openssh 1:8.1p1-1 source package in Ubuntu
Changelog
openssh (1:8.1p1-1) unstable; urgency=medium

  * New upstream release (https://www.openssh.com/txt/release-8.1):
    - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB).
    - ssh(1): Allow %n to be expanded in ProxyCommand strings.
    - ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. "HostKeyAlgorithms ^ssh-ed25519".
    - ssh-keygen(1): Add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email).
    - ssh-keygen(1): Print key comment when extracting public key from a private key.
    - ssh-keygen(1): Accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too.
    - All: Support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's.
    - ssh(1): If a PKCS#11 token returns no keys then try to login and refetch them.
    - ssh(1): Produce a useful error message if the user's shell is set incorrectly during "match exec" processing.
    - sftp(1): Allow the maximum uint32 value for the argument passed to -b which allows better error messages from later validation.
    - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX proposal; allows ssh-keyscan to harvest keys from servers that disable old SHA1 ssh-rsa.
    - sftp(1): Print explicit "not modified" message if a file was requested for resumed download but was considered already complete.
    - sftp(1): Fix a typo and make <esc><right> move right to the closest end of a word just like <esc><left> moves left to the closest beginning of a word.
    - sshd(8): Cap the number of permitopen/permitlisten directives allowed to appear on a single authorized_keys line.
    - All: Fix a number of memory leaks (one-off or on exit paths).
    - ssh(1), sshd(8): Check for convtime() refusing to accept times that resolve to LONG_MAX.
    - ssh(1): Slightly more instructive error message when the user specifies multiple -J options on the command-line (closes: #929669).
    - ssh-agent(1): Process agent requests for RSA certificate private keys using correct signature algorithm when requested.
    - sftp(1): Check for user@host when parsing sftp target. This allows user@[1.2.3.4] to work without a path.
    - sshd(8): Enlarge format buffer size for certificate serial number so the log message can record any 64-bit integer without truncation.
    - sshd(8): For PermitOpen violations add the remote host and port to be able to more easily ascertain the source of the request. Add the same logging for PermitListen violations which were not previously logged at all.
    - scp(1), sftp(1): Use the correct POSIX format style for left justification for the transfer progress meter.
    - sshd(8): When examining a configuration using sshd -T, assume any attribute not provided by -C does not match, which allows it to work when sshd_config contains a Match directive with or without -C.
    - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots" warning from log level error to debug. This is common when attempting to enumerate keys on smartcard readers with no cards plugged in.
    - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11 tokens. Avoids spurious PIN prompts for keys not selected for authentication in ssh(1) and when listing public keys available in a token using ssh-keygen(1).
    - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
    - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with PROT_(READ|WRITE|NONE) only. This syscall is used by some hardened heap allocators.
    - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific ioctl for ECC hardware support.
  * Re-enable hardening on hppa, since the corresponding GCC bug is apparently fixed.

 -- Colin Watson <email address hidden>  Thu, 10 Oct 2019 10:23:19 +0100
Upload details
- Uploaded by: Debian OpenSSH Maintainers
- Uploaded to: Sid
- Original maintainer: Debian OpenSSH Maintainers
- Architectures: any all
- Section: net
- Urgency: Medium Urgency
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
openssh_8.1p1-1.dsc | 3.2 KiB | 01e3152f72f1352078308842357f56f5206edcad7c5228ff8c13be83be69349b |
openssh_8.1p1.orig.tar.gz | 1.6 MiB | 02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff |
openssh_8.1p1.orig.tar.gz.asc | 683 bytes | da3f623f0131b55c8199fbbd86be0748d00c6e1e098dfc0ebea664901c9a7ab4 |
openssh_8.1p1-1.debian.tar.xz | 167.6 KiB | d93a83ebd34b917a307c2876d7a3ad778277f745f38634b961cba65bf07cd10c |
Available diffs
No changes file available.
Binary packages built by this source
- openssh-client: secure shell (SSH) client, for secure access to remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the ssh, scp and sftp clients, the ssh-agent
and ssh-add programs to make public key authentication more convenient,
and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
ssh replaces the insecure rsh, rcp and rlogin programs, which are
obsolete for most purposes.
- openssh-client-dbgsym: debug symbols for openssh-client
- openssh-client-udeb: secure shell client for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the ssh client for use in debian-installer.
- openssh-server: secure shell (SSH) server, for secure access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the sshd server.
.
In some countries it may be illegal to use any encryption at all
without a special permit.
.
sshd replaces the insecure rshd program, which is obsolete for most
purposes.
- openssh-server-dbgsym: debug symbols for openssh-server
- openssh-server-udeb: secure shell server for the Debian installer
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
This package provides the sshd server for use in debian-installer.
Since it is expected to be used in specialized situations (e.g. S/390
installs with no console), it does not provide any configuration.
- openssh-sftp-server: secure shell (SSH) sftp server module, for SFTP access from remote machines
This is the portable version of OpenSSH, a free implementation of
the Secure Shell protocol as specified by the IETF secsh working
group.
.
Ssh (Secure Shell) is a program for logging into a remote machine
and for executing commands on a remote machine.
It provides secure encrypted communications between two untrusted
hosts over an insecure network. X11 connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
It can be used to provide applications with a secure communication
channel.
.
This package provides the SFTP server module for the SSH server. It
is needed if you want to access your SSH server with SFTP. The SFTP
server module also works with other SSH daemons like dropbear.
.
OpenSSH's sftp and sftp-server implement revision 3 of the SSH filexfer
protocol described in:
.
http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
.
Newer versions of the draft will not be supported, though some features
are individually implemented as extensions.
- openssh-sftp-server-dbgsym: debug symbols for openssh-sftp-server
- openssh-tests: OpenSSH regression tests
This package provides OpenSSH's regression test suite. It is mainly
intended for use with the autopkgtest system, though can also be run
directly using /usr/lib/openssh/regress/run-tests.
- openssh-tests-dbgsym: debug symbols for openssh-tests
- ssh: secure shell client and server (metapackage)
This metapackage is a convenient way to install both the OpenSSH client
and the OpenSSH server. It provides nothing in and of itself, so you
may remove it if nothing depends on it.
- ssh-askpass-gnome: interactive X program to prompt users for a passphrase for ssh-add
This has been split out of the main openssh-client package so that
openssh-client does not need to depend on GTK+.
.
You probably want the ssh-askpass package instead, but this is
provided to add to your choice and/or confusion.
- ssh-askpass-gnome-dbgsym: debug symbols for ssh-askpass-gnome