openssh 1:8.0p1-1 source package in Ubuntu

Changelog

openssh (1:8.0p1-1) experimental; urgency=medium

  * New upstream release (https://www.openssh.com/txt/release-8.0, closes:
    #927792):
    - ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
      PKCS#11 tokens (LP: #1665695).
    - ssh(1), sshd(8): Add experimental quantum-computing resistant key
      exchange method, based on a combination of Streamlined NTRU Prime
      4591^761 and X25519.
    - ssh-keygen(1): Increase the default RSA key size to 3072 bits,
      following NIST Special Publication 800-57's guidance for a 128-bit
      equivalent symmetric security level (LP: #1445625).
    - ssh(1): Allow "PKCS11Provider=none" to override later instances of the
      PKCS11Provider directive in ssh_config.
    - sshd(8): Add a log message for situations where a connection is
      dropped for attempting to run a command but a sshd_config
      ForceCommand=internal-sftp restriction is in effect.
    - ssh(1): When prompting whether to record a new host key, accept the
      key fingerprint as a synonym for "yes".  This allows the user to paste
      a fingerprint obtained out of band at the prompt and have the client
      do the comparison for you.
    - ssh-keygen(1): When signing multiple certificates on a single
      command-line invocation, allow automatically incrementing the
      certificate serial number.
    - scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp
      and sftp command-lines.
    - ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
      command-line flags to increase the verbosity of output; pass verbose
      flags though to subprocesses, such as ssh-pkcs11-helper started from
      ssh-agent.
    - ssh-add(1): Add a "-T" option to allowing testing whether keys in an
      agent are usable by performing a signature and a verification.
    - sftp-server(8): Add a "<email address hidden>" protocol extension that
      replicates the functionality of the existing SSH2_FXP_SETSTAT
      operation but does not follow symlinks.
    - sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they
      do not follow symlinks.
    - sshd(8): Expose $SSH_CONNECTION in the PAM environment.  This makes
      the connection 4-tuple available to PAM modules that wish to use it in
      decision-making.
    - sshd(8): Add a ssh_config "Match final" predicate.  Matches in same
      pass as "Match canonical" but doesn't require hostname
      canonicalisation be enabled.
    - sftp(1): Support a prefix of '@' to suppress echo of sftp batch
      commands.
    - ssh-keygen(1): When printing certificate contents using "ssh-keygen
      -Lf /path/certificate", include the algorithm that the CA used to sign
      the cert.
    - sshd(8): Fix authentication failures when sshd_config contains
      "AuthenticationMethods any" inside a Match block that overrides a more
      restrictive default.
    - sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is
      enabled.
    - sshd(8): Fix two race conditions related to SIGHUP daemon restart.
      Remnant file descriptors in recently-forked child processes could
      block the parent sshd's attempt to listen(2) to the configured
      addresses.  Also, the restarting parent sshd could exit before any
      child processes that were awaiting their re-execution state had
      completed reading it, leaving them in a fallback path.
    - ssh(1): Fix stdout potentially being redirected to /dev/null when
      ProxyCommand=- was in use.
    - sshd(8): Avoid sending SIGPIPE to child processes if they attempt to
      write to stderr after their parent processes have exited.
    - ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and
      ConnectionAttempts directives - connection attempts after the first
      were ignoring the requested timeout (LP: #1798049).
    - ssh-keyscan(1): Return a non-zero exit status if no keys were found
      (closes: #374980, LP: #1661745).
    - scp(1): Sanitize scp filenames to allow UTF-8 characters without
      terminal control sequences.
    - sshd(8): Fix confusion between ClientAliveInterval and time-based
      RekeyLimit that could cause connections to be incorrectly closed.
    - ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at
      initial token login.  The attempt to read the PIN could be skipped in
      some cases, particularly on devices with integrated PIN readers.  This
      would lead to an inability to retrieve keys from these tokens.
    - ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
      CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
      C_SignInit operation.
    - ssh(1): Improve documentation for ProxyJump/-J, clarifying that local
      configuration does not apply to jump hosts.
    - ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys,
      not private.
    - ssh(1), sshd(8): be more strict in processing protocol banners,
      allowing \r characters only immediately before \n.
    - Various: fix a number of memory leaks.
    - scp(1), sftp(1): fix calculation of initial bandwidth limits.  Account
      for bytes written before the timer starts and adjust the schedule on
      which recalculations are performed.  Avoids an initial burst of
      traffic and yields more accurate bandwidth limits.
    - sshd(8): Only consider the ext-info-c extension during the initial key
      eschange.  It shouldn't be sent in subsequent ones, but if it is
      present we should ignore it.  This prevents sshd from sending a
      SSH_MSG_EXT_INFO for REKEX for these buggy clients.
    - ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
      authorized_keys) and -R (remove host from authorized_keys) options may
      accept either a bare hostname or a [hostname]:port combo.
    - ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK.
    - sshd(8): Silence error messages when sshd fails to load some of the
      default host keys.  Failure to load an explicitly-configured hostkey
      is still an error, and failure to load any host key is still fatal.
    - ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
      started with ControlPersist; prevents random ProxyCommand output from
      interfering with session output.
    - ssh(1): The ssh client was keeping a redundant ssh-agent socket
      (leftover from authentication) around for the life of the connection.
    - sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
      PubkeyAcceptedKeyTypes options.  If only RSA-SHA2 signature types were
      specified, then authentication would always fail for RSA keys as the
      monitor checks only the base key (not the signature algorithm) type
      against *AcceptedKeyTypes.
    - ssh(1): Request correct signature types from ssh-agent when
      certificate keys and RSA-SHA2 signatures are in use.
    - sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the
      user environment if it's enabled (closes: #189920, #532754).
  * Mostly resynced GSSAPI key exchange patch with Fedora.  Major changes:
    - Support selection of GSSAPI key exchange algorithms.
    - Support GSSAPI key exchange methods with DH and SHA2.
    - Support GSSAPI key exchange using ECDH and SHA2.
    - Make sure the Kerberos tickets are cleaned up with the user context.
    - Enable gssapi-keyex authentication without gssapi-with-mic.
    - Allow querying for GSSAPI key exchange algorithms from ssh (-Q
      kex-gss).
  * Apply upstream patch to fix the utimensat regression tests when not
    using the compatibility implementation.

