On Fri, 2014-01-17 at 11:26 +1100, Damien Miller wrote: > Hi, > > OpenSSH 6.5 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This release contains > some substantial new features and a number of bugfixes. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via anonymous CVS using the > instructions at http://www.openssh.com/portable.html#cvs or > via Mercurial at http://hg.mindrot.org/openssh > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also > appreciated. Please send reports of success or failure to > openssh-unix-dev at mindrot.org. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Changes since OpenSSH 6.4 > ========================= > > This is a feature-focused release. > > New features: > > * ssh(1), sshd(8): Add support for key exchange using elliptic-curve > Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange > method is the default when both the client and server support it. > > * ssh(1), sshd(8): Add support for Ed25519 as a public key type. > Ed25519 is a elliptic curve signature scheme that offers > better security than ECDSA and DSA and good performance. It may be > used for both user and host keys. > > * Add a new private key format that uses a bcrypt KDF to better > protect keys at rest. This format is used unconditionally for > Ed25519 keys, but may be requested when generating or saving > existing keys of other types via the -o ssh-keygen(1) option. > We intend to make the new format the default in the near future. > Details of the new format are in the PROTOCOL.key file. > > * ssh(1), sshd(8): Add a new transport cipher > "chacha20-poly1305 at openssh.com" that combines Daniel Bernstein's > ChaCha20 stream cipher and Poly1305 MAC to build an authenticated > encryption mode. Details are in the PROTOCOL.chacha20poly1305 file. > > * ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and > servers that use the obsolete RSA+MD5 signature scheme. It will > still be possible to connect with these clients/servers but only > DSA keys will be accepted, and OpenSSH will refuse connection > entirely in a future release. > > * ssh(1), sshd(8): Refuse old proprietary clients and servers that > use a weaker key exchange hash calculation. > > * ssh(1): Increase the size of the Diffie-Hellman groups requested > for each symmetric key size. New values from NIST Special > Publication 800-57 with the upper limit specified by RFC4419 > > * ssh(1), ssh-agent(1): Support pkcs#11 tokes that only provide > X.509 certs instead of raw public keys (requested as bz#1908). > > * ssh(1): Add a ssh_config(5) "Match" keyword that allows > conditional configuration to be applied by matching on hostname, > user and result of arbitrary commands. > > * ssh(1): Add support for client-side hostname canonicalisation > using a set of DNS suffixes and rules in ssh_config(5). This > allows unqualified names to be canonicalised to fully-qualified > domain names to eliminate ambiguity when looking up keys in > known_hosts or checking host certificate names. > > * sftp-server(8): Add the ability to whitelist and/or blacklist sftp > protocol requests by name. > > * sftp-server(8): Add a sftp "fsync at openssh.com" to support calling > fsync(2) on an open file handle. > > * sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation, > mirroring the longstanding no-pty authorized_keys option. > > * ssh(1): Add a ssh_config ProxyUseFDPass option that supports the > use of ProxyCommands that establish a connection and then pass a > connected file descriptor back to ssh(1). This allows the > ProxyCommand to exit rather than staying around to transfer data. > > Bugfixes: > > * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested > certificates. > > * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort. > > * sftp(1): bz#2137: fix the progress meter for resumed transfer. > > * ssh-add(1): bz#2187: do not request smartcard PIN when removing > keys from ssh-agent. > > * sshd(8): bz#2139: fix re-exec fallback when original sshd binary > cannot be executed. > > * ssh-keygen(1): Make relative-specified certificate expiry times > relative to current time and not the validity start time. > > * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block. > > * sftp(1): bz#2129: symlinking a file would incorrectly canonicalise > the target path. > > * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent > helper executable. > > * sshd(8): Improve logging of sessions to include the user name, > remote host and port, the session type (shell, command, etc.) and > allocated TTY (if any). > > * sshd(8): bz#1297: tell the client (via a debug message) when > their preferred listen address has been overridden by the > server's GatewayPorts setting. > > * sshd(8): bz#2162: include report port in bad protocol banner > message. > > * sftp(1): bz#2163: fix memory leak in error path in do_readdir() > > * sftp(1): bz#2171: don't leak file descriptor on error. > > * sshd(8): Include the local address and port in "Connection from > ..." message (only shown at loglevel>=verbose) > > Portable OpenSSH: > > * Switch to a ChaCha20-based arc4random() PRNG for platforms that do > not provide their own. > > * sshd(8): bz#2156: restore Linux oom_adj setting when handling > SIGHUP to maintain behaviour over retart. > > * sshd(8): bz#2032: use local username in krb5_kuserok check rather > than full client name which may be of form user at REALM. > > * ssh(1), sshd(8): Test for both the presence of ECC NID numbers in > OpenSSL and that they actually work. Fedora (at least) has > NID_secp521r1 that doesn't work. > > * bz#2173: use pkg-config --libs to include correct -L location for > libedit. > > Reporting Bugs: > =============== > > - Please read http://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, > Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and > Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev Salutations, Tested 1/23/2014 snapshot on Arch Linux 64-bit with following configure options: ./configure \ --prefix=/usr \ --sbindir=/usr/bin \ --libexecdir=/usr/lib/ssh \ --sysconfdir=/etc/ssh \ --with-ldns \ --with-libedit \ --with-ssl-engine \ --with-pam \ --with-privsep-user=nobody \ --with-kerberos5=/usr \ --with-xauth=/usr/bin/xauth \ --with-mantype=man \ --with-md5-passwords \ --with-pid-dir=/run \ Passed all tests. Regards, Mark -- Mark E. Lee <mark at markelee.com> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: This is a digitally signed message part URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140122/8a8aac61/attachment-0001.bin>