Bug#374980: ssh-keyscan does not exit in case of failure

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#374980: ssh-keyscan does not exit in case of failure

martin f krafft
Package: openssh-client
Version: 1:4.3p2-2
Severity: minor

$ ssh-keyscan -t rsa does.not.exist.org
$ echo $?
0

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-2-xen-amd64-k8
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssh-client depends on:
ii  adduser             3.87                 Add and remove users and groups
ii  debconf [debconf-2. 1.5.2                Debian configuration management sy
ii  dpkg                1.13.22              package maintenance system for Deb
ii  libc6               2.3.6-15             GNU C Library: Shared libraries
ii  libcomerr2          1.39-1               common error description library
ii  libedit2            2.9.cvs.20050518-2.2 BSD editline and history libraries
ii  libkrb53            1.4.3-7              MIT Kerberos runtime libraries
ii  libncurses5         5.5-2                Shared libraries for terminal hand
ii  libselinux1         1.30-1               SELinux shared libraries
ii  libssl0.9.8         0.9.8b-2             SSL shared libraries
ii  zlib1g              1:1.2.3-12           compression library - runtime

openssh-client recommends no packages.

-- no debconf information

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

signature.asc (196 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#374980: ssh-keyscan does not exit in case of failure

martin f krafft
also sprach martin f krafft <[hidden email]> [2006.06.22.1447 +0200]:
> $ ssh-keyscan -t rsa does.not.exist.org
> $ echo $?
> 0

Of course, the domain name must resolve. Sorry.

So the problem happens when the host is down or sshd not running.

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

signature.asc (196 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#374980: marked as done (ssh-keyscan does not exit in case of failure)

Debian Bug Tracking System
In reply to this post by martin f krafft
Your message dated Sun, 09 Jun 2019 22:18:39 +0000
with message-id <[hidden email]>
and subject line Bug#374980: fixed in openssh 1:8.0p1-1
has caused the Debian Bug report #374980,
regarding ssh-keyscan does not exit in case of failure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
374980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=374980
Debian Bug Tracking System
Contact [hidden email] with problems

Package: openssh-client
Version: 1:4.3p2-2
Severity: minor

$ ssh-keyscan -t rsa does.not.exist.org
$ echo $?
0

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-2-xen-amd64-k8
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssh-client depends on:
ii  adduser             3.87                 Add and remove users and groups
ii  debconf [debconf-2. 1.5.2                Debian configuration management sy
ii  dpkg                1.13.22              package maintenance system for Deb
ii  libc6               2.3.6-15             GNU C Library: Shared libraries
ii  libcomerr2          1.39-1               common error description library
ii  libedit2            2.9.cvs.20050518-2.2 BSD editline and history libraries
ii  libkrb53            1.4.3-7              MIT Kerberos runtime libraries
ii  libncurses5         5.5-2                Shared libraries for terminal hand
ii  libselinux1         1.30-1               SELinux shared libraries
ii  libssl0.9.8         0.9.8b-2             SSL shared libraries
ii  zlib1g              1:1.2.3-12           compression library - runtime

openssh-client recommends no packages.

-- no debconf information

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Source: openssh
Source-Version: 1:8.0p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[hidden email]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 09 Jun 2019 22:47:27 +0100
Source: openssh
Architecture: source
Version: 1:8.0p1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[hidden email]>
Changed-By: Colin Watson <[hidden email]>
Closes: 189920 374980 532754 927792
Changes:
 openssh (1:8.0p1-1) experimental; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.0, closes:
     #927792):
     - ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
       PKCS#11 tokens (LP: #1665695).
     - ssh(1), sshd(8): Add experimental quantum-computing resistant key
       exchange method, based on a combination of Streamlined NTRU Prime
       4591^761 and X25519.
     - ssh-keygen(1): Increase the default RSA key size to 3072 bits,
       following NIST Special Publication 800-57's guidance for a 128-bit
       equivalent symmetric security level (LP: #1445625).
     - ssh(1): Allow "PKCS11Provider=none" to override later instances of the
       PKCS11Provider directive in ssh_config.
     - sshd(8): Add a log message for situations where a connection is
       dropped for attempting to run a command but a sshd_config
       ForceCommand=internal-sftp restriction is in effect.
     - ssh(1): When prompting whether to record a new host key, accept the
       key fingerprint as a synonym for "yes".  This allows the user to paste
       a fingerprint obtained out of band at the prompt and have the client
       do the comparison for you.
     - ssh-keygen(1): When signing multiple certificates on a single
       command-line invocation, allow automatically incrementing the
       certificate serial number.
     - scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp
       and sftp command-lines.
     - ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
       command-line flags to increase the verbosity of output; pass verbose
       flags though to subprocesses, such as ssh-pkcs11-helper started from
       ssh-agent.
     - ssh-add(1): Add a "-T" option to allowing testing whether keys in an
       agent are usable by performing a signature and a verification.
     - sftp-server(8): Add a "[hidden email]" protocol extension that
       replicates the functionality of the existing SSH2_FXP_SETSTAT
       operation but does not follow symlinks.
     - sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they
       do not follow symlinks.
     - sshd(8): Expose $SSH_CONNECTION in the PAM environment.  This makes
       the connection 4-tuple available to PAM modules that wish to use it in
       decision-making.
     - sshd(8): Add a ssh_config "Match final" predicate.  Matches in same
       pass as "Match canonical" but doesn't require hostname
       canonicalisation be enabled.
     - sftp(1): Support a prefix of '@' to suppress echo of sftp batch
       commands.
     - ssh-keygen(1): When printing certificate contents using "ssh-keygen
       -Lf /path/certificate", include the algorithm that the CA used to sign
       the cert.
     - sshd(8): Fix authentication failures when sshd_config contains
       "AuthenticationMethods any" inside a Match block that overrides a more
       restrictive default.
     - sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is
       enabled.
     - sshd(8): Fix two race conditions related to SIGHUP daemon restart.
       Remnant file descriptors in recently-forked child processes could
       block the parent sshd's attempt to listen(2) to the configured
       addresses.  Also, the restarting parent sshd could exit before any
       child processes that were awaiting their re-execution state had
       completed reading it, leaving them in a fallback path.
     - ssh(1): Fix stdout potentially being redirected to /dev/null when
       ProxyCommand=- was in use.
     - sshd(8): Avoid sending SIGPIPE to child processes if they attempt to
       write to stderr after their parent processes have exited.
     - ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and
       ConnectionAttempts directives - connection attempts after the first
       were ignoring the requested timeout (LP: #1798049).
     - ssh-keyscan(1): Return a non-zero exit status if no keys were found
       (closes: #374980, LP: #1661745).
     - scp(1): Sanitize scp filenames to allow UTF-8 characters without
       terminal control sequences.
     - sshd(8): Fix confusion between ClientAliveInterval and time-based
       RekeyLimit that could cause connections to be incorrectly closed.
     - ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at
       initial token login.  The attempt to read the PIN could be skipped in
       some cases, particularly on devices with integrated PIN readers.  This
       would lead to an inability to retrieve keys from these tokens.
     - ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
       CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
       C_SignInit operation.
     - ssh(1): Improve documentation for ProxyJump/-J, clarifying that local
       configuration does not apply to jump hosts.
     - ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys,
       not private.
     - ssh(1), sshd(8): be more strict in processing protocol banners,
       allowing \r characters only immediately before \n.
     - Various: fix a number of memory leaks.
     - scp(1), sftp(1): fix calculation of initial bandwidth limits.  Account
       for bytes written before the timer starts and adjust the schedule on
       which recalculations are performed.  Avoids an initial burst of
       traffic and yields more accurate bandwidth limits.
     - sshd(8): Only consider the ext-info-c extension during the initial key
       eschange.  It shouldn't be sent in subsequent ones, but if it is
       present we should ignore it.  This prevents sshd from sending a
       SSH_MSG_EXT_INFO for REKEX for these buggy clients.
     - ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
       authorized_keys) and -R (remove host from authorized_keys) options may
       accept either a bare hostname or a [hostname]:port combo.
     - ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK.
     - sshd(8): Silence error messages when sshd fails to load some of the
       default host keys.  Failure to load an explicitly-configured hostkey
       is still an error, and failure to load any host key is still fatal.
     - ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
       started with ControlPersist; prevents random ProxyCommand output from
       interfering with session output.
     - ssh(1): The ssh client was keeping a redundant ssh-agent socket
       (leftover from authentication) around for the life of the connection.
     - sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
       PubkeyAcceptedKeyTypes options.  If only RSA-SHA2 signature types were
       specified, then authentication would always fail for RSA keys as the
       monitor checks only the base key (not the signature algorithm) type
       against *AcceptedKeyTypes.
     - ssh(1): Request correct signature types from ssh-agent when
       certificate keys and RSA-SHA2 signatures are in use.
     - sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the
       user environment if it's enabled (closes: #189920, #532754).
   * Mostly resynced GSSAPI key exchange patch with Fedora.  Major changes:
     - Support selection of GSSAPI key exchange algorithms.
     - Support GSSAPI key exchange methods with DH and SHA2.
     - Support GSSAPI key exchange using ECDH and SHA2.
     - Make sure the Kerberos tickets are cleaned up with the user context.
     - Enable gssapi-keyex authentication without gssapi-with-mic.
     - Allow querying for GSSAPI key exchange algorithms from ssh (-Q
       kex-gss).
   * Apply upstream patch to fix the utimensat regression tests when not
     using the compatibility implementation.
Checksums-Sha1:
 e4f6cdda020708a616b1f965e4960a19217ef6c3 3276 openssh_8.0p1-1.dsc
 756dbb99193f9541c9206a667eaa27b0fa184a4f 1597697 openssh_8.0p1.orig.tar.gz
 a287987d9d505aaa8a89e693920f14b9b9e27a5f 683 openssh_8.0p1.orig.tar.gz.asc
 607d4734333121122f7a84c29e53dca22d1f4e8b 170472 openssh_8.0p1-1.debian.tar.xz
Checksums-Sha256:
 d9eead44a036a84871d74a26e9f138fb60f33b74f5ba6e5e5253220ed5037e81 3276 openssh_8.0p1-1.dsc
 bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68 1597697 openssh_8.0p1.orig.tar.gz
 1904abaa20c24f0c8fed8d7708ec13f4ddca0b8f0f3a191b183b93f142111538 683 openssh_8.0p1.orig.tar.gz.asc
 82ae8aa9a3391c8fd6a40a3d1baee666e1e1b994af2b817a481e3cb821e72629 170472 openssh_8.0p1-1.debian.tar.xz
Files:
 fe63553cea273fc42d92e346532f103b 3276 net standard openssh_8.0p1-1.dsc
 bf050f002fe510e1daecd39044e1122d 1597697 net standard openssh_8.0p1.orig.tar.gz
 d6ed552f65c74470fe03e2e25d63c363 683 net standard openssh_8.0p1.orig.tar.gz.asc
 de17df8879d77cf0720314d72232e7a7 170472 net standard openssh_8.0p1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlz9gRgACgkQOTWH2X2G
UAs6TA/+JS2+rckjBmwXDSqNnfU8Z8gpvdEuxRQwpVZJNq7ove1W8GIClPuDfq41
9x0Yux7RgCCcjzX7Qarj5P1nJ0AV62Ie8LwtxGW0gjnQ6bIeYKxDjwSsdWsX9Ju4
cocsdO+k6ZBIqHq7xufozo75ab0RD4yZaH1XtLe2gRjHgLDxqesy2TpVRmxOYFmC
Akr7ziTRrjQGqo7fqeJymMEy8VUTbJJKoZFIdah/UlLQk+vDdRHxaOsOtZU8Abtm
kg+rsH5EIEBgBlNXhPHh6TvLxclBZBzVi/Vk724r2I0luyoXWhR0vJlMAuJCTw8F
RqVPLuh/gnM6Y9Q1/Z5k6dbvC89toGVW/Ku3FO9opWwJ9VsXlrC7FH6YojR12zUS
ofEFgIFuxTxoWjhS7ZRV6O4NvnWOLhDaVYjTtIX5LKXHyUB55hWANx615IIixjwz
0/YKeL8h24JUo6IejthVKtp9kOOKVCPgfNw0ENhZ5pqHLgJ/mxn7LymqrRiJWY0n
QeTGENf5XIjgY7TrbiRolfM7yyo0TyJ8+SOhpUm+TlnPCb28/8QD9gOq4wL7qyhj
6yuGXff8ZhKsfN6LwIxiA416vFOML7jQQK0ad9l6wklT18fmY2rn4g42/Ap9eQE9
HMDw6NKifCl4h3M6e3VxREleotDlqXRd6ooXR0xv1ZXx2oXOgts=
=a6JZ
-----END PGP SIGNATURE-----

