Accepted openssh 1:8.2p1-1 (all amd64 source) into unstable, unstable

Format: 1.8
Date: Fri, 21 Feb 2020 16:36:37 +0000
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server openssh-sk-helper openssh-tests ssh ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: all amd64 source
Version: 1:8.2p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <>
Changed-By: Colin Watson <>
Closes: 275458 631189 845315 951220 951582 951640
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-sk-helper - OpenSSH helper for FIDO authenticator support
 openssh-tests - OpenSSH regression tests
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 openssh (1:8.2p1-1) unstable; urgency=medium
   * New upstream release (, closes:
     - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
       (RSA/SHA1) algorithm from those accepted for certificate signatures
       (i.e. the client and server CASignatureAlgorithms option) and will use
       the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1)
       CA signs new certificates.
     - ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
       key exchange proposal for both the client and server.
     - ssh-keygen(1): The command-line options related to the generation and
       screening of safe prime numbers used by the
       diffie-hellman-group-exchange-* key exchange algorithms have changed.
       Most options have been folded under the -O flag.
     - sshd(8): The sshd listener process title visible to ps(1) has changed
       to include information about the number of connections that are
       currently attempting authentication and the limits configured by
     - Add support for FIDO/U2F hardware authenticators.
     - ssh-keygen(1): Add a "no-touch-required" option when generating
       FIDO-hosted keys, that disables their default behaviour of requiring a
       physical touch/tap on the token during authentication.  Note: not all
       tokens support disabling the touch requirement.
     - sshd(8): Add a sshd_config PubkeyAuthOptions directive that collects
       miscellaneous public key authentication-related options for sshd(8).
       At present it supports only a single option "no-touch-required".  This
       causes sshd to skip its default check for FIDO/U2F keys that the
       signature was authorised by a touch or press event on the token
     - ssh(1), sshd(8), ssh-keygen(1): Add a "no-touch-required" option for
       authorized_keys and a similar extension for certificates.  This option
       disables the default requirement that FIDO key signatures attest that
       the user touched their key to authorize them, mirroring the similar
       PubkeyAuthOptions sshd_config option.
     - ssh-keygen(1): Add support for writing the FIDO attestation
       information that is returned when new keys are generated via the "-O
       write-attestation=/path" option.  FIDO attestation certificates may be
       used to verify that a FIDO key is hosted in trusted hardware.  OpenSSH
       does not currently make use of this information, beyond optionally
       writing it to disk.
     - Add support for FIDO2 resident keys.
     - sshd(8): Add an Include sshd_config keyword that allows including
       additional configuration files via glob(3) patterns (closes: #631189).
     - ssh(1)/sshd(8): Make the LE (low effort) DSCP code point available via
       the IPQoS directive.
     - ssh(1): When AddKeysToAgent=yes is set and the key contains no
       comment, add the key to the agent with the key's path as the comment.
     - ssh-keygen(1), ssh-agent(1): Expose PKCS#11 key labels and X.509
       subjects as key comments, rather than simply listing the PKCS#11
       provider library path.
     - ssh-keygen(1): Allow PEM export of DSA and ECDSA keys.
     - sshd(8): When clients get denied by MaxStartups, send a notification
       prior to the SSH2 protocol banner according to RFC4253 section 4.2
       (closes: #275458).
     - ssh(1), ssh-agent(1): When invoking the $SSH_ASKPASS prompt program,
       pass a hint to the program to describe the type of desired prompt.
       The possible values are "confirm" (indicating that a yes/no
       confirmation dialog with no text entry should be shown), "none" (to
       indicate an informational message only), or blank for the original
       ssh-askpass behaviour of requesting a password/phrase.
     - ssh(1): Allow forwarding a different agent socket to the path
       specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
       option to accept an explicit path or the name of an environment
       variable in addition to yes/no.
     - ssh-keygen(1): Add a new signature operation "find-principals" to
       look up the principal associated with a signature from an
       allowed-signers file.
     - sshd(8): Expose the number of currently-authenticating connections
       along with the MaxStartups limit in the process title visible to "ps".
     - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
       now disable connection killing entirely rather than the current
       behaviour of instantly killing the connection after the first liveness
       test regardless of success.
     - sshd(8): Clarify order of AllowUsers / DenyUsers vs AllowGroups /
       DenyGroups in the sshd(8) manual page.
     - sshd(8): Better describe HashKnownHosts in the manual page.
     - sshd(8): Clarify that permitopen=/PermitOpen do no name or
       address translation in the manual page.
     - sshd(8): Allow the UpdateHostKeys feature to function when multiple
       known_hosts files are in use.  When updating host keys, ssh will now
       search subsequent known_hosts files, but will add updated host keys to
       the first specified file only.
     - All: Replace all calls to signal(2) with a wrapper around
       sigaction(2).  This wrapper blocks all other signals during the
       handler preventing races between handlers, and sets SA_RESTART which
       should reduce the potential for short read/write operations.
     - sftp(1): Fix a race condition in the SIGCHLD handler that could turn
       into a kill(-1).
     - sshd(8): Fix a case where valid (but extremely large) SSH channel IDs
       were being incorrectly rejected.
     - ssh(1): When checking host key fingerprints as answers to new hostkey
       prompts, ignore whitespace surrounding the fingerprint itself.
     - All: Wait for file descriptors to be readable or writeable during
       non-blocking connect, not just readable.  Prevents a timeout when the
       server doesn't immediately send a banner (e.g. multiplexers like
     - sshd_config(5): Document the
       key exchange algorithm.
   * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1
     and 1:7.8p1-1 inclusive (closes: #951220).
   * ssh(1): Explain that -Y is equivalent to -X in the default configuration
     (closes: #951640).
   * Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and
     /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config (closes: