Mercurial > dropbear
comparison CHANGES @ 1931:b366dfaeae68
Write CHANGES since last release
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 30 Mar 2022 23:18:00 +0800 |
| parents | 284c3837891c |
| children | 77bc00dcc19f |
comparison
equal
deleted
inserted
replaced
| 1930:299f4f19ba19 | 1931:b366dfaeae68 |
|---|---|
| 1 - The following config paths are now relative to a home directory if | 1 Future Release |
| 2 starting with "~". Thanks to Begley Brothers Inc | 2 Features and Changes: |
| 3 *_PRIV_FILENAME | 3 |
| 4 DROPBEAR_PIDFILE | 4 - Implement OpenSSH format private key handling for dropbearconvert. |
| 5 SFTPSERVER_PATH | 5 Keys can be read in OpenSSH format or the old PEM format, they will be |
| 6 MOTD_FILENAME | 6 written in OpenSSH format. (DSS has not been implemented). |
| 7 ED25519 support is now correct. | |
| 8 | |
| 9 - Use SHA256 for key fingerprints | |
| 10 | |
| 11 - Reworked -v verbose printing, specifying multiple times will increase | |
| 12 verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it | |
| 13 can be configured at compile time in localoptions.h (see default_options.h) | |
| 14 Lower -v options can be used to check connection progress or algorithm | |
| 15 negotiation. | |
| 16 Thanks to Hans Harder for the implementation | |
| 17 | |
| 18 > > localoptions.h DEBUG_TRACE should be set to 4 for the same result as the | |
| 19 previous DEBUG_TRACE 1. | |
| 20 | |
| 21 - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in | |
| 22 authorized_keys. no-touch-required option isn't allowed yet. | |
| 23 Thanks to Egor Duda for the implementation | |
| 24 | |
| 25 - autoconf output (configure script etc) is now committed to version control. | |
| 26 It isn't necessary to run "autoconf" any more on a checkout. | |
| 27 | |
| 28 - sha1 will be omitted from the build if KEX/signing/MAC algorithms don't | |
| 29 require it. Instead sha256 is used for random number generation. | |
| 30 See sysoptions.h to see which algorithms require which hashes. | |
| 31 | |
| 32 - Set SSH_PUBKEYINFO environment variable based on the authorized_keys | |
| 33 entry used for auth. The first word of the comment after the key is used | |
| 34 (must only have characters a-z A-Z 0-9 .,_-+@) | |
| 35 Patch from Hans Harder, modified by Matt Johnston | |
| 36 | |
| 37 - Allow home-directory relative paths ~/path for various settings | |
| 38 and command line options. | |
| 39 *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME | |
| 40 Thanks to Begley Brothers Inc | |
| 41 | |
| 42 > > The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs | |
| 43 a tilde prefix. | |
| 44 | |
| 45 - LANG environment variable is carried over from the Dropbear server process | |
| 46 From Maxim Kochetkov | |
| 47 | |
| 48 - Add /usr/sbin and /sbin to $PATH when logging in as root. | |
| 49 Patch from Raphaƫl Hertzog | |
| 50 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 | |
| 51 | |
| 52 - Added client option "-o DisableTrivialAuth". This can be used to prevent | |
| 53 the server immediately allowing successful authentication (before any auth | |
| 54 request) which could cause UI confusion and security issues with agent | |
| 55 forwarding - it isn't clear which host is prompting to use a key. | |
| 56 Thanks to Manfred Kaiser from Austrian MilCERT | |
| 57 | |
| 58 - Add -q client option to hide remote banner, from Hans Harder | |
| 59 | |
| 60 - Add -e option to pass all server environment variables to child processes. | |
| 61 This should be used with caution. | |
| 62 Patch from Roland Vollgraf (github #118) | |
| 63 | |
| 64 - Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to | |
| 65 AF21 "interactive". Previously TOS classes were used, they are not used by | |
| 66 modern traffic classifiers. Non-tty traffic is left at default priority. | |
| 67 | |
| 68 - Disable dh-group1 key exchange by default. It has been disabled server | |
| 69 side by default since 2018. | |
| 70 | |
| 71 - Removed Twofish cipher | |
| 72 | |
| 73 Fixes: | |
| 74 | |
| 75 - Fix flushing channel data when pty was allocated (github #85) | |
| 76 Data wasn't completely transmitted at channel close. | |
| 77 Reported and initial patch thanks to Yousong Zhou | |
| 78 | |
| 79 - Dropbear now re-executes itself rather than just forking for each connection | |
| 80 (only on Linux). This allows ASLR to randomise address space for each | |
| 81 connection as a security mitigation. It should not have any visible impact | |
| 82 - if there are any performance impacts in the wild please report it. | |
| 83 | |
| 84 - Check authorized_keys permissions as the user, fixes NFS squash root. | |
| 85 Patch from Chris Dragan (github #107) | |
| 86 | |
| 87 - A missing home directory is now non-fatal, starting in / instead | |
| 88 | |
| 89 - Improve error logging so that they are logged on the server rather than being | |
| 90 sent to the client over the connection | |
| 91 | |
| 92 - Max window size is increased to 10MB, more graceful fallback if it's invalid. | |
| 93 | |
| 94 - Fix correctness of Dropbear's handling of global requests. | |
| 95 Patch from Dirkjan Bussink | |
| 96 | |
| 97 - Fix some small bugs found by fuzzers, null pointer dereference crash and leaks | |
| 98 (post authentication) | |
| 99 | |
| 100 - $HOME variable is used before /etc/passwd when expanding paths such as | |
| 101 ~/.ssh/id_dropbear (for the client). Patch from Matt Robinson | |
| 102 | |
| 103 - C89 build fixes from Guillaume Picquet | |
| 104 | |
| 105 Infrastructure: | |
| 106 | |
| 107 - Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can | |
| 108 handle the structure of SSH packet streams. Added cifuzz to run on commits | |
| 109 and pull requests. | |
| 110 | |
| 111 - Dropbear source tarballs generated by release.sh are now reproducible from a | |
| 112 Git or Mercurial checkout, they will be identical on any system. Tested | |
| 113 on ubuntu and macos. | |
| 114 | |
| 115 - Added some integration testing using pytest. Currently this has tests | |
| 116 for various channel handling edge cases, ASLR fork randomisation, | |
| 117 dropbearconvert, and SSH_PUBKEYINFO | |
| 118 | |
| 119 - Set up github actions. This runs the pytest suite and other checks. | |
| 120 - build matrix includes c89, dropbearmulti, bundled libtom, macos, DEBUG_TRACE | |
| 121 - test for configure script regeneration | |
| 122 - build a tarball for external reproducibility | |
| 7 | 123 |
| 8 2020.81 - 29 October 2020 | 124 2020.81 - 29 October 2020 |
| 9 | 125 |
| 10 - Fix regression in 2020.79 which prevented connecting with some SSH | 126 - Fix regression in 2020.79 which prevented connecting with some SSH |
| 11 implementations. Increase MAX_PROPOSED_ALGO to 50, and print a log | 127 implementations. Increase MAX_PROPOSED_ALGO to 50, and print a log |