signature.asc (196 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#374980: marked as done (ssh-keyscan does not exit in case of failure)

Debian Bug Tracking System
In reply to this post by martin f krafft
Your message dated Mon, 08 Jul 2019 16:49:16 +0000
with message-id <[hidden email]>
and subject line Bug#374980: fixed in openssh 1:8.0p1-3
has caused the Debian Bug report #374980,
regarding ssh-keyscan does not exit in case of failure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
374980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=374980
Debian Bug Tracking System
Contact [hidden email] with problems

Package: openssh-client
Version: 1:4.3p2-2
Severity: minor

$ ssh-keyscan -t rsa does.not.exist.org
$ echo $?
0

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-2-xen-amd64-k8
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages openssh-client depends on:
ii  adduser             3.87                 Add and remove users and groups
ii  debconf [debconf-2. 1.5.2                Debian configuration management sy
ii  dpkg                1.13.22              package maintenance system for Deb
ii  libc6               2.3.6-15             GNU C Library: Shared libraries
ii  libcomerr2          1.39-1               common error description library
ii  libedit2            2.9.cvs.20050518-2.2 BSD editline and history libraries
ii  libkrb53            1.4.3-7              MIT Kerberos runtime libraries
ii  libncurses5         5.5-2                Shared libraries for terminal hand
ii  libselinux1         1.30-1               SELinux shared libraries
ii  libssl0.9.8         0.9.8b-2             SSL shared libraries
ii  zlib1g              1:1.2.3-12           compression library - runtime

openssh-client recommends no packages.

-- no debconf information

--
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[hidden email]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Source: openssh
Source-Version: 1:8.0p1-3

