Accepted openssh 1:8.4p1-1 (source) into unstable

Format: 1.8
Date: Tue, 20 Oct 2020 14:15:17 +0100
Source: openssh
Architecture: source
Version: 1:8.4p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <>
Changed-By: Colin Watson <>
Closes: 368657 481250
 openssh (1:8.4p1-1) unstable; urgency=medium
   * New upstream release (
     - [SECURITY] ssh-agent(1): restrict ssh-agent from signing web
       challenges for FIDO/U2F keys.
     - [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when
       generating a FIDO resident key.
     - ssh-keygen(1): the format of the attestation information optionally
       recorded when a FIDO key is generated has changed. It now includes the
       authenticator data needed to validate attestation signatures.
     - The API between OpenSSH and the FIDO token middleware has changed and
       the SSH_SK_VERSION_MAJOR version has been incremented as a result.
       Third-party middleware libraries must support the current API version
       (7) to work with OpenSSH 8.4.
     - ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
       each use. These keys may be generated using ssh-keygen using a new
       "verify-required" option. When a PIN-required key is used, the user
       will be prompted for a PIN to complete the signature operation.
     - sshd(8): authorized_keys now supports a new "verify-required" option
       to require that FIDO signatures assert that the token verified that
       the user was present before making the signature. The FIDO protocol
       supports multiple methods for user-verification, but currently OpenSSH
       only supports PIN verification.
     - sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
       signatures. Webauthn is a standard for using FIDO keys in web
       browsers. These signatures are a slightly different format to plain
       FIDO signatures and thus require explicit support.
     - ssh(1): allow some keywords to expand shell-style ${ENV} environment
       variables. The supported keywords are CertificateFile, ControlPath,
       IdentityAgent and IdentityFile, plus LocalForward and RemoteForward
       when used for Unix domain socket paths.
     - ssh(1), ssh-agent(1): allow some additional control over the use of
       ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
       including forcibly enabling and disabling its use (closes: #368657).
     - ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword to accept a time
       limit for keys in addition to its current flag options. Time-limited
       keys will automatically be removed from ssh-agent after their expiry
       time has passed.
     - scp(1), sftp(1): allow the -A flag to explicitly enable agent
       forwarding in scp and sftp. The default remains to not forward an
       agent, even when ssh_config enables it.
     - ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the
       destination. This allows, e.g., keeping host keys in individual files
       using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k" (closes: #481250).
     - ssh(1): add %-TOKEN, environment variable and tilde expansion to the
       UserKnownHostsFile directive, allowing the path to be completed by the
     - ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted from
     - sshd(8): improve logging for MaxStartups connection throttling.  sshd
       will now log when it starts and stops throttling and periodically
       while in this state.
     - ssh(1), ssh-keygen(1): better support for multiple attached FIDO
       tokens. In cases where OpenSSH cannot unambiguously determine which
       token to direct a request to, the user is now required to select a
       token by touching it. In cases of operations that require a PIN to be
       verified, this avoids sending the wrong PIN to the wrong token and
       incrementing the token's PIN failure counter (tokens effectively erase
       their keys after too many PIN failures).
     - sshd(8): fix Include before Match in sshd_config (LP: #1885990).
     - ssh(1): close stdin/out/error when forking after authentication
       completes ("ssh -f ...").
     - ssh(1), sshd(8): limit the amount of channel input data buffered,
       avoiding peers that advertise large windows but are slow to read from
       causing high memory consumption.
     - ssh-agent(1): handle multiple requests sent in a single write() to the
     - sshd(8): allow sshd_config longer than 256k.
     - sshd(8): avoid spurious "Unable to load host key" message when sshd
       loads a private key but no public counterpart.
     - ssh(1): prefer the default hostkey algorithm list whenever we have a
       hostkey that matches its best-preference algorithm.
     - sshd(1): when ordering the hostkey algorithms to request from a
       server, prefer certificate types if the known_hosts files contain a
       key marked as a @cert-authority.
     - ssh(1): perform host key fingerprint comparisons for the "Are you sure
       you want to continue connecting (yes/no/[fingerprint])?" prompt with
       case sensitivity.
     - sshd(8): ensure that address/masklen mismatches in sshd_config yield
       fatal errors at daemon start time rather than later when they are
     - ssh-keygen(1): ensure that certificate extensions are lexically
       sorted. Previously if the user specified a custom extension then
       everything would be in order except the custom ones.
     - ssh(1): also compare username when checking for JumpHost loops.
     - ssh-keygen(1): preserve group/world read permission on known_hosts
       files across runs of "ssh-keygen -Rf /path". The old behaviour was to
       remove all rights for group/other.
     - ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen manual
       page and usage().
     - sshd(8): explicitly construct path to ~/.ssh/rc rather than relying on
       it being relative to the current directory, so that it can still be
       found if the shell startup changes its directory.
     - sshd(8): when redirecting sshd's log output to a file, undo this
       redirection after the session child process is forked(). Fixes missing
       log messages when using this feature under some circumstances.
     - sshd(8): start ClientAliveInterval bookkeeping before first pass
       through select() loop; fixed theoretical case where busy sshd may
       ignore timeouts from client.
     - ssh(1): only reset the ServerAliveInterval check when we receive
       traffic from the server and ignore traffic from a port forwarding
       client, preventing a client from keeping a connection alive when it
       should be terminated.
     - ssh-keygen(1): avoid spurious error message when ssh-keygen creates
       files outside ~/.ssh.
     - sftp-client(1): fix off-by-one error that caused sftp downloads to
       make one more concurrent request than desired. This prevented using
       sftp(1) in unpipelined request/response mode, which is useful when
     - ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
     - ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
       write to it so we don't leave an empty .ssh directory when it's not
     - ssh(1), sshd(8): fix multiplier when parsing time specifications when
       handling seconds after other units.
     - sshd(8): always send any PAM account messages. If the PAM account
       stack returns any messages, always send them to the user and not just
       if the check succeeds.
     - gnome-ssh-askpass3: ensure the "close" button is not focused by
       default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter
       accidentally dismissing FIDO touch notifications.
     - gnome-ssh-askpass3: allow some control over textarea colour via
       environment variables.
     - Detect the Frankenstein monster of Linux/X32 and allow the sandbox to
       function there.
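The time-specification fix above ("fix multiplier when parsing time specifications when handling seconds after other units") concerns values such as "1h30", where a unit-less term following a unit must count as seconds rather than inherit the previous multiplier. The parser below is an added illustration of that grammar, written for this page and not OpenSSH's own code; the function name parse_time_spec and the accepted units (s, m, h, d, w, bare number = seconds) are assumptions.

```c
/* Illustrative parser for OpenSSH-style time specifications (hypothetical,
 * not OpenSSH's own code). Input is a sequence of <number>[unit] terms,
 * e.g. "90", "1h30m", "2w3d". Returns total seconds, or -1 on malformed
 * input or arithmetic overflow. */
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>

long parse_time_spec(const char *s)
{
    long total = 0;

    if (s == NULL || *s == '\0')
        return -1;
    while (*s != '\0') {
        char *end;
        long n, mult;

        if (!isdigit((unsigned char)*s))
            return -1;              /* each term must start with digits */
        n = strtol(s, &end, 10);
        if (n < 0 || n == LONG_MAX)
            return -1;              /* reject sign tricks and overflow */
        /* The multiplier is chosen per term. A bare number after a unit
         * ("1h30") falls back to seconds instead of reusing the previous
         * unit's multiplier, which is the case the changelog item fixes. */
        switch (*end) {
        case 's': case 'S': mult = 1;      end++; break;
        case 'm': case 'M': mult = 60;     end++; break;
        case 'h': case 'H': mult = 3600;   end++; break;
        case 'd': case 'D': mult = 86400;  end++; break;
        case 'w': case 'W': mult = 604800; end++; break;
        default:            mult = 1;             break; /* no unit */
        }
        if (n > LONG_MAX / mult)
            return -1;
        n *= mult;
        if (total > LONG_MAX - n)
            return -1;
        total += n;
        s = end;                    /* continue with the next term */
    }
    return total;
}
```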
