path: root/debian/NEWS
blob: 6f4564ba74e3f8f7e424fff141b47c585671c233 (plain)
openssh (1:7.2p1-1) unstable; urgency=medium

  OpenSSH 7.2 disables a number of legacy cryptographic algorithms by
  default in ssh:

   * Several ciphers: blowfish-cbc, cast128-cbc, all arcfour variants, and the
     rijndael-cbc aliases for AES.
   * MD5-based and truncated HMAC algorithms.

  These algorithms are already disabled by default in sshd.

 -- Colin Watson <cjwatson@debian.org>  Tue, 08 Mar 2016 11:47:20 +0000

openssh (1:7.1p1-2) unstable; urgency=medium

  OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
  cryptography.

   * Support for the legacy SSH version 1 protocol is disabled by default at
     compile time.  Note that this also means that the Cipher keyword in
     ssh_config(5) is effectively no longer usable; use Ciphers instead for
     protocol 2.  The openssh-client-ssh1 package includes "ssh1", "scp1",
     and "ssh-keygen1" binaries which you can use if you have no alternative
     way to connect to an outdated SSH1-only server; please contact the
     server administrator or system vendor in such cases and ask them to
     upgrade.
   * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
     disabled by default at run-time.  It may be re-enabled using the
     instructions at http://www.openssh.com/legacy.html
   * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
     default at run-time.  These may be re-enabled using the instructions at
     http://www.openssh.com/legacy.html
   * Support for the legacy v00 cert format has been removed.

  Future releases will retire more legacy cryptography, including:

   * Refusing all RSA keys smaller than 1024 bits (the current minimum is
     768 bits).
   * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
     all arcfour variants, and the rijndael-cbc aliases for AES.
   * MD5-based HMAC algorithms will be disabled by default.

 -- Colin Watson <cjwatson@debian.org>  Tue, 08 Dec 2015 15:33:08 +0000
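The two entries above list the algorithms that OpenSSH 7.0 and 7.2 turn off by default. The audit below is an added example, not code from the Debian package or from OpenSSH: it scans an sshd_config or ssh_config fragment for directives that switch any of them back on (including the "+name" append form documented on the legacy page linked above) and for a Protocol line that still allows version 1. The sample configuration is constructed, and the set of keywords checked is an assumption chosen to match the entries above.

```python
import re

# Legacy algorithms that the 7.0 and 7.2 entries say are now disabled by default.
def weak_cipher(name):
    n = name.lower()
    return n in ("blowfish-cbc", "cast128-cbc") or n.startswith(("arcfour", "rijndael-cbc"))
def weak_mac(name):
    n = name.lower()
    return "md5" in n or "-96" in n                 # MD5-based or truncated HMACs
def weak_kex(name):
    return name.lower() == "diffie-hellman-group1-sha1"
def weak_key_type(name):
    return name.lower().startswith("ssh-dss")       # ssh-dss and ssh-dss-cert-*

CHECKS = {"ciphers": weak_cipher, "macs": weak_mac, "kexalgorithms": weak_kex,
          "hostkeyalgorithms": weak_key_type, "pubkeyacceptedkeytypes": weak_key_type}

def audit_ssh_config(text):
    """(line_number, keyword, [weak names]) for each directive enabling a legacy algorithm or v1."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):         # whole-line comments only, as in sshd_config
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Keyword value" or "Keyword=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1]      # keywords are case-insensitive
        if keyword == "protocol":
            if "1" in value.split(","):
                findings.append((lineno, parts[0], ["1"]))
            continue
        check = CHECKS.get(keyword)
        if check is None or value.startswith("-"):       # "-name" removes from the defaults
            continue
        names = value.lstrip("+").split(",")             # "+name" appends to the defaults
        weak = [n for n in names if check(n)]
        if weak:
            findings.append((lineno, parts[0], weak))
    return findings

# Constructed sample sshd_config fragment with several of the legacy settings present.
SAMPLE_CONFIG = """\
Protocol 2,1
Ciphers aes256-ctr,arcfour256,blowfish-cbc
MACs hmac-sha2-256,hmac-md5-96
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-ed25519,ssh-dss
UseDNS no
"""
```

Directives inside a Match block are reported the same way as global ones; review them in context.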

openssh (1:6.9p1-1) unstable; urgency=medium

  UseDNS now defaults to 'no'.  Configurations that match against the client
  host name (via sshd_config or authorized_keys) may need to re-enable it or
  convert to matching against addresses.

 -- Colin Watson <cjwatson@debian.org>  Thu, 20 Aug 2015 10:38:58 +0100

openssh (1:6.7p1-5) unstable; urgency=medium

  openssh-server 1:6.7p1-4 changed the default setting of AcceptEnv to list
  a number of specific LC_FOO variables rather than the wildcard LC_*.  I
  have since been persuaded that this was a bad idea and have reverted it,
  but it is difficult to automatically undo the change to
  /etc/ssh/sshd_config without compounding the problem (that of modifying
  configuration that some users did not want to be modified) further.  Most
  users who upgraded via version 1:6.7p1-4 should restore the previous value
  of "AcceptEnv LANG LC_*" in /etc/ssh/sshd_config.

 -- Colin Watson <cjwatson@debian.org>  Sun, 22 Mar 2015 23:09:32 +0000

openssh (1:5.4p1-2) unstable; urgency=low

  Smartcard support is now available using PKCS#11 tokens.  If you were
  previously using an unofficial build of Debian's OpenSSH package with
  OpenSC-based smartcard support added, then note that commands like
  'ssh-add -s 0' will no longer work; you need to use 'ssh-add -s
  /usr/lib/opensc-pkcs11.so' instead.

 -- Colin Watson <cjwatson@debian.org>  Sat, 10 Apr 2010 01:08:59 +0100

openssh (1:3.8.1p1-9) experimental; urgency=low

  The ssh package has been split into openssh-client and openssh-server. If
  you had previously requested that the sshd server should not be run, then
  that request will still be honoured. However, the recommended approach is
  now to remove the openssh-server package if you do not want to run sshd.
  You can remove the old /etc/ssh/sshd_not_to_be_run marker file after doing
  that.

 -- Colin Watson <cjwatson@debian.org>  Mon,  2 Aug 2004 20:48:54 +0100

openssh (1:3.5p1-1) unstable; urgency=low

  This version of OpenSSH disables the environment option for public keys by
  default, in order to avoid certain attacks (for example, LD_PRELOAD). If
  you are using this option in an authorized_keys file, beware that the keys
  in question will no longer work until the option is removed.

  To re-enable this option, set "PermitUserEnvironment yes" in
  /etc/ssh/sshd_config after the upgrade is complete, taking note of the
  warning in the sshd_config(5) manual page.

 -- Colin Watson <cjwatson@debian.org>  Sat, 26 Oct 2002 19:41:51 +0100
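Both the UseDNS change in the 1:6.9p1-1 entry and the PermitUserEnvironment change above affect options in authorized_keys: a "from=" pattern that names hosts rather than addresses no longer matches once reverse lookups are off, and "environment=" options are ignored until the setting is re-enabled. The script below is an added example, not part of the package: it parses the option field of each line (quoted values may contain commas and spaces) and reports both cases. The sample file is constructed, with placeholder key material, and the key-type prefixes recognised are an assumption.

```python
import ipaddress
import re

# A line whose first field is a key type carries no options at all.
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[\w-]+|sk-[\w@.-]+)\s")
OPTION_RE = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')

def split_options(line):
    """Option string before the key; it ends at the first whitespace outside double quotes."""
    if KEY_TYPE_RE.match(line):
        return ""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i]
    return line

def is_hostname_pattern(pat):
    """True unless the from= pattern is an address, a CIDR block or a dotted IPv4 wildcard."""
    p = pat.lstrip("!")                         # a negated pattern still needs the lookup
    try:
        ipaddress.ip_network(p, strict=False)
        return False
    except ValueError:
        return re.fullmatch(r"[0-9.*?]+", p) is None

def audit_authorized_keys(text):
    """(line_number, option, values) for host-name from= patterns and every environment= option."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, value in OPTION_RE.findall(split_options(line)):
            if name == "from":
                hosts = [p for p in value.split(",") if is_hostname_pattern(p)]
                if hosts:
                    findings.append((lineno, "from", hosts))
            elif name == "environment":
                findings.append((lineno, "environment", [value]))
    return findings
# Constructed sample authorized_keys; the key material is a placeholder, not a real key.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
from="*.example.com,10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER deploy
from="192.168.1.*" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup
environment="FOO=bar",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER legacy-job
"""
```

IPv6 wildcard patterns are reported as host names by this check and need manual review.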

openssh (1:3.0.1p1-1) unstable; urgency=high

  As of version 3, OpenSSH no longer uses separate files for ssh1 and ssh2
  keys. This means the authorized_keys2 and known_hosts2 files are no longer
  needed. They will still be read in order to maintain backward
  compatibility.

 -- Matthew Vernon <matthew@debian.org>  Thu, 28 Nov 2001 17:43:01 +0000