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [hidden email],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[hidden email]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [hidden email])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Jul 2019 17:19:37 +0100
Source: openssh
Architecture: source
Version: 1:8.0p1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[hidden email]>
Changed-By: Colin Watson <[hidden email]>
Closes: 189920 374980 532754 927792
Changes:
 openssh (1:8.0p1-3) unstable; urgency=medium
 .
   * Upload to unstable.
 .
 openssh (1:8.0p1-2) experimental; urgency=medium
 .
   * Fix interop tests for recent regress changes.
 .
 openssh (1:8.0p1-1) experimental; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.0, closes:
     #927792):
     - ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
       PKCS#11 tokens (LP: #1665695).
     - ssh(1), sshd(8): Add experimental quantum-computing resistant key
       exchange method, based on a combination of Streamlined NTRU Prime
       4591^761 and X25519.
     - ssh-keygen(1): Increase the default RSA key size to 3072 bits,
       following NIST Special Publication 800-57's guidance for a 128-bit
       equivalent symmetric security level (LP: #1445625).
     - ssh(1): Allow "PKCS11Provider=none" to override later instances of the
       PKCS11Provider directive in ssh_config.
     - sshd(8): Add a log message for situations where a connection is
       dropped for attempting to run a command but a sshd_config
       ForceCommand=internal-sftp restriction is in effect.
     - ssh(1): When prompting whether to record a new host key, accept the
       key fingerprint as a synonym for "yes".  This allows the user to paste
       a fingerprint obtained out of band at the prompt and have the client
       do the comparison for you.
     - ssh-keygen(1): When signing multiple certificates on a single
       command-line invocation, allow automatically incrementing the
       certificate serial number.
     - scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp
       and sftp command-lines.
     - ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
       command-line flags to increase the verbosity of output; pass verbose
       flags though to subprocesses, such as ssh-pkcs11-helper started from
       ssh-agent.
     - ssh-add(1): Add a "-T" option to allowing testing whether keys in an
       agent are usable by performing a signature and a verification.
     - sftp-server(8): Add a "[hidden email]" protocol extension that
       replicates the functionality of the existing SSH2_FXP_SETSTAT
       operation but does not follow symlinks.
     - sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they
       do not follow symlinks.
     - sshd(8): Expose $SSH_CONNECTION in the PAM environment.  This makes
       the connection 4-tuple available to PAM modules that wish to use it in
       decision-making.
     - sshd(8): Add a ssh_config "Match final" predicate.  Matches in same
       pass as "Match canonical" but doesn't require hostname
       canonicalisation be enabled.
     - sftp(1): Support a prefix of '@' to suppress echo of sftp batch
       commands.
     - ssh-keygen(1): When printing certificate contents using "ssh-keygen
       -Lf /path/certificate", include the algorithm that the CA used to sign
       the cert.
     - sshd(8): Fix authentication failures when sshd_config contains
       "AuthenticationMethods any" inside a Match block that overrides a more
       restrictive default.
     - sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is
       enabled.
     - sshd(8): Fix two race conditions related to SIGHUP daemon restart.
       Remnant file descriptors in recently-forked child processes could
       block the parent sshd's attempt to listen(2) to the configured
       addresses.  Also, the restarting parent sshd could exit before any
       child processes that were awaiting their re-execution state had
       completed reading it, leaving them in a fallback path.
     - ssh(1): Fix stdout potentially being redirected to /dev/null when
       ProxyCommand=- was in use.
     - sshd(8): Avoid sending SIGPIPE to child processes if they attempt to
       write to stderr after their parent processes have exited.
     - ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and
       ConnectionAttempts directives - connection attempts after the first
       were ignoring the requested timeout (LP: #1798049).
     - ssh-keyscan(1): Return a non-zero exit status if no keys were found
       (closes: #374980, LP: #1661745).
     - scp(1): Sanitize scp filenames to allow UTF-8 characters without
       terminal control sequences.
     - sshd(8): Fix confusion between ClientAliveInterval and time-based
