Format: 1.8
Date: Fri, 21 Feb 2020 16:36:37 +0000
Source: openssh
Binary: openssh-client openssh-client-udeb openssh-server openssh-server-udeb openssh-sftp-server openssh-sk-helper openssh-tests ssh-askpass-gnome
Architecture: s390x s390x_translations
Version: 1:8.2p1-1
Distribution: focal-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-sk-helper - OpenSSH helper for FIDO authenticator support
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 275458 631189 845315 951220 951582 951640
Changes:
 openssh (1:8.2p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.2, closes:
     #951582):
     - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
       (RSA/SHA1) algorithm from those accepted for certificate signatures
       (i.e. the client and server CASignatureAlgorithms option) and will
       use the rsa-sha2-512 signature algorithm by default when the
       ssh-keygen(1) CA signs new certificates.
     - ssh(1), sshd(8): Remove diffie-hellman-group14-sha1 from the default
       key exchange proposal for both the client and server.
     - ssh-keygen(1): The command-line options related to the generation
       and screening of safe prime numbers used by the
       diffie-hellman-group-exchange-* key exchange algorithms have
       changed. Most options have been folded under the -O flag.
     - sshd(8): The sshd listener process title visible to ps(1) has
       changed to include information about the number of connections that
       are currently attempting authentication and the limits configured by
       MaxStartups.
     - Add support for FIDO/U2F hardware authenticators.
     - ssh-keygen(1): Add a "no-touch-required" option when generating
       FIDO-hosted keys, that disables their default behaviour of requiring
       a physical touch/tap on the token during authentication. Note: not
       all tokens support disabling the touch requirement.
     - sshd(8): Add a sshd_config PubkeyAuthOptions directive that collects
       miscellaneous public key authentication-related options for sshd(8).
       At present it supports only a single option "no-touch-required".
       This causes sshd to skip its default check for FIDO/U2F keys that
       the signature was authorised by a touch or press event on the token
       hardware.
     - ssh(1), sshd(8), ssh-keygen(1): Add a "no-touch-required" option for
       authorized_keys and a similar extension for certificates. This
       option disables the default requirement that FIDO key signatures
       attest that the user touched their key to authorize them, mirroring
       the similar PubkeyAuthOptions sshd_config option.
     - ssh-keygen(1): Add support for writing the FIDO attestation
       information that is returned when new keys are generated via the
       "-O write-attestation=/path" option. FIDO attestation certificates
       may be used to verify that a FIDO key is hosted in trusted hardware.
       OpenSSH does not currently make use of this information, beyond
       optionally writing it to disk.
     - Add support for FIDO2 resident keys.
     - sshd(8): Add an Include sshd_config keyword that allows including
       additional configuration files via glob(3) patterns (closes:
       #631189).
     - ssh(1)/sshd(8): Make the LE (low effort) DSCP code point available
       via the IPQoS directive.
     - ssh(1): When AddKeysToAgent=yes is set and the key contains no
       comment, add the key to the agent with the key's path as the
       comment.
     - ssh-keygen(1), ssh-agent(1): Expose PKCS#11 key labels and X.509
       subjects as key comments, rather than simply listing the PKCS#11
       provider library path.
     - ssh-keygen(1): Allow PEM export of DSA and ECDSA keys.
     - sshd(8): When clients get denied by MaxStartups, send a notification
       prior to the SSH2 protocol banner according to RFC4253 section 4.2
       (closes: #275458).
     - ssh(1), ssh-agent(1): When invoking the $SSH_ASKPASS prompt program,
       pass a hint to the program to describe the type of desired prompt.
       The possible values are "confirm" (indicating that a yes/no
       confirmation dialog with no text entry should be shown), "none" (to
       indicate an informational message only), or blank for the original
       ssh-askpass behaviour of requesting a password/phrase.
     - ssh(1): Allow forwarding a different agent socket to the path
       specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
       option to accept an explicit path or the name of an environment
       variable in addition to yes/no.
     - ssh-keygen(1): Add a new signature operation "find-principals" to
       look up the principal associated with a signature from an
       allowed-signers file.
     - sshd(8): Expose the number of currently-authenticating connections
       along with the MaxStartups limit in the process title visible to
       "ps".
     - sshd(8): Make ClientAliveCountMax=0 have sensible semantics: it will
       now disable connection killing entirely rather than the current
       behaviour of instantly killing the connection after the first
       liveness test regardless of success.
     - sshd(8): Clarify order of AllowUsers / DenyUsers vs AllowGroups /
       DenyGroups in the sshd(8) manual page.
     - sshd(8): Better describe HashKnownHosts in the manual page.
     - sshd(8): Clarify that permitopen=/PermitOpen do no name or address
       translation in the manual page.
     - sshd(8): Allow the UpdateHostKeys feature to function when multiple
       known_hosts files are in use. When updating host keys, ssh will now
       search subsequent known_hosts files, but will add updated host keys
       to the first specified file only.
     - All: Replace all calls to signal(2) with a wrapper around
       sigaction(2). This wrapper blocks all other signals during the
       handler preventing races between handlers, and sets SA_RESTART which
       should reduce the potential for short read/write operations.
     - sftp(1): Fix a race condition in the SIGCHILD handler that could
       turn in to a kill(-1).
     - sshd(8): Fix a case where valid (but extremely large) SSH channel
       IDs were being incorrectly rejected.
     - ssh(1): When checking host key fingerprints as answers to new
       hostkey prompts, ignore whitespace surrounding the fingerprint
       itself.
     - All: Wait for file descriptors to be readable or writeable during
       non-blocking connect, not just readable. Prevents a timeout when the
       server doesn't immediately send a banner (e.g. multiplexers like
       sslh).
     - sshd_config(5): Document the sntrup4591761x25519-sha512@tinyssh.org
       key exchange algorithm.
   * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1
     and 1:7.8p1-1 inclusive (closes: #951220).
   * ssh(1): Explain that -Y is equivalent to -X in the default
     configuration (closes: #951640).
   * Include /etc/ssh/ssh_config.d/*.conf from /etc/ssh/ssh_config and
     /etc/ssh/sshd_config.d/*.conf from /etc/ssh/sshd_config (closes:
     #845315).