Format: 1.8
Date: Fri, 21 Feb 2020 16:36:37 +0000
Source: openssh
Binary: openssh-client openssh-client-udeb openssh-server openssh-server-udeb openssh-sftp-server openssh-sk-helper openssh-tests ssh-askpass-gnome
Architecture: armhf armhf_translations
Version: 1:8.2p1-1
Distribution: focal-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-sk-helper - OpenSSH helper for FIDO authenticator support
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 275458 631189 845315 951220 951582 951640
Changes:
 openssh (1:8.2p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.2, closes:
     #951582):
     - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
       (RSA/SHA1) algorithm from those accepted for certificate signatures
       (i.e. the client and server CASignatureAlgorithms option) and will
       use the rsa-sha2-512 signature algorithm by default when the
       ssh-keygen(1) CA signs new certificates.
     - ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
       key exchange proposal for both the client and server.
     - ssh-keygen(1): The command-line options related to the generation
       and screening of safe prime numbers used by the
       diffie-hellman-group-exchange-* key exchange algorithms have
       changed. Most options have been folded under the -O flag.
     - sshd(8): The sshd listener process title visible to ps(1) has
       changed to include information about the number of connections that
       are currently attempting authentication and the limits configured by
       MaxStartups.
     - Add support for FIDO/U2F hardware authenticators.
     - ssh-keygen(1): Add a "no-touch-required" option when generating
       FIDO-hosted keys, that disables their default behaviour of requiring
       a physical touch/tap on the token during authentication. Note: not
       all tokens support disabling the touch requirement.
     - sshd(8): Add a sshd_config PubkeyAuthOptions directive that collects
       miscellaneous public key authentication-related options for sshd(8).
       At present it supports only a single option "no-touch-required".
       This causes sshd to skip its default check for FIDO/U2F keys that
       the signature was authorised by a touch or press event on the token
       hardware.
     - ssh(1), sshd(8), ssh-keygen(1): Add a "no-touch-required" option for
       authorized_keys and a similar extension for certificates. This
       option disables the default requirement that FIDO key signatures
       attest that the user touched their key to authorize them, mirroring
       the similar PubkeyAuthOptions sshd_config option.
     - ssh-keygen(1): Add support for writing the FIDO attestation
       information that is returned when new keys are generated via the "-O
       write-attestation=/path" option. FIDO attestation certificates may
       be used to verify that a FIDO key is hosted in trusted hardware.
       OpenSSH does not currently make use of this information, beyond
       optionally writing it to disk.
     - Add support for FIDO2 resident keys.
     - sshd(8): Add an Include sshd_config keyword that allows including
       additional configuration files via glob(3) patterns (closes:
       #631189).
     - ssh(1)/sshd(8): Make the LE (low effort) DSCP code point available
       via the IPQoS directive.
     - ssh(1): When AddKeysToAgent=yes is set and the key contains no
       comment, add the key to the agent with the key's path as the
       comment.
     - ssh-keygen(1), ssh-agent(1): Expose PKCS#11 key labels and X.509
       subjects as key comments, rather than simply listing the PKCS#11
       provider library path.
     - ssh-keygen(1): Allow PEM export of DSA and ECDSA keys.
     - sshd(8): When clients get denied by MaxStartups, send a notification
       prior to the SSH2 protocol banner according to RFC4253 section 4.2
       (closes: #275458).
     - ssh(1), ssh-agent(1): When invoking the $SSH_ASKPASS prompt program,
       pass a hint to the program to describe the type of desired prompt.
       The possible values are "confirm" (indicating that a yes/no
       confirmation dialog with no text entry should be shown), "none" (to
       indicate an informational message only), or blank for the original
       ssh-askpass behaviour of requesting a password/phrase.
     - ssh(1): Allow forwarding a different agent socket to the path
       specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
       option to accept an explicit path or the name of an environment
       variable in addition to yes/no.
     - ssh-keygen(1): Add a new signature operation "find-principals" to
       look up the principal associated with a signature from an
       allowed-signers file.
     - sshd(8): Expose the number of currently-authenticating connections
       along with the MaxStartups limit in the process title visible to
       "ps".
     - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
       now disable connection killing entirely rather than the current
       behaviour of instantly killing the connection after the first
       liveness test regardless of success.
     - sshd(8): Clarify order of AllowUsers / DenyUsers vs AllowGroups /
       DenyGroups in the sshd(8) manual page.
     - sshd(8): Better describe HashKnownHosts in the manual page.
     - sshd(8): Clarify that permitopen=/PermitOpen do no name or address
       translation in the manual page.
     - sshd(8): Allow the UpdateHostKeys feature to function when multiple
       known_hosts files are in use. When updating host keys, ssh will now
       search subsequent known_hosts files, but will add updated host keys
       to the first specified file only.
     - All: Replace all calls to signal(2) with a wrapper around
       sigaction(2). This wrapper blocks all other signals during the
       handler preventing races between handlers, and sets SA_RESTART which
       should reduce the potential for short read/write operations.
     - sftp(1): Fix a race condition in the SIGCHILD handler that could
       turn into a kill(-1).
     - sshd(8): Fix a case where valid (but extremely large) SSH channel
       IDs were being incorrectly rejected.
     - ssh(1): When checking host key fingerprints as answers to new
       hostkey prompts, ignore whitespace surrounding the fingerprint
       itself.
     - All: Wait for file descriptors to be readable or writeable during
       non-blocking connect, not just readable. Prevents a timeout when the
       server doesn't immediately send a banner (e.g. multiplexers like
       sslh).
     - sshd_config(5): Document the sntrup4591761x25519-sha512@tinyssh.org
       key exchange algorithm.
   * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1
     and 1:7.8p1-1 inclusive (closes: #951220).
   * ssh(1): Explain that -Y is equivalent to -X in the default
     configuration (closes: #951640).
   * Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and
     /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config (closes:
     #845315).