental; urgency=medium

  OpenSSH 8.0 includes a number of changes that may affect existing
  configurations:

   * sshd(8): Remove support for obsolete "host/port" syntax.
     Slash-separated host/port was added in 2001 as an alternative to
     host:port syntax for the benefit of IPv6 users.  These days there are
     established standards for this like [::1]:22 and the slash syntax is
     easily mistaken for CIDR notation, which OpenSSH supports for some
     things.  Remove the slash notation from ListenAddress and PermitOpen.

 -- Colin Watson <cjwatson@debian.org>  Sun, 09 Jun 2019 22:47:27 +0100

openssh (1:7.9p1-1) unstable; urgency=medium

  OpenSSH 7.9 includes a number of changes that may affect existing
  configurations:

   * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
     bans the use of DSA keys as certificate authorities.
   * sshd(8): the authentication success/failure log message has changed
     format slightly.  It now includes the certificate fingerprint
     (previously it included only key ID and CA key fingerprint).

 -- Colin Watson <cjwatson@debian.org>  Sun, 21 Oct 2018 10:39:24 +0100

openssh (1:7.8p1-1) unstable; urgency=medium

  OpenSSH 7.8 includes a number of changes that may affect existing
  configurations:

   * ssh-keygen(1): Write OpenSSH format private keys by default instead of
     using OpenSSL's PEM format.  The OpenSSH format, supported in OpenSSH
     releases since 2014 and described in the PROTOCOL.key file in the
     source distribution, offers substantially better protection against
     offline password guessing and supports key comments in private keys.
     If necessary, it is possible to write old PEM-style keys by adding "-m
     PEM" to ssh-keygen's arguments when generating or updating a key.
   * sshd(8): Remove internal support for S/Key multiple factor
     authentication.  S/Key may still be used via PAM or BSD auth.
   * ssh(1): Remove vestigial support for running ssh(1) as setuid.  This
     used to be required for hostbased authentication and the (long gone)
     rhosts-style authentication, but has not been necessary for a long
     time.  Attempting to execute ssh as a setuid binary, or with uid !=
     effective uid will now yield a fatal error at runtime.
   * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
     HostbasedAcceptedKeyTypes options have changed.  These now specify
     signature algorithms that are accepted for their respective
     authentication mechanism, where previously they specified accepted key
     types.  This distinction matters when using the RSA/SHA2 signature
     algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
     counterparts.  Configurations that override these options but omit
     these algorithm names may cause unexpected authentication failures (no
     action is required for configurations that accept the default for these
     options).
   * sshd(8): The precedence of session environment variables has changed.
     ~/.ssh/environment and environment="..." options in authorized_keys
     files can no longer override SSH_* variables set implicitly by sshd.
   * ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed.  They
     will now use DSCP AF21 for interactive traffic and CS1 for bulk.  For a
     detailed rationale, please see the commit message:
     https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284

 -- Colin Watson <cjwatson@debian.org>  Thu, 30 Aug 2018 15:35:27 +0100

openssh (1:7.6p1-1) unstable; urgency=medium

  OpenSSH 7.6 includes a number of changes that may affect existing
  configurations:

   * ssh(1): Delete SSH protocol version 1 support, associated configuration
     options and documentation.
   * ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
   * ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
     ciphers.
   * Refuse RSA keys <1024 bits in length and improve reporting for keys
     that do not meet this requirement.
   * ssh(1): Do not offer CBC ciphers by default.

 -- Colin Watson <cjwatson@debian.org>  Fri, 06 Oct 2017 12:36:48 +0100

openssh (1:7.5p1-1) experimental; urgency=medium

  OpenSSH 7.5 includes a number of changes that may affect existing
  configurations:

   * This release deprecates the sshd_config UsePrivilegeSeparation option,
     thereby making privilege separation mandatory.

   * The format of several log messages emitted by the packet code has
     changed to include additional information about the user and their
     authentication state. Software that monitors ssh/sshd logs may need to
     account for these changes. For example:

       Connection closed by user x 1.1.1.1 port 1234 [preauth]
       Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
       Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]

     Affected messages include connection closure, timeout, remote
     disconnection, negotiation failure and some other fatal messages
     generated by the packet code.

 -- Colin Watson <cjwatson@debian.org>  Sun, 02 Apr 2017 02:58:01 +0100

openssh (1:7.4p1-7) unstable; urgency=medium

  This version restores the default for AuthorizedKeysFile to search both
  ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
  Debian configurations before 1:7.4p1-1.  Upstream intends to phase out
  searching ~/.ssh/authorized_keys2 by default, so you should ensure that
  you are only using ~/.ssh/authorized_keys, at least for critical
  administrative access; do not assume that the current default will remain
  in place forever.

 -- Colin Watson <cjwatson@debian.org>  Sun, 05 Mar 2017 02:12:42 +0000

openssh (1:7.4p1-1) unstable; urgency=medium

  OpenSSH 7.4 includes a number of changes that may affect existing
  configurations:

   * ssh(1): Remove 3des-cbc from the client's default proposal.  64-bit
     block ciphers are not safe in 2016 and we don't want to wait until
     attacks like SWEET32 are extended to SSH.  As 3des-cbc was the only
     mandatory cipher in the SSH RFCs, this may cause problems connecting to
     older devices using the default configuration, but it's highly likely
     that such devices already need explicit configuration for key exchange
     and hostkey algorithms already anyway.
   * sshd(8): Remove support for pre-authentication compression.  Doing
     compression early in the protocol probably seemed reasonable in the
     1990s, but today it's clearly a bad idea in terms of both cryptography
     (cf. multiple compression oracle attacks in TLS) and attack surface.
     Pre-auth compression support has been disabled by default for >10
     years.  Support remains in the client.
   * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
     trusted paths by default.  The path whitelist may be specified at
     run-time.
   * sshd(8): When a forced-command appears in both a certificate and an
     authorized keys/principals command= restriction, sshd will now refuse
     to accept the certificate unless they are identical.  The previous
     (documented) behaviour of having the certificate forced-command
     override the other could be a bit confusing and error-prone.
   * sshd(8): Remove the UseLogin configuration directive and support for
     having /bin/login manage login sessions.

  The unprivileged sshd process that deals with pre-authentication network
  traffic is now subject to additional sandboxing restrictions by default:
  that is, the default sshd_config now sets UsePrivilegeSeparation to
  "sandbox" rather than "yes".  This has been the case upstream for a while,
  but until now the Debian configuration diverged unnecessarily.

 -- Colin Watson <cjwatson@debian.org>  Tue, 27 Dec 2016 18:01:46 +0000

openssh (1:7.2p1-1) unstable; urgency=medium

  OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
  default in ssh:

   * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
     rijndael-cbc aliases for AES.
   * MD5-based and truncated HMAC algorithms.

  These algorithms are already disabled by default in sshd.

 -- Colin Watson <cjwatson@debian.org>  Tue, 08 Mar 2016 11:47:20 +0000

openssh (1:7.1p1-2) unstable; urgency=medium

  OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
  cryptography.

   * Support for the legacy SSH version 1 protocol is disabled by default at
     compile time.  Note that this also means that the Cipher keyword in
     ssh_config(5) is effectively no longer usable; use Ciphers instead for
     protocol 2.  The openssh-client-ssh1 package includes "ssh1", "scp1",
     and "ssh-keygen1" binaries which you can use if you have no alternative
     way to connect to an outdated SSH1-only server; please contact the
     server administrator or system vendor in such cases and ask them to
     upgrade.
   * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
     disabled by default at run-time.  It may be re-enabled using the
     instructions at http://www.openssh.com/legacy.html
   * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
     default at run-time.  These may be re-enabled using the instructions at
     http://www.openssh.com/legacy.html
   * Support for the legacy v00 cert format has been removed.

  Future releases will retire more legacy cryptography, including:

   * Refusing all RSA keys smaller than 1024 bits (the current minimum is
     768 bits).
   * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
     all arcfour variants, and the rijndael-cbc aliases for AES.
   * MD5-based HMAC algorithms will be disabled by default.

 -- Colin Watson <cjwatson@debian.org>  Tue, 08 Dec 2015 15:33:08 +0000

openssh (1:6.9p1-1) unstable; urgency=medium

  UseDNS now defaults to 'no'.  Configurations that match against the client
  host name (via sshd_config or authorized_keys) may need to re-enable it or
  convert to matching against addresses.

 -- Colin Watson <cjwatson@debian.org>  Thu, 20 Aug 2015 10:38:58 +0100

openssh (1:6.7p1-5) unstable; urgency=medium

  openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
  a number of specific LC_FOO variables rather than the wildcard LC_*.  I
  have since been persuaded that this was a bad idea and have reverted it,
  but it is difficult to automatically undo the change to
  /etc/ssh/sshd_config without compounding the problem (that of modifying
  configuration that some users did not want to be modified) further.  Most
  users who upgraded via version 1:6.7p1-4 should restore the previous value
  of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.

 -- Colin Watson <cjwatson@debian.org>  Sun, 22 Mar 2015 23:09:32 +0000

openssh (1:5.4p1-2) unstable; urgency=low

  Smartcard support is now available using PKCS#11 tokens.  If you were
  previously using an unofficial build of Debian's OpenSSH package with
  OpenSC-based smartcard support added, then note that commands like
  'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
  /usr/lib/opensc-pkcs11.so' instead.

 -- Colin Watson <cjwatson@debian.org>  Sat, 10 Apr 2010 01:08:59 +0100

openssh (1:3.8.1p1-9) experimental; urgency=low

  The ssh package has been split into openssh-client and openssh-server. If
  you had previously requested that the sshd server should not be run, then
  that request will still be honoured. However, the recommended approach is
  now to remove the openssh-server package if you do not want to run sshd.
  You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
  that.

 -- Colin Watson <cjwatson@debian.org>  Mon,  2 Aug 2004 20:48:54 +0100

openssh (1:3.5p1-1) unstable; urgency=low

  This version of OpenSSH disables the environment option for public keys by
  default, in order to avoid certain attacks (for example, LD_PRELOAD). If
  you are using this option in an authorized_keys file, beware that the keys
  in question will no longer work until the option is removed.

  To re-enable this option, set "PermitUserEnvironment yes" in
  /etc/ssh/sshd_config after the upgrade is complete, taking note of the
  warning in the sshd_config(5) manual page.

 -- Colin Watson <cjwatson@debian.org>  Sat, 26 Oct 2002 19:41:51 +0100

openssh (1:3.0.1p1-1) unstable; urgency=high

  As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
  keys. This means the authorized_keys2 and known_hosts2 files are no longer
  needed. They will still be read in order to maintain backward
  compatibility.

 -- Matthew Vernon <matthew@debian.org>  Thu, 28 Nov 2001 17:43:01 +0000