Recent Releases

9.7 12 Mar 2024 23:05 minor feature: This release contains mostly bugfixes. New features: ssh(1), sshd(8): add a "global" ChannelTimeout type that watches all open channels and will close all open channels if there is no traffic on any of them for the specified interval. This is in addition to the existing per-channel timeouts added recently. This supports situations like having both session and x11 forwarding channels open where one may be idle for an extended period but the other is actively used. The global timeout could close both channels when both have been idle for too long. All: make DSA key support compile-time optional, defaulting to on. sshd(8): don't append an unnecessary space to the end of subsystem arguments (bz3667). ssh(1): fix the multiplexing "channel proxy" mode, broken when keystroke timing obfuscation was added (GHPR#463). ssh(1), sshd(8): fix spurious configuration parsing errors when options that accept array arguments are overridden (bz3657). ssh-agent(1): fix potential spin in signal handler (bz3670). Many fixes to manual pages and other documentation, including GHPR#462, GHPR#454, GHPR#442 and GHPR#441. Greatly improve interop testing against PuTTY. Portability: improve the error message when the autoconf OpenSSL header check fails. Improve detection of broken toolchain -fzero-call-used-regs support (bz3645). Fix regress/misc/fuzz-harness fuzzers and make them compile without warnings when using clang16. Checksums: SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11; SHA256 (openssh-9.7.tar.gz) = gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=; SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc; SHA256 (openssh-9.7p1.tar.gz) = SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=. Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https:// Reporting bugs: Please read
9.6 19 Dec 2023 08:05 minor feature: This release contains a number of security fixes, some small features and bugfixes. Security: This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters. ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted. While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user authentication from proceeding and results in a stuck connection. The most serious identified impact is that it lets a MITM delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity. OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange. Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleab
9.5 05 Oct 2023 07:45 minor feature: This release fixes a number of bugs and adds some small features. Potentially incompatible changes: ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014). sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected. New features: ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword. ssh(1), sshd(8): introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "" ext-info message with a string version number of "0". sshd(8): allow override of Subsystem directives in sshd Match blocks. scp(1): fix scp in SFTP mode recursive upload and download of directories that contain symlinks to other directories. In scp mode, the links would be followed, but in SFTP mode they were not. bz3611. ssh-keygen(1): handle cr+lf (instead of just cr) line endings in sshsig signature files. ssh(1): fix interactive mode for ControlPersist sessions if they originally requested a tty. sshd(8): make PerSourceMaxStartups first-match-wins. sshd(8): limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication. bz3602. sshd(8): log errors in kex_exchange_identification() with level verbose instea
9.4 11 Aug 2023 03:25 minor feature: This release fixes a number of bugs and adds some small features. Potentially incompatible changes: This release removes support for older versions of libcrypto. OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. Note that these versions are already deprecated by their upstream vendors. ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. New features: ssh(1): allow forwarding Unix Domain sockets via ssh -W. ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D which expands to the routing domain of the connected session and %C which expands to the addresses and port numbers for the source and destination of the connection. ssh-keygen(1): increase the default work factor (rounds) for the bcrypt KDF used to derive symmetric encryption keys for passphrase protected key files by 50%. ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. ssh(1): make -f (fork after authentication) work correctly with multiplexed connections, including ControlPersist. bz3589 bz3589. ssh(1): make ConnectTimeout apply to multiplexing sockets and not just to network connections. ssh-agent(1), ssh(1): impr
9.3 16 Mar 2023 03:25 minor feature: This release fixes a number of security bugs. Security: This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of-service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. New features: ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493. sshd(8): add a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated and for configuration evaluation and verification by unprivileged users. scp(1), sftp(1): fix progressmeter corruption on wide displays; bz3534. ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of private keys as some systems are starting to disable RSA/SHA
