Diffstat (limited to 'lib/ssh/doc/src/notes.xml')
-rw-r--r--lib/ssh/doc/src/notes.xml582
1 files changed, 576 insertions, 6 deletions
diff --git a/lib/ssh/doc/src/notes.xml b/lib/ssh/doc/src/notes.xml
index fe523d3a45..7e7ed4ae37 100644
--- a/lib/ssh/doc/src/notes.xml
+++ b/lib/ssh/doc/src/notes.xml
@@ -30,6 +30,545 @@
<file>notes.xml</file>
</header>
+<section><title>Ssh 4.11.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ The idle_time timer was not cancelled when a channel was
+ opened within the timeout time on an empty connection
+ that have had channels previously.</p>
+ <p>
+ Own Id: OTP-17279</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.11</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ The long name field in SSH_FXP_NAME responses to display
+ file information in sftp version 3 now contains the
+ expanded format defined in the sftp draft. It is similar
+ to what is returned by "ls -l" on Unix systems.</p>
+ <p>
+ Own Id: OTP-17197 Aux Id: PR- 3049 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.8</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Don't timeout slow connection setups and tear-downs. A
+ rare crash risk for the controller is also removed.</p>
+ <p>
+ Own Id: OTP-17173 Aux Id: ERIERL-581 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.7</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ The SSH daemon erroneously replaced LF with CRLF also
+ when there was no pty requested from the server.</p>
+ <p>
+ Own Id: OTP-17108 Aux Id: ERL-1442 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.6</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fixed problems in the ssh cli/shell handling. Most
+ important are:</p>
+ <p>
+ 1) the ssh:shell function did sometimes cause the input
+ to be echoed twice,</p>
+ <p>
+ 2) the ssh:shell function didn't transfer the LANG and
+ LC_ALL shell variables to the connected server which
+ sometimes made Unicode handling erroneous,</p>
+ <p>
+ 3) Unicode was not always transferred correctly to and
+ from the peer.</p>
+ <p>
+ Own Id: OTP-16799</p>
+ </item>
+ <item>
+ <p>
+ The SSH protocol message SSH_MSG_DISCONNECT was sometimes
+ sent instead of SSH_MSG_CHANNEL_FAILURE</p>
+ <p>
+ Own Id: OTP-16900</p>
+ </item>
+ <item>
+ <p>
+ The ssh_cli module now always sends the exit-status to
+ connected clients so they can use that to check for
+ successful command execution.</p>
+ <p>
+ Own Id: OTP-16908 Aux Id: PR-2753 </p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ A new option <seeerl
+ marker="ssh:ssh#option-pk_check_user"><c>pk_check_user</c></seeerl>
+ enables checking of the client's user name in the server
+ when doing public key authentication.</p>
+ <p>
+ Own Id: OTP-16889</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.5</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ An ssh-client can take an accepted socket from a
+ listening socket and do an ssh:connect/2 on it.</p>
+ <p>
+ Multiple clients on sockets accepted from the same
+ listening socket had stopped working. This is corrected
+ now.</p>
+ <p>
+ Own Id: OTP-17021 Aux Id: ERIERL-567 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.4</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ The inet option raw was not passed on from the ssh option
+ list to inet.</p>
+ <p>
+ Own Id: OTP-17016 Aux Id: ERIERL-562 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ A supervisor sub-tree could be left if the connection
+ handler process is brutally killed. This will make the
+ max_sessions checking option to count the existing
+ sessions erroneously and could finally block further
+ sessions.</p>
+ <p>
+ Own Id: OTP-17006 Aux Id: ERIERL-556 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix decoder bug.</p>
+ <p>
+ Own Id: OTP-16904</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fixed a bug when a message to ssh-agent was divided into
+ separate packets.</p>
+ <p>
+ Own Id: OTP-16761 Aux Id: PR-2679 </p>
+ </item>
+ <item>
+ <p>
+ Fix a bug that could crash the cli server if a too large
+ cli-window was requested from the client.</p>
+ <p>
+ Own Id: OTP-16791 Aux Id: ERIERL-520 </p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Increased test coverage.</p>
+ <p>
+ Own Id: OTP-14106</p>
+ </item>
+ <item>
+ <p>
+ A chapter about <seeguide
+ marker="ssh:hardening">hardening the OTP SSH</seeguide>
+ is added to the User's Guide.</p>
+ <p>
+ Own Id: OTP-16411</p>
+ </item>
+ <item>
+ <p>
+ The internal Diffie-Hellman high level API for key
+ generation was slow in old and by OpenSSL now unsupported
+ cryptolib versions (1.0.1 and earlier).</p>
+ <p>
+ If such a cryptolib is used anyhow, the low-level API is
+ used internally in the crypto application.</p>
+ <p>
+ Own Id: OTP-16774</p>
+ </item>
+ <item>
+ <p>
+ A new timeout is defined for daemons: <seetype
+ marker="ssh:ssh#hello_timeout_daemon_option">hello_timeout</seetype>.</p>
+ <p>
+ The timeout is supposed to be used as a simple <seeguide
+ marker="ssh:hardening#resilience-to-dos-attacks">DoS
+ attack protection</seeguide>. It closes an incoming
+ TCP-connection if no valid first SSH message is received
+ from the client within the timeout limit after the TCP
+ initial connection setup.</p>
+ <p>
+ The initial value is 30s by compatibility reasons, but
+ could be lowered if needed, for example in the code or in
+ a <seeguide marker="ssh:configurations">config
+ file</seeguide>.</p>
+ <p>
+ Own Id: OTP-16803</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.10</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix error in ssh_sftpd typespec.</p>
+ <p>
+ Own Id: OTP-16363</p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ The plug-in file ssh_file.erl, that is responsible for
+ default file handling, is re-factored, optimized and
+ re-written.</p>
+ <p>
+ Own Id: OTP-11688 Aux Id: OTP-12699 </p>
+ </item>
+ <item>
+ <p>
+ OpenSSH 6.5 introduced a new file representation of keys
+ called <url
+ href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=1.1">openssh-key-v1</url>.</p>
+ <p>
+ OTP/SSH had an experimental implementation of this
+ format. That implementation is now improved and supported
+ with the exception of handling encrypted keys.</p>
+ <p>
+ Own Id: OTP-15434</p>
+ </item>
+ <item>
+ <p>
+ TCP/IP port forwarding, a.k.a tunneling a.k.a
+ tcp-forward/direct-tcp is implemented. In the OpenSSH
+ client, this corresponds to the options -L and -R.</p>
+ <p>
+ The client or server listens to a specified socket, and
+ when something connects to it with TCP/IP, that
+ connection is forwarded in an encrypted tunnel to the
+ peer. The peer then connects to a predefined IP/port pair
+ and then acts as a proxy.</p>
+ <p>
+ See the manual, <seemfa
+ marker="ssh:ssh#tcpip_tunnel_to_server/6"><c>ssh:tcpip_tunnel_to_server/6</c></seemfa>
+ and <seemfa
+ marker="ssh:ssh#tcpip_tunnel_from_server/6"><c>ssh:tcpip_tunnel_from_server/6</c></seemfa>.</p>
+ <p>
+ The functionality is disabled per default but can be
+ enabled when starting a daemon.</p>
+ <p>
+ Own Id: OTP-15998 Aux Id: PR-2376, PR-2368 </p>
+ </item>
+ <item>
+ <p>
+ The client-side of the supervisor tree (under sshc_sup)
+ was previously not complete; the channel handling
+ processes were handled with links but had no supervisors.</p>
+ <p>
+ This is now corrected with a client-side supervisor tree
+ under <c>sshc_sup</c>, similar to the server-side
+ supervisor tree under <c>sshd_sup</c>.</p>
+ <p>
+ Own Id: OTP-16026 Aux Id: PR-2368, (OTP-15998) </p>
+ </item>
+ <item>
+ <p>
+ The extension <url
+ href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD">posix-rename@openssh.com</url>
+ is added to the <seemfa
+ marker="ssh:ssh_sftp#rename/3">ssh/sftp rename</seemfa>
+ operation.</p>
+ <p>
+ Own Id: OTP-16289 Aux Id: PR-2448 </p>
+ </item>
+ <item>
+ <p>
+ Calls of deprecated functions in the <seeguide
+ marker="crypto:new_api#the-old-api">Old Crypto
+ API</seeguide> are replaced by calls of their <seeguide
+ marker="crypto:new_api#the-new-api">substitutions</seeguide>.</p>
+ <p>
+ Own Id: OTP-16346</p>
+ </item>
+ <item>
+ <p>
+ The default known_hosts file handling is improved to
+ include ports.</p>
+ <p>
+ The handling of the contents in that file is updated to
+ support the <url
+ href="https://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT">full
+ syntax</url>, with exception of 1) the wildcard '?', 2)
+ wildcards in canonical names and 3) the option
+ '@cert-authority'</p>
+ <p>
+ Own Id: OTP-16506</p>
+ </item>
+ <item>
+ <p>
+ The MAC (Message Authorization Code) algorithms</p>
+ <list> <item>hmac-sha1-etm@openssh.com</item>
+ <item>hmac-sha2-256-etm@openssh.com</item>
+ <item>hmac-sha2-512-etm@openssh.com</item> </list> <p>are
+ implemented.</p>
+ <p>
+ Own Id: OTP-16508</p>
+ </item>
+ <item>
+ <p>
+ The key-exchange algorithms
+ <c>'diffie-hellman-group14-sha1'</c> and
+ <c>'diffie-hellman-group-exchange-sha1'</c> are disabled
+ per default. The reason is that SHA1 now is considered
+ insecure.</p>
+ <p>
+ They can be enabled if needed, see <seeapp
+ marker="ssh:SSH_app#algorithms">SSH (App)</seeapp>.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-16509</p>
+ </item>
+ <item>
+ <p>
+ The public key algorithm <c>'ssh-dss'</c> is disabled per
+ default. The reason is that it is now considered as
+ insecure.</p>
+ <p>
+ It can be enabled if needed, see <seeapp
+ marker="ssh:SSH_app#algorithms">SSH (App)</seeapp>.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-16510</p>
+ </item>
+ <item>
+ <p>
+ The public key <c>'ssh-rsa'</c> is now considered as
+ insecure because of its usage of SHA1.</p>
+ <p>
+ It is therefore deprecated and will no longer be enabled
+ per default in OTP-24.0.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-16511</p>
+ </item>
+ <item>
+ <p>
+ An option <seetype
+ marker="ssh:ssh_file#optimize_key_lookup">optimize
+ (optimize_key_lookup)</seetype> is introduced for the
+ file interface ssh_file.erl</p>
+ <p>
+ The option enables the user to select between the default
+ handling which is fast but memory consuming vs memory
+ efficient but not as fast. The effect might be observable
+ only for large files.</p>
+ <p>
+ See the manual for <seemfa
+ marker="ssh:ssh_file#is_host_key/5">ssh_file:is_host_key/5</seemfa>
+ and <seemfa
+ marker="ssh:ssh_file#is_auth_key/3">ssh_file:is_auth_key/3</seemfa>.</p>
+ <p>
+ Own Id: OTP-16512</p>
+ </item>
+ <item>
+ <p>
+ The ssh agent is now implemented in the ssh_agent key
+ callback module. </p>
+ <p>
+ Enable with the the option <c> {key_cb, {ssh_agent,
+ []}}</c> in for example ssh:connect/3.</p>
+ <p>
+ See the <seeerl marker="ssh:ssh_agent">ssh_agent
+ manual</seeerl> for details.</p>
+ <p>
+ Own Id: OTP-16513</p>
+ </item>
+ <item>
+ <p>
+ Algorithm configuration could now be done in a .config
+ file.</p>
+ <p>
+ This is useful for example to enable an algorithm that is
+ disabled by default. It could now be enabled in an
+ .config-file without changing the code,</p>
+ <p>
+ See the SSH User's Guide chapter <seeguide
+ marker="ssh:configurations">"Configuration in
+ SSH"</seeguide>.</p>
+ <p>
+ Own Id: OTP-16540</p>
+ </item>
+ <item>
+ <p>
+ Documented which gen_tcp socket options can't be used in
+ calls to ssh:connect and ssh:daemon.</p>
+ <p>
+ Own Id: OTP-16589</p>
+ </item>
+ <item>
+ <p>
+ Added <seetype
+ marker="ssh:ssh#kb_int_fun_4">kb_int_fun_4()</seetype> to
+ the <seetype
+ marker="ssh:ssh#authentication_daemon_options">authentication_daemon_options()</seetype>
+ to enable generating dynamic keyboard-interactive prompts
+ from the user's state returned from the authentication
+ fun <seetype
+ marker="ssh:ssh#pwdfun_4">pwdfun_4()</seetype>.</p>
+ <p>
+ Own Id: OTP-16622 Aux Id: PR-2604 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.9.1.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix decoder bug.</p>
+ <p>
+ Own Id: OTP-16904</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.9.1.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix a bug that could crash the cli server if a too large
+ cli-window was requested from the client.</p>
+ <p>
+ Own Id: OTP-16791 Aux Id: ERIERL-520 </p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ A new timeout is defined for daemons:
+ <c>hello_timeout</c>.</p>
+ <p>
+ It closes an incoming TCP-connection if no valid 1st
+ message is received from the client within the timeout
+ limit.</p>
+ <p>
+ Own Id: OTP-16803</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>Ssh 4.9.1</title>
<section><title>Fixed Bugs and Malfunctions</title>
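Review bot: in the OTP-16508 entry (Ssh 4.10, Improvements and New Features), "The MAC (Message Authorization Code) algorithms" expands the acronym wrongly; the SSH transport term is Message Authentication Code, which is what the three hmac-*-etm@openssh.com algorithms listed right below provide, so the line should read "The MAC (Message Authentication Code) algorithms". Smaller text issues in the same hunk: "Aux Id: PR- 3049" (OTP-17197) has a stray space and should follow the "PR-2753" form used elsewhere in the file; "Enable with the the option" (OTP-16513) doubles "the"; "an empty connection that have had channels previously" (OTP-17279) should read "that has had"; and the OTP-16506, OTP-16512 and OTP-16540 paragraphs end without a period or with a comma ("without changing the code,"). Finally, "Fix decoder bug." (OTP-16904, added here for both Ssh 4.10.2 and 4.9.1.2) tells an operator nothing about which decoder is affected, what input reaches it or what the failure mode was, which is exactly what is needed to judge the urgency of an upgrade; one sentence naming the affected component and the consequence would make the entry actionable.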
@@ -71,10 +610,10 @@
</item>
<item>
<p>
- The new functions <seealso
- marker="ssh:ssh#set_sock_opts-2">ssh:set_sock_opts/2</seealso>
- and <seealso
- marker="ssh:ssh#get_sock_opts-2">ssh:get_sock_opts/2</seealso>
+ The new functions <seemfa
+ marker="ssh:ssh#set_sock_opts/2">ssh:set_sock_opts/2</seemfa>
+ and <seemfa
+ marker="ssh:ssh#get_sock_opts/2">ssh:get_sock_opts/2</seemfa>
sets and reads option values for the underlying TCP
stream.</p>
<p>
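Review bot: since this paragraph is being touched anyway, the unchanged continuation "sets and reads option values for the underlying TCP stream" should become "set and read", as the subject is the plural "The new functions". The marker change from `set_sock_opts-2` to `set_sock_opts/2` (and likewise for `get_sock_opts`) matches the name/arity form used by the other `seemfa` markers added in this commit, e.g. `ssh:ssh#tcpip_tunnel_to_server/6`, so the anchors are consistent across the file.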
@@ -191,9 +730,9 @@
</item>
<item>
<p>
- The documentation of <seealso
+ The documentation of <seeguide
marker="ssh:using_ssh#one-time-execution">One-Time
- Execution</seealso> in the User's Guide is updated with
+ Execution</seeguide> in the User's Guide is updated with
more examples.</p>
<p>
Own Id: OTP-16108 Aux Id: OTP-15417 </p>
@@ -319,6 +858,37 @@
</section>
+<section><title>Ssh 4.7.6.5</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Fix decoder bug.</p>
+ <p>
+ Own Id: OTP-16904</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.7.6.4</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Potential hazard between re-keying decision and socket
+ close.</p>
+ <p>
+ Own Id: OTP-16462 Aux Id: ERIERL-464 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>Ssh 4.7.6.3</title>
<section><title>Fixed Bugs and Malfunctions</title>
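Review bot: the OTP-16462 entry (Ssh 4.7.6.4) "Potential hazard between re-keying decision and socket close." is a noun phrase with no verb, so it says neither what went wrong nor that it is fixed, which matters for a fault in the re-keying path. Suggest a full sentence in the pattern used by the other entries in this file, for example "A race between the re-keying decision and the closing of the socket could <effect>; this is now corrected.", with the effect filled in from the ERIERL-464 fix rather than left to the reader. The "Fix decoder bug." wording (OTP-16904) is repeated here for Ssh 4.7.6.5 and would benefit from the same expansion as the copies added for the 4.10.2 and 4.9.1.2 branches.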