diff options
Diffstat (limited to 'debian/NEWS')
| -rw-r--r-- | debian/NEWS | 523 |
1 files changed, 523 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..9afbcb2 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,523 @@ +openssh (1:9.2p1-1) unstable; urgency=medium + + OpenSSH 9.2 includes a number of changes that may affect existing + configurations: + + * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that + controls whether the client-side ~C escape sequence that provides a + command-line is available. Among other things, the ~C command-line + could be used to add additional port-forwards at runtime. + + This option defaults to "no", disabling the ~C command-line that was + previously enabled by default. Turning off the command-line allows + platforms that support sandboxing of the ssh(1) client (currently only + OpenBSD) to use a stricter default sandbox policy. + + -- Colin Watson <cjwatson@debian.org> Wed, 08 Feb 2023 10:36:06 +0000 + +openssh (1:9.1p1-1) unstable; urgency=medium + + OpenSSH 9.1 includes a number of changes that may affect existing + configurations: + + * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are + now first-match-wins to match other directives. Previously if an + environment variable was multiply specified the last set value would + have been used. + + * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will + no longer generate DSA keys, as these are insecure and have not been + used by default for some years. + + -- Colin Watson <cjwatson@debian.org> Mon, 14 Nov 2022 16:35:59 +0000 + +openssh (1:9.0p1-1) unstable; urgency=medium + + OpenSSH 9.0 includes a number of changes that may affect existing + configurations: + + * This release switches scp(1) from using the legacy scp/rcp protocol to + using the SFTP protocol by default. + + Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. + "scp host:* .") through the remote shell. This has the side effect of + requiring double quoting of shell meta-characters in file names + included on scp(1) command-lines, otherwise they could be interpreted + as shell commands on the remote side. + + This creates one area of potential incompatibility: scp(1) when using + the SFTP protocol no longer requires this finicky and brittle quoting, + and attempts to use it may cause transfers to fail. We consider the + removal of the need for double-quoting shell characters in file names + to be a benefit and do not intend to introduce bug-compatibility for + legacy scp/rcp in scp(1) when using the SFTP protocol. + + Another area of potential incompatibility relates to the use of remote + paths relative to other user's home directories, for example - "scp + host:~user/file /tmp". The SFTP protocol has no native way to expand a + ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a + protocol extension "expand-path@openssh.com" to support this. + + In case of incompatibility, the scp(1) client may be instructed to use + the legacy scp/rcp using the -O flag. + + -- Colin Watson <cjwatson@debian.org> Sat, 09 Apr 2022 14:14:10 +0100 + +openssh (1:8.8p1-1) unstable; urgency=medium + + OpenSSH 8.8 includes a number of changes that may affect existing + configurations: + + * This release disables RSA signatures using the SHA-1 hash algorithm by + default. This change has been made as the SHA-1 hash algorithm is + cryptographically broken, and it is possible to create chosen-prefix + hash collisions for <USD$50K. + + For most users, this change should be invisible and there is no need to + replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 + signatures since release 7.2 and existing ssh-rsa keys will + automatically use the stronger algorithm where possible. + + Incompatibility is more likely when connecting to older SSH + implementations that have not been upgraded or have not closely tracked + improvements in the SSH protocol. For these cases, it may be necessary + to selectively re-enable RSA/SHA1 to allow connection and/or user + authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms + options. For example, the following stanza in ~/.ssh/config will enable + RSA/SHA1 for host and user authentication for a single destination + host: + + Host old-host + HostkeyAlgorithms +ssh-rsa + PubkeyAcceptedAlgorithms +ssh-rsa + + We recommend enabling RSA/SHA1 only as a stopgap measure until legacy + implementations can be upgraded or reconfigured with another key type + (such as ECDSA or Ed25519). + + -- Colin Watson <cjwatson@debian.org> Tue, 15 Feb 2022 19:20:21 +0000 + +openssh (1:8.7p1-1) unstable; urgency=medium + + OpenSSH 8.7 includes a number of changes that may affect existing + configurations: + + * scp(1): this release changes the behaviour of remote to remote copies + (e.g. "scp host-a:/path host-b:") to transfer through the local host by + default. This was previously available via the -3 flag. This mode + avoids the need to expose credentials on the origin hop, avoids + triplicate interpretation of filenames by the shell (by the local + system, the copy origin and the destination) and, in conjunction with + the SFTP support for scp(1) mentioned below, allows use of all + authentication methods to the remote hosts (previously, only + non-interactive methods could be used). A -R flag has been added to + select the old behaviour. + + * ssh(1)/sshd(8): both the client and server are now using a stricter + configuration file parser. The new parser uses more shell-like rules + for quotes, space and escape characters. It is also more strict in + rejecting configurations that include options lacking arguments. + Previously some options (e.g. DenyUsers) could appear on a line with no + subsequent arguments. This release will reject such configurations. The + new parser will also reject configurations with unterminated quotes and + multiple '=' characters after the option name. + + * ssh(1): when using SSHFP DNS records for host key verification, ssh(1) + will verify all matching records instead of just those with the + specific signature type requested. This may cause host key verification + problems if stale SSHFP records of a different or legacy signature type + exist alongside other records for a particular host. bz#3322 + + * ssh-keygen(1): when generating a FIDO key and specifying an explicit + attestation challenge (using -Ochallenge), the challenge will now be + hashed by the builtin security key middleware. This removes the + (undocumented) requirement that challenges be exactly 32 bytes in + length and matches the expectations of libfido2. + + * sshd(8): environment="..." directives in authorized_keys files are now + first-match-wins and limited to 1024 discrete environment variable + names. + + OpenSSH 8.5 includes a number of changes that may affect existing + configurations: + + * ssh(1), sshd(8): this release changes the first-preference signature + algorithm from ECDSA to ED25519. + + * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for + interactive use prior to TCP connect. The connection phase of the SSH + session is time-sensitive and often explicitly interactive. The + ultimate interactive/bulk TOS/DSCP will be set after authentication + completes. + + * ssh(1), sshd(8): remove the pre-standardization cipher + rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it + was standardized in RFC4253 (2006), has been deprecated and disabled by + default since OpenSSH 7.2 (2016) and was only briefly documented in + ssh.1 in 2001. + + * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid + key exchange method based on Streamlined NTRU Prime coupled with + X25519. + + The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced + with sntrup761x25519-sha512@openssh.com. Per its designers, the + sntrup4591761 algorithm was superseded almost two years ago by + sntrup761. + + (note this both the updated method and the one that it replaced are + disabled by default) + + * ssh(1): disable CheckHostIP by default. It provides insignificant + benefits while making key rotation significantly more difficult, + especially for hosts behind IP-based load-balancers. + + -- Colin Watson <cjwatson@debian.org> Sat, 06 Nov 2021 12:23:47 +0000 + +openssh (1:8.4p1-1) unstable; urgency=medium + + OpenSSH 8.4 includes a number of changes that may affect existing + configurations: + + * ssh-keygen(1): the format of the attestation information optionally + recorded when a FIDO key is generated has changed. It now includes the + authenticator data needed to validate attestation signatures. + + * The API between OpenSSH and the FIDO token middleware has changed and + the SSH_SK_VERSION_MAJOR version has been incremented as a result. + Third-party middleware libraries must support the current API version + (7) to work with OpenSSH 8.4. + + -- Colin Watson <cjwatson@debian.org> Sun, 18 Oct 2020 12:07:48 +0100 + +openssh (1:8.3p1-1) unstable; urgency=medium + + OpenSSH 8.3 includes a number of changes that may affect existing + configurations: + + * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1) + do instead of accepting and silently ignoring it. + + -- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 13:44:04 +0100 + +openssh (1:8.2p1-1) unstable; urgency=medium + + OpenSSH 8.2 includes a number of changes that may affect existing + configurations: + + * ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa" + (RSA/SHA1) algorithm from those accepted for certificate signatures + (i.e. the client and server CASignatureAlgorithms option) and will use + the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) + CA signs new certificates. + + Certificates are at special risk to SHA1 collision vulnerabilities as + an attacker has effectively unlimited time in which to craft a + collision that yields them a valid certificate, far more than the + relatively brief LoginGraceTime window that they have to forge a host + key signature. + + The OpenSSH certificate format includes a CA-specified (typically + random) nonce value near the start of the certificate that should make + exploitation of chosen-prefix collisions in this context challenging, + as the attacker does not have full control over the prefix that + actually gets signed. Nonetheless, SHA1 is now a demonstrably broken + algorithm and further improvements in attacks are highly likely. + + OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2 + algorithms and will refuse to accept certificates signed by an OpenSSH + 8.2+ CA using RSA keys unless the unsafe algorithm is explicitly + selected during signing ("ssh-keygen -t ssh-rsa"). Older + clients/servers may use another CA key type such as ssh-ed25519 + (supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521 + types (supported since OpenSSH 5.7) instead if they cannot be upgraded. + + * ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default + key exchange proposal for both the client and server. + + * ssh-keygen(1): The command-line options related to the generation and + screening of safe prime numbers used by the + diffie-hellman-group-exchange-* key exchange algorithms have changed. + Most options have been folded under the -O flag. + + * sshd(8): The sshd listener process title visible to ps(1) has changed + to include information about the number of connections that are + currently attempting authentication and the limits configured by + MaxStartups. + + -- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 16:36:37 +0000 + +openssh (1:8.1p1-1) unstable; urgency=medium + + OpenSSH 8.1 includes a number of changes that may affect existing + configurations: + + * ssh-keygen(1): when acting as a CA and signing certificates with an RSA + key, default to using the rsa-sha2-512 signature algorithm. + Certificates signed by RSA keys will therefore be incompatible with + OpenSSH versions prior to 7.2 unless the default is overridden (using + "ssh-keygen -t ssh-rsa -s ..."). + + -- Colin Watson <cjwatson@debian.org> Thu, 10 Oct 2019 10:23:19 +0100 + +openssh (1:8.0p1-1) experimental; urgency=medium + + OpenSSH 8.0 includes a number of changes that may affect existing + configurations: + + * sshd(8): Remove support for obsolete "host/port" syntax. + Slash-separated host/port was added in 2001 as an alternative to + host:port syntax for the benefit of IPv6 users. These days there are + established standards for this like [::1]:22 and the slash syntax is + easily mistaken for CIDR notation, which OpenSSH supports for some + things. Remove the slash notation from ListenAddress and PermitOpen. + + -- Colin Watson <cjwatson@debian.org> Sun, 09 Jun 2019 22:47:27 +0100 + +openssh (1:7.9p1-1) unstable; urgency=medium + + OpenSSH 7.9 includes a number of changes that may affect existing + configurations: + + * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option + bans the use of DSA keys as certificate authorities. + * sshd(8): the authentication success/failure log message has changed + format slightly. It now includes the certificate fingerprint + (previously it included only key ID and CA key fingerprint). + + -- Colin Watson <cjwatson@debian.org> Sun, 21 Oct 2018 10:39:24 +0100 + +openssh (1:7.8p1-1) unstable; urgency=medium + + OpenSSH 7.8 includes a number of changes that may affect existing + configurations: + + * ssh-keygen(1): Write OpenSSH format private keys by default instead of + using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH + releases since 2014 and described in the PROTOCOL.key file in the + source distribution, offers substantially better protection against + offline password guessing and supports key comments in private keys. + If necessary, it is possible to write old PEM-style keys by adding "-m + PEM" to ssh-keygen's arguments when generating or updating a key. + * sshd(8): Remove internal support for S/Key multiple factor + authentication. S/Key may still be used via PAM or BSD auth. + * ssh(1): Remove vestigial support for running ssh(1) as setuid. This + used to be required for hostbased authentication and the (long gone) + rhosts-style authentication, but has not been necessary for a long + time. Attempting to execute ssh as a setuid binary, or with uid != + effective uid will now yield a fatal error at runtime. + * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar + HostbasedAcceptedKeyTypes options have changed. These now specify + signature algorithms that are accepted for their respective + authentication mechanism, where previously they specified