1 files changed, 304 insertions, 1 deletions
diff --git a/lib/ssh/doc/src/notes.xml b/lib/ssh/doc/src/notes.xml
index f5a67bc00e..f6b6f53d33 100644
--- a/lib/ssh/doc/src/notes.xml
+++ b/lib/ssh/doc/src/notes.xml
@@ -4,7 +4,7 @@
 <chapter>
   <header>
     <copyright>
-      <year>2004</year><year>2016</year>
+      <year>2004</year><year>2017</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -30,6 +30,309 @@
     <file>notes.xml</file>
   </header>
 
+<section><title>Ssh 4.5</title>
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    The internal handling of SSH options is re-written.</p>
+          <p>
+	    Previously there were no checks if a client option was
+	    given to a daemon or vice versa. This is corrected now.
+	    If your code has e.g. a client-only option in a call to
+	    start a daemon, the call will fail.</p>
+          <p>
+	    *** POTENTIAL INCOMPATIBILITY ***</p>
+          <p>
+	    Own Id: OTP-12872</p>
+        </item>
+        <item>
+          <p>
+	    Modernization of key exchange algorithms. See
+	    draft-ietf-curdle-ssh-kex-sha2 for a discussion.</p>
+          <p>
+	    Removed an outdated weak algorithm and added stronger
+	    replacements to keep interoperability with other modern
+	    ssh clients and servers. The default ordering of the
+	    algorithms is also adjusted.</p>
+          <p>
+	    Retired: The nowadays unsecure key-exchange
+	    <c>diffie-hellman-group1-sha1</c> is not enabled by
+	    default, but can be enabled with the option
+	    <c>preferred-algorithms</c>.</p>
+          <p>
+	    Added: The new stronger key-exchange
+	    <c>diffie-hellman-group16-sha512</c>,
+	    <c>diffie-hellman-group18-sha512</c> and
+	    <c>diffie-hellman-group14-sha256</c> are added and
+	    enabled by default.</p>
+          <p>
+	    The questionable [RFC 6194] sha1-based algorithms
+	    <c>diffie-hellman-group-exchange-sha1</c> and
+	    <c>diffie-hellman-group14-sha1</c> are however still kept
+	    enabled by default for compatibility with ancient clients
+	    and servers that lack modern key-exchange alternatives.
+	    When the draft-ietf-curdle-ssh-kex-sha2 becomes an rfc,
+	    those sha1-based algorithms and
+	    <c>diffie-hellman-group1-sha1</c> will be deprecated by
+	    IETF. They might then be removed from the default list in
+	    Erlang/OTP.</p>
+          <p>
+	    *** POTENTIAL INCOMPATIBILITY ***</p>
+          <p>
+	    Own Id: OTP-14110</p>
+        </item>
+        <item>
+          <p>
+	    Modernized internal representation of sftp by use of
+	    maps.</p>
+          <p>
+	    Own Id: OTP-14117</p>
+        </item>
+        <item>
+          <p>
+	    The Extension Negotiation Mechanism and the extension
+	    <c>server-sig-algs</c> in
+	    draft-ietf-curdle-ssh-ext-info-05 are implemented.</p>
+          <p>
+	    The related draft-ietf-curdle-rsa-sha2-05 is implemented
+	    and introduces the signature algorithms
+	    <c>rsa-sha2-256</c> and <c>rsa-sha2-512</c>.</p>
+          <p>
+	    Own Id: OTP-14193</p>
+        </item>
+        <item>
+          <p>
+	    The functions <c>ssh:connect</c>, <c>ssh:shell</c> and
+	    <c>ssh:start_channel</c> now accept an IP-tuple as Host
+	    destination argument.</p>
+          <p>
+	    Own Id: OTP-14243</p>
+        </item>
+        <item>
+          <p>
+	    The function <c>ssh:daemon_info/1</c> now returns Host
+	    and Profile as well as the Port info in the property
+	    list.</p>
+          <p>
+	    Own Id: OTP-14259</p>
+        </item>
+        <item>
+          <p>
+	    Removed the option <c>public_key_alg</c> which was
+	    deprecated in 18.2. Use <c>pref_public_key_algs</c>
+	    instead.</p>
+          <p>
+	    *** POTENTIAL INCOMPATIBILITY ***</p>
+          <p>
+	    Own Id: OTP-14263</p>
+        </item>
+        <item>
+          <p>
+	    The SSH application is refactored regarding daemon
+	    starting. The resolution of contradicting <c>Host</c>
+	    argument and <c>ip</c> option were not described. There
+	    were also strange corner cases when the <c>'any'</c>
+	    value was used in <c>Host</c> argument or <c>ip</c>
+	    option. This is (hopefully) resolved now, but it may
+	    cause incompatibilities for code using both <c>Host</c>
+	    and the <c>ip</c> option. The value 'loopback' has been
+	    added for a correct way of naming those addresses.</p>
+          <p>
+	    *** POTENTIAL INCOMPATIBILITY ***</p>
+          <p>
+	    Own Id: OTP-14264</p>
+        </item>
+        <item>
+          <p>
+	    The supervisor code is refactored. The naming of
+	    listening IP-Port-Profile triples are slightly changed to
+	    improve consistency in strange corner cases as resolved
+	    by OTP-14264</p>