 -- Colin Watson <email address hidden>  Sun, 09 Jun 2019 22:47:27 +0100

Upload details

Uploaded by:
Debian OpenSSH Maintainers on 2019-06-10
Uploaded to:
Experimental
Original maintainer:
Debian OpenSSH Maintainers
Architectures:
any all
Section:
net
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Downloads

File Size SHA-256 Checksum
openssh_8.0p1-1.dsc 3.2 KiB d9eead44a036a84871d74a26e9f138fb60f33b74f5ba6e5e5253220ed5037e81
openssh_8.0p1.orig.tar.gz 1.5 MiB bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68
openssh_8.0p1.orig.tar.gz.asc 683 bytes 1904abaa20c24f0c8fed8d7708ec13f4ddca0b8f0f3a191b183b93f142111538
openssh_8.0p1-1.debian.tar.xz 166.5 KiB 82ae8aa9a3391c8fd6a40a3d1baee666e1e1b994af2b817a481e3cb821e72629

No changes file available.

Binary packages built by this source

openssh-client: secure shell (SSH) client, for secure access to remote machines

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the ssh, scp and sftp clients, the ssh-agent
 and ssh-add programs to make public key authentication more convenient,
 and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 ssh replaces the insecure rsh, rcp and rlogin programs, which are
 obsolete for most purposes.

openssh-client-dbgsym: debug symbols for openssh-client
openssh-client-udeb: secure shell client for the Debian installer

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 This package provides the ssh client for use in debian-installer.

openssh-server: secure shell (SSH) server, for secure access from remote machines

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the sshd server.
 .
 In some countries it may be illegal to use any encryption at all
 without a special permit.
 .
 sshd replaces the insecure rshd program, which is obsolete for most
 purposes.

openssh-server-dbgsym: debug symbols for openssh-server
openssh-server-udeb: secure shell server for the Debian installer

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 This package provides the sshd server for use in debian-installer.
 Since it is expected to be used in specialized situations (e.g. S/390
 installs with no console), it does not provide any configuration.

openssh-sftp-server: secure shell (SSH) sftp server module, for SFTP access from remote machines

 This is the portable version of OpenSSH, a free implementation of
 the Secure Shell protocol as specified by the IETF secsh working
 group.
 .
 Ssh (Secure Shell) is a program for logging into a remote machine
 and for executing commands on a remote machine.
 It provides secure encrypted communications between two untrusted
 hosts over an insecure network. X11 connections and arbitrary TCP/IP
 ports can also be forwarded over the secure channel.
 It can be used to provide applications with a secure communication
 channel.
 .
 This package provides the SFTP server module for the SSH server. It
 is needed if you want to access your SSH server with SFTP. The SFTP
 server module also works with other SSH daemons like dropbear.
 .
 OpenSSH's sftp and sftp-server implement revision 3 of the SSH filexfer
 protocol described in:
 .
  http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
 .
 Newer versions of the draft will not be supported, though some features
 are individually implemented as extensions.

openssh-sftp-server-dbgsym: debug symbols for openssh-sftp-server
openssh-tests: OpenSSH regression tests

 This package provides OpenSSH's regression test suite. It is mainly
 intended for use with the autopkgtest system, though can also be run
 directly using /usr/lib/openssh/regress/run-tests.

openssh-tests-dbgsym: debug symbols for openssh-tests
ssh: secure shell client and server (metapackage)

 This metapackage is a convenient way to install both the OpenSSH client
 and the OpenSSH server. It provides nothing in and of itself, so you
 may remove it if nothing depends on it.

ssh-askpass-gnome: interactive X program to prompt users for a passphrase for ssh-add

 This has been split out of the main openssh-client package so that
 openssh-client does not need to depend on GTK+.
 .
 You probably want the ssh-askpass package instead, but this is
 provided to add to your choice and/or confusion.

ssh-askpass-gnome-dbgsym: debug symbols for ssh-askpass-gnome