OpenSSH version 6.1 is primarily a bugfix release.
Features:
- sshd(8): This release turns on pre-auth sandboxing in sshd by default for new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
- ssh-keygen(1): Add options to specify the starting line number and the number of lines to process when screening moduli candidates, allowing different parts of a candidate moduli file to be processed in parallel.
- sshd(8): The Match directive now supports matching on the local (listen) address and port upon which the incoming connection was received via LocalAddress and LocalPort clauses.
- sshd(8): Extend sshd_config Match directive to allow setting AcceptEnv and {Allow,Deny}{Users,Groups}
- Add support for RFC6594 SSHFP DNS records for ECDSA key types. bz#1978
- ssh-keygen(1): Allow conversion of RSA1 keys to public PEM and PKCS8
- sshd(8): Allow the sshd_config PermitOpen directive to accept "none" as an argument to refuse all port-forwarding requests.
- sshd(8): Support "none" as an argument for AuthorizedPrincipalsFile
- ssh-keyscan(1): Look for ECDSA keys by default. bz#1971
- sshd(8): Add "VersionAddendum" to sshd_config to allow server operators to append some arbitrary text to the server SSH protocol banner.
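
An added example, not taken from the OpenSSH release notes: an sshd_config fragment that combines the new Match clauses and directives listed above. The addresses, ports, account and group names and the banner text are constructed placeholders.

```conf
# Constructed example; adjust addresses, ports and names to the host.

# Pre-auth sandbox (what 6.1 writes into sshd_config for new installs)
UsePrivilegeSeparation sandbox

# Text appended to the SSH protocol banner; it is sent before
# authentication, so keep it free of anything sensitive
VersionAddendum example-build

# Do not use a principals file for certificate authentication
AuthorizedPrincipalsFile none

# Two listeners: one public, one on a management network
ListenAddress 192.0.2.10:22
ListenAddress 10.0.0.10:2222

# Connections received on the public listener:
# named accounts only, all port-forwarding requests refused
Match LocalAddress 192.0.2.10 LocalPort 22
    AllowUsers deploy backup
    PermitOpen none

# Connections received on the management listener:
# admin group only, locale variables accepted from the client
Match LocalAddress 10.0.0.10 LocalPort 2222
    AllowGroups admins
    AcceptEnv LANG LC_*
```

Run sshd -t -f against the edited file before reloading the daemon, so a syntax error is caught while the existing session is still open.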
Bugfixes:
- ssh(1)/sshd(8): Don't spin in accept() in situations of file descriptor exhaustion. Instead back off for a while.
- ssh(1)/sshd(8): Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs as they were removed from the specification. bz#2023
- sshd(8): Handle long comments in config files better. bz#2025
- ssh(1): Delay setting tty_flag so RequestTTY options are correctly picked up. bz#1995
- sshd(8): Fix handling of /etc/nologin incorrectly being applied to root on platforms that use login_cap.
Portable OpenSSH:
- sshd(8): Allow sshd pre-auth sandboxing to fall back to the rlimit sandbox from the Linux SECCOMP filter sandbox when the latter is not available in the kernel.
- ssh(1): Fix NULL dereference when built with LDNS and using DNSSEC to retrieve a CNAME SSHFP record.
- Fix cross-compilation problems related to pkg-config. bz#1996
Existing customers can download the latest version from their customer page at www.itefix.net