From f4a0ae1736216feac5ae053610644bba2e12ed34 Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Tue, 15 Dec 2015 09:45:27 +0100 Subject: Update release notes --- lib/ssh/doc/src/notes.xml | 185 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) (limited to 'lib/ssh/doc/src') diff --git a/lib/ssh/doc/src/notes.xml b/lib/ssh/doc/src/notes.xml index 010b1b15c7..8fb689fdd5 100644 --- a/lib/ssh/doc/src/notes.xml +++ b/lib/ssh/doc/src/notes.xml @@ -30,6 +30,191 @@ notes.xml +
Ssh 4.2 + +
Fixed Bugs and Malfunctions + + +

+ Better error handling in ssh_file. There was some rare + errors when a NFS-mounted file was opened by ssh_file and + then remotely deleted during reading. That caused an + endless loop.

+

+ That bug is now fixed.

+

+ Own Id: OTP-12699 Aux Id: OTP-11688

+
+ +

+ Fixed a bug in the compression algorithm + zlib@openssh.com.

+

+ Own Id: OTP-12759

+
+ +

+ It is now possible to start more than one daemon with a + file descriptor given in option fd. Each daemon must of + course have a unique file descriptor.

+

+ Own Id: OTP-12966 Aux Id: seq12945

+
+ +

+ Fixed a bug that caused the option dh_gex_limit to + be ignored.

+

+ Own Id: OTP-13029

+
+ +

+ A problem is fixed with the ssh:connect option + pref_public_key_algs specifying user keys.

+

+ Own Id: OTP-13158

+
+
+
+ + +
Improvements and New Features + + +

+ Document updates in the ssh reference manual: app doc + file and ssh_connection.

+

+ Own Id: OTP-12003

+
+ +

+ The authorization phase is made stateful to prevent ssh + acting on messages sent in wrong order.

+

+ Own Id: OTP-12787

+
+ +

+ Testcases for bad message lengths and for bad subfield + lengths added.

+

+ Own Id: OTP-12792 Aux Id: Codenomicon #5214, 6166

+
+ +

+ The 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384' and + 'ecdsa-sha2-nistp521' signature algorithms for ssh are + implemented. See RFC 5656.

+

+ Own Id: OTP-12936

+
+ +

+ The crypto algorithms 'aes192-ctr' and 'aes256-ctr' are + implemented. See RFC 4344.

+

+ Own Id: OTP-12939

+
+ +

+ The ciphers and macs AEAD_AES_128_GCM and + AEAD_AES_256_GCM are implemented but not enabled per + default. See the SSH App Reference Manual and RFC5647 for + details.

+

+ The ciphers aes128-gcm@openssh.com and + aes256-gcm@openssh.com are also implemented and available + in the default configuration.

+

+ Own Id: OTP-13018

+
+ +

+ The ssh:daemon option dh_gex_groups is extended to read a + user provided ssh moduli file with generator-modulus + pairs. The file is in openssh format.

+

+ Own Id: OTP-13052 Aux Id: OTP-13054

+
+ +

+ There is now a file (public_key/priv/moduli) which lists + size-generator-modulus triples. The purpose is to give + servers the possibility to select the crypto primes + randomly among a list of pregenerated triples. This + reduces the risk for some attacks on diffie-hellman + negotiation.

+

+ See the reference manual for public_key:dh_gex_group/4 + where the handling of this is described.

+

+ The ssh server (ssh:daemon) uses this.

+

+ Own Id: OTP-13054 Aux Id: OTP-13052

+
+ +

+ The ssh:daemon option pwdfun now also takes a fun/4. This + enables the user to 1) check userid-password in another + way than the builtin algorithm, 2) implement rate + limiting per user or source IP or IP+Port, and 3) + implement blocking of missbehaving peers.

+

+ The old fun/2 still works as previously.

+

+ Own Id: OTP-13055 Aux Id: OTP-13053

+
+ +

+ There is now a new option to make the server limit the + size range of moduli available for the diffie-hellman + group exchange negotiation. See option + {dh_gex_limits,{Min,Max}} in ssh:daemon/3.

+

+ Own Id: OTP-13066

+
+ +

+ Ecdh key exchange now validates compressed and + uncompressed keys as defined in rfc5656

+

+ Own Id: OTP-13067

+
+ +

+ Search order for the .ssh directory are changed so + $HOME is tried before + init:get_argument(home).

+

+ Own Id: OTP-13109

+
+ +

+ The sftp receive window handling is optimized so it will + not update the remote end too often. This makes "sftp + mget" considerable faster.

+

+ Own Id: OTP-13130

+
+ +

+ The option key_cb is extended to take an optional + list that is passed to the callback module as an option. + With this it is possible to have different keys depending + on which host that is connected. Another possibility is + to write a callback module that fetches keys etc from a + database.

+

+ Thanks to Vipin Nair.

+

+ Own Id: OTP-13156

+
+
+
+ +
+
Ssh 4.1.3
Known Bugs and Problems -- cgit v1.2.3