[HEADS UP] openssh-7.1 is heading to Fedora 23

Jakub Jelen jjelen at redhat.com
Sat Aug 22 21:14:22 UTC 2015


Openssh-7.0 is dead. Long live openssh-7.1 [1]

TL;DR version: The last release went out too fast and upstream missed a
bug in PermitRootLogin=prohibit-password, so another release was rolled
out. Basically there is nothing more than bugfixes in it, so just don't
be surprised that Fedora 23 will probably come with version 7.1 instead
of the announced 7.0.

The new bodhi update can be found here [2].

[1] http://www.openssh.com/txt/release-7.1
[2] https://bodhi.fedoraproject.org/updates/openssh-7.1p1-1.fc23

On 08/13/2015 06:41 PM, Jakub Jelen wrote:
> Hi folks,
> this is an announcement that the-new-hotness version of openssh is
> baked and ready to reach Fedora 23. As some of you noticed, upstream
> is pushing a few important changes in this version:
>
> 1) Disable SSHv1 at compile time. Yes. It is time to say hello to this
> protocol and move on. I heard your voices that some people need to
> use the clients to connect to old hardware, so after discussion we
> came up with a solution: we will ship these clients with SSHv1 enabled
> in a sub-package called openssh-clients-ssh1, which contains only two
> binaries, ssh1, ssh-keygen1 and scp1, just for the people in need.
> With the default tools you should not be able to connect to SSHv1-only
> servers.
>
> 2) PermitRootLogin=prohibit-password is the upstream default. I am not
> going to revert this change as I did in openssh-6.9, which landed in
> Fedora 22, after all the discussion about this topic and with bz89216.
> I changed only the default value in sshd_config. This means two
> things: 1) You are still able to log in as root with a clean Fedora 23
> install. 2) If you update from previous versions and you have modified
> this file, you need to take care of this on your own!
>
> 3) Disabling at run time the key exchange algorithm
> diffie-hellman-group1-sha1 and the key/cert algorithms ssh-dss,
> ssh-dss-cert-*. This can also be a problem when connecting to older
> systems or with older keys, but upstream prepared a new feature that
> will help with this issue and a special page [1] describing how to
> simply enable these algorithms if you really need to for a specific
> connection or host.
>
> 4) And of course some security fixes that were found since the last
> release are packaged. You can find a description in the release notes
> and in CVE-2015-5600.
>
> You can find the whole release notes on the upstream website [2] and
> the update for Fedora 23 is in bodhi [3].
>
> I hope everything will work for you with the new version and if not,
> feel free to file a bug or discuss issues in this thread.
>
> [1] http://www.openssh.com/legacy.html
> [2] http://www.openssh.com/txt/release-7.0
> [3] https://admin.fedoraproject.org/updates/openssh-7.0p1-1.fc23
>
> Best regards,
>

-- 
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
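
Point 2 of the quoted announcement leaves upgraded systems with a locally modified sshd_config to check the root-login setting themselves. The script below is an added example, not part of the original message or the Fedora package; the function names and the sample config are constructed, and it assumes a single config file.

```shell
#!/bin/sh
# Added example, not from the announcement or the Fedora package.
# Assumption taken from the announcement: with no PermitRootLogin line,
# OpenSSH 7.x applies its compiled-in default, prohibit-password.
COMPILED_DEFAULT="prohibit-password"

# Print the first global PermitRootLogin value (lowercased), or "unset".
# sshd uses the first value it reads for a keyword; global scope ends at
# the first Match line. Keyword and value may be separated by "=".
root_login_setting() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim, tolerate CRLF
        /^#/ || /^$/ { next }                          # comments, blanks
        {
            key = tolower($1); sub(/=.*/, "", key)
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            gsub(/"/, "", val); split(val, tok, /[ \t]+/)
            if (key == "match") exit
            if (key == "permitrootlogin") { found = tolower(tok[1]); exit }
        }
        END { if (found == "") found = "unset"; print found }
    ' "$1"
}

# Print every Match block that sets PermitRootLogin, as "<match> -> <line>".
match_overrides() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        { key = tolower($1); sub(/=.*/, "", key) }
        key == "match" { block = $0; next }
        block != "" && key == "permitrootlogin" { print block " -> " $0 }
    ' "$1"
}

# "explicit:<value>" if the file decides, "default:<value>" if sshd does.
effective_root_login() {
    v=$(root_login_setting "$1")
    if [ "$v" = "unset" ]; then echo "default:$COMPILED_DEFAULT"
    else echo "explicit:$v"; fi
}

# Constructed sample: a modified config with no global PermitRootLogin line.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PasswordAuthentication yes' \
    'Match Address 192.0.2.0/24' '    PermitRootLogin yes' > "$sample"
effective_root_login "$sample"
match_overrides "$sample"
rm -f "$sample"
```

On a live host, pass the path of the server's sshd_config to `effective_root_login`; a `default:` result means the file leaves the decision to the installed sshd binary.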