9.2 03 Feb 2023 07:05 minor feature: This release fixes a number of security bugs. Security: This release contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. sshd(8): fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1. This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms. ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option would ignore its first argument unless it was one of the special keywords "any" or "none", causing the permission list to fail open if only one permission was specified. bz3515. ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options were enabled, and the system/libc resolver did not check that names in DNS responses were valid, then use of these options could allow an attacker with control of DNS to include invalid characters (possibly including wildcards) in names added to known_hosts files when they were updated. These names would still have to match the CanonicalizePermittedCNAMEs allow-list, so practical exploitation appears unlikely. Potentially-incompatible changes: ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. This option defaults to "no", disabling the ~C command-line that was previously enabled by default. Turning off the command-line allows platforms that support sandboxing of the ssh(1) client (currently only OpenBSD) to use a stricter default sandbox policy. New features: sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automati
9.1 05 Oct 2022 13:45 minor feature: This release is focused on bugfixing. Security: This release contains fixes for three minor memory safety problems. None are believed to be exploitable, but we report most memory safety problems as potential security vulnerabilities out of caution. ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys. ssh-keygen(1): double free() in error path of file hashing step in signing/verify code; GHPR333. ssh-keysign(8): double-free in error path introduced in openssh-8.9. Potentially-incompatible changes: The portable OpenSSH project now signs commits and release tags using git's recent SSH signature support. The list of developer signing keys is included in the repository as .git_allowed_signers and is cross-signed using the PGP key that is still used to sign release artifacts: https:// ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438. ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features: ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). ssh(1) will terminate a connection if the server offers an RSA key that falls below this limit, as the SSH protocol does not include the ability to retry a failed key exchange. sftp-server(8): add a "" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. sftp(1): use "" sftp-server extension (when available) to fill in user/group names for directory listings. sftp-server(8): support the "home-directory" extension reque
9.0 08 Apr 2022 10:25 minor feature: This release is focused on bugfixing. Potentially-incompatible changes: This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "" to support this. In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag. New features: ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default. The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session cipherte
8.9 24 Feb 2022 07:25 minor feature: This release includes a number of new features. New features: ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1). A detailed description of the feature is available at https:// and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. ssh(1), sshd(8): add the hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). SSH_ASKPASS will be used to request the PIN at authentication time. ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). ssh(1), sshd(8): read network data directly to the packet input buffer instead of indirectly via a small stack buffer. Provides a modest performance improvement. ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. ssh(1): extend the PubkeyAuthentication configuration d
8.8 27 Sep 2021 10:25 minor feature: This release is motivated primarily by the above deprecation and security fix. New features: ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs directive to accept a "none" argument to specify the default behaviour. scp(1): when using the SFTP protocol, continue transferring files after a transfer error occurs, better matching original scp/rcp behaviour. ssh(1): fix a number of memory leaks in multiplexing. ssh-keygen(1): avoid crash when using the -Y find-principals command. A number of documentation and manual improvements, including bz#3340, PR#139, PR#215, PR#241, PR#257. Portability: ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2). ssh(1)/sshd(8): some fixes to the pselect(2) replacement compatibility code. bz#3345. Checksums: SHA1 (openssh-8.8.tar.gz) = 732947082a8998047e839cc0b4c066bf0a7e1a5b; SHA256 (openssh-8.8.tar.gz) = AngyrPSQH255hnzU1l7y+LlVAUNcGWtuYQIFEl22nRo=; SHA1 (openssh-8.8p1.tar.gz) = 1eb964897a4372f6fb96c7effeb509ec71c379c9; SHA256 (openssh-8.8p1.tar.gz) = RZCJDqm7ms5Pca4zF4WjpYIyMkNRYZYO1fyGWI8zH+k=. Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https:// Please note that the OpenPGP key used to sign releases has been rotated for this release. The new key has been signed by the previous key to provide continuity. Reporting bugs: Please read Security bugs should be reported directly to
8.7 21 Aug 2021 15:45 minor feature: This release contains a mix of new features and bug-fixes. New features: scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side. SFTP support may be enabled via a temporary scp -s flag. It is intended for SFTP to become the default transfer mode in the near future, at which time the -s flag will be removed. The -O flag exists to force use of the original SCP/RCP protocol for cases where SFTP may be unavailable or incompatible. sftp-server(8): add a protocol extension to support expansion of ~/ and ~user/ prefixed paths. This was added to support these paths when used by scp(1) while in SFTP mode. ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to the ssh(1) -f flag. GHPR#231. ssh(1): add a StdinNull directive to ssh_config(5) that allows the config file to do the same thing as -n does on the ssh(1) command-line. GHPR#231. ssh(1): add a SessionType directive to ssh_config, allowing the configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags. GHPR#231. ssh-keygen(1): allowed signers files used by ssh-keygen(1) signatures now support listing key validity intervals alongside the key, and ssh-keygen(1) can optionally check during signature verification whether a specified time falls inside this interval. This feature is intended for use by git to support signing and verifying objects using ssh keys. ssh-keygen(8): support printing of the full public key in a sshsig signature via a -Oprint-pubkey flag. ssh(1)/sshd(8): start time-based re-keying exactly on schedule in the client and server mainloops. Previously the re-key timeout could expire but re-keying would not start until a packet was sent or received, causing a spin in select() if the connection was quiescent. ssh-keygen(1): avoid Y
