summaryrefslogtreecommitdiff
path: root/ssh.1
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2007-12-24 10:29:57 +0000
committerColin Watson <cjwatson@debian.org>2007-12-24 10:29:57 +0000
commitc3e531b12b2335b7fa5a6bcc9a309d3c523ff64b (patch)
treeb72c0867348e7e7914d64af6fc5e25c728922e03 /ssh.1
parent6b222fdf3cb54c11a446df38e027fe7acf2220cb (diff)
parent70847d299887abb96f8703ca99db6d817b78960e (diff)
* New upstream release (closes: #453367).
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738). - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. - The SSH channel window size has been increased, and both ssh(1) sshd(8) now send window updates more aggressively. These improves performance on high-BDP (Bandwidth Delay Product) networks. - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5. - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5. - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set. - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status. - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work. - Make scp(1) skip FIFOs rather than hanging (closes: #246774). - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error". - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated. - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms. - Improve documentation for ssh-add(1)'s -d option. - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client. - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established. - In scp(1), do not truncate non-regular files. - Improve exit message from ControlMaster clients. - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541). - pam_end() was not being called if authentication failed (closes: #405041). - Manual page datestamps updated (closes: #433181).
Diffstat (limited to 'ssh.1')
-rw-r--r--ssh.19
1 files changed, 5 insertions, 4 deletions
diff --git a/ssh.1 b/ssh.1
index b0d23fea1..33b8a4cda 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36.\" 36.\"
37.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $ 37.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $
38.Dd September 25, 1999 38.Dd $Mdocdate: June 12 2007 $
39.Dt SSH 1 39.Dt SSH 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -316,7 +316,8 @@ It is possible to have multiple
316options (and multiple identities specified in 316options (and multiple identities specified in
317configuration files). 317configuration files).
318.It Fl K 318.It Fl K
319Enables forwarding (delegation) of GSSAPI credentials to the server. 319Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
320credentials to the server.
320.It Fl k 321.It Fl k
321Disables forwarding (delegation) of GSSAPI credentials to the server. 322Disables forwarding (delegation) of GSSAPI credentials to the server.
322.It Fl L Xo 323.It Fl L Xo
@@ -681,7 +682,7 @@ Both protocols support similar authentication methods,
681but protocol 2 is preferred since 682but protocol 2 is preferred since
682it provides additional mechanisms for confidentiality 683it provides additional mechanisms for confidentiality
683(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) 684(the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
684and integrity (hmac-md5, hmac-sha1, hmac-ripemd160). 685and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
685Protocol 1 lacks a strong mechanism for ensuring the 686Protocol 1 lacks a strong mechanism for ensuring the
686integrity of the connection. 687integrity of the connection.
687.Pp 688.Pp