1.3.9 Release Notes ------------------------ This file contains a description of the major changes to ProFTPD for the 1.3.9 release cycle, from the 1.3.9rc1 release to the 1.3.9 maintenance releases. More information on these changes can be found in the NEWS and ChangeLog files. 1.3.9rc1 --------- + Clients are disconnected if there is an error adding them to the ScoreboardFile. Previously, such errors were logged, but the session allowed to continue. + Implemented the "chacha20-poly1305@openssh.com" SSH cipher algorithm. + Implemented support for OpenSSH FIDO security keys in mod_sftp. + The mod_auth_otp module now requires per-user entries in its tables by default. This is a change from previous versions, when such per-user entries were optional. + New Directives IfSessionOptions PerUnauthenticatedUser The mod_ifsession module only applies its user/group-specific configurations after the client has authenticated itself. Some sites, however, may wish for user-specific configurations to be applied based on the unauthenticated username supplied by the client, such as in cases where the conditional configuration in question will affect the authentication process. The new PerUnauthenticatedUser IfSessionOption can be used to achieve this; see doc/contrib/mod_ifsession.html#IfSessionOptions for more. ScoreboardOptions AllowMissingEntry Clients are now disconnected if they cannot be added to the ScoreboardFile. Some sites may require the previous behavior; use this new AllowMissingEntry ScoreboardOption to do so. See doc/modules/mod_core.html#ScoreboardOptions for more information. + Changed Directives AuthOTPOptions OptionalTableEntry Now that the mod_auth_otp module requires an entry for each user, sites may need to re-enable the previous opt-in behavior. Use the OptionalTableEntry AuthOTPOption for this. Read doc/contrib/mod_auth_otp.html#AuthOTPOptions for details. DelayOnEvent Connect The DelayOnEvent directive can now be used to inject randomized delays, "jitter", at the start of a session. This can be used to spread out the processing of a large number of connections that occur at the same time, such as on a schedule/cron. See doc/modules/mod_delay.html#DelayOnEvent for details. ExtendedLog SEC class SSH key exchange requests are now classified as "security" related messages, and thus are logged in ExtendedLog configurations that use the SEC logging class. LDAPDefaultGID, LDAPDefaultUID Auto Retrieving the UID, GID to use for users configured in ActiveDirectory domains, based on the default/expected attributes, is not always possible. In such cases, the new "Auto" value for the default UID, GID to use by mod_ldap allows for retrieving the actual UID, GID by system user lookup, which is handled for AD domains by the special `sssd` program, for example. LogFormat %{transfer-speed} The LogFormat directive now supports a variable, %{transfer-speed}, for logging the average data transfer speed. SFTPCiphers chacha20-poly1305@openssh.com The mod_sftp module now implements OpenSSH's "chacha20-poly1305@openssh.com" algorithm. SFTPExtensions userGroupNames The mod_sftp module supports the custom OpenSSH "users-groups-by-id@openssh.com" SFTP extension, used to retrieve the textual user/group names for given lists of UIDs, GIDs. SFTPOptions FIDOTouchRequired FIDOVerifyRequired OpenSSH FIDO security keys, such as Yubikeys, are now supported for SSH authentication by the mod_sftp module. These keys allow for policies such as proof of user presence, and/or proof of user verification. These new SFTPOptions can be used to configure your site policies for such keys; see doc/contrib/mod_sftp.html#SFTPOptions for more information. + Developer Notes Removed the unused `pr_ctrls_parse_msg` Controls API function.