8.6 19 Apr 2021 10:45 minor feature: This release contains mostly bugfixes. New features: sftp-server(8): add a new protocol extension that allows a client to discover various server limits, including maximum packet size and maximum read/write length. sftp(1): use the new extension (when available) to select better transfer lengths in the client. sshd(8): add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX. Unit tests: add a TEST_SSH_ELAPSED_TIMES environment variable to enable printing of the elapsed time in seconds of each test. ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in manual pages with the current default. GHPR#174. ssh(1): ensure that pkcs11_del_provider() is called before exit. GHPR#234. ssh(1), sshd(8): fix problems in string->argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR#223. ssh(1): return non-zero exit status when killed by signal; bz#3281. sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum packet size. Also handle zero-length reads that are not explicitly banned by the spec. Portability: sshd(8): don't mistakenly exit on transient read errors on the network socket (e.g. EINTR, EAGAIN); bz3297. Create a dedicated contrib/gnome-ssk-askpass3.c source instead of building it from the same file as used for GNOME2. Use the GNOME3 gdk_seat_grab() to manage keyboard/mouse/server grabs for better compatibility with Wayland. Fix portability build errors bz3293 bz3292 bz3291 bz3278. sshd(8): soft-disallow the fstatat64 syscall in the Linux seccomp-bpf sandbox. bz3276. Unit tests: enable autoopt and misc unit tests that were previously skipped. Checksums: SHA1 (openssh-8.6.tar.gz) = a3e93347eed6296faaaceb221e8786391530fccb; SHA256 (openssh-8.6.tar.gz) = ihmgdEgKfCBRpC0qzdQRwYownrpBf+rsihvk4Rmim8M=; SHA1 (openssh-8.6p1.tar.gz) = 8f9f0c94317baeb97747d6258f3997b4542762c0; SHA2
8.5 03 Mar 2021 12:25 minor feature: New features: ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions: the key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile); the same key does not exist under another name; a certificate host key is not in use; known_hosts contains no matching wildcard hostname pattern; VerifyHostKeyDNS is not enabled; the default UserKnownHostsFile is in use. We expect some of these conditions will be modified or relaxed in future. ssh(1), sshd(8): add a new LogVerbose configuration directive that allows forcing maximum debug logging by file/function/line pattern-lists. ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key. ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys. ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files. ssh(1): add a ssh_config PermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS. ssh(1): for FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials. sshd(8): implement client address-based rate-limiting via new sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize directives that provide more fine-grained control on a per-origin address basis than the global MaxStartups limit. ssh(1): prefix keyboard interactive prompts with "(user@host)" to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc. bz#3224. sshd(8): fix sshd_config SetEnv directives located inside Match blocks.
8.4 29 Sep 2020 03:05 minor feature: New features: ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for each use. These keys may be generated using ssh-keygen using a new "verify-required" option. When a PIN-required key is used, the user will be prompted for a PIN to complete the signature operation. sshd(8): authorized_keys now supports a new "verify-required" option to require FIDO signatures assert that the token verified that the user was present before making the signature. The FIDO protocol supports multiple methods for user-verification, but currently OpenSSH only supports PIN verification. sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn signatures. Webauthn is a standard for using FIDO keys in web browsers. These signatures are a slightly different format to plain FIDO signatures and thus require explicit support. ssh(1): allow some keywords to expand shell-style ${ENV} environment variables. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. bz#3140. ssh(1), ssh-agent(1): allow some additional control over the use of ssh-askpass via a new SSH_ASKPASS_REQUIRE environment variable, including forcibly enabling and disabling its use. bz#69. ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword to accept a time limit for keys in addition to its current flag options. Time-limited keys will automatically be removed from ssh-agent after their expiry time has passed. scp(1), sftp(1): allow the -A flag to explicitly enable agent forwarding in scp and sftp. The default remains to not forward an agent, even when ssh_config enables it. ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the destination. This allows, e.g. keeping host keys in individual files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654. ssh(1): add %-TOKEN, environment variable and tilde expansion to the UserKnownHostsFile directive, allowing the path to be complet
