Openssh-7.0 is dead. Long live openssh-7.1 [1]

TL;DR version: The last release went out too fast and upstream missed a bug
in PermitRootLogin=prohibit-password, so another release was rolled out.
Basically there is nothing more than bugfixes in it, so just don't be
surprised that Fedora 23 will probably come with version 7.1 instead of
the announced 7.0.

The new bodhi update can be found here [2].

[1] http://www.openssh.com/txt/release-7.1
[2] https://bodhi.fedoraproject.org/updates/openssh-7.1p1-1.fc23

On 08/13/2015 06:41 PM, Jakub Jelen wrote:

Hi folks,

this is an announcement that the-new-hotness version of openssh is baked
and ready to reach Fedora 23. As some of you noticed, upstream is
pushing a few important changes in this version:

1) Disable SSHv1 at compile time. Yes. It is time to say hello to this
protocol and move on. I heard your voices that some people need to
use the clients to connect to old hardware, so after discussion we came
up with a solution: we will ship these clients with SSHv1 enabled in a
sub-package called openssh-clients-ssh1, which contains only two
binaries, ssh1, ssh-keygen1 and scp1, just for the people in need.
With the default tools you should not be able to connect to SSHv1-only
servers.

2) PermitRootLogin=prohibit-password is the upstream default. I am not
going to revert this change as I did in openssh-6.9, which landed in
Fedora 22, after all the discussion about this topic and with bz89216.
I changed only the default value in sshd_config. This means two things: 1)
You are still able to log in as root with a clean Fedora 23 install. 2)
If you update from previous versions and you have modified
this file, you need to take care of this on your own!

3) Disabling at run-time the key exchange algorithm
diffie-hellman-group1-sha1 and the key/cert algorithms ssh-dss,
ssh-dss-cert-*. This can also be a problem when connecting to older
systems or with older keys, but upstream prepared a new feature that will
help with this issue and a special page [1] describing how to simply
enable these algorithms if you really need to for a specific connection
or host.

4) And of course some security fixes that were found since the last
release are packaged. You can find a description in the release notes
and in CVE-2015-5600.

You can find the whole release notes on the upstream website [2] and the
update for Fedora 23 is in bodhi [3].

I hope everything will work for you with the new version and if not,
feel free to file a bug or discuss issues in this thread.

[1] http://www.openssh.com/legacy.html
[2] http://www.openssh.com/txt/release-7.0
[3] https://admin.fedoraproject.org/updates/openssh-7.0p1-1.fc23

Best regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
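
Added example, not part of the original message and not Fedora or OpenSSH code: a shell helper for the upgrade case in point 2, reporting which global PermitRootLogin value a given sshd_config yields. It assumes the compiled-in default is prohibit-password, as the message states for 7.0; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): effective global PermitRootLogin of an
# sshd_config. Assumes the compiled-in default is prohibit-password (7.0+).

effective_root_login() {            # $1 = path to an sshd_config file
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            gsub(/"/, "")                   # drop optional quoting
            sub(/=/, " ")                   # accept the Keyword=value form
            key = tolower($1)               # keywords are case-insensitive
            if (key == "match") exit        # global section ends at first Match
            if (key == "permitrootlogin" && NF >= 2) {
                print tolower($2); found = 1; exit   # first value obtained wins
            }
        }
        END { if (!found) print "prohibit-password" }   # assumed built-in default
    ' "$1"
}

# Succeeds (exit 0) only when root can still authenticate with a password.
root_password_login_allowed() {
    [ "$(effective_root_login "$1")" = "yes" ]
}

# Constructed sample configs: directive set explicitly, a locally modified
# file with the directive commented out, and a file that only sets it
# inside a Match block.
demo_dir=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\n' > "$demo_dir/explicit"
printf 'Port 22\n#PermitRootLogin yes\nUsePAM yes\n' > "$demo_dir/modified"
printf 'Port 22\nMatch Address 192.0.2.0/24\n  PermitRootLogin yes\n' > "$demo_dir/match_only"

for f in explicit modified match_only; do
    printf '%-11s %s\n' "$f" "$(effective_root_login "$demo_dir/$f")"
done
```

On a live system, `sshd -T` prints the configuration the daemon actually resolves, including Match handling that this helper deliberately leaves out.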