[ssh_x509] IP quality of service defaults Re: PKIX-SSH release 11.4

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Sep 2 16:02:15 EEST 2018


Hello,

Recently users reported that secure shell connections to some commercial virtual 
machines drop. It was confirmed that the issue is due to the VM NAT implementation.

The workaround is for the client to use the previous defaults:

     IPQoS lowdelay throughput


Regards
Roumen Petrov


ssh_x509 at roumenpetrov.info wrote:
> Hello all,
>
> The first major release, 11.4, after the push of the source code into a 
> public repository is ready for download. The complete list of changes 
> can be viewed here:
> https://gitlab.com/secsh/pkixssh/commits/master .
>
> The release includes the following important evolution:
> * IPQoS defaults
>     Change the IPQoS defaults in client and daemon to DSCP (differentiated 
> services code point):
>     - AF21: for interactive and
>     - CS1: for bulk traffic
>
> * ssh-askpass alternatives
> Update information for ssh-askpass alternatives. Also added shell 
> script that wraps KDialog.
>
> * limit agent connections
> The authentication agent postpones accepting new connections when the 
> maximum number of file descriptors is exceeded.
>
> * algorithms for keyscan
> Command keyscan uses -t argument as algorithm filter (pattern-list).
>
> * SendEnv arguments
> Use pattern-list for client option SendEnv. Note that the option allows 
> negated matches.
>
> * new option SetEnv
> New client and daemon option SetEnv. Processing of user environment 
> settings in the daemon is updated to not allow the user to override 
> server settings.
>
> * PermitUserEnvironment arguments
> Daemon option PermitUserEnvironment accepts in addition a pattern-list 
> of "white-listed" environment variable names.
>
> * new option PermitListen
> New daemon option PermitListen that controls client requests for 
> remote forwarding (ssh -R).
>
> * expansion of user id
> User id is available as a %-expansion everywhere that the user name is 
> available currently (%i for client and %U for daemon).
>
> * keysign use
> Hostbased authentication always uses ssh-keysign. This avoids one of 
> reasons for "setuid" root client.
>
> * no "setuid" client
> Removed support for running client "setuid". Also deprecate client 
> option UsePrivilegedPort.
>
> * without "S/Key"
> Removed support for "S/Key" authentication.
>
> * private key formats
> "ssh-keygen" command option -m PEM with -p flag can be used to 
> convert private keys to the widely used and more portable PEM format. Not 
> applicable for ed25519 keys yet. Those keys still use a proprietary format.
>
>
> Regards,
> Roumen Petrov
>
>
> _______________________________________________
> ssh_x509 mailing list
> ssh_x509 at roumenpetrov.info
> http://roumenpetrov.info/mailman/listinfo/ssh_x509_roumenpetrov.info
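
The two IPQoS settings discussed in this thread, resolved to the value they place in the IPv4 TOS/DS byte, with a matching tcpdump filter for checking in a capture which marking a dropping connection carries. This is an added example, not part of the original messages or of PKIX-SSH; it handles keyword arguments only, and the function names and the default port 22 are assumptions.

```python
# Added example: resolve IPQoS keywords to the IPv4 TOS/DS byte.
# Legacy TOS flags, as used by the previous defaults.
LEGACY_TOS = {"lowdelay": 0x10, "throughput": 0x08, "reliability": 0x04}


def tos_byte(keyword):
    """Return the 8-bit TOS/DS field value for one IPQoS keyword."""
    kw = keyword.lower()
    if kw in LEGACY_TOS:
        return LEGACY_TOS[kw]
    if kw == "ef":                       # Expedited Forwarding, DSCP 46
        dscp = 46
    elif len(kw) == 3 and kw.startswith("cs") and kw[2] in "01234567":
        dscp = 8 * int(kw[2])            # class selector CSx
    elif (len(kw) == 4 and kw.startswith("af")
          and kw[2] in "1234" and kw[3] in "123"):
        dscp = 8 * int(kw[2]) + 2 * int(kw[3])   # AFxy: class x, drop y
    else:
        raise ValueError("unknown IPQoS keyword: %r" % keyword)
    return dscp << 2                     # DSCP is the upper six bits


def parse_ipqos(line):
    """Parse an 'IPQoS <interactive> [<bulk>]' option line.

    A single argument applies to both kinds of session."""
    parts = line.split()
    if len(parts) not in (2, 3) or parts[0].lower() != "ipqos":
        raise ValueError("not an IPQoS option line: %r" % line)
    interactive = tos_byte(parts[1])
    bulk = tos_byte(parts[2]) if len(parts) == 3 else interactive
    return {"interactive": interactive, "bulk": bulk}


def capture_filter(line, port=22):
    """Build a tcpdump expression matching IPv4 SSH packets that carry
    either marking; the two low (ECN) bits are masked out."""
    values = sorted(set(parse_ipqos(line).values()))
    marks = " or ".join("(ip[1] & 0xfc) == 0x%02x" % v for v in values)
    return "tcp port %d and (%s)" % (port, marks)


if __name__ == "__main__":
    # New defaults from the release notes, then the workaround setting.
    for opt in ("IPQoS af21 cs1", "IPQoS lowdelay throughput"):
        print(opt, parse_ipqos(opt), capture_filter(opt), sep="\n  ")
```

Capturing on both sides of the NAT with the generated filter shows whether packets with a given marking stop arriving.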