8.3 28 May 2020 21:45 minor feature: The focus of this release is bugfixing. New features: sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts. sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks; bz3148. ssh(1): add %TOKEN percent expansion for the LocalForward and RemoteForward keywords when used for Unix domain socket forwarding. bz#3014. All: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present. ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH. ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path" bz#3132. ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a PKCS11Provider; bz#3141. ssh-keygen(1): avoid NULL dereference when trying to convert an invalid RFC4716 private key. scp(1): when performing remote-to-remote copies using "scp -3", start the second ssh(1) channel with BatchMode=yes enabled to avoid confusing and non-deterministic ordering of prompts. ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token, perform hashing of the message to be signed in the middleware layer rather than in OpenSSH code. This permits the use of security key middlewares that perform the hashing implicitly, such as Windows Hello. ssh(1): fix incorrect error message for "too many known hosts files." bz#3149. ssh(1): make failures when establishing "Tunnel" forwarding terminate the connection when ExitOnForwardFailure is enabled; bz#3116. ssh-keygen(1): fix printing of fingerprints on private keys and add a regression test for same. sshd(8): document order of checking AuthorizedKeysFile (first) and AuthorizedKeysCommand (subsequently, if the file doesn't match); bz#3134. sshd(8): document that /etc/hosts.equiv and /etc/shosts
8.2 14 Feb 2020 13:05 minor feature: This release contains some significant new features. FIDO/U2F Support: This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/ This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used. FIDO tokens are most commonly connected via USB but may be attached via other means such as Bluetooth or NFC. In OpenSSH, communication with the token is managed via a middleware library, specified by the SecurityKeyProvider directive in ssh/sshd_config(5) or the SSH_SK_PROVIDER environment variable fo
8.1 09 Oct 2019 15:45 minor feature: This release is focused on bug-fixing. New features: ssh(1): allow %n to be expanded in ProxyCommand strings. ssh(1), sshd(8): allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. "HostKeyAlgorithms ^ssh-ed25519". ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). ssh-keygen(1): print key comment when extracting public key from a private key. bz#3052. ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. bz#3003. All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. ssh(1): if a PKCS#11 token returns no keys then try to login and refetch them. Based on patch from Jakub Jelen; bz#2430. ssh(1): produce a useful error message if the user's shell is set incorrectly during "match exec" processing. bz#2791. sftp(1): allow the maximum uint32 value for the argument passed to -b which allows better error messages from later validation. bz#3050. ssh(1): avoid pledge sandbox violations in some combinations of remote forwarding, connection multiplexing and ControlMaster. ssh-keyscan(1): include SHA2-variant RSA key algorithms in KEX proposal; allows ssh-keyscan to harvest keys from servers that disable old SHA1 ssh-rsa. bz#3029. sftp(1): print explicit "not modified" message if a file was requested for resumed download but was considered already complete. bz#2978. sftp(1): fix a typo and m
8.0 18 Apr 2019 03:19 minor feature: This release is focused on new features and internal refactoring. New Features. ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens. ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591 761 and X25519. ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level. ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974 sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960. ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you. ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number. scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines. ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags through to subprocesses, such as ssh-pkcs11-helper started from ssh-agent. ssh-add(1): Add a "-T" option to allow testing whether keys in an agent are usable by performing a signature and a verification. sftp-server(8): Add a "" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067 sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks. sshd(8): Expose SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules
7.9 19 Oct 2018 13:05 minor feature: This is primarily a release. New Features. ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services). ssh(1): allow the IdentityAgent configuration directive to accept environment variable names. This supports the use of multiple agent sockets without needing to use paths. sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sessions (i.e. not subsystems) that were not subject to a forced command via authorized_keys or sshd_config. bz#1424. ssh(1): support "ssh -Q sig" to list supported signature options. Also "ssh -Q help" to show the full set of supported queries. ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm. sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash. ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) authentication log messages. ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when attempting to load PEM private keys while using an incorrect passphrase. bz#2901 sshd(8): when a channel message is received from a client. The stderr file descriptor at the same time stdout is This avoids stuck processes if they were waiting for stderr to and were insensitive to stdin/out closing. bz#2863 ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding indefinitely. Previously the behaviour of ForwardX11Timeout=0 was undefined. sshd(8): when compiled with GSSAPI support, cache supported method OIDs regardless of whether GSSAPI authentication is enabled in t
