Mercurial > dropbear
comparison CHANGES @ 1931:b366dfaeae68
Write CHANGES since last release
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 23:18:00 +0800 |
parents | 284c3837891c |
children | 77bc00dcc19f |
comparison
equal
deleted
inserted
replaced
1930:299f4f19ba19 | 1931:b366dfaeae68 |
---|---|
1 - The following config paths are now relative to a home directory if | 1 Future Release |
2 starting with "~". Thanks to Begley Brothers Inc | 2 Features and Changes: |
3 *_PRIV_FILENAME | 3 |
4 DROPBEAR_PIDFILE | 4 - Implement OpenSSH format private key handling for dropbearconvert. |
5 SFTPSERVER_PATH | 5 Keys can be read in OpenSSH format or the old PEM format, they will be |
6 MOTD_FILENAME | 6 written in OpenSSH format. (DSS has not been implemented). |
7 ED25519 support is now correct. | |
8 | |
9 - Use SHA256 for key fingerprints | |
10 | |
11 - Reworked -v verbose printing, specifying multiple times will increase | |
12 verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it | |
13 can be configured at compile time in localoptions.h (see default_options.h) | |
14 Lower -v options can be used to check connection progress or algorithm | |
15 negotiation. | |
16 Thanks to Hans Harder for the implementation | |
17 | |
18 > > localoptions.h DEBUG_TRACE should be set to 4 for the same result as the | |
19 previous DEBUG_TRACE 1. | |
20 | |
21 - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in | |
22 authorized_keys. no-touch-required option isn't allowed yet. | |
23 Thanks to Egor Duda for the implementation | |
24 | |
25 - autoconf output (configure script etc) is now committed to version control. | |
26 It isn't necessary to run "autoconf" any more on a checkout. | |
27 | |
28 - sha1 will be omitted from the build if KEX/signing/MAC algorithms don't | |
29 require it. Instead sha256 is used for random number generation. | |
30 See sysoptions.h to see which algorithms require which hashes. | |
31 | |
32 - Set SSH_PUBKEYINFO environment variable based on the authorized_keys | |
33 entry used for auth. The first word of the comment after the key is used | |
34 (must only have characters a-z A-Z 0-9 .,_-+@) | |
35 Patch from Hans Harder, modified by Matt Johnston | |
36 | |
37 - Allow home-directory relative paths ~/path for various settings | |
38 and command line options. | |
39 *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME | |
40 Thanks to Begley Brothers Inc | |
41 | |
42 > > The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs | |
43 a tilde prefix. | |
44 | |
45 - LANG environment variable is carried over from the Dropbear server process | |
46 From Maxim Kochetkov | |
47 | |
48 - Add /usr/sbin and /sbin to $PATH when logging in as root. | |
49 Patch from Raphaƫl Hertzog | |
50 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 | |
51 | |
52 - Added client option "-o DisableTrivialAuth". This can be used to prevent | |
53 the server immediately allowing successful authentication (before any auth | |
54 request) which could cause UI confusion and security issues with agent | |
55 forwarding - it isn't clear which host is prompting to use a key. | |
56 Thanks to Manfred Kaiser from Austrian MilCERT | |
57 | |
58 - Add -q client option to hide remote banner, from Hans Harder | |
59 | |
60 - Add -e option to pass all server environment variables to child processes. | |
61 This should be used with caution. | |
62 Patch from Roland Vollgraf (github #118) | |
63 | |
64 - Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to | |
65 AF21 "interactive". Previously TOS classes were used, they are not used by | |
66 modern traffic classifiers. Non-tty traffic is left at default priority. | |
67 | |
68 - Disable dh-group1 key exchange by default. It has been disabled server | |
69 side by default since 2018. | |
70 | |
71 - Removed Twofish cipher | |
72 | |
73 Fixes: | |
74 | |
75 - Fix flushing channel data when pty was allocated (github #85) | |
76 Data wasn't completely transmitted at channel close. | |
77 Reported and initial patch thanks to Yousong Zhou | |
78 | |
79 - Dropbear now re-executes itself rather than just forking for each connection | |
80 (only on Linux). This allows ASLR to randomise address space for each | |
81 connection as a security mitigation. It should not have any visible impact | |
82 - if there are any performance impacts in the wild please report it. | |
83 | |
84 - Check authorized_keys permissions as the user, fixes NFS squash root. | |
85 Patch from Chris Dragan (github #107) | |
86 | |
87 - A missing home directory is now non-fatal, starting in / instead | |
88 | |
89 - Improve error logging so that they are logged on the server rather than being | |
90 sent to the client over the connection | |
91 | |
92 - Max window size is increased to 10MB, more graceful fallback if it's invalid. | |
93 | |
94 - Fix correctness of Dropbear's handling of global requests. | |
95 Patch from Dirkjan Bussink | |
96 | |
97 - Fix some small bugs found by fuzzers, null pointer dereference crash and leaks | |
98 (post authentication) | |
99 | |
100 - $HOME variable is used before /etc/passwd when expanding paths such as | |
101 ~/.ssh/id_dropbear (for the client). Patch from Matt Robinson | |
102 | |
103 - C89 build fixes from Guillaume Picquet | |
104 | |
105 Infrastructure: | |
106 | |
107 - Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can | |
108 handle the structure of SSH packet streams. Added cifuzz to run on commits | |
109 and pull requests. | |
110 | |
111 - Dropbear source tarballs generated by release.sh are now reproducible from a | |
112 Git or Mercurial checkout, they will be identical on any system. Tested | |
113 on ubuntu and macos. | |
114 | |
115 - Added some integration testing using pytest. Currently this has tests | |
116 for various channel handling edge cases, ASLR fork randomisation, | |
117 dropbearconvert, and SSH_PUBKEYINFO | |
118 | |
119 - Set up github actions. This runs the pytest suite and other checks. | |
120 - build matrix includes c89, dropbearmulti, bundled libtom, macos, DEBUG_TRACE | |
121 - test for configure script regeneration | |
122 - build a tarball for external reproducibility | |
7 | 123 |
8 2020.81 - 29 October 2020 | 124 2020.81 - 29 October 2020 |
9 | 125 |
10 - Fix regression in 2020.79 which prevented connecting with some SSH | 126 - Fix regression in 2020.79 which prevented connecting with some SSH |
11 implementations. Increase MAX_PROPOSED_ALGO to 50, and print a log | 127 implementations. Increase MAX_PROPOSED_ALGO to 50, and print a log |