[arch-dev-public] [signoff] openssh-5.7p1-1
guillaume at archlinux.org
Tue Jan 25 17:19:16 EST 2011
On Mon, 2011-01-24 at 13:09 +0100, Gaetan Bisson wrote:
> Hi everyone,
> OpenSSH 5.7 has just been released. Due to Guillaume's work on this
> package, the upgrade was quite straightforward and openssh-5.7p1-1 is
> now in [testing]. All tests pass on both architectures.
> Enjoy your shiny new ECDSA keys!
> (And then please signoff.)
> Changes since OpenSSH 5.6
> * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
> and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA
> offer better performance than plain DH and DSA at the same equivalent
> symmetric key length, as well as much shorter keys.
> Only the mandatory sections of RFC5656 are implemented, specifically
> the three REQUIRED curves nistp256, nistp384 and nistp521 and only
> ECDH and ECDSA. Point compression (optional in RFC5656) is NOT
> Certificate host and user keys using the new ECDSA key types are
> supported - an ECDSA key may be certified, and an ECDSA key may act
> as a CA to sign certificates.
> ECDH in a 256 bit curve field is the preferred key agreement
> algorithm when both the client and server support it. ECDSA host
> keys are preferred when learning a host's keys for the first time,
> or can be learned using ssh-keyscan(1).
> * sftp(1)/sftp-server(8): add a protocol extension to support a hard
> link operation. It is available through the "ln" command in the
> client. The old "ln" behaviour of creating a symlink is available
> using its "-s" option or through the preexisting "symlink" command
> * scp(1): Add a new -3 option to scp: Copies between two remote hosts
> are transferred through the local host. Without this option the
> data is copied directly between the two remote hosts.
> * ssh(1): automatically order the hostkeys requested by the client
> based on which hostkeys are already recorded in known_hosts. This
> avoids hostkey warnings when connecting to servers with new ECDSA
> keys, since these are now preferred when learning hostkeys for the
> first time.
> * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
> TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
> * sftp(1): the sftp client is now significantly faster at performing
> directory listings, using OpenBSD glob(3) extensions to preserve
> the results of stat(3) operations performed in the course of its
> execution rather than performing expensive round trips to fetch
> them again afterwards.
> * ssh(1): "atomically" create the listening mux socket by binding it on
> a temporary name and then linking it into position after listen() has
> succeeded. This allows the mux clients to determine that the server
> socket is either ready or stale without races. stale server sockets
> are now automatically removed. (also fixes bz#1711)
> * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
> configuration to allow selection of which key exchange methods are
> used by ssh(1) and sshd(8) and their order of preference.
> * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
> a generic bandwidth limiter that can be attached using the atomicio
> callback mechanism and use it to add a bandwidth limit option to
> sftp(1). bz#1147
> * ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent
> temporary directories. bz#1809
> * ssh(1): avoid NULL deref on receiving a channel request on an unknown
> or invalid channel; bz#1842
> * sshd(8): remove a debug() that pollutes stderr on client connecting
> to a server in debug mode; bz#1719
> * scp(1): pass through ssh command-line flags and options when doing
> remote-remote transfers, e.g. to enable agent forwarding which is
> particularly useful in this case; bz#1837
> * sftp-server(8): umask should be parsed as octal
> * sftp(1): escape '[' in filename tab-completion
> * ssh(1): Typo in confirmation message. bz#1827
> * sshd(8): prevent free() of string in .rodata when overriding
> AuthorizedKeys in a Match block
> * sshd(8): Use default shell /bin/sh if $SHELL is ""
> * ssh(1): kill proxy command on fatal() (we already killed it on
> clean exit);
> * ssh(1): install a SIGCHLD handler to reap expiried child process;
> * Support building against openssl-1.0.0a
> Portable OpenSSH Bugfixes:
> * Use mandoc as preferred manpage formatter if it is present, followed
> by nroff and groff respectively.
> * sshd(8): Relax permission requirement on btmp logs to allow group
> * bz#1840: fix warning when configuring --with-ssl-engine
> * sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817
> * sshd(8): bz#1824: Add Solaris Project support.
> * sshd(8): Check is_selinux_enabled for exact return code since it can
> apparently return -1 under some conditions.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 230 bytes
Desc: This is a digitally signed message part
More information about the arch-dev-public