diff options
Diffstat (limited to 'debian/NEWS')
| -rw-r--r-- | debian/NEWS | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 000000000..4dc9ffd92 --- /dev/null +++ b/debian/NEWS | |||
| @@ -0,0 +1,86 @@ | |||
| 1 | openssh (1:7.1p1-2) unstable; urgency=medium | ||
| 2 | |||
| 3 | OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe | ||
| 4 | cryptography. | ||
| 5 | |||
| 6 | * Support for the legacy SSH version 1 protocol is disabled by default at | ||
| 7 | compile time. Note that this also means that the Cipher keyword in | ||
| 8 | ssh_config(5) is effectively no longer usable; use Ciphers instead for | ||
| 9 | protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1", | ||
| 10 | and "ssh-keygen1" binaries which you can use if you have no alternative | ||
| 11 | way to connect to an outdated SSH1-only server; please contact the | ||
| 12 | server administrator or system vendor in such cases and ask them to | ||
| 13 | upgrade. | ||
| 14 | * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is | ||
| 15 | disabled by default at run-time. It may be re-enabled using the | ||
| 16 | instructions at http://www.openssh.com/legacy.html | ||
| 17 | * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by | ||
| 18 | default at run-time. These may be re-enabled using the instructions at | ||
| 19 | http://www.openssh.com/legacy.html | ||
| 20 | * Support for the legacy v00 cert format has been removed. | ||
| 21 | |||
| 22 | Future releases will retire more legacy cryptography, including: | ||
| 23 | |||
| 24 | * Refusing all RSA keys smaller than 1024 bits (the current minimum is | ||
| 25 | 768 bits). | ||
| 26 | * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, | ||
| 27 | all arcfour variants, and the rijndael-cbc aliases for AES. | ||
| 28 | * MD5-based HMAC algorithms will be disabled by default. | ||
| 29 | |||
| 30 | -- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000 | ||
| 31 | |||
| 32 | openssh (1:6.7p1-5) unstable; urgency=medium | ||
| 33 | |||
| 34 | openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list | ||
| 35 | a number of specific LC_FOO variables rather than the wildcard LC_*. I | ||
| 36 | have since been persuaded that this was a bad idea and have reverted it, | ||
| 37 | but it is difficult to automatically undo the change to | ||
| 38 | /etc/ssh/sshd_config without compounding the problem (that of modifying | ||
| 39 | configuration that some users did not want to be modified) further. Most | ||
| 40 | users who upgraded via version 1:6.7p1-4 should restore the previous value | ||
| 41 | of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config. | ||
| 42 | |||
| 43 | -- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000 | ||
| 44 | |||
| 45 | openssh (1:5.4p1-2) unstable; urgency=low | ||
| 46 | |||
| 47 | Smartcard support is now available using PKCS#11 tokens. If you were | ||
| 48 | previously using an unofficial build of Debian's OpenSSH package with | ||
| 49 | OpenSC-based smartcard support added, then note that commands like | ||
| 50 | 'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s | ||
| 51 | /usr/lib/opensc-pkcs11.so' instead. | ||
| 52 | |||
| 53 | -- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100 | ||
| 54 | |||
| 55 | openssh (1:3.8.1p1-9) experimental; urgency=low | ||
| 56 | |||
| 57 | The ssh package has been split into openssh-client and openssh-server. If | ||
| 58 | you had previously requested that the sshd server should not be run, then | ||
| 59 | that request will still be honoured. However, the recommended approach is | ||
| 60 | now to remove the openssh-server package if you do not want to run sshd. | ||
| 61 | You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing | ||
| 62 | that. | ||
| 63 | |||
| 64 | -- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100 | ||
| 65 | |||
| 66 | openssh (1:3.5p1-1) unstable; urgency=low | ||
| 67 | |||
| 68 | This version of OpenSSH disables the environment option for public keys by | ||
| 69 | default, in order to avoid certain attacks (for example, LD_PRELOAD). If | ||
| 70 | you are using this option in an authorized_keys file, beware that the keys | ||
| 71 | in question will no longer work until the option is removed. | ||
| 72 | |||
| 73 | To re-enable this option, set "PermitUserEnvironment yes" in | ||
| 74 | /etc/ssh/sshd_config after the upgrade is complete, taking note of the | ||
| 75 | warning in the sshd_config(5) manual page. | ||
| 76 | |||
| 77 | -- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100 | ||
| 78 | |||
| 79 | openssh (1:3.0.1p1-1) unstable; urgency=high | ||
| 80 | |||
| 81 | As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2 | ||
| 82 | keys. This means the authorized_keys2 and known_hosts2 files are no longer | ||
| 83 | needed. They will still be read in order to maintain backward | ||
| 84 | compatibility. | ||
| 85 | |||
| 86 | -- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000 | ||