Diffstat (limited to 'debian/NEWS')
-rw-r--r-- debian/NEWS 347
1 files changed, 347 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 000000000..2d38891ea
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,347 @@
1openssh (1:8.4p1-1) unstable; urgency=medium
2
3 OpenSSH 8.4 includes a number of changes that may affect existing
4 configurations:
5
6 * ssh-keygen(1): the format of the attestation information optionally
7 recorded when a FIDO key is generated has changed. It now includes the
8 authenticator data needed to validate attestation signatures.
9
10 * The API between OpenSSH and the FIDO token middleware has changed and
11 the SSH_SK_VERSION_MAJOR version has been incremented as a result.
12 Third-party middleware libraries must support the current API version
13 (7) to work with OpenSSH 8.4.
14
15 -- Colin Watson <cjwatson@debian.org> Sun, 18 Oct 2020 12:07:48 +0100
16
17openssh (1:8.3p1-1) unstable; urgency=medium
18
19 OpenSSH 8.3 includes a number of changes that may affect existing
20 configurations:
21
22 * sftp(1): reject an argument of "-1" in the same way as ssh(1) and scp(1)
23 do instead of accepting and silently ignoring it.
24
25 -- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 13:44:04 +0100
26
27openssh (1:8.2p1-1) unstable; urgency=medium
28
29 OpenSSH 8.2 includes a number of changes that may affect existing
30 configurations:
31
32 * ssh(1), sshd(8), ssh-keygen(1): This release removes the "ssh-rsa"
33 (RSA/SHA1) algorithm from those accepted for certificate signatures
34 (i.e. the client and server CASignatureAlgorithms option) and will use
35 the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
36 CA signs new certificates.
37
38 Certificates are at special risk to SHA1 collision vulnerabilities as
39 an attacker has effectively unlimited time in which to craft a
40 collision that yields them a valid certificate, far more than the
41 relatively brief LoginGraceTime window that they have to forge a host
42 key signature.
43
44 The OpenSSH certificate format includes a CA-specified (typically
45 random) nonce value near the start of the certificate that should make
46 exploitation of chosen-prefix collisions in this context challenging,
47 as the attacker does not have full control over the prefix that
48 actually gets signed. Nonetheless, SHA1 is now a demonstrably broken
49 algorithm and further improvements in attacks are highly likely.
50
51 OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
52 algorithms and will refuse to accept certificates signed by an OpenSSH
53 8.2+ CA using RSA keys unless the unsafe algorithm is explicitly
54 selected during signing ("ssh-keygen -t ssh-rsa"). Older
55 clients/servers may use another CA key type such as ssh-ed25519
56 (supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521
57 types (supported since OpenSSH 5.7) instead if they cannot be upgraded.
58
59 * ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
60 key exchange proposal for both the client and server.
61
62 * ssh-keygen(1): The command-line options related to the generation and
63 screening of safe prime numbers used by the
64 diffie-hellman-group-exchange-* key exchange algorithms have changed.
65 Most options have been folded under the -O flag.
66
67 * sshd(8): The sshd listener process title visible to ps(1) has changed
68 to include information about the number of connections that are
69 currently attempting authentication and the limits configured by
70 MaxStartups.
71
72 -- Colin Watson <cjwatson@debian.org> Fri, 21 Feb 2020 16:36:37 +0000
73
74openssh (1:8.1p1-1) unstable; urgency=medium
75
76 OpenSSH 8.1 includes a number of changes that may affect existing
77 configurations:
78
79 * ssh-keygen(1): when acting as a CA and signing certificates with an RSA
80 key, default to using the rsa-sha2-512 signature algorithm.
81 Certificates signed by RSA keys will therefore be incompatible with
82 OpenSSH versions prior to 7.2 unless the default is overridden (using
83 "ssh-keygen -t ssh-rsa -s ...").
84
85 -- Colin Watson <cjwatson@debian.org> Thu, 10 Oct 2019 10:23:19 +0100
86
87openssh (1:8.0p1-1) experimental; urgency=medium
88
89 OpenSSH 8.0 includes a number of changes that may affect existing
90 configurations:
91
92 * sshd(8): Remove support for obsolete "host/port" syntax.
93 Slash-separated host/port was added in 2001 as an alternative to
94 host:port syntax for the benefit of IPv6 users. These days there are
95 established standards for this like [::1]:22 and the slash syntax is
96 easily mistaken for CIDR notation, which OpenSSH supports for some
97 things. Remove the slash notation from ListenAddress and PermitOpen.
98
99 -- Colin Watson <cjwatson@debian.org> Sun, 09 Jun 2019 22:47:27 +0100
100
101openssh (1:7.9p1-1) unstable; urgency=medium
102
103 OpenSSH 7.9 includes a number of changes that may affect existing
104 configurations:
105
106 * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
107 bans the use of DSA keys as certificate authorities.
108 * sshd(8): the authentication success/failure log message has changed
109 format slightly. It now includes the certificate fingerprint
110 (previously it included only key ID and CA key fingerprint).
111
112 -- Colin Watson <cjwatson@debian.org> Sun, 21 Oct 2018 10:39:24 +0100
113
114openssh (1:7.8p1-1) unstable; urgency=medium
115
116 OpenSSH 7.8 includes a number of changes that may affect existing
117 configurations:
118
119 * ssh-keygen(1): Write OpenSSH format private keys by default instead of
120 using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH
121 releases since 2014 and described in the PROTOCOL.key file in the
122 source distribution, offers substantially better protection against
123 offline password guessing and supports key comments in private keys.
124 If necessary, it is possible to write old PEM-style keys by adding "-m
125 PEM" to ssh-keygen's arguments when generating or updating a key.
126 * sshd(8): Remove internal support for S/Key multiple factor
127 authentication. S/Key may still be used via PAM or BSD auth.
128 * ssh(1): Remove vestigial support for running ssh(1) as setuid. This
129 used to be required for hostbased authentication and the (long gone)
130 rhosts-style authentication, but has not been necessary for a long
131 time. Attempting to execute ssh as a setuid binary, or with uid !=
132 effective uid will now yield a fatal error at runtime.
133 * sshd(8): The semantics of PubkeyAcceptedKeyTypes and the similar
134 HostbasedAcceptedKeyTypes options have changed. These now specify
135 signature algorithms that are accepted for their respective
136 authentication mechanism, where previously they specified accepted key
137 types. This distinction matters when using the RSA/SHA2 signature
138 algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate
139 counterparts. Configurations that override these options but omit
140 these algorithm names may cause unexpected authentication failures (no
141 action is required for configurations that accept the default for these
142 options).
143 * sshd(8): The precedence of session environment variables has changed.
144 ~/.ssh/environment and environment="..." options in authorized_keys
145 files can no longer override SSH_* variables set implicitly by sshd.
146 * ssh(1)/sshd(8): The default IPQoS used by ssh/sshd has changed. They
147 will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a
148 detailed rationale, please see the commit message:
149 https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
150
151 -- Colin Watson <cjwatson@debian.org> Thu, 30 Aug 2018 15:35:27 +0100
152
153openssh (1:7.6p1-1) unstable; urgency=medium
154
155 OpenSSH 7.6 includes a number of changes that may affect existing
156 configurations:
157
158 * ssh(1): Delete SSH protocol version 1 support, associated configuration
159 options and documentation.
160 * ssh(1)/sshd(8): Remove support for the hmac-ripemd160 MAC.
161 * ssh(1)/sshd(8): Remove support for the arcfour, blowfish and CAST
162 ciphers.
163 * Refuse RSA keys <1024 bits in length and improve reporting for keys
164 that do not meet this requirement.
165 * ssh(1): Do not offer CBC ciphers by default.
166
167 -- Colin Watson <cjwatson@debian.org> Fri, 06 Oct 2017 12:36:48 +0100
168
169openssh (1:7.5p1-1) experimental; urgency=medium
170
171 OpenSSH 7.5 includes a number of changes that may affect existing
172 configurations:
173
174 * This release deprecates the sshd_config UsePrivilegeSeparation option,
175 thereby making privilege separation mandatory.
176
177 * The format of several log messages emitted by the packet code has
178 changed to include additional information about the user and their
179 authentication state. Software that monitors ssh/sshd logs may need to
180 account for these changes. For example:
181
182 Connection closed by user x 1.1.1.1 port 1234 [preauth]
183 Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
184 Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
185
186 Affected messages include connection closure, timeout, remote
187 disconnection, negotiation failure and some other fatal messages
188 generated by the packet code.
189
190 -- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 02:58:01 +0100
191
192openssh (1:7.4p1-7) unstable; urgency=medium
193
194 This version restores the default for AuthorizedKeysFile to search both
195 ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2, as was the case in
196 Debian configurations before 1:7.4p1-1. Upstream intends to phase out
197 searching ~/.ssh/authorized_keys2 by default, so you should ensure that
198 you are only using ~/.ssh/authorized_keys, at least for critical
199 administrative access; do not assume that the current default will remain
200 in place forever.
201
202 -- Colin Watson <cjwatson@debian.org> Sun, 05 Mar 2017 02:12:42 +0000
203
204openssh (1:7.4p1-1) unstable; urgency=medium
205
206 OpenSSH 7.4 includes a number of changes that may affect existing
207 configurations:
208
209 * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
210 block ciphers are not safe in 2016 and we don't want to wait until
211 attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
212 mandatory cipher in the SSH RFCs, this may cause problems connecting to
213 older devices using the default configuration, but it's highly likely
214 that such devices already need explicit configuration for key exchange
215 and hostkey algorithms already anyway.
216 * sshd(8): Remove support for pre-authentication compression. Doing
217 compression early in the protocol probably seemed reasonable in the
218 1990s, but today it's clearly a bad idea in terms of both cryptography
219 (cf. multiple compression oracle attacks in TLS) and attack surface.
220 Pre-auth compression support has been disabled by default for >10
221 years. Support remains in the client.
222 * ssh-agent will refuse to load PKCS#11 modules outside a whitelist of
223 trusted paths by default. The path whitelist may be specified at
224 run-time.
225 * sshd(8): When a forced-command appears in both a certificate and an
226 authorized keys/principals command= restriction, sshd will now refuse
227 to accept the certificate unless they are identical. The previous
228 (documented) behaviour of having the certificate forced-command
229 override the other could be a bit confusing and error-prone.
230 * sshd(8): Remove the UseLogin configuration directive and support for
231 having /bin/login manage login sessions.
232
233 The unprivileged sshd process that deals with pre-authentication network
234 traffic is now subject to additional sandboxing restrictions by default:
235 that is, the default sshd_config now sets UsePrivilegeSeparation to
236 "sandbox" rather than "yes". This has been the case upstream for a while,
237 but until now the Debian configuration diverged unnecessarily.
238
239 -- Colin Watson <cjwatson@debian.org> Tue, 27 Dec 2016 18:01:46 +0000
240
241openssh (1:7.2p1-1) unstable; urgency=medium
242
243 OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
244 default in ssh:
245
246 * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
247 rijndael-cbc aliases for AES.
248 * MD5-based and truncated HMAC algorithms.
249
250 These algorithms are already disabled by default in sshd.
251
252 -- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
253
254openssh (1:7.1p1-2) unstable; urgency=medium
255
256 OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
257 cryptography.
258
259 * Support for the legacy SSH version 1 protocol is disabled by default at
260 compile time. Note that this also means that the Cipher keyword in
261 ssh_config(5) is effectively no longer usable; use Ciphers instead for
262 protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
263 and "ssh-keygen1" binaries which you can use if you have no alternative
264 way to connect to an outdated SSH1-only server; please contact the
265 server administrator or system vendor in such cases and ask them to
266 upgrade.
267 * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
268 disabled by default at run-time. It may be re-enabled using the
269 instructions at http://www.openssh.com/legacy.html
270 * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
271 default at run-time. These may be re-enabled using the instructions at
272 http://www.openssh.com/legacy.html
273 * Support for the legacy v00 cert format has been removed.
274
275 Future releases will retire more legacy cryptography, including:
276
277 * Refusing all RSA keys smaller than 1024 bits (the current minimum is
278 768 bits).
279 * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
280 all arcfour variants, and the rijndael-cbc aliases for AES.
281 * MD5-based HMAC algorithms will be disabled by default.
282
283 -- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
284
285openssh (1:6.9p1-1) unstable; urgency=medium
286
287 UseDNS now defaults to 'no'. Configurations that match against the client
288 host name (via sshd_config or authorized_keys) may need to re-enable it or
289 convert to matching against addresses.
290
291 -- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
292
293openssh (1:6.7p1-5) unstable; urgency=medium
294
295 openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
296 a number of specific LC_FOO variables rather than the wildcard LC_*. I
297 have since been persuaded that this was a bad idea and have reverted it,
298 but it is difficult to automatically undo the change to
299 /etc/ssh/sshd_config without compounding the problem (that of modifying
300 configuration that some users did not want to be modified) further. Most
301 users who upgraded via version 1:6.7p1-4 should restore the previous value
302 of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
303
304 -- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
305
306openssh (1:5.4p1-2) unstable; urgency=low
307
308 Smartcard support is now available using PKCS#11 tokens. If you were
309 previously using an unofficial build of Debian's OpenSSH package with
310 OpenSC-based smartcard support added, then note that commands like
311 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
312 /usr/lib/opensc-pkcs11.so' instead.
313
314 -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
315
316openssh (1:3.8.1p1-9) experimental; urgency=low
317
318 The ssh package has been split into openssh-client and openssh-server. If
319 you had previously requested that the sshd server should not be run, then
320 that request will still be honoured. However, the recommended approach is
321 now to remove the openssh-server package if you do not want to run sshd.
322 You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
323 that.
324
325 -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
326
327openssh (1:3.5p1-1) unstable; urgency=low
328
329 This version of OpenSSH disables the environment option for public keys by
330 default, in order to avoid certain attacks (for example, LD_PRELOAD). If
331 you are using this option in an authorized_keys file, beware that the keys
332 in question will no longer work until the option is removed.
333
334 To re-enable this option, set "PermitUserEnvironment yes" in
335 /etc/ssh/sshd_config after the upgrade is complete, taking note of the
336 warning in the sshd_config(5) manual page.
337
338 -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
339
340openssh (1:3.0.1p1-1) unstable; urgency=high
341
342 As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
343 keys. This means the authorized_keys2 and known_hosts2 files are no longer
344 needed. They will still be read in order to maintain backward
345 compatibility.
346
347 -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000
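Review bot: in the 1:7.5p1-1 entry, the three sample log lines at NEWS lines 182-184 are not labelled as old or new format, and the middle one uses a different address (10.1.1.1) from the other two (1.1.1.1), so a reader updating log-monitoring rules cannot tell which variants to match or whether the address difference is meaningful. Suggest using one address in all three lines and stating what each line illustrates ("user", "authenticating user", "invalid user"). Separately, NEWS line 246 in the 1:7.2p1-1 entry reads "Several ciphers blowfish-cbc, cast128-cbc, ..." without the colon that the matching list at line 279 has ("Several ciphers will be disabled by default: blowfish-cbc, ..."); adding the colon would make the two entries consistent.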