Format: 1.8
Date: Sun, 09 Jun 2019 22:47:27 +0100
Source: openssh
Binary: openssh-client openssh-client-udeb openssh-server openssh-server-udeb openssh-sftp-server openssh-tests ssh-askpass-gnome
Architecture: s390x s390x_translations
Version: 1:8.0p1-1
Distribution: eoan-proposed
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Colin Watson
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 openssh-tests - OpenSSH regression tests
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
Closes: 189920 374980 532754 927792
Launchpad-Bugs-Fixed: 1445625 1661745 1665695 1798049
Changes:
 openssh (1:8.0p1-1) experimental; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.0, closes:
     #927792):
     - ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
       PKCS#11 tokens (LP: #1665695).
     - ssh(1), sshd(8): Add experimental quantum-computing resistant key
       exchange method, based on a combination of Streamlined NTRU Prime
       4591^761 and X25519.
     - ssh-keygen(1): Increase the default RSA key size to 3072 bits,
       following NIST Special Publication 800-57's guidance for a 128-bit
       equivalent symmetric security level (LP: #1445625).
     - ssh(1): Allow "PKCS11Provider=none" to override later instances of
       the PKCS11Provider directive in ssh_config.
     - sshd(8): Add a log message for situations where a connection is
       dropped for attempting to run a command but a sshd_config
       ForceCommand=internal-sftp restriction is in effect.
     - ssh(1): When prompting whether to record a new host key, accept the
       key fingerprint as a synonym for "yes".
       This allows the user to paste a fingerprint obtained out of band at
       the prompt and have the client do the comparison for you.
     - ssh-keygen(1): When signing multiple certificates on a single
       command-line invocation, allow automatically incrementing the
       certificate serial number.
     - scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp
       and sftp command-lines.
     - ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
       command-line flags to increase the verbosity of output; pass verbose
       flags through to subprocesses, such as ssh-pkcs11-helper started from
       ssh-agent.
     - ssh-add(1): Add a "-T" option to allow testing whether keys in an
       agent are usable by performing a signature and a verification.
     - sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that
       replicates the functionality of the existing SSH2_FXP_SETSTAT
       operation but does not follow symlinks.
     - sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they
       do not follow symlinks.
     - sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
       the connection 4-tuple available to PAM modules that wish to use it
       in decision-making.
     - sshd(8): Add a ssh_config "Match final" predicate. Matches in same
       pass as "Match canonical" but doesn't require hostname
       canonicalisation be enabled.
     - sftp(1): Support a prefix of '@' to suppress echo of sftp batch
       commands.
     - ssh-keygen(1): When printing certificate contents using "ssh-keygen
       -Lf /path/certificate", include the algorithm that the CA used to
       sign the cert.
     - sshd(8): Fix authentication failures when sshd_config contains
       "AuthenticationMethods any" inside a Match block that overrides a
       more restrictive default.
     - sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is
       enabled.
     - sshd(8): Fix two race conditions related to SIGHUP daemon restart.
       Remnant file descriptors in recently-forked child processes could
       block the parent sshd's attempt to listen(2) to the configured
       addresses.
       Also, the restarting parent sshd could exit before any child
       processes that were awaiting their re-execution state had completed
       reading it, leaving them in a fallback path.
     - ssh(1): Fix stdout potentially being redirected to /dev/null when
       ProxyCommand=- was in use.
     - sshd(8): Avoid sending SIGPIPE to child processes if they attempt to
       write to stderr after their parent processes have exited.
     - ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and
       ConnectionAttempts directives - connection attempts after the first
       were ignoring the requested timeout (LP: #1798049).
     - ssh-keyscan(1): Return a non-zero exit status if no keys were found
       (closes: #374980, LP: #1661745).
     - scp(1): Sanitize scp filenames to allow UTF-8 characters without
       terminal control sequences.
     - sshd(8): Fix confusion between ClientAliveInterval and time-based
       RekeyLimit that could cause connections to be incorrectly closed.
     - ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling
       at initial token login. The attempt to read the PIN could be skipped
       in some cases, particularly on devices with integrated PIN readers.
       This would lead to an inability to retrieve keys from these tokens.
     - ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
       CKA_ALWAYS_AUTHENTICATE flag by requiring a fresh login after the
       C_SignInit operation.
     - ssh(1): Improve documentation for ProxyJump/-J, clarifying that local
       configuration does not apply to jump hosts.
     - ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public
       keys, not private.
     - ssh(1), sshd(8): be more strict in processing protocol banners,
       allowing \r characters only immediately before \n.
     - Various: fix a number of memory leaks.
     - scp(1), sftp(1): fix calculation of initial bandwidth limits. Account
       for bytes written before the timer starts and adjust the schedule on
       which recalculations are performed. Avoids an initial burst of
       traffic and yields more accurate bandwidth limits.
     - sshd(8): Only consider the ext-info-c extension during the initial
       key exchange. It shouldn't be sent in subsequent ones, but if it is
       present we should ignore it. This prevents sshd from sending a
       SSH_MSG_EXT_INFO for REKEX for these buggy clients.
     - ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
       authorized_keys) and -R (remove host from authorized_keys) options
       may accept either a bare hostname or a [hostname]:port combo.
     - ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK.
     - sshd(8): Silence error messages when sshd fails to load some of the
       default host keys. Failure to load an explicitly-configured hostkey
       is still an error, and failure to load any host key is still fatal.
     - ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
       started with ControlPersist; prevents random ProxyCommand output from
       interfering with session output.
     - ssh(1): The ssh client was keeping a redundant ssh-agent socket
       (leftover from authentication) around for the life of the connection.
     - sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
       PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were
       specified, then authentication would always fail for RSA keys as the
       monitor checks only the base key (not the signature algorithm) type
       against *AcceptedKeyTypes.
     - ssh(1): Request correct signature types from ssh-agent when
       certificate keys and RSA-SHA2 signatures are in use.
     - sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the
       user environment if it's enabled (closes: #189920, #532754).
   * Mostly resynced GSSAPI key exchange patch with Fedora. Major changes:
     - Support selection of GSSAPI key exchange algorithms.
     - Support GSSAPI key exchange methods with DH and SHA2.
     - Support GSSAPI key exchange using ECDH and SHA2.
     - Make sure the Kerberos tickets are cleaned up with the user context.
     - Enable gssapi-keyex authentication without gssapi-with-mic.
     - Allow querying for GSSAPI key exchange algorithms from ssh (-Q
       kex-gss).
   * Apply upstream patch to fix the utimensat regression tests when not
     using the compatibility implementation.