7.8 24 Aug 2018 14:45 minor feature: This is primarily a release. New Features. ssh(1)/sshd(8): add new signature algorithms "rsa-sha2-256-cert-." and "" to explicitly force use of RSA/SHA2 signatures in authentication. sshd(8): extend the PermitUserEnvironment option to accept a whitelist of environment variable names in addition to global "yes" or "no" settings. sshd(8): add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R...). sshd(8): add some countermeasures against timing attacks used for account validation/enumeration. sshd will enforce a minimum time for each failed authentication attempt consisting of a global 5ms minimum plus an additional per-user 0-4ms delay derived from a host secret. sshd(8): add a SetEnv directive to allow an administrator to explicitly specify environment variables in sshd_config. Variables set by SetEnv override the default and client-specified environment. ssh(1): add a SetEnv directive to request that the server sets an environment variable in the session. Similar to the existing SendEnv option, these variables are set subject to server configuration. ssh(1): allow "SendEnv -PATTERN" to clear environment variables previously marked for sending to the server. bz#1285 ssh(1)/sshd(8): make UID available as a -expansion everywhere that the username is available currently. bz#2870 ssh(1): allow setting ProxyJump=none to disable ProxyJump functionality. bz#2869 sshd(8): avoid observable differences in request parsing that could be used to determine whether a target user is valid. All: substantial internal refactoring. ssh(1)/sshd(8): some memory leaks; bz#2366. ssh(1): a pwent clobber (introduced in openssh-7.7) that could occur during key loading, manifesting as crash on some platforms. sshd_config(5): clarify documentation for AuthenticationMethods option; bz#2663 ssh(1
7.7 03 Apr 2018 20:45 minor feature: This is primarily a release. New Features. All: Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures) based on the algorithm described in https:// The XMSS signature code is experimental and not compiled in by default. sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux). sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present. sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present. sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys. ssh(1): Add a BindInterface option to allow binding the outgoing connection to an interface's address (basically a more usable BindAddress). ssh(1): Expose device allocated for tun/tap forwarding via a new T expansion for LocalCommand. This allows LocalCommand to be used to prepare the interface. sshd(8): Expose the device allocated for tun/tap forwarding via a new SSH_TUNNEL environment variable. This allows automatic setup of the interface and surrounding network configuration automatically on the server. ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path. Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify any other algorithm. ssh-keygen(1): Allow certificate validity intervals that specify only a start or stop time (instead of both or neither). sftp(1): Allow "cd" and "lcd" commands with no explicit path arg
7.6 05 Oct 2017 16:25 minor feature: This is primarily a release. It also contains substantial internal refactoring. Security. sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski. New Features. ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host. sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a SSH_USER_AUTH environment variable in the subsequent session. ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717. ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377. ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. ssh-add(1): added -q option to make ssh-add quiet on success. ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys.
7.5 21 Mar 2017 22:25 minor feature: This is a release. Security. ssh(1), sshd(8): weakness in CBC padding oracle countermeasures that allowed a variant of the attack in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entirely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London. sftp-client(1): (portable OpenSSH only) On Cygwin, a client making a recursive file transfer could be manipulated by a hostile server to perform a path-traversal attack, creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero. New Features. ssh(1), sshd(8): Support "=-" syntax to easily remove methods from algorithm lists, e.g. Ciphers=-*cbc. bz#2671 sshd(1): NULL dereference crash when key exchange start messages are sent out of sequence. ssh(1), sshd(8): Allow form-feed characters to appear in configuration files. sshd(8): regression in OpenSSH 7.4 support for the server-sig-algs extension, where SHA2 RSA signature methods were not being correctly advertised. bz#2680 ssh(1), ssh-keygen(1): a number of case-sensitivity in known_hosts processing. bz#2591 bz#2685 ssh(1): Allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key. bz#2617 ssh(1): When updating hostkeys using the UpdateHostKeys option, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and not the old ssh-rsa method. bz#2650 ssh(1): Detect and report excessively long configuration file lines. bz#2651 Merge a number of found by Coverity and reported via Redhat and FreeBSD. Includes for some memory and file descriptor leaks in error paths. bz#2687 ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692. ssh(1), sshd
7.4 20 Dec 2016 10:05 minor feature: This is primarily a release. Security. ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero. sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero. sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero. sshd(8): The shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mi
7.3 09 Oct 2016 04:05 minor feature: This is primarily a release. Security. sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto. sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at ssh(1), sshd(8): observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility. ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh. New Features. ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through one or more SSH bastions or "jump hosts". ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment. ssh(1): Allow ExitOnForwar
7.2 29 Feb 2016 18:05 minor feature: This is primarily a release. Security. ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2). ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension. ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits. sshd(8): pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config). New Features. All: add support for RSA signatures using SHA-256/512 hash algorithms based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt. ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). sshd(8): add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. "no-pty" - "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436 ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats. ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -". ssh-keygen(1): allow fingerprinting multiple public keys in a file, e.g. "ssh-keygen -lf /.ssh/authorized_keys" bz#1319 sshd(8): support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486 ssh-keygen(1): support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L" ssh-keyscan(1):
7.1 22 Aug 2015 11:45 minor feature: This is a release. Security. sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas. ssh(1), sshd(8): add compatibility workarounds for FuTTY. ssh(1), sshd(8): refine compatibility workarounds for WinSCP. a number of memory faults (double-free, free of uninitialised memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz Kocielski. Checksums: SHA1 (openssh-7.1.tar.gz) = 06c1db39f33831fe004726e013b2cf84f1889042. SHA256 (openssh-7.1.tar.gz) = H7U1se9EoBmhkKi2i7lqpMX9QHdDTsgpu7kd5VZUGSY=. SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6. SHA256 (openssh-7.1p1.tar.gz) = /AptLR0GPVxm3/2VJJPQzaJWytIE9oHeD4TvhbKthCg=. Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE_KEY.asc from the mirror sites. Reporting : Please read Security should be reported directly to OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
7.0 13 Aug 2015 10:25 minor feature: The focus of this release is primarily to deprecate weak, legacy and/or unsafe cryptography. Security. sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev. sshd(8): Portable OpenSSH only: Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit. sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit. sshd(8): fix circumvention of MaxAuthTries using keyboard-interactive authentication. By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied. Found by Kingcope. Potentially-incompatible Changes. Support for the legacy SSH version 1 protocol is disabled by default at compile time. Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at Support for ssh-dss, ssh-dss-cert- host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at Support for the legacy v00 cert format has been removed. The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password". PermitRootLogin=without-password/prohibit-password now bans all interactive authentication
6.9 02 Jul 2015 13:45 minor feature: This is primarily a bugfix release. Security. ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. New Features. ssh(1), sshd(8): promote to be the default cipher. sshd(8): support admin-specified arguments to AuthorizedKeysCommand; bz#2081. sshd(8): add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file. ssh(1), ssh-add(1): support PKCS#11 devices with external PIN entry devices bz#2240. sshd(8): allow GSSAPI host credential check to be relaxed for multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928. ssh-keygen(1): support "ssh-keygen -lF hostname" to search known_hosts and print key hashes rather than full keys. ssh-agent(1): add -D flag to leave ssh-agent in foreground without enabling debug mode; bz#2381. Bugfixes. ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP). Many fixes for problems caused by compile-time deactivation of SSH1 support. ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes 4K; bz#2209. ssh(1): fix out-of-bound read in EscapeChar configuration option parsing; bz#2396. sshd(8): fix application of Per
6.8 19 Mar 2015 00:25 major feature: This is a major release, containing a number of new features as well as a large internal re-factoring. Potentially-incompatible changes. sshd: UseDNS now defaults to 'no'. Configurations that match against the client host name may need to re-enable it or convert to matching against addresses. New Features. Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout. Add FingerprintHash option to ssh and sshd, and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please note that visual host keys will also be different. ssh, sshd: Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option. ssh: Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication. ssh, sshd: fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths. ssh: when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bz and avoiding needless DNS lookups in some cases. ssh-keygen, sshd: Key Revocation Lists no longer require OpenSSH to be compiled with OpenSSL support. ssh, ssh-keysign: Make ed25519 keys work for host based authentication. sshd: SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fa
6.7 08 Oct 2014 23:58 major feature: The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. Support for tcpwrappers/libwrap has been removed. Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. Add support for Unix domain socket forwarding. Add support for SSHFP DNS records for ED25519 key types. Allow resumption of interrupted sftp uploads. When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. Allow explicit ::1 and forwarding bind addresses when GatewayPorts=no; allows client to choose address family. Add a C escape sequence for LocalCommand and ControlPath. Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target. Many bugfixes were applied.