diff options
| author | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2007-12-24 10:29:57 +0000 |
| commit | c3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch) | |
| tree | b72c0867348e7e7914d64af6fc5e25c728922e03 /ssh.0 | |
| parent | 6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff) | |
| parent | 70847d299887abb96f8703ca99db6d817b78960e (diff) | |
* New upstream release (closes: #453367).
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
creation of an untrusted cookie fails; found and fixed by Jan Pechanec
(closes: #444738).
- sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
installations are unchanged.
- The SSH channel window size has been increased, and both ssh(1)
sshd(8) now send window updates more aggressively. These improves
performance on high-BDP (Bandwidth Delay Product) networks.
- ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
- A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"umac-64@openssh.com". UMAC-64 has been measured to be approximately
20% faster than HMAC-MD5.
- Failure to establish a ssh(1) TunnelForward is now treated as a fatal
error when the ExitOnForwardFailure option is set.
- ssh(1) returns a sensible exit status if the control master goes away
without passing the full exit status.
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work.
- Make scp(1) skip FIFOs rather than hanging (closes: #246774).
- Encode non-printing characters in scp(1) filenames. These could cause
copies to be aborted with a "protocol error".
- Handle SIGINT in sshd(8) privilege separation child process to ensure
that wtmp and lastlog records are correctly updated.
- Report GSSAPI mechanism in errors, for libraries that support multiple
mechanisms.
- Improve documentation for ssh-add(1)'s -d option.
- Rearrange and tidy GSSAPI code, removing server-only code being linked
into the client.
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established.
- In scp(1), do not truncate non-regular files.
- Improve exit message from ControlMaster clients.
- Prevent sftp-server(8) from reading until it runs out of buffer space,
whereupon it would exit with a fatal error (closes: #365541).
- pam_end() was not being called if authentication failed
(closes: #405041).
- Manual page datestamps updated (closes: #433181).
Diffstat (limited to 'ssh.0')
| -rw-r--r-- | ssh.0 | 11 |
1 files changed, 7 insertions, 4 deletions
| @@ -4,7 +4,7 @@ NAME | |||
| 4 | ssh - OpenSSH SSH client (remote login program) | 4 | ssh - OpenSSH SSH client (remote login program) |
| 5 | 5 | ||
| 6 | SYNOPSIS | 6 | SYNOPSIS |
| 7 | ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] | 7 | ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] |
| 8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] | 8 | [-D [bind_address:]port] [-e escape_char] [-F configfile] |
| 9 | [-i identity_file] [-L [bind_address:]port:host:hostport] | 9 | [-i identity_file] [-L [bind_address:]port:host:hostport] |
| 10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | 10 | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] |
| @@ -147,6 +147,9 @@ DESCRIPTION | |||
| 147 | multiple -i options (and multiple identities specified in config- | 147 | multiple -i options (and multiple identities specified in config- |
| 148 | uration files). | 148 | uration files). |
| 149 | 149 | ||
| 150 | -K Enables GSSAPI-based authentication and forwarding (delegation) | ||
| 151 | of GSSAPI credentials to the server. | ||
| 152 | |||
| 150 | -k Disables forwarding (delegation) of GSSAPI credentials to the | 153 | -k Disables forwarding (delegation) of GSSAPI credentials to the |
| 151 | server. | 154 | server. |
| 152 | 155 | ||
| @@ -371,8 +374,8 @@ AUTHENTICATION | |||
| 371 | protocols support similar authentication methods, but protocol 2 is pre- | 374 | protocols support similar authentication methods, but protocol 2 is pre- |
| 372 | ferred since it provides additional mechanisms for confidentiality (the | 375 | ferred since it provides additional mechanisms for confidentiality (the |
| 373 | traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and | 376 | traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and |
| 374 | integrity (hmac-md5, hmac-sha1, hmac-ripemd160). Protocol 1 lacks a | 377 | integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). Protocol 1 |
| 375 | strong mechanism for ensuring the integrity of the connection. | 378 | lacks a strong mechanism for ensuring the integrity of the connection. |
| 376 | 379 | ||
| 377 | The methods available for authentication are: GSSAPI-based authentica- | 380 | The methods available for authentication are: GSSAPI-based authentica- |
| 378 | tion, host-based authentication, public key authentication, challenge-re- | 381 | tion, host-based authentication, public key authentication, challenge-re- |
| @@ -829,4 +832,4 @@ AUTHORS | |||
| 829 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 832 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
| 830 | versions 1.5 and 2.0. | 833 | versions 1.5 and 2.0. |
| 831 | 834 | ||
| 832 | OpenBSD 4.1 September 25, 1999 13 | 835 | OpenBSD 4.2 June 12, 2007 13 |