openssh_8.2p1-3_source.changes ACCEPTED into unstable
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 23 Feb 2020 13:30:01 +0000
Source: openssh
Architecture: source
Version: 1:8.2p1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 275458 631189 845315 951220 951582 951640
Changes:
openssh (1:8.2p1-3) unstable; urgency=medium
.
* Reupload with -sa to work around confusion with 1:8.2p1-1 being in NEW.
.
openssh (1:8.2p1-2) unstable; urgency=medium
.
* Move ssh-sk-helper into openssh-client rather than shipping it in a
separate package. The extra library dependencies are pretty small, so
it doesn't seem worth bloating the Packages file. Suggested by Bastian
Blank.
.
openssh (1:8.2p1-1) unstable; urgency=medium
.
* New upstream release (https://www.openssh.com/txt/release-8.2, closes:
#951582):
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will use
the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
CA signs new certificates.
- ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
key exchange proposal for both the client and server.
- ssh-keygen(1): The command-line options related to the generation and
screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have changed.
Most options have been folded under the -O flag.
- sshd(8): The sshd listener process title visible to ps(1) has changed
to include information about the number of connections that are
currently attempting authentication and the limits configured by
MaxStartups.
- Add support for FIDO/U2F hardware authenticators.
- ssh-keygen(1): Add a "no-touch-required" option when generating
FIDO-hosted keys, that disables their default behaviour of requiring a
physical touch/tap on the token during authentication. Note: not all
tokens support disabling the touch requirement.
- sshd(8): Add a sshd_config PubkeyAuthOptions directive that collects
miscellaneous public key authentication-related options for sshd(8).
At present it supports only a single option "no-touch-required". This
causes sshd to skip its default check for FIDO/U2F keys that the
signature was authorised by a touch or press event on the token
hardware.
- ssh(1), sshd(8), ssh-keygen(1): Add a "no-touch-required" option for
authorized_keys and a similar extension for certificates. This option
disables the default requirement that FIDO key signatures attest that
the user touched their key to authorize them, mirroring the similar
PubkeyAuthOptions sshd_config option.
- ssh-keygen(1): Add support for the writing the FIDO attestation
information that is returned when new keys are generated via the "-O
write-attestation=/path" option. FIDO attestation certificates may be
used to verify that a FIDO key is hosted in trusted hardware. OpenSSH
does not currently make use of this information, beyond optionally
writing it to disk.
- Add support for FIDO2 resident keys.
- sshd(8): Add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns (closes: #631189).
- ssh(1)/sshd(8): Make the LE (low effort) DSCP code point available via
the IPQoS directive.
- ssh(1): When AddKeysToAgent=yes is set and the key contains no
comment, add the key to the agent with the key's path as the comment.
- ssh-keygen(1), ssh-agent(1): Expose PKCS#11 key labels and X.509
subjects as key comments, rather than simply listing the PKCS#11
provider library path.
- ssh-keygen(1): Allow PEM export of DSA and ECDSA keys.
- sshd(8): When clients get denied by MaxStartups, send a notification
prior to the SSH2 protocol banner according to RFC4253 section 4.2
(closes: #275458).
- ssh(1), ssh-agent(1): When invoking the $SSH_ASKPASS prompt program,
pass a hint to the program to describe the type of desired prompt.
The possible values are "confirm" (indicating that a yes/no
confirmation dialog with no text entry should be shown), "none" (to
indicate an informational message only), or blank for the original
ssh-askpass behaviour of requesting a password/phrase.
- ssh(1): Allow forwarding a different agent socket to the path
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
option to accepting an explicit path or the name of an environment
variable in addition to yes/no.
- ssh-keygen(1): Add a new signature operations "find-principals" to
look up the principal associated with a signature from an
allowed-signers file.
- sshd(8): Expose the number of currently-authenticating connections
along with the MaxStartups limit in the process title visible to "ps".
- sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
now disable connection killing entirely rather than the current
behaviour of instantly killing the connection after the first liveness
test regardless of success.
- sshd(8): Clarify order of AllowUsers / DenyUsers vs AllowGroups /
DenyGroups in the sshd(8) manual page.
- sshd(8): Better describe HashKnownHosts in the manual page.
- sshd(8): Clarify that that permitopen=/PermitOpen do no name or
address translation in the manual page.
- sshd(8): Allow the UpdateHostKeys feature to function when multiple
known_hosts files are in use. When updating host keys, ssh will now
search subsequent known_hosts files, but will add updated host keys to
the first specified file only.
