diff options
Diffstat (limited to 'debian/NEWS')
-rw-r--r-- | debian/NEWS | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 000000000..77c594c5a --- /dev/null +++ b/debian/NEWS | |||
@@ -0,0 +1,156 @@ | |||
1 | openssh (1:7.4p1-7) unstable; urgency=medium | ||
2 | |||
3 | This version restores the default for AuthorizedKeysFile to search both | ||
4 | ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in | ||
5 | Debian configurations before 1:7.4p1-1. Upstream intends to phase out | ||
6 | searching ~/.ssh/authorized_keys2 by default, so you should ensure that | ||
7 | you are only using ~/.ssh/authorized_keys, at least for critical | ||
8 | administrative access; do not assume that the current default will remain | ||
9 | in place forever. | ||
10 | |||
11 | -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000 | ||
12 | |||
13 | openssh (1:7.4p1-1) unstable; urgency=medium | ||
14 | |||
15 | OpenSSH 7.4 includes a number of changes that may affect existing | ||
16 | configurations: | ||
17 | |||
18 | * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit | ||
19 | block ciphers are not safe in 2016 and we don't want to wait until | ||
20 | attacks like SWEET32 are extended to SSH. As 3des-cbc was the only | ||
21 | mandatory cipher in the SSH RFCs, this may cause problems connecting to | ||
22 | older devices using the default configuration, but it's highly likely | ||
23 | that such devices already need explicit configuration for key exchange | ||
24 | and hostkey algorithms already anyway. | ||
25 | * sshd(8): Remove support for pre-authentication compression. Doing | ||
26 | compression early in the protocol probably seemed reasonable in the | ||
27 | 1990s, but today it's clearly a bad idea in terms of both cryptography | ||
28 | (cf. multiple compression oracle attacks in TLS) and attack surface. | ||
29 | Pre-auth compression support has been disabled by default for >10 | ||
30 | years. Support remains in the client. | ||
31 | * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of | ||
32 | trusted paths by default. The path whitelist may be specified at | ||
33 | run-time. | ||
34 | * sshd(8): When a forced-command appears in both a certificate and an | ||
35 | authorized keys/principals command= restriction, sshd will now refuse | ||
36 | to accept the certificate unless they are identical. The previous | ||
37 | (documented) behaviour of having the certificate forced-command | ||
38 | override the other could be a bit confusing and error-prone. | ||
39 | * sshd(8): Remove the UseLogin configuration directive and support for | ||
40 | having /bin/login manage login sessions. | ||
41 | |||
42 | The unprivileged sshd process that deals with pre-authentication network | ||
43 | traffic is now subject to additional sandboxing restrictions by default: | ||
44 | that is, the default sshd_config now sets UsePrivilegeSeparation to | ||
45 | "sandbox" rather than "yes". This has been the case upstream for a while, | ||
46 | but until now the Debian configuration diverged unnecessarily. | ||
47 | |||
48 | -- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000 | ||
49 | |||
50 | openssh (1:7.2p1-1) unstable; urgency=medium | ||
51 | |||
52 | OpenSSH 7.2 disables a number of legacy cryptographic algorithms by | ||
53 | default in ssh: | ||
54 | |||
55 | * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the | ||
56 | rijndael-cbc aliases for AES. | ||
57 | * MD5-based and truncated HMAC algorithms. | ||
58 | |||
59 | These algorithms are already disabled by default in sshd. | ||
60 | |||
61 | -- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000 | ||
62 | |||
63 | openssh (1:7.1p1-2) unstable; urgency=medium | ||
64 | |||
65 | OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe | ||
66 | cryptography. | ||
67 | |||
68 | * Support for the legacy SSH version 1 protocol is disabled by default at | ||
69 | compile time. Note that this also means that the Cipher keyword in | ||
70 | ssh_config(5) is effectively no longer usable; use Ciphers instead for | ||
71 | protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1", | ||
72 | and "ssh-keygen1" binaries which you can use if you have no alternative | ||
73 | way to connect to an outdated SSH1-only server; please contact the | ||
74 | server administrator or system vendor in such cases and ask them to | ||
