Your message dated Tue, 20 Oct 2020 13:34:23 +0000 with message-id <E1kUrmR-0005iw-Fo@fasolo.debian.org> and subject line Bug#481250: fixed in openssh 1:8.4p1-1 has caused the Debian Bug report #481250, regarding support for .ssh/known_hosts.d to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
481250: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481250
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: support for .ssh/known_hosts.d
- From: martin f krafft <madduck@debian.org>
- Date: Wed, 14 May 2008 21:00:50 +0100
- Message-id: <20080514200050.GA20511@lapse.madduck.net>
Package: openssh-client
Version: 1:4.7p1-8
Severity: wishlist

It would be nice if openssh-client would read-only files from .ssh/known_hosts.d/*, which would make it a lot easier to maintain a known_hosts database for people like me, who have accounts on hundreds of machines. Also, it makes things easier if a VCS is used to manage .ssh.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1+scoflowctrl.1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii adduser 3.107 add and remove users and groups
ii debconf [debconf-2.0] 1.5.21 Debian configuration management sy
ii dpkg 1.14.19 package maintenance system for Deb
ii libc6 2.7-11 GNU C Library: Shared libraries
ii libcomerr2 1.40.8-2 common error description library
ii libedit2 2.9.cvs.20050518-4 BSD editline and history libraries
ii libkrb53 1.6.dfsg.3-2 MIT Kerberos runtime libraries
ii libncurses5 5.6+20080503-1 Shared libraries for terminal hand
ii libssl0.9.8 0.9.8g-10 SSL shared libraries
ii passwd 1:4.1.1-1 change and administer password and
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages openssh-client recommends:
ii xauth 1:1.0.3-1 X authentication utility

-- no debconf information

--
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)
--- End Message ---
--- Begin Message ---
- To: 481250-close@bugs.debian.org
- Subject: Bug#481250: fixed in openssh 1:8.4p1-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 20 Oct 2020 13:34:23 +0000
- Message-id: <E1kUrmR-0005iw-Fo@fasolo.debian.org>
- Reply-to: Colin Watson <cjwatson@debian.org>
Source: openssh
Source-Version: 1:8.4p1-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 481250@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 20 Oct 2020 14:15:17 +0100
Source: openssh
Architecture: source
Version: 1:8.4p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 368657 481250
Changes:
 openssh (1:8.4p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.4):
     - [SECURITY] ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys.
     - [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key.
     - ssh-keygen(1): the format of the attestation information optionally recorded when a FIDO key is generated has changed. It now includes the authenticator data needed to validate attestation signatures.
     - The API between OpenSSH and the FIDO token middleware has changed and the SSH_SK_VERSION_MAJOR version has been incremented as a result. Third-party middleware libraries must support the current API version (7) to work with OpenSSH 8.4.
     - ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation.
     - sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification.
     - sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support.
     - ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths.
     - ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use (closes: #368657).
     - ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword to accept a time limit for keys in addition to its current flag options. Time-limited keys will automatically be removed from ssh-agent after their expiry time has passed.
     - scp(1), sftp(1): allow the -A flag to explicitly enable agent forwarding in scp and sftp. The default remains to not forward an agent, even when ssh_config enables it.
     - ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the destination. This allows, e.g., keeping host keys in individual files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k" (closes: #481250).
     - ssh(1): add %-TOKEN, environment variable and tilde expansion to the UserKnownHostsFile directive, allowing the path to be completed by the configuration.
     - ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted from stdin.
     - sshd(8): improve logging for MaxStartups connection throttling. sshd will now log when it starts and stops throttling and periodically while in this state.
     - ssh(1), ssh-keygen(1): better support for multiple attached FIDO tokens. In cases where OpenSSH cannot unambiguously determine which token to direct a request to, the user is now required to select a token by touching it. In cases of operations that require a PIN to be verified, this avoids sending the wrong PIN to the wrong token and incrementing the token's PIN failure counter (tokens effectively erase their keys after too many PIN failures).
     - sshd(8): fix Include before Match in sshd_config (LP: #1885990).
     - ssh(1): close stdin/out/error when forking after authentication completes ("ssh -f ...").
     - ssh(1), sshd(8): limit the amount of channel input data buffered, avoiding peers that advertise large windows but are slow to read from causing high memory consumption.
     - ssh-agent(1): handle multiple requests sent in a single write() to the agent.
     - sshd(8): allow sshd_config longer than 256k.
     - sshd(8): avoid spurious "Unable to load host key" message when sshd loads a private key but no public counterpart.
     - ssh(1): prefer the default hostkey algorithm list whenever we have a hostkey that matches its best-preference algorithm.
     - sshd(1): when ordering the hostkey algorithms to request from a server, prefer certificate types if the known_hosts files contain a key marked as a @cert-authority.
     - ssh(1): perform host key fingerprint comparisons for the "Are you sure you want to continue connecting (yes/no/[fingerprint])?" prompt with case sensitivity.
     - sshd(8): ensure that address/masklen mismatches in sshd_config yield fatal errors at daemon start time rather than later when they are evaluated.
     - ssh-keygen(1): ensure that certificate extensions are lexically sorted. Previously if the user specified a custom extension then everything would be in order except the custom ones.
     - ssh(1): also compare username when checking for JumpHost loops.
     - ssh-keygen(1): preserve group/world read permission on known_hosts files across runs of "ssh-keygen -Rf /path". The old behaviour was to remove all rights for group/other.
     - ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen manual page and usage().
     - sshd(8): explicitly construct path to ~/.ssh/rc rather than relying on it being relative to the current directory, so that it can still be found if the shell startup changes its directory.
     - sshd(8): when redirecting sshd's log output to a file, undo this redirection after the session child process is forked(). Fixes missing log messages when using this feature under some circumstances.
     - sshd(8): start ClientAliveInterval bookkeeping before first pass through select() loop; fixed theoretical case where busy sshd may ignore timeouts from client.
     - ssh(1): only reset the ServerAliveInterval check when we receive traffic from the server and ignore traffic from a port forwarding client, preventing a client from keeping a connection alive when it should be terminated.
     - ssh-keygen(1): avoid spurious error message when ssh-keygen creates files outside ~/.ssh.
     - sftp-client(1): fix off-by-one error that caused sftp downloads to make one more concurrent request than desired. This prevented using sftp(1) in unpipelined request/response mode, which is useful when debugging.
     - ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect() helpers.
     - ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to write to it so we don't leave an empty .ssh directory when it's not needed.
     - ssh(1), sshd(8): fix multiplier when parsing time specifications when handling seconds after other units.
     - sshd(8): always send any PAM account messages. If the PAM account stack returns any messages, always send them to the user and not just if the check succeeds.
     - gnome-ssh-askpass3: ensure the "close" button is not focused by default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter accidentally dismissing FIDO touch notifications.
     - gnome-ssh-askpass3: allow some control over textarea colour via $GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR environment variables.
     - Detect the Frankenstein monster of Linux/X32 and allow the sandbox to function there.
--- End Message ---
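
The per-host layout named in the changelog ("UserKnownHostsFile ~/.ssh/known_hosts.d/%k") requires an existing known_hosts file to be split into one file per host name. The sketch below is an added example, not part of the bug log or of OpenSSH: the function names and sample entries are constructed, and it assumes each file is named after the host name you connect with, which is what %k expands to unless HostKeyAlias is set.

```python
import os
import re

# Constructed sample known_hosts content; the keys are placeholders, not real keys.
SAMPLE = """\
# constructed sample
alpha.example.org,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1
[beta.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER2 note
@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4
../evil ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER5
"""

SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]*$")  # no "/" and no leading "."
BRACKETED = re.compile(r"^\[(.+)\]:\d+$")                  # [host]:port entries

def split_known_hosts(text):
    """Return ({file name: [known_hosts lines]}, [lines that cannot be split])."""
    files, skipped = {}, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        # An optional marker (@cert-authority, @revoked) precedes the host field.
        hosts = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        names = []
        for pattern in hosts.split(","):
            m = BRACKETED.match(pattern)
            name = m.group(1) if m else pattern
            # Hashed names, wildcards, negations and unsafe file names map to no single file.
            if pattern.startswith("|") or any(c in name for c in "*?!") or not SAFE_NAME.match(name):
                names = []
                break
            names.append(name)
        if not names:
            skipped.append(stripped)
            continue
        for name in names:  # keep the full line so every listed name and address still matches
            files.setdefault(name, []).append(stripped)
    return files, skipped

def write_split(files, directory):
    # Directory and files are created private to the user.
    os.makedirs(directory, mode=0o700, exist_ok=True)
    for name, lines in files.items():
        fd = os.open(os.path.join(directory, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(lines) + "\n")
```

Lines returned in the skipped list have no single file name; keep them in ~/.ssh/known_hosts and list that file alongside the %k path, since UserKnownHostsFile accepts several paths.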