accepted key + types. This distinction matters when using the RSA/SHA2 signature + algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate + counterparts. Configurations that override these options but omit + these algorithm names may cause unexpected authentication failures (no + action is required for configurations that accept the default for these + options). + * sshd(8): The precedence of session environment variables has changed. + ~/.ssh/environment and environment="..." options in authorized_keys + files can no longer override SSH_* variables set implicitly by sshd. + * ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They + will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a + detailed rationale, please see the commit message: + https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284 + + -- Colin Watson <cjwatson@debian.org> Thu, 30 Aug 2018 15:35:27 +0100 + +openssh (1:7.6p1-1) unstable; urgency=medium + + OpenSSH 7.6 includes a number of changes that may affect existing + configurations: + + * ssh(1): Delete SSH protocol version 1 support, associated configuration + options and documentation. + * ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC. + * ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST + ciphers. + * Refuse RSA keys <1024 bits in length and improve reporting for keys + that do not meet this requirement. + * ssh(1): Do not offer CBC ciphers by default. + + -- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 12:36:48 +0100 + +openssh (1:7.5p1-1) experimental; urgency=medium + + OpenSSH 7.5 includes a number of changes that may affect existing + configurations: + + * This release deprecates the sshd_config UsePrivilegeSeparation option, + thereby making privilege separation mandatory. + + * The format of several log messages emitted by the packet code has + changed to include additional information about the user and their + authentication state. Software that monitors ssh/sshd logs may need to + account for these changes. For example: + + Connection closed by user x 1.1.1.1 port 1234 [preauth] + Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] + Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] + + Affected messages include connection closure, timeout, remote + disconnection, negotiation failure and some other fatal messages + generated by the packet code. + + -- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 02:58:01 +0100 + +openssh (1:7.4p1-7) unstable; urgency=medium + + This version restores the default for AuthorizedKeysFile to search both + ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in + Debian configurations before 1:7.4p1-1. Upstream intends to phase out + searching ~/.ssh/authorized_keys2 by default, so you should ensure that + you are only using ~/.ssh/authorized_keys, at least for critical + administrative access; do not assume that the current default will remain + in place forever. + + -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000 + +openssh (1:7.4p1-1) unstable; urgency=medium + + OpenSSH 7.4 includes a number of changes that may affect existing + configurations: + + * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit + block ciphers are not safe in 2016 and we don't want to wait until + attacks like SWEET32 are extended to SSH. As 3des-cbc was the only + mandatory cipher in the SSH RFCs, this may cause problems connecting to + older devices using the default configuration, but it's highly likely + that such devices already need explicit configuration for key exchange + and hostkey algorithms already anyway. + * sshd(8): Remove support for pre-authentication compression. Doing + compression early in the protocol probably seemed reasonable in the + 1990s, but today it's clearly a bad idea in terms of both cryptography + (cf. multiple compression oracle attacks in TLS) and attack surface. + Pre-auth compression support has been disabled by default for >10 + years. Support remains in the client. + * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of + trusted paths by default. The path whitelist may be specified at + run-time. + * sshd(8): When a forced-command appears in both a certificate and an + authorized keys/principals command= restriction, sshd will now refuse + to accept the certificate unless they are identical. The previous + (documented) behaviour of having the certificate forced-command + override the other could be a bit confusing and error-prone. + * sshd(8): Remove the UseLogin configuration directive and support for + having /bin/login manage login sessions. + + The unprivileged sshd process that deals with pre-authentication network + traffic is now subject to additional sandboxing restrictions by default: + that is, the default sshd_config now sets UsePrivilegeSeparation to + "sandbox" rather