1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
openssh (1:7.2p1-1) unstable; urgency=medium
OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
default in ssh:
* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the
rijndael-cbc aliases for AES.
* MD5-based and truncated HMAC algorithms.
These algorithms are already disabled by default in sshd.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Mar 2016 11:47:20 +0000
openssh (1:7.1p1-2) unstable; urgency=medium
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
-- Colin Watson <cjwatson@debian.org> Tue, 08 Dec 2015 15:33:08 +0000
openssh (1:6.9p1-1) unstable; urgency=medium
UseDNS now defaults to 'no'. Configurations that match against the client
host name (via sshd_config or authorized_keys) may need to re-enable it or
convert to matching against addresses.
-- Colin Watson <cjwatson@debian.org> Thu, 20 Aug 2015 10:38:58 +0100
openssh (1:6.7p1-5) unstable; urgency=medium
openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
a number of specific LC_FOO variables rather than the wildcard LC_*. I
have since been persuaded that this was a bad idea and have reverted it,
but it is difficult to automatically undo the change to
/etc/ssh/sshd_config without compounding the problem (that of modifying
configuration that some users did not want to be modified) further. Most
users who upgraded via version 1:6.7p1-4 should restore the previous value
of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.
-- Colin Watson <cjwatson@debian.org> Sun, 22 Mar 2015 23:09:32 +0000
openssh (1:5.4p1-2) unstable; urgency=low
Smartcard support is now available using PKCS#11 tokens. If you were
previously using an unofficial build of Debian's OpenSSH package with
OpenSC-based smartcard support added, then note that commands like
'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
/usr/lib/opensc-pkcs11.so' instead.
-- Colin Watson <cjwatson@debian.org> Sat, 10 Apr 2010 01:08:59 +0100
openssh (1:3.8.1p1-9) experimental; urgency=low
The ssh package has been split into openssh-client and openssh-server. If
you had previously requested that the sshd server should not be run, then
that request will still be honoured. However, the recommended approach is
now to remove the openssh-server package if you do not want to run sshd.
You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
that.
-- Colin Watson <cjwatson@debian.org> Mon, 2 Aug 2004 20:48:54 +0100
openssh (1:3.5p1-1) unstable; urgency=low
This version of OpenSSH disables the environment option for public keys by
default, in order to avoid certain attacks (for example, LD_PRELOAD). If
you are using this option in an authorized_keys file, beware that the keys
in question will no longer work until the option is removed.
To re-enable this option, set "PermitUserEnvironment yes" in
/etc/ssh/sshd_config after the upgrade is complete, taking note of the
warning in the sshd_config(5) manual page.
-- Colin Watson <cjwatson@debian.org> Sat, 26 Oct 2002 19:41:51 +0100
openssh (1:3.0.1p1-1) unstable; urgency=high
As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
keys. This means the authorized_keys2 and known_hosts2 files are no longer
needed. They will still be read in order to maintain backward
compatibility.
-- Matthew Vernon <matthew@debian.org> Thu, 28 Nov 2001 17:43:01 +0000
|
