20100824: updated to openssh-5.6p1


Changes since OpenSSH 5.5

Features:

* Added a ControlPersist option to ssh_config(5) that automatically
  starts a background ssh(1) multiplex master when connecting. This
  connection can stay alive indefinitely, or can be set to
  automatically close after a user-specified duration of inactivity.

* Hostbased authentication may now use certificate host keys. CA keys
  must be specified in a known_hosts file using the @cert-authority
  marker as described in sshd(8).

* ssh-keygen(1) now supports signing certificate using a CA key that
  has been stored in a PKCS#11 token.

* ssh(1) will now log the hostname and address that we connected to at
  LogLevel=verbose after authentication is successful to mitigate
  "phishing" attacks by servers with trusted keys that accept
  authentication silently and automatically before presenting fake
  password/passphrase prompts.

  Note that, for such an attack to be successful, the user must have
  disabled StrictHostKeyChecking (enabled by default) or an attacker
  must have access to a trusted host key for the destination server.

* Expand %h to the hostname in ssh_config Hostname options. While this
  sounds useless, it is actually handy for working with unqualified
  hostnames:
     
    Host *.*
       Hostname %h
    Host *
       Hostname %h.example.org
     
* Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
  keys in addition to RFC4716 (SSH.COM) encodings via a new -m option 
  (bz#1749)

* sshd(8) will now queue debug messages for bad ownership or
  permissions on the user's keyfiles encountered during authentication
  and will send them after authentication has successfully completed.
  These messages may be viewed in ssh(1) at LogLevel=debug or higher.

* ssh(1) connection multiplexing now supports remote forwarding with
  dynamic port allocation and can report the allocated port back to
  the user:

    LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`

* sshd(8) now supports indirection in matching of principal names
  listed in certificates. By default, if a certificate has an
  embedded principals list then the username on the server must match
  one of the names in the list for it to be accepted for
  authentication.

  sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
  file containing a list of names that may be accepted in place of the
  username when authorizing a certificate trusted via the
  sshd_config(5) TrustedCAKeys option. Similarly, authentication
  using a CA trusted in ~/.ssh/authorized_keys now accepts a
  principals="name1[,name2,...]" to specify a list of permitted names.
     
  If either option is absent, the current behaviour of requiring the
  username to appear in principals continues to apply. These options
  are useful for role accounts, disjoint account namespaces and
  "user@realm"-style naming policies in certificates.
 
* Additional sshd_config(5) options are now valid inside Match blocks:

    AuthorizedKeysFile
    AuthorizedPrincipalsFile
    HostbasedUsesNameFromPacketOnly
    PermitTunnel

* Revised the format of certificate keys. The new format, identified as
  ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:
     
    - Adding a serial number field. This may be specified by the CA at
      the time of certificate signing.

    - Moving the nonce field to the beginning of the certificate where
      it can better protect against chosen-prefix attacks on the
      signature hash (currently infeasible against the SHA1 hash used)
     
    - Renaming the "constraints" field to "critical options"
     
    - Adding a new non-critical "extensions" field. The "permit-*"
      options are now extensions, rather than critical options to
      permit non-OpenSSH implementation of this key format to degrade
      gracefully when encountering keys with options they do not
      recognize.
     
  The older format is still supported for authentication and may still
  be used when signing certificates (use "ssh-keygen -t v00 ...").
  The v00 format, introduced in OpenSSH 5.4, will be supported for at
  least one year from this release, after which it will be deprecated
  and removed.
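The two notes above on principal matching (AuthorizedPrincipalsFile / principals=) and on the revised v01 certificate layout are easiest to see side by side in code. The following is an added example, not part of the release notes and not OpenSSH's own code: it constructs a sample ssh-rsa-cert-v01@openssh.com blob in the field order given in OpenSSH's PROTOCOL.certkeys (nonce first, serial after the key, critical options, then extensions), parses it back, and applies the principal rule as the notes describe it. The key values, key id, principal names and signature are constructed placeholders; the signature is a dummy and is never verified, so this models only the principal check, not sshd's full CA trust and validity-window logic.

```python
"""Parse an ssh-rsa-cert-v01@openssh.com certificate blob and apply the
principal-matching rules from the OpenSSH 5.6 notes.  Added example, not
OpenSSH code; the field order follows PROTOCOL.certkeys (nonce first,
serial after the key).  The sample certificate is constructed here with a
dummy signature, so it demonstrates parsing only and would never verify."""
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian, with a leading zero byte when the high bit is set."""
    return _string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _options(pairs) -> bytes:
    """Critical options / extensions: (name, data) pairs; non-empty data is itself a string."""
    body = b"".join(_string(n.encode()) + _string(_string(v.encode()) if v else b"")
                    for n, v in pairs)
    return _string(body)

def build_sample_cert(principals, serial=7, critical=(), extensions=()):
    """Construct a user certificate blob (constructed sample: toy RSA values, dummy signature)."""
    return (_string(CERT_TYPE)
            + _string(b"\x00" * 32)                     # nonce, moved to the front in v01
            + _mpint(65537) + _mpint(0xC0FFEE)          # RSA e, n (toy values, not a real key)
            + struct.pack(">Q", serial)                 # serial number, new in v01
            + struct.pack(">I", SSH_CERT_TYPE_USER)
            + _string(b"example-key-id")                # placeholder key id
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)          # valid after / valid before
            + _options(critical)                        # "critical options" (was "constraints")
            + _options(extensions)                      # non-critical extensions (permit-*)
            + _string(b"")                              # reserved
            + _string(b"dummy-ca-key")                  # signature key (placeholder)
            + _string(b"dummy-signature"))              # signature: placeholder, not verified

class _Reader:
    def __init__(self, blob: bytes):
        self.blob, self.pos = blob, 0

    def uint(self, fmt: str) -> int:                    # ">I" for uint32, ">Q" for uint64
        (v,) = struct.unpack_from(fmt, self.blob, self.pos)
        self.pos += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self.uint(">I")
        v = self.blob[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return v

    def strings(self) -> list:                          # a string holding a sequence of strings
        out = []
        while self.pos < len(self.blob):
            out.append(self.string())
        return out

def _parse_options(raw: bytes) -> dict:
    items = _Reader(raw).strings()                      # alternating name, data
    return {n.decode(): (_Reader(d).string().decode() if d else "")
            for n, d in zip(items[::2], items[1::2])}

def parse_cert(blob: bytes) -> dict:
    """Decode a v01 certificate into named fields; signature checking is out of scope."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com blob")
    cert = {"nonce": r.string()}
    cert["e"] = int.from_bytes(r.string(), "big")
    cert["n"] = int.from_bytes(r.string(), "big")
    cert["serial"], cert["type"] = r.uint(">Q"), r.uint(">I")
    cert["key_id"] = r.string().decode()
    cert["principals"] = [p.decode() for p in _Reader(r.string()).strings()]
    cert["valid_after"], cert["valid_before"] = r.uint(">Q"), r.uint(">Q")
    cert["critical_options"] = _parse_options(r.string())
    cert["extensions"] = _parse_options(r.string())
    r.string()                                          # reserved
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert

def certificate_authorizes(cert: dict, username: str, allowed=None) -> bool:
    """Principal matching as the 5.6 notes describe it.
    allowed=None: default rule, the login name must be among the cert principals.
    allowed=list: AuthorizedPrincipalsFile lines or principals="a,b"; any listed
    name the cert also carries is enough.  An empty list is valid for any user."""
    principals = cert["principals"]
    if not principals:                                  # zero-length list: any principal
        return True
    if allowed is None:
        return username in principals
    return any(name in principals for name in allowed)

if __name__ == "__main__":
    cert = parse_cert(build_sample_cert(["deploy@example.org"], extensions=[("permit-pty", "")]))
    print(cert["serial"], cert["principals"], cert["extensions"],
          certificate_authorizes(cert, "www"), certificate_authorizes(cert, "www", ["deploy@example.org"]))
```

Run as a script it prints the parsed serial, principals and extensions for a constructed certificate, then shows the two rules: the same certificate is rejected for login name `www` under the default rule and accepted once `deploy@example.org` appears in an allowed-principals list, which is exactly the role-account indirection the option provides. A real sshd additionally requires the certificate to be signed by a trusted CA (TrustedCAKeys or cert-authority) and inside its validity window before any principal check matters.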