Dear Damien,

Are there any chances that something from
https://github.com/openssh/openssh-portable/pull/253
https://github.com/openssh/openssh-portable/pull/236
will be added to the release?

On Fri, Aug 13, 2021 at 2:12 AM Damien Miller <djm@xxxxxxxxxxx> wrote:
> Hi,
>
> OpenSSH 8.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release has a mix of
> bugfixes and new features.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> directly to openssh@xxxxxxxxxxx.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Potentially-incompatible changes
> ================================
>
> This release includes a number of changes that may affect existing
> configurations:
>
> * scp(1): this release changes the behaviour of remote to remote
>   copies (e.g. "scp host-a:/path host-b:") to transfer through the
>   local host by default. This was previously available via the -3
>   flag.
>   This mode avoids the need to expose credentials on the
>   origin hop, avoids triplicate interpretation of filenames by the
>   shell (by the local system, the copy origin and the destination)
>   and, in conjunction with the SFTP support for scp(1) mentioned
>   below, allows use of all authentication methods to the remote
>   hosts (previously, only non-interactive methods could be used).
>   A -R flag has been added to select the old behaviour.
>
> * ssh(1)/sshd(8): both the client and server are now using a more
>   strict configuration file parser. The new parser uses more
>   shell-like rules for quotes, space and escape characters. It is
>   also more strict in rejecting configurations that include options
>   lacking arguments. Previously some options (e.g. DenyUsers) were
>   allowed to appear on a line with no subsequent arguments. This
>   release will reject such configurations. The new parser will also
>   reject configurations with unterminated quotes and multiple '='
>   characters after the option name.
>
> * ssh(1): when using SSHFP DNS records for host key verification,
>   ssh(1) will verify all matching records instead of just those
>   with the specific signature type requested. This may cause host
>   key verification problems if stale SSHFP records of a different
>   or legacy signature type exist alongside other records for a
>   particular host. bz#3322
>
> * ssh-keygen(1): when generating a FIDO key and specifying an
>   explicit attestation challenge (using -Ochallenge), the challenge
>   will now be hashed by the builtin security key middleware. This
>   removes the (undocumented) requirement that challenges be exactly
>   32 bytes in length and matches the expectations of libfido2.
>
> * sshd(8): environment="..." directives in authorized_keys files are
>   now first-match-wins and limited to 1024 discrete environment
>   variable names.
>
> Changes since OpenSSH 8.6
> =========================
>
> This release contains a mix of new features and bug-fixes.
>
> New features
> ------------
>
> - scp(1): experimental support for transfers using the SFTP protocol
>   as a replacement for the venerable SCP/RCP protocol that it has
>   traditionally used. SFTP offers more predictable filename handling
>   and does not require expansion of glob(3) patterns via the shell
>   on the remote side.
>
>   SFTP support may be enabled via a temporary scp -s flag. It is
>   intended for SFTP to become the default transfer mode in the
>   near future, at which time the -s flag will be removed. The -O
>   flag exists to force use of the original SCP/RCP protocol for
>   cases where SFTP may be unavailable or incompatible.
>
> - sftp-server(8): add a protocol extension to support expansion of
>   ~/ and ~user/ prefixed paths. This was added to support these
>   paths when used by scp(1) while in SFTP mode.
>
> - ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to
>   the ssh(1) -f flag. GHPR#231
>
> - ssh(1): add a StdinNull directive to ssh_config(5) that allows the
>   config file to do the same thing as -n does on the ssh(1) command-
>   line. GHPR#231
>
> - ssh(1): add a SessionType directive to ssh_config, allowing the
>   configuration file to offer equivalent control to the -N (no
>   session) and -s (subsystem) command-line flags. GHPR#231
>
> - ssh-keygen(1): let allowed signers files used by ssh-keygen(1)
>   signatures support key lifetimes, and allow the verification mode to
>   specify a signature time to check at. This is intended for use by
>   git to support signing objects using ssh keys.
>
> - ssh-keygen(8): support printing of the full public key in a sshsig
>   signature via a -Oprint-pubkey flag.
>
> Bugfixes
> --------
>
> * ssh(1)/sshd(8): start time-based re-keying exactly on schedule in
>   the client and server mainloops. Previously the re-key timeout
>   could expire but re-keying would not start until a packet was sent
>   or received, causing a spin in select() if the connection was
>   quiescent.
>
> * ssh-keygen(1): avoid Y2038 problem in printing certificate
>   validity lifetimes. Dates past 2^31-1 seconds since epoch were
>   displayed incorrectly on some platforms. bz#3329
>
> * scp(1): allow spaces to appear in usernames for local to remote
>   and scp -3 remote to remote copies. bz#1164
>
> * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
>   in favour of KbdInteractiveAuthentication. The former is what was in
>   SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
>   treated as somewhat but not entirely equivalent. We retain the old
>   name as a deprecated alias so configuration files continue to work
>   as well as a reference in the man page for people looking for it.
>   bz#3303
>
> * ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name
>   when extracting a key from a PKCS#11 certificate. bz#3327
>
> * ssh(1): restore blocking status on stdio fds before close. ssh(1)
>   needs file descriptors in non-blocking mode to operate but it was
>   not restoring the original state on exit. This could cause
>   problems with fds shared with other programs via the shell.
>   bz#3280 and GHPR#246
>
> * ssh(1)/sshd(8): switch both client and server mainloops from
>   select(3) to pselect(3). Avoids race conditions where a signal
>   may arrive immediately before select(3) and not be processed until
>   an event fires. bz#2158
>
> * ssh(1): sessions started with ControlPersist were incorrectly
>   executing a shell when the -N (no shell) option was specified.
>   bz#3290
>
> * ssh(1): check if IPQoS or TunnelDevice are already set before
>   overriding. Prevents values in config files from overriding values
>   supplied on the command line. bz#3319
>
> * ssh(1): fix debug message when finding a private key to match a
>   certificate being attempted for user authentication. Previously it
>   would print the certificate's path, whereas it was supposed to be
>   showing the private key's path.
>   GHPR#247
>
> * sshd(8): match host certificates against host public keys, not
>   private keys. Allows use of certificates with private keys held in
>   a ssh-agent. bz#3524
>
> * ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which
>   allows RSA/SHA2 signatures for public key authentication but fails
>   to advertise this correctly via SSH2_MSG_EXT_INFO. This causes
>   clients of these servers to incorrectly match
>   PubkeyAcceptedAlgorithms and potentially refuse to offer valid
>   keys. bz#3213
>
> * sftp(1)/scp(1): degrade gracefully if a sftp-server offers the
>   limits@xxxxxxxxxxx extension but fails when the client tries to
>   invoke it. bz#3318
>
> * ssh(1): allow ssh_config SetEnv to override $TERM, which is
>   otherwise handled specially by the protocol. Useful in ~/.ssh/config
>   to set TERM to something generic (e.g. "xterm" instead of
>   "xterm-256color") for destinations that lack terminfo entries.
>
> * sftp-server(8): the limits@xxxxxxxxxxx extension was incorrectly
>   marked as an operation that writes to the filesystem, which made it
>   unavailable in sftp-server read-only mode. bz#3318
>
> * ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when
>   the update removed more host keys than remain present.
>
> * many manual page fixes.
>
> Portability
> -----------
>
> * ssh(1): move closefrom() to before first malloc. When built against
>   tcmalloc, the closefrom() would stomp on file descriptors created
>   for tcmalloc's internal use. bz#3321
>
> * sshd(8): handle GIDs > 2^31 in getgrouplist. When compiled in 32bit
>   mode, the getgrouplist implementation may fail for GIDs greater than
>   LONG_MAX.
>
> * ssh(1): xstrdup environment variable used by ForwardAgent.
>   bz#3328
>
> * sshd(8): don't sigdie() in signal handler in privsep child process;
>   this can end up causing sandbox violations per bz3286
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>

--
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
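The quoted announcement warns that the stricter 8.7 configuration parser rejects options with no arguments, unterminated quotes, and more than one '=' after an option name, all of which older releases tolerated. A pre-upgrade check that flags exactly those three conditions in an existing ssh_config or sshd_config is shown below. This is an added example and not part of the announcement or of OpenSSH itself; it assumes that Python's shlex quoting rules are close enough to the new "shell-like" tokenizer to catch unterminated quotes, and the sample configuration is constructed, not taken from any real host.

```python
"""Pre-upgrade lint for ssh_config / sshd_config against the three rules
the OpenSSH 8.7 announcement names for its stricter parser.

Added example; the quoting model (shlex) is an approximation of the real
OpenSSH tokenizer, not the tokenizer itself.
"""
import re
import shlex

# Option names are plain alphanumeric words ("Port", "PermitRootLogin", ...).
OPTION_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(.*)$")


def check_config_line(line: str) -> list[str]:
    """Return the problems the 8.7 rules would raise for a single line.

    Modelled rules: option with no arguments, unterminated quote, and
    multiple '=' characters between the option name and its value.
    """
    problems: list[str] = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return problems  # blank lines and comments are always accepted

    m = OPTION_RE.match(stripped)
    if not m:
        return [f"cannot parse option name in: {stripped!r}"]
    option, rest = m.group(1), m.group(2).lstrip()

    # OpenSSH accepts "Option value", "Option=value" and "Option = value".
    # Count the leading '=' separators so that "Option==value" is caught;
    # '=' inside a value (e.g. SetEnv FOO=bar) is left alone.
    equals = 0
    while rest.startswith("="):
        equals += 1
        rest = rest[1:].lstrip()
    if equals > 1:
        problems.append(f"{option}: multiple '=' after option name")

    # shlex raises ValueError on an unbalanced quote (assumption: close
    # enough to the new shell-like quoting rules for a pre-flight check).
    try:
        args = shlex.split(rest)
    except ValueError:
        problems.append(f"{option}: unterminated quote")
        return problems

    if not args:
        problems.append(f"{option}: option has no arguments")
    return problems


def lint_config(text: str) -> list[tuple[int, str]]:
    """Run check_config_line over a whole file; return (line number, problem)."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for problem in check_config_line(line):
            findings.append((lineno, problem))
    return findings


# Constructed sshd_config fragment: three lines an 8.6 server accepted
# silently but the 8.7 parser rejects.
SAMPLE_CONFIG = """\
# constructed example, not a real host's configuration
Port 22
PermitRootLogin = no
DenyUsers
Banner "/etc/issue.net
Ciphers==aes256-gcm@openssh.com
"""

if __name__ == "__main__":
    for lineno, problem in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {problem}")
```

Run it against a copy of the live file before upgrading (`lint_config(open("/etc/ssh/sshd_config").read())`); anything it reports is a line the new parser will refuse, so the daemon would fail to start until the line is fixed. Lines that pass are not guaranteed to parse identically, since the real tokenizer's escape handling is only approximated here.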