openssh 1:7.8p1-1 source package in Debian

Changelog

openssh (1:7.8p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/txt/release-7.8, closes:
    #907534):
    - ssh-keygen(1): Write OpenSSH format private keys by default instead of
      using OpenSSL's PEM format (closes: #905407).  The OpenSSH format,
      supported in OpenSSH releases since 2014 and described in the
      PROTOCOL.key file in the source distribution, offers substantially
      better protection against offline password guessing and supports key
      comments in private keys.  If necessary, it is possible to write old
      PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when
      generating or updating a key.
    - sshd(8): Remove internal support for S/Key multiple factor
      authentication.  S/Key may still be used via PAM or BSD auth.
    - ssh(1): Remove vestigial support for running ssh(1) as setuid.  This
      used to be required for hostbased authentication and the (long gone)
      rhosts-style authentication, but has not been necessary for a long
      time.  Attempting to execute ssh as a setuid binary, or with uid !=
      effective uid will now yield a fatal error at runtime.
    - sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
      HostbasedAcceptedKeyTypes options have changed.  These now specify
      signature algorithms that are accepted for their respective
      authentication mechanism, where previously they specified accepted key
      types.  This distinction matters when using the RSA/SHA2 signature
      algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
      counterparts.  Configurations that override these options but omit
      these algorithm names may cause unexpected authentication failures (no
      action is required for configurations that accept the default for
      these options).
    - sshd(8): The precedence of session environment variables has changed.
      ~/.ssh/environment and environment="..." options in authorized_keys
      files can no longer override SSH_* variables set implicitly by sshd.
    - ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed.  They
      will now use DSCP AF21 for interactive traffic and CS1 for bulk.  For
      a detailed rationale, please see the commit message:
      https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
    - ssh(1)/sshd(8): Add new signature algorithms "rsa-sha2-256-cert-
      <email address hidden>" and "<email address hidden>" to explicitly
      force use of RSA/SHA2 signatures in authentication.
    - sshd(8): Extend the PermitUserEnvironment option to accept a whitelist
      of environment variable names in addition to global "yes" or "no"
      settings.
    - sshd(8): Add a PermitListen directive to sshd_config(5) and a
      corresponding permitlisten= authorized_keys option that control which
      listen addresses and port numbers may be used by remote forwarding
      (ssh -R ...).
    - sshd(8): Add some countermeasures against timing attacks used for
      account validation/enumeration.  sshd will enforce a minimum time or
      each failed authentication attempt consisting of a global 5ms minimum
      plus an additional per-user 0-4ms delay derived from a host secret.
    - sshd(8): Add a SetEnv directive to allow an administrator to
      explicitly specify environment variables in sshd_config.  Variables
      set by SetEnv override the default and client-specified environment.
    - ssh(1): Add a SetEnv directive to request that the server sets an
      environment variable in the session.  Similar to the existing SendEnv
      option, these variables are set subject to server configuration.
    - ssh(1): Allow "SendEnv -PATTERN" to clear environment variables
      previously marked for sending to the server (closes: #573316).
    - ssh(1)/sshd(8): Make UID available as a %-expansion everywhere that
      the username is available currently.
    - ssh(1): Allow setting ProxyJump=none to disable ProxyJump
      functionality.
    - sshd(8): Avoid observable differences in request parsing that could be
      used to determine whether a target user is valid.
    - ssh(1)/sshd(8): Fix some memory leaks.
    - ssh(1): Fix a pwent clobber (introduced in openssh-7.7) that could
      occur during key loading, manifesting as crash on some platforms.
    - sshd_config(5): Clarify documentation for AuthenticationMethods
      option.
    - ssh(1): Ensure that the public key algorithm sent in a public key
      SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob.
      Previously, these could be inconsistent when a legacy or non-OpenSSH
      ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2
      signature.
    - sshd(8): Fix failures to read authorized_keys caused by faulty
      supplemental group caching.
    - scp(1): Apply umask to directories, fixing potential mkdir/chmod race
      when copying directory trees.
    - ssh-keygen(1): Return correct exit code when searching for and hashing
      known_hosts entries in a single operation.
    - ssh(1): Prefer the ssh binary pointed to via argv[0] to $PATH when
      re-executing ssh for ProxyJump.
    - sshd(8): Do not ban PTY allocation when a sshd session is restricted
      because the user password is expired as it breaks password change
      dialog.
    - ssh(1)/sshd(8): Fix error reporting from select() failures.
    - ssh(1): Improve documentation for -w (tunnel) flag, emphasising that
      -w implicitly sets Tunnel=point-to-point.
    - ssh-agent(1): Implement EMFILE mitigation for ssh-agent.  ssh-agent
      will no longer spin when its file descriptor limit is exceeded.
    - ssh(1)/sshd(8): Disable SSH2_MSG_DEBUG messages for Twisted Conch
      clients.  Twisted Conch versions that lack a version number in their
      identification strings will mishandle these messages when running on
      Python 2.x (https://twistedmatrix.com/trac/ticket/9422).
    - sftp(1): Notify user immediately when underlying ssh process dies
      expectedly.
    - ssh(1)/sshd(8): Fix tunnel forwarding; regression in 7.7 release.
    - ssh-agent(1): Don't kill ssh-agent's listening socket entirely if it
      fails to accept(2) a connection.
    - ssh(1): Add some missing options in the configuration dump output (ssh
      -G).
    - sshd(8): Expose details of completed authentication to PAM auth
      modules via SSH_AUTH_INFO_0 in the PAM environment.
  * Switch debian/watch to HTTPS.
  * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
    regression tests.

 -- Colin Watson <email address hidden>  Thu, 30 Aug 2018 15:35:27 +0100

Upload details

Uploaded by:
Debian OpenSSH Maintainers
Uploaded to:
Sid
Original maintainer:
Debian OpenSSH Maintainers
Architectures:
any all
Section:
net
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Builds

Downloads

File Size SHA-256 Checksum
openssh_7.8p1-1.dsc 3.0 KiB 8ec0c6c21c59e00899e1102b2641ddfea63b1ca3aade5865db6c5aa6a628e266
openssh_7.8p1.orig.tar.gz 1.5 MiB 1a484bb15152c183bb2514e112aa30dd34138c3cfb032eee5490a66c507144ca
openssh_7.8p1.orig.tar.gz.asc 683 bytes 01649b5f618d9f19c861a038b981db456778dd7b38a20d039513e2639a022fe4
openssh_7.8p1-1.debian.tar.xz 158.1 KiB e9c101ac6c8123a8148702585c67880229a8d472fb74d4a9ad3767a72b3e7592

No changes file available.

Binary packages built by this source