48

[Not a question] OpenSSH 6.8 is released!!! Jolla, please!!!!

asked 2015-03-18 21:36:36 +0300

Kollin

updated 2015-03-19 00:26:11 +0300

Announce: OpenSSH 6.8 released

Jolla still ships openssh-5.6p1 (Release Date: 2010-08-23) - THIS IS ANCIENT!

Can we get something recent please?!?!? This is considered a core package. Bash and tar are also Mesozoic offspring...

And yes! I know that Niel is providing recent openssh via openrepos (Thank you Niel!)

> Changes since OpenSSH 6.7

This is a major release, containing a number of new features as well as a large internal re-factoring.

Potentially-incompatible changes

  • sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses.

New Features

  • Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout.

  • Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64.

    Fingerprints now have the hash algorithm prepended. An example of the new format:

    SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE

    Please note that visual host keys will also be different.

  • ssh(1), sshd(8): Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys.

    The client side of this is controlled by a UpdateHostkeys config option (default off).

  • ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication.

  • ssh(1), sshd(8): fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths.

  • ssh(1): When host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. Fixes bz#2074 and avoids needless DNS lookups in some cases.

  • ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support.

  • ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication.

  • sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption.

  • sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys.

  • sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all.

  • sshd(8): Don't count partial authentication success as a failure against MaxAuthTries.

  • ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys.

  • ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA.

  • ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass.

  • ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T".

  • ssh(1): Allow Match criteria to be negated. E.g. "Match !host".

  • The regression test suite has been extended to cover more OpenSSH features. The unit tests have been expanded and now cover key exchange.

Bugfixes

  • ssh-keyscan(1): ssh-keyscan has been made much more robust against servers that hang or violate the SSH protocol.

  • ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields.

  • ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2286

  • ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes) bz#2267

  • ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use; bz#2324;

  • ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats; bz#2345.

  • ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.

  • Various fixes to manual pages: bz#2288, bz#2316, bz#2273

Portable OpenSSH

  • Support --without-openssl at configure time

    Disables and removes dependency on OpenSSL. Many features, including SSH protocol 1 are not supported and the set of crypto options is greatly restricted. This will only work on systems with native arc4random or /dev/urandom.

    Considered highly experimental for now.

  • Support --without-ssh1 option at configure time

    Allows disabling support for SSH protocol 1.

  • sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296

  • Allow custom service name for sshd on Cygwin. Permits the us


Comments

1

If it's so urgent for you, why do you not compile it yourself?

heubergen (2015-03-18 22:09:15 +0300)
4

What are the things you can do with 6.8 that you can't do with 5.6p1?

ln (2015-03-18 22:25:17 +0300)
8

There are some big security issues with unpatched OpenSSH versions like the one installed by default. That is why he wants an update urgently.

heubergen (2015-03-18 22:28:34 +0300)
5

Even if Jolla cannot commit yet to upgrade OpenSSH to a newer/newest version, it would be nice to know why such an old version is supplied with the system, e.g. if there is some compatibility issue with something else.

simosagi (2015-03-19 14:13:41 +0300)
2

> What are the things you can do with 6.8 that you can't do with 5.6p1?

I'd like to mention that generating/connecting with ed25519 curves is not possible at the moment, so for many people the only way to establish an ssh connection to their machines is by decreasing security, which is not always an option.

0ida (2015-04-19 04:06:49 +0300)

4 Answers

14

answered 2015-03-18 22:42:09 +0300

Nieldk

updated 2015-03-18 22:50:42 +0300

Updated my build

https://build.merproject.org/package/show/home:nielnielsen/openssh

Edit: uploaded to openrepos now


Comments

1

Thank you Niel! :*

Kollin (2015-03-18 22:51:42 +0300)

thanks :o)

Shoppinguin (2015-09-14 06:48:57 +0300)
9

answered 2015-09-14 03:00:20 +0300

WhyNotHugo

This is now a huge problem.

The latest OpenSSH no longer supports DSA, so my DSA key no longer works on my clients, and since Sailfish doesn't support ed25519, I can't use either of my keys to log into my device. I'm locked out. :(


Comments

3

Maybe it's better to post a new question with this problem, marked as [BUG]. It'll get a lot more attention. Your problem is a serious one!

Kollin (2015-09-14 08:19:54 +0300)
5

answered 2015-03-18 22:54:28 +0300

heubergen

Update in OpenRepos is out => https://openrepos.net/content/nieldk/openssh-0

1

answered 2015-03-18 21:54:44 +0300

objectifnul

Command ssh -V starting...
OpenSSH_6.7p1, OpenSSL 1.0.2 22 Jan 2015
Program returned exit code 0


Comments

1

mine is 5.6 as topic states

virgi26 (2015-03-18 22:00:03 +0300)
9

Yeah, from OpenRepos, but it would be better if these update binaries are provided as default by Jolla.

Fuzzillogic (2015-03-18 22:00:06 +0300)

Stats

Asked: 2015-03-18 21:36:36 +0300

Seen: 1,377 times

Last updated: Sep 14 '15