75 | upgrade. | ||
76 | * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is | ||
77 | disabled by default at run-time. It may be re-enabled using the | ||
78 | instructions at http://www.openssh.com/legacy.html | ||
79 | * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by | ||
80 | default at run-time. These may be re-enabled using the instructions at | ||
81 | http://www.openssh.com/legacy.html | ||
82 | * Support for the legacy v00 cert format has been removed. | ||
83 | |||
84 | Future releases will retire more legacy cryptography, including: | ||
85 | |||
86 | * Refusing all RSA keys smaller than 1024 bits (the current minimum is | ||
87 | 768 bits). | ||
88 | * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, | ||
89 | all arcfour variants, and the rijndael-cbc aliases for AES. | ||
90 | * MD5-based HMAC algorithms will be disabled by default. | ||
91 | |||
92 | -- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000 | ||
93 | |||
94 | openssh (1:6.9p1-1) unstable; urgency=medium | ||
95 | |||
96 | UseDNS now defaults to 'no'. Configurations that match against the client | ||
97 | host name (via sshd_config or authorized_keys) may need to re-enable it or | ||
98 | convert to matching against addresses. | ||
99 | |||
100 | -- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100 | ||
101 | |||
102 | openssh (1:6.7p1-5) unstable; urgency=medium | ||
103 | |||
104 | openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list | ||
105 | a number of specific LC_FOO variables rather than the wildcard LC_*. I | ||
106 | have since been persuaded that this was a bad idea and have reverted it, | ||
107 | but it is difficult to automatically undo the change to | ||
108 | /etc/ssh/sshd_config without compounding the problem (that of modifying | ||
109 | configuration that some users did not want to be modified) further. Most | ||
110 | users who upgraded via version 1:6.7p1-4 should restore the previous value | ||
111 | of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config. | ||
112 | |||
113 | -- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000 | ||
114 | |||
115 | openssh (1:5.4p1-2) unstable; urgency=low | ||
116 | |||
117 | Smartcard support is now available using PKCS#11 tokens. If you were | ||
118 | previously using an unofficial build of Debian's OpenSSH package with | ||
119 | OpenSC-based smartcard support added, then note that commands like | ||
120 | 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s | ||
121 | /usr/lib/opensc-pkcs11.so' instead. | ||
122 | |||
123 | -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100 | ||
124 | |||
125 | openssh (1:3.8.1p1-9) experimental; urgency=low | ||
126 | |||
127 | The ssh package has been split into openssh-client and openssh-server. If | ||
128 | you had previously requested that the sshd server should not be run, then | ||
129 | that request will still be honoured. However, the recommended approach is | ||
130 | now to remove the openssh-server package if you do not want to run sshd. | ||
131 | You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing | ||
132 | that. | ||
133 | |||
134 | -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100 | ||
135 | |||
136 | openssh (1:3.5p1-1) unstable; urgency=low | ||
137 | |||
138 | This version of OpenSSH disables the environment option for public keys by | ||
139 | default, in order to avoid certain attacks (for example, LD_PRELOAD). If | ||
140 | you are using this option in an authorized_keys file, beware that the keys | ||
141 | in question will no longer work until the option is removed. | ||
142 | |||
143 | To re-enable this option, set "PermitUserEnvironment yes" in | ||
144 | /etc/ssh/sshd_config after the upgrade is complete, taking note of the | ||
145 | warning in the sshd_config(5) manual page. | ||
146 | |||
147 | -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100 | ||
148 | |||
149 | openssh (1:3.0.1p1-1) unstable; urgency=high | ||
150 | |||
151 | As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2 | ||
152 | keys. This means the authorized_keys2 and known_hosts2 files are no longer | ||
153 | needed. They will still be read in order to maintain backward | ||
154 | compatibility. | ||
155 | |||
156 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000 | ||