comparison: CHANGES @ 1938:77bc00dcc19f (default tip main master)
Bump version to 2022.82
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Fri, 01 Apr 2022 14:43:27 +0800 |
parents | b366dfaeae68 |
children |
1937:334b742fdeb8 | 1938:77bc00dcc19f |
---|---|
1 Future Release | 1 2022.82 - 1 April 2022 |
2 | |
2 Features and Changes: | 3 Features and Changes: |
3 | 4 Note >> for compatibility/configuration changes |
4 - Implement OpenSSH format private key handling for dropbearconvert. | 5 |
5 Keys can be read in OpenSSH format or the old PEM format, they will be | 6 - Implemented OpenSSH format private key handling for dropbearconvert. |
6 written in OpenSSH format. (DSS has not been implemented). | 7 Keys can be read in OpenSSH format or the old PEM format. |
7 ED25519 support is now correct. | 8 >> Keys are now written in OpenSSH format rather than PEM. |
9 ED25519 support is now correct. DSS keys are still PEM format. | |
8 | 10 |
9 - Use SHA256 for key fingerprints | 11 - Use SHA256 for key fingerprints |
10 | 12 |
11 - Reworked -v verbose printing, specifying multiple times will increase | 13 - >> Reworked -v verbose printing, specifying multiple times will increase |
12 verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it | 14 verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it |
13 can be configured at compile time in localoptions.h (see default_options.h) | 15 can be configured at compile time in localoptions.h (see default_options.h) |
14 Lower -v options can be used to check connection progress or algorithm | 16 Lower -v options can be used to check connection progress or algorithm |
15 negotiation. | 17 negotiation. |
16 Thanks to Hans Harder for the implementation | 18 Thanks to Hans Harder for the implementation |
17 | 19 |
18 > > localoptions.h DEBUG_TRACE should be set to 4 for the same result as the | 20 localoptions.h DEBUG_TRACE should be set to 4 for the same result as the |
19 previous DEBUG_TRACE 1. | 21 previous DEBUG_TRACE 1. |
20 | 22 |
21 - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in | 23 - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in |
22 authorized_keys. no-touch-required option isn't allowed yet. | 24 authorized_keys. no-touch-required option isn't allowed yet. |
23 Thanks to Egor Duda for the implementation | 25 Thanks to Egor Duda for the implementation |
24 | 26 |
25 - autoconf output (configure script etc) is now committed to version control. | 27 - autoconf output (configure script etc) is now committed to version control. |
26 It isn't necessary to run "autoconf" any more on a checkout. | 28 >> It isn't necessary to run "autoconf" any more on a checkout. |
27 | 29 |
28 - sha1 will be omitted from the build if KEX/signing/MAC algorithms don't | 30 - sha1 will be omitted from the build if KEX/signing/MAC algorithms don't |
29 require it. Instead sha256 is used for random number generation. | 31 require it. Instead sha256 is used for random number generation. |
30 See sysoptions.h to see which algorithms require which hashes. | 32 See sysoptions.h to see which algorithms require which hashes. |
31 | 33 |
32 - Set SSH_PUBKEYINFO environment variable based on the authorized_keys | 34 - Set SSH_PUBKEYINFO environment variable based on the authorized_keys |
33 entry used for auth. The first word of the comment after the key is used | 35 entry used for auth. The first word of the comment after the key is used |
34 (must only have characters a-z A-Z 0-9 .,_-+@) | 36 (must only have characters a-z A-Z 0-9 .,_-+@) |
35 Patch from Hans Harder, modified by Matt Johnston | 37 Patch from Hans Harder, modified by Matt Johnston |
36 | 38 |
39 - Let dbclient multihop mode be used with '-J'. | |
40 Patch from Hans Harder | |
41 | |
37 - Allow home-directory relative paths ~/path for various settings | 42 - Allow home-directory relative paths ~/path for various settings |
38 and command line options. | 43 and command line options. |
39 *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME | 44 *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME |
40 Thanks to Begley Brothers Inc | 45 Thanks to Begley Brothers Inc |
41 | 46 |
42 > > The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs | 47 >> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs |
43 a tilde prefix. | 48 a tilde prefix. |
44 | 49 |
45 - LANG environment variable is carried over from the Dropbear server process | 50 - LANG environment variable is carried over from the Dropbear server process |
46 From Maxim Kochetkov | 51 From Maxim Kochetkov |
47 | 52 |
48 - Add /usr/sbin and /sbin to $PATH when logging in as root. | 53 - Add /usr/sbin and /sbin to $PATH when logging in as root. |
49 Patch from Raphaël Hertzog | 54 Patch from Raphaël Hertzog |
50 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 | 55 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 |
51 | 56 |
52 - Added client option "-o DisableTrivialAuth". This can be used to prevent | 57 - Added client option "-o DisableTrivialAuth". This can be used to prevent |
53 the server immediately allowing successful authentication (before any auth | 58 the server immediately accepting successful authentication (before any auth |
54 request) which could cause UI confusion and security issues with agent | 59 request) which could cause UI confusion and security issues with agent |
55 forwarding - it isn't clear which host is prompting to use a key. | 60 forwarding - it isn't clear which host is prompting to use a key. |
56 Thanks to Manfred Kaiser from Austrian MilCERT | 61 Thanks to Manfred Kaiser from Austrian MilCERT |
57 | 62 |
58 - Add -q client option to hide remote banner, from Hans Harder | 63 - Add -q client option to hide remote banner, from Hans Harder |
59 | 64 |
60 - Add -e option to pass all server environment variables to child processes. | 65 - Add -e option to pass all server environment variables to child processes. |
61 This should be used with caution. | 66 This should be used with caution. |
62 Patch from Roland Vollgraf (github #118) | 67 Patch from Roland Vollgraf (github #118) |
63 | 68 |
64 - Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to | 69 - >> Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to |
65 AF21 "interactive". Previously TOS classes were used, they are not used by | 70 AF21 "interactive". Previously TOS classes were used, they are not used by |
66 modern traffic classifiers. Non-tty traffic is left at default priority. | 71 modern traffic classifiers. Non-tty traffic is left at default priority. |
67 | 72 |
68 - Disable dh-group1 key exchange by default. It has been disabled server | 73 - >> Disable dh-group1 key exchange by default. It has been disabled server |
69 side by default since 2018. | 74 side by default since 2018. |
70 | 75 |
71 - Removed Twofish cipher | 76 - >> Removed Twofish cipher |
72 | 77 |
73 Fixes: | 78 Fixes: |
74 | 79 |
75 - Fix flushing channel data when pty was allocated (github #85) | 80 - Fix flushing channel data when pty was allocated (github #85) |
76 Data wasn't completely transmitted at channel close. | 81 Data wasn't completely transmitted at channel close. |
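Review bot: the '>>' compatibility marker introduced by the legend on right-hand line 4 ("Note >> for compatibility/configuration changes") is placed inconsistently within this hunk: it sits on the bullet line for the -v, DSCP, dh-group1 and Twofish entries ('- >> Reworked -v verbose printing') but on a continuation line for the dropbearconvert, autoconf and DROPBEAR_DEFAULT_CLI_AUTHKEY entries ('>> Keys are now written in OpenSSH format rather than PEM.'), so a reader scanning bullet starts for compatibility changes will miss the latter; pick one placement, or say in the legend that the marker flags the affected sentence rather than the item. Two smaller documentation gaps in the same hunk: the SSH_PUBKEYINFO entry (right-hand lines 34-36) lists the permitted characters but not what happens when the first word of the comment contains others (variable unset, truncated, or key rejected), and the -e entry (lines 65-66) says "This should be used with caution" without naming the concern, which the reader needs in order to decide whether to enable it.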
84 - Check authorized_keys permissions as the user, fixes NFS squash root. | 89 - Check authorized_keys permissions as the user, fixes NFS squash root. |
85 Patch from Chris Dragan (github #107) | 90 Patch from Chris Dragan (github #107) |
86 | 91 |
87 - A missing home directory is now non-fatal, starting in / instead | 92 - A missing home directory is now non-fatal, starting in / instead |
88 | 93 |
94 - Fixed IPv6 [address]:port parsing for dbclient -b | |
95 Reported by Fabio Molinari | |
96 | |
89 - Improve error logging so that they are logged on the server rather than being | 97 - Improve error logging so that they are logged on the server rather than being |
90 sent to the client over the connection | 98 sent to the client over the connection |
91 | 99 |
92 - Max window size is increased to 10MB, more graceful fallback if it's invalid. | 100 - Max window size is increased to 10MB, more graceful fallback if it's invalid. |
93 | 101 |
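Review bot: right-hand line 97, "Improve error logging so that they are logged on the server", has no noun for "they" to refer to; suggest "so that errors are logged on the server rather than being sent to the client over the connection", which also makes the reason for the change explicit (server-side error detail should not be disclosed to the remote peer). The missing-home-directory entry on line 92 should also say whether the fallback to / is logged, since an administrator otherwise has no indication that the session did not start in the expected directory.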
105 Infrastructure: | 113 Infrastructure: |
106 | 114 |
107 - Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can | 115 - Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can |
108 handle the structure of SSH packet streams. Added cifuzz to run on commits | 116 handle the structure of SSH packet streams. Added cifuzz to run on commits |
109 and pull requests. | 117 and pull requests. |
118 Thanks to OSS-Fuzz for the tools/clusters and reward funding. | |
110 | 119 |
111 - Dropbear source tarballs generated by release.sh are now reproducible from a | 120 - Dropbear source tarballs generated by release.sh are now reproducible from a |
112 Git or Mercurial checkout, they will be identical on any system. Tested | 121 Git or Mercurial checkout, they will be identical on any system. Tested |
113 on ubuntu and macos. | 122 on ubuntu and macos. |
114 | 123 |
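Review bot: right-hand line 121 claims the tarballs "will be identical on any system" while line 122 records testing only on Ubuntu and macOS; either narrow the claim to what was tested or state the conditions (tool versions, checkout type) under which identical output is expected. Proper-noun spelling on lines 116 and 122: the OSS-Fuzz project writes "cifuzz" as CIFuzz, and "ubuntu"/"macos" are Ubuntu and macOS.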