+          <p>
+	    Own Id: OTP-14267 Aux Id: OTP-14266 </p>
+        </item>
+        <item>
+          <p>
+	    The <c>idle_time</c> option can now be used in daemons.</p>
+          <p>
+	    Own Id: OTP-14312</p>
+        </item>
+        <item>
+          <p>
+	    Added test cases for IETF-CURDLE Extension Negotiation
+	    (ext-info)</p>
+          <p>
+	    Own Id: OTP-14361</p>
+        </item>
+        <item>
+          <p>
+	    Testcases for IETF-CURDLE extension
+	    <c>server-sig-algs</c> including <c>rsa-sha2-*</c></p>
+          <p>
+	    Own Id: OTP-14362 Aux Id: OTP-14361 </p>
+        </item>
+        <item>
+          <p>
+	    The option <c>auth_methods</c> can now also be used in
+	    clients to select which authentication options that are
+	    used and in which order.</p>
+          <p>
+	    Own Id: OTP-14399</p>
+        </item>
+        <item>
+          <p>
+	    Checks that a ECDSA public key (<c>ecdsa-sha2-nistp*</c>)
+	    stored in a file has the correct size.</p>
+          <p>
+	    Own Id: OTP-14410</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>Ssh 4.4.2</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    ssh:daemon_info/1 crashed if the listening IP was not
+	    'any'</p>
+          <p>
+	    Own Id: OTP-14298 Aux Id: seq13294 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>Ssh 4.4.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Fix bug when opening connections. If the tcp setup
+	    failed, that would in some cases not result in an error
+	    return value.</p>
+          <p>
+	    Own Id: OTP-14108</p>
+        </item>
+        <item>
+          <p>
+	    Reduce information leakage in case of decryption errors.</p>
+          <p>
+	    Own Id: OTP-14109</p>
+        </item>
+        <item>
+          <p>
+	    The key exchange algorithm
+	    diffie-hellman-group-exchange-sha* has a server-option
+	    <c>{dh_gex_limits,{Min,Max}}</c>. There was a hostkey
+	    signature validation error on the client side if the
+	    option was used and the <c>Min</c> or the <c>Max</c>
+	    differed from the corresponding values obtained from the
+	    client.</p>
+          <p>
+	    This bug is now corrected.</p>
+          <p>
+	    Own Id: OTP-14166</p>
+        </item>
+        <item>
+          <p>
+	    The sftpd server now correctly uses <c>root_dir</c> and
+	    <c>cwd</c> when resolving file paths if both are
+	    provided. The <c>cwd</c> handling is also corrected.</p>
+          <p>
+	    Thanks to kape1395!</p>
+          <p>
+	    Own Id: OTP-14225 Aux Id: PR-1331, PR-1335 </p>
+        </item>
+        <item>
+          <p>
+	    Ssh_cli used a function that does not handle non-utf8
+	    unicode correctly.</p>
+          <p>
+	    Own Id: OTP-14230 Aux Id: ERL-364 </p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    The implementation of the key exchange algorithms
+	    diffie-hellman-group-exchange-sha* are optimized, up to a
+	    factor of 11 for the slowest ( = biggest and safest)
+	    group size.</p>
+          <p>
+	    Own Id: OTP-14169 Aux Id: seq-13261 </p>
+        </item>
+        <item>
+          <p>
+	    The ssh host key fingerprint generation now also takes a
+	    list of algorithms and returns a list of corresponding
+	    fingerprints. See
+	    <c>public_key:ssh_hostkey_fingerprint/2</c> and the
+	    option <c>silently_accept_hosts</c> in
+	    <c>ssh:connect</c>.</p>
+          <p>
+	    Own Id: OTP-14223</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>Ssh 4.4</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    A file read with an sftp client could loose data if the
+	    packet_size is set to larger than 64k. This is corrected
+	    now in such a way that the packet_size is silently
+	    lowered if there is a risk for data loss.</p>
+          <p>
+	    Own Id: OTP-13857 Aux Id: ERL-238, OTP-13858 </p>
+        </item>
+        <item>
+          <p>
+	    When user defined SSH shell REPL process exits with
+	    reason normal, the SSH channel callback module should
+	    report successful exit status to the SSH client. This
+	    provides simple way for SSH clients to check for
+	    successful completion of executed commands. (Thanks to
+	    isvilen)</p>
+          <p>
+	    Own Id: OTP-13905 Aux Id: PR-1173 </p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Extended the option <c>silently_accept_hosts</c> for
+	    <c>ssh:connect</c> to make it possible for the client to
+	    check the SSH host key fingerprint string. Se the
+	    reference manual for SSH.</p>
+          <p>
+	    Own Id: OTP-13887 Aux Id: OTP-13888 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>Ssh 4.3.6</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>