I've just updated the Cygwin version of OpenSSH to 5.6p1-1.
This is a new major upstream release. The Cygwin release is created
from the vanilla sources.
The official release message of 5.6p1:
OpenSSH 5.6 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Changes since OpenSSH 5.5
=
Features:
* Added a ControlPersist option to ssh_config(5) that automatically
starts a background ssh(1) multiplex master when connecting. This
connection can stay alive indefinitely, or can be set to
automatically close after a user-specified duration of inactivity.
* Hostbased authentication may now use certificate host keys. CA keys
must be specified in a known_hosts file using the @cert-authority
marker as described in sshd(8).
* ssh-keygen(1) now supports signing certificate using a CA key that
has been stored in a PKCS#11 token.
* ssh(1) will now log the hostname and address that we connected to at
LogLevel=verbose after authentication is successful to mitigate
phishing attacks by servers with trusted keys that accept
authentication silently and automatically before presenting fake
password/passphrase prompts.
Note that, for such an attack to be successful, the user must have
disabled StrictHostKeyChecking (enabled by default) or an attacker
must have access to a trusted host key for the destination server.
* Expand %h to the hostname in ssh_config Hostname options. While this
sounds useless, it is actually handy for working with unqualified
hostnames:
Host *.*
Hostname %h
Host *
Hostname %h.example.org
* Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
(bz#1749)
* sshd(8) will now queue debug messages for bad ownership or
permissions on the user's keyfiles encountered during authentication
and will send them after authentication has successfully completed.
These messages may be viewed in ssh(1) at LogLevel=debug or higher.
* ssh(1) connection multiplexing now supports remote forwarding with
dynamic port allocation and can report the allocated port back to
the user:
LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
* sshd(8) now supports indirection in matching of principal names
listed in certificates. By default, if a certificate has an
embedded principals list then the username on the server must match
one of the names in the list for it to be accepted for
authentication.
sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
file containing a list of names that may be accepted in place of the
username when authorizing a certificate trusted via the
sshd_config(5) TrustedCAKeys option. Similarly, authentication
using a CA trusted in ~/.ssh/authorized_keys now accepts a
principals=name1[,name2,...] to specify a list of permitted names.
If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply. These options
are useful for role accounts, disjoint account namespaces and
u...@realm-style naming policies in certificates.
* Additional sshd_config(5) options are now valid inside Match blocks:
AuthorizedKeysFile
AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly
PermitTunnel
* Revised the format of certificate keys. The new format, identified as
ssh-{dss,rsa}-cert-...@openssh.com includes the following changes:
- Adding a serial number field. This may be specified by the CA at
the time of certificate signing.
- Moving the nonce field to the beginning of the certificate where
it can better protect against chosen-prefix attacks on the
signature hash (currently infeasible against the SHA1 hash used)
- Renaming the constraints field to critical options
- Addng a new non-critical extensions field. The permit-*
options are now extensions, rather than critical options to
permit non-OpenSSH implementation of this key format to degrade
gracefully when encountering keys with options they do not
recognize.
The older format is still supported for authentication and may still
be used when signing certificates (use ssh-keygen -t v00 ...).
The v00 format, introduced in OpenSSH 5.4, will be supported for at
least one year from this