Diffstat (limited to 'debian/NEWS')
-rw-r--r-- debian/NEWS 107
1 files changed, 107 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 000000000..6f4564ba7
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,107 @@
1openssh (1:7.2p1-1) unstable; urgency=medium
2
3 OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
4 default in ssh:
5
6 * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
7 rijndael-cbc aliases for AES.
8 * MD5-based and truncated HMAC algorithms.
9
10 These algorithms are already disabled by default in sshd.
11
12 -- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
13
14openssh (1:7.1p1-2) unstable; urgency=medium
15
16 OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
17 cryptography.
18
19 * Support for the legacy SSH version 1 protocol is disabled by default at
20 compile time. Note that this also means that the Cipher keyword in
21 ssh_config(5) is effectively no longer usable; use Ciphers instead for
22 protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
23 and "ssh-keygen1" binaries which you can use if you have no alternative
24 way to connect to an outdated SSH1-only server; please contact the
25 server administrator or system vendor in such cases and ask them to
26 upgrade.
27 * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
28 disabled by default at run-time. It may be re-enabled using the
29 instructions at http://www.openssh.com/legacy.html
30 * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
31 default at run-time. These may be re-enabled using the instructions at
32 http://www.openssh.com/legacy.html
33 * Support for the legacy v00 cert format has been removed.
34
35 Future releases will retire more legacy cryptography, including:
36
37 * Refusing all RSA keys smaller than 1024 bits (the current minimum is
38 768 bits).
39 * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
40 all arcfour variants, and the rijndael-cbc aliases for AES.
41 * MD5-based HMAC algorithms will be disabled by default.
42
43 -- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
44
45openssh (1:6.9p1-1) unstable; urgency=medium
46
47 UseDNS now defaults to 'no'. Configurations that match against the client
48 host name (via sshd_config or authorized_keys) may need to re-enable it or
49 convert to matching against addresses.
50
51 -- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
52
53openssh (1:6.7p1-5) unstable; urgency=medium
54
55 openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
56 a number of specific LC_FOO variables rather than the wildcard LC_*. I
57 have since been persuaded that this was a bad idea and have reverted it,
58 but it is difficult to automatically undo the change to
59 /etc/ssh/sshd_config without compounding the problem (that of modifying
60 configuration that some users did not want to be modified) further. Most
61 users who upgraded via version 1:6.7p1-4 should restore the previous value
62 of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
63
64 -- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
65
66openssh (1:5.4p1-2) unstable; urgency=low
67
68 Smartcard support is now available using PKCS#11 tokens. If you were
69 previously using an unofficial build of Debian's OpenSSH package with
70 OpenSC-based smartcard support added, then note that commands like
71 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
72 /usr/lib/opensc-pkcs11.so' instead.
73
74 -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
75
76openssh (1:3.8.1p1-9) experimental; urgency=low
77
78 The ssh package has been split into openssh-client and openssh-server. If
79 you had previously requested that the sshd server should not be run, then
80 that request will still be honoured. However, the recommended approach is
81 now to remove the openssh-server package if you do not want to run sshd.
82 You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
83 that.
84
85 -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
86
87openssh (1:3.5p1-1) unstable; urgency=low
88
89 This version of OpenSSH disables the environment option for public keys by
90 default, in order to avoid certain attacks (for example, LD_PRELOAD). If
91 you are using this option in an authorized_keys file, beware that the keys
92 in question will no longer work until the option is removed.
93
94 To re-enable this option, set "PermitUserEnvironment yes" in
95 /etc/ssh/sshd_config after the upgrade is complete, taking note of the
96 warning in the sshd_config(5) manual page.
97
98 -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
99
100openssh (1:3.0.1p1-1) unstable; urgency=high
101
102 As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
103 keys. This means the authorized_keys2 and known_hosts2 files are no longer
104 needed. They will still be read in order to maintain backward
105 compatibility.
106
107 -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000
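
Review bot: The 1:7.2p1-1 entry at the top of the hunk lists the ciphers and MACs that ssh now disables by default but gives no pointer for users who still have to reach a peer offering only those algorithms, whereas the 1:7.1p1-2 entry below it links the re-enable instructions for each item. Consider closing the 7.2 entry with the same reference the 7.0 notes use ("It may be re-enabled using the instructions at http://www.openssh.com/legacy.html"), or naming the ssh_config(5) keywords involved (Ciphers, MACs), so the note is actionable when a connection fails after upgrade. Separately, the first bullet of that entry reads "Several ciphers blowfish-cbc, cast128-cbc, ..." and wants a colon after "ciphers", matching the wording of the corresponding bullet in the 1:7.1p1-2 entry.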