       RekeyLimit that could cause connections to be incorrectly closed.
     - ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at
       initial token login.  The attempt to read the PIN could be skipped in
       some cases, particularly on devices with integrated PIN readers.  This
       would lead to an inability to retrieve keys from these tokens.
     - ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
       CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
       C_SignInit operation.
     - ssh(1): Improve documentation for ProxyJump/-J, clarifying that local
       configuration does not apply to jump hosts.
     - ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys,
       not private.
     - ssh(1), sshd(8): be more strict in processing protocol banners,
       allowing \r characters only immediately before \n.
     - Various: fix a number of memory leaks.
     - scp(1), sftp(1): fix calculation of initial bandwidth limits.  Account
       for bytes written before the timer starts and adjust the schedule on
       which recalculations are performed.  Avoids an initial burst of
       traffic and yields more accurate bandwidth limits.
     - sshd(8): Only consider the ext-info-c extension during the initial key
       eschange.  It shouldn't be sent in subsequent ones, but if it is
       present we should ignore it.  This prevents sshd from sending a
       SSH_MSG_EXT_INFO for REKEX for these buggy clients.
     - ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
       authorized_keys) and -R (remove host from authorized_keys) options may
       accept either a bare hostname or a [hostname]:port combo.
     - ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK.
     - sshd(8): Silence error messages when sshd fails to load some of the
       default host keys.  Failure to load an explicitly-configured hostkey
       is still an error, and failure to load any host key is still fatal.
     - ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
       started with ControlPersist; prevents random ProxyCommand output from
       interfering with session output.
     - ssh(1): The ssh client was keeping a redundant ssh-agent socket
       (leftover from authentication) around for the life of the connection.
     - sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
       PubkeyAcceptedKeyTypes options.  If only RSA-SHA2 signature types were
       specified, then authentication would always fail for RSA keys as the
       monitor checks only the base key (not the signature algorithm) type
       against *AcceptedKeyTypes.
     - ssh(1): Request correct signature types from ssh-agent when
       certificate keys and RSA-SHA2 signatures are in use.
     - sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the
       user environment if it's enabled (closes: #189920, #532754).
   * Mostly resynced GSSAPI key exchange patch with Fedora.  Major changes:
     - Support selection of GSSAPI key exchange algorithms.
     - Support GSSAPI key exchange methods with DH and SHA2.
     - Support GSSAPI key exchange using ECDH and SHA2.
     - Make sure the Kerberos tickets are cleaned up with the user context.
     - Enable gssapi-keyex authentication without gssapi-with-mic.
     - Allow querying for GSSAPI key exchange algorithms from ssh (-Q
       kex-gss).
   * Apply upstream patch to fix the utimensat regression tests when not
     using the compatibility implementation.
Checksums-Sha1:
 14036aa8fc98107e51086b5f50a97c397b7e9e69 3276 openssh_8.0p1-3.dsc
 0fc865a1c75e164a362549a68e872faf58d0c1c2 171024 openssh_8.0p1-3.debian.tar.xz
Checksums-Sha256:
 77065cc948b4984a828a16173bfb8f085f6d7afaed936652a31257aa32bc4887 3276 openssh_8.0p1-3.dsc
 7e1f34adbc3d75847edc5f9ce11a7a9f8257c8926f00545cc188bd6433214fe5 171024 openssh_8.0p1-3.debian.tar.xz
Files:
 dc309d7f172333965b52cf10c94102f0 3276 net standard openssh_8.0p1-3.dsc
 52e90cfce82725c5e79bdea9513040ca 171024 net standard openssh_8.0p1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAl0jbuYACgkQOTWH2X2G
UAsj2RAAiMZqVOP7sfYCx8BFTCLAvsdlSrTPDwtGDyw7Qug68WS7ey+Uvby6gokA
vT04zmDTVFq4c2lEPZ0lmHxzcaGecX7aRoeyM2lECgzaNSvgUiW6OgZ20xkAK/Tj
bcvExBzIxdhVr1Y40iqiBxymm5xnCBCyUdN4LKIE81JR76XRGOSGAnpF6KYrydSC
gAIlAKf6ZTjNgpvcC4W0SMNYXHkq6jtqpgda1HCa7WCw27KOVTdziEDmS01YCfgf
oh5VtjNJ+AXK+qL6FMKBopZPO9PCca5HDuklpk9rwH82KcqmpjgrR8673nU+OLI4
oF4rAsWvSEco5AuwMLhF0m/hRHe5g6zcTtl/T4jCfvXWrpPyldzi5WNyZLf8dPHF
HpKh2+FaomQV/zyh5KjEMC5EpJJNpNlIWIXFNtjRAnP0vgHVQhQauR/skFy7cgNb
ivLJIIbyz1VgBA5bUTnzfFQlkcyaXfayxCTDVRbuceNp+ZP79y0Jzp84OFqtZWXy
a8DheWErQmWaIIqOgOH/8/v3KvKZ4a6W79x85lR4Cd65o5nZ1kG261DeM2XujGC2
RUeJryYTT8UTMjaMv4QvT+1YGbpbhBStUSENUsUE5UCxa58YsM7rD8K3kj6jPgDv
yMyOsN4UvSO5NVU8QgpJYViWJbNVT3/q8wysDSW5fT8rncR/Bug=
=fXTs
-----END PGP SIGNATURE-----

signature.asc (196 bytes) Download Attachment