than "yes". This has been the case upstream for a while, + but until now the Debian configuration diverged unnecessarily. + + -- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000 + +openssh (1:7.2p1-1) unstable; urgency=medium + + OpenSSH 7.2 disables a number of legacy cryptographic algorithms by + default in ssh: + + * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the + rijndael-cbc aliases for AES. + * MD5-based and truncated HMAC algorithms. + + These algorithms are already disabled by default in sshd. + + -- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000 + +openssh (1:7.1p1-2) unstable; urgency=medium + + OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe + cryptography. + + * Support for the legacy SSH version 1 protocol is disabled by default at + compile time. Note that this also means that the Cipher keyword in + ssh_config(5) is effectively no longer usable; use Ciphers instead for + protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1", + and "ssh-keygen1" binaries which you can use if you have no alternative + way to connect to an outdated SSH1-only server; please contact the + server administrator or system vendor in such cases and ask them to + upgrade. + * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is + disabled by default at run-time. It may be re-enabled using the + instructions at http://www.openssh.com/legacy.html + * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by + default at run-time. These may be re-enabled using the instructions at + http://www.openssh.com/legacy.html + * Support for the legacy v00 cert format has been removed. + + Future releases will retire more legacy cryptography, including: + + * Refusing all RSA keys smaller than 1024 bits (the current minimum is + 768 bits). + * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, + all arcfour variants, and the rijndael-cbc aliases for AES. + * MD5-based HMAC algorithms will be disabled by default. + + -- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000 + +openssh (1:6.9p1-1) unstable; urgency=medium + + UseDNS now defaults to 'no'. Configurations that match against the client + host name (via sshd_config or authorized_keys) may need to re-enable it or + convert to matching against addresses. + + -- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100 + +openssh (1:6.7p1-5) unstable; urgency=medium + + openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list + a number of specific LC_FOO variables rather than the wildcard LC_*. I + have since been persuaded that this was a bad idea and have reverted it, + but it is difficult to automatically undo the change to + /etc/ssh/sshd_config without compounding the problem (that of modifying + configuration that some users did not want to be modified) further. Most + users who upgraded via version 1:6.7p1-4 should restore the previous value + of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config. + + -- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000 + +openssh (1:5.4p1-2) unstable; urgency=low + + Smartcard support is now available using PKCS#11 tokens. If you were + previously using an unofficial build of Debian's OpenSSH package with + OpenSC-based smartcard support added, then note that commands like + 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s + /usr/lib/opensc-pkcs11.so' instead. + + -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100 + +openssh (1:3.8.1p1-9) experimental; urgency=low + + The ssh package has been split into openssh-client and openssh-server. If + you had previously requested that the sshd server should not be run, then + that request will still be honoured. However, the recommended approach is + now to remove the openssh-server package if you do not want to run sshd. + You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing + that. + + -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100 + +openssh (1:3.5p1-1) unstable; urgency=low + + This version of OpenSSH disables the environment option for public keys by + default, in order to avoid certain attacks (for example, LD_PRELOAD). If + you are using this option in an authorized_keys file, beware that the keys + in question will no longer work until the option is removed. + + To re-enable this option, set "PermitUserEnvironment yes" in + /etc/ssh/sshd_config after the upgrade is complete, taking note of the + warning in the sshd_config(5) manual page. + + -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100 + +openssh (1:3.0.1p1-1) unstable; urgency=high + + As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2 + keys. This means the authorized_keys2 and known_hosts2 files are no longer + needed. They will still be read in order to maintain backward + compatibility. + + -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000 |