- All: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the
handler preventing races between handlers, and sets SA_RESTART which
should reduce the potential for short read/write operations.
- sftp(1): Fix a race condition in the SIGCHILD handler that could turn
in to a kill(-1).
- sshd(8): Fix a case where valid (but extremely large) SSH channel IDs
were being incorrectly rejected.
- ssh(1): When checking host key fingerprints as answers to new hostkey
prompts, ignore whitespace surrounding the fingerprint itself.
- All: Wait for file descriptors to be readable or writeable during
non-blocking connect, not just readable. Prevents a timeout when the
server doesn't immediately send a banner (e.g. multiplexers like
sslh).
- sshd_config(5): Document the sntrup4591761x25519-sha512@tinyssh.org
key exchange algorithm.
* Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1
and 1:7.8p1-1 inclusive (closes: #951220).
* ssh(1): Explain that -Y is equivalent to -X in the default configuration
(closes: #951640).
* Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and
/etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config (closes:
#845315).
Checksums-Sha1:
6b2d760e407d66abc925608ea02918aaecf60dd0 3342 openssh_8.2p1-3.dsc
f4ff0b48bd4ea5b10a12bbd93a8e7abda761500f 173988 openssh_8.2p1-3.debian.tar.xz
d1ab35a93507321c5db885e02d41ce1414f0507c 1701197 openssh_8.2p1.orig.tar.gz
d3814ab57572c13bdee2037ad1477e2f7c51e1b0 683 openssh_8.2p1.orig.tar.gz.asc
Checksums-Sha256:
78c26e23d7258237c69502a12d25f1e1598274ef789e5fc5faef9b801fddbf5c 3342 openssh_8.2p1-3.dsc
427f68ab8dbfa1b70c742490d7edf565cc1ced2969854a5777b9b8dc7e9fd8f0 173988 openssh_8.2p1-3.debian.tar.xz
43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671 1701197 openssh_8.2p1.orig.tar.gz
4f358bb57cb5446a7a8bf986ff5cd835fd1e03f33561df883dfd3f893cd6fe86 683 openssh_8.2p1.orig.tar.gz.asc
Files:
0f9db36ab2aed3e898aa1a2f8dda3db6 3342 net standard openssh_8.2p1-3.dsc
d7573df7de8d81abf1c47d692e795138 173988 net standard openssh_8.2p1-3.debian.tar.xz
3076e6413e8dbe56d33848c1054ac091 1701197 net standard openssh_8.2p1.orig.tar.gz
8501565a766e1a50a7e6179079f3c671 683 net standard openssh_8.2p1.orig.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAl5TFKMACgkQOTWH2X2G
UAv6TQ//bC29/uoHiZPAWpGhrl1UUv6P56fkIdKsApQlydkNWohwKlxYbutye0pc
BVl3Q9jIclXt2kKgudTpTJNXlpJgoTnhQWwBotUKN9WPNPwsr7f1OM1hROth0Gw7
x7GnwD3BUycwtcjk6FY3m/L/k443nIAfTwNcIqHZ+Lvb+egIQdx8a1WXRhGxWeqK
gF1UNdhrQJ56zzI5/Dvz9ut0YzCXqljvexuygZYUDbKsmvn2Zzr91xh5i0ahEYwU
Kz/+4ma5QHu+U0ggh1ceHnpjkO5Aop2XaxEpkD7m7w7eAOlhEe2+5ng0MH66XzEz
Rf9Avh/wVD9p3zdYVCYGMCoOkoHttjjFQKZYXGY9cQIMiwkhO9B3bKz5T1AXhBIk
te81q2Wr4bx/+AULiD5+TmNSaYJzd3sOjQkmH0P3f+3CwtkeKMKWstScQbuA3fkj
7kxn/wb7ConVazBdeqpP0UI/260Jx6oeWXU3OoU2tngcPeoLtAQEk5UuE0Rw53yE
T1bc23ODkAjn5eVPYNlWu4Q85D5RAzHFZ3ALTT0FT6m5tzpGkGtHWae9J50R2g0+
ndLXY0T1iLce1HgjHxXVhHzY4qjOa3bLFE5YiHjEZvQlBMPTabvPzqaXSeo76oOV
NPdkDsMZsFtFflEEoE7LJzTDQJHuqJSYZAwhai3P0UnkmH5vkXg=
=DKtX
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.
Reply to: