OpenSSH 9.4 is now released

OpenSSH is a complete implementation of the SSH 2.0 protocol and includes SFTP client and server support.

OpenSSH 9.4 has been released; this version fixes many bugs and adds some small features.

Potentially incompatible changes

  • This release removes support for older versions of libcrypto. OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. Note that these versions are deprecated by their upstream vendors.

  • ssh-agent(1): PKCS#11 modules must now be specified with full paths. Previously dlopen(3) could search for them in the system library directories.

New features

  • ssh(1): Allow forwarding Unix domain sockets via ssh -W.
  • ssh(1): Add support for configuration tags to ssh(1). This adds the ssh_config(5) "Tag" directive and the corresponding "Match tag" predicate, which can be used to select blocks of configuration, similar to the pf.conf(5) keywords of the same name.
  • ssh(1): Add a "match localnetwork" predicate. This matches the addresses of the available network interfaces and changes the effective client configuration based on network location.

  • ssh(1), sshd(8), ssh-keygen(1): Infrastructure support for KRL extensions. This defines the wire format for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported yet.

  • sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D expands to the routing domain of the connected session, and %C expands to the addresses and port numbers of the connection's source and destination.

  • ssh-keygen(1): Increase the default work factor (number of rounds) of the bcrypt KDF used to derive the symmetric encryption keys for password-protected private key files by 50%.
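The following ssh_config(5) excerpt is an added example illustrating the new "Tag" directive and the "Match tag" and "match localnetwork" predicates described above; it is not part of the release announcement. Hostnames, networks and key paths are constructed placeholders, and it assumes an OpenSSH 9.4 client. Note that in ssh_config(5) the tag predicate is spelled "tagged", and a tag can also be selected on the command line with ssh -P.

```sshconfig
# Constructed example (not from the OpenSSH release notes or the oschina post).
# Assumes an OpenSSH 9.4 client; hosts, networks and paths are placeholders.

# Default tag for this configuration. "ssh -P backup host" overrides it
# from the command line, so one config file can serve several roles.
Tag interactive

# Selected only when the "backup" tag is in effect: non-interactive,
# pinned to a dedicated key, so a cron job cannot fall back to agent keys.
Match tagged backup
    IdentityFile ~/.ssh/backup_ed25519
    IdentitiesOnly yes
    BatchMode yes

# Selected when a local interface has an address inside the office
# network (CIDR list): talk to internal hosts directly.
Match localnetwork 10.20.0.0/16
    ProxyJump none

# Negated criterion: when the client is NOT on the office network,
# route through the bastion instead of exposing internal hosts.
Match !localnetwork 10.20.0.0/16
    ProxyJump bastion.example.com
```

Run ssh -G host to print the effective configuration and confirm which Match blocks applied on the current network and tag.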

Bug fixes

  • ssh-agent(1): Improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider.

  • ssh(1): Make -f (fork after authentication) work correctly on multiplexed connections, including ControlPersist.

  • ssh(1): Make ConnectTimeout apply to multiplexing sockets, not just to network connections. Previously it applied to network connections only.

  • ssh-agent(1), ssh(1): Improved defense against loading invalid PKCS#11 modules by checking that requested modules contain the required symbols before loading them.

  • sshd(8): Fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears before AuthorizedPrincipalsCommand in sshd_config. Since OpenSSH 8.7, the AuthorizedPrincipalsCommand directive was incorrectly ignored in this case.

  • ALL: Fix some memory leaks and unreachable/harmless integer overflows.

  • ssh-agent(1), ssh(1): Do not truncate strings logged from PKCS#11 modules.

  • sshd(8), ssh(1): Better validation of CASignatureAlgorithms in ssh_config and sshd_config. Previously, this directive accepted certificate algorithm names, but since OpenSSH does not support CA chains, these names cannot be used in practice.

  • ssh(1): Make ssh -Q CASignatureAlgorithms list only the signature algorithms that are valid for CA signatures. The previous behavior was to list all signature algorithms, including certificate algorithms.

  • ssh-keyscan(1): Gracefully handle systems with rlimits or a maximum number of open files greater than INT_MAX.

  • ssh-keygen(1): Fix ssh-keygen -l not showing "no comment" when run on multiple keys where one key has a comment and the keys after it do not.

  • scp(1), sftp(1): Adjust the ftruncate() logic to handle servers that reorder requests. Previously, if the server reordered requests, the resulting file would be incorrectly truncated.

  • ssh(1): Don't mistakenly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump is explicitly set to "none".

  • scp(1): When copying local->remote, check for the existence of the source file before opening an SFTP connection to the server.

Portability

  • ALL: Numerous build fixes for different platform and configuration combinations.

  • sshd(8): Provide a replacement for the deprecated SELinux matchpathcon() function.

  • ALL: Relax the libcrypto version check for OpenSSL >= 3. Since OpenSSL 3.0, the ABI compatibility guarantee is broader: only the major version of the library must match, not major and minor as in earlier versions.

  • Fix build issues with the sk-dummy.so FIDO provider module used in some tests.

For details, please see the release notes: https://www.openssh.com/releasenotes.html

Source: www.oschina.net/news/253293/openssh-9-4-released