OpenSSH Changelog

What's new in OpenSSH 9.6

Dec 18, 2023

This release contains a number of security fixes, some small features and bugfixes.
Security:
This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters.
ssh(1), sshd(8): implement protocol extensions to thwart the so-called "Terrapin attack" discovered by Fabian BÃ¤umer, Marcus Brinkmann and JÃ¶rg Schwenk. This attack allows a MITM to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. A peer SSH client/server would not be able to detect that messages were deleted.
While cryptographically novel, the security impact of this attack is fortunately very limited as it only allows deletion of consecutive messages, and deleting most messages at this stage of the protocol prevents user user authentication from proceeding and results in a stuck connection.
The most serious identified impact is that it lets a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication starts, allowing the attacker to disable a subset of the keystroke timing obfuscation features introduced in OpenSSH 9.5. There is no other discernable impact to session secrecy or session integrity.
OpenSSH 9.6 addresses this protocol weakness through a new "strict KEX" protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange.
Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol.
Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack.
More details of these changes are in the PROTOCOL file in the OpenSSH source distribition.
ssh-agent(1): when adding PKCS#11-hosted private keys while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied. Use of regular private keys, FIDO tokens and unconstrained keys are unaffected.
ssh(1): if an invalid user or hostname that contained shell metacharacters was passed to ssh(1), and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via %u, %h or similar expansion token, then an attacker who could supply arbitrary user/hostnames to ssh(1) could potentially perform command injection depending on what quoting was present in the user-supplied ssh_config(5) directive.
This situation could arise in the case of git submodules, where a repository could contain a submodule with shell characters in its user/hostname. Git does not ban shell metacharacters in user or host names when checking out repositories from untrusted sources.
Although we believe it is the user's responsibility to ensure validity of arguments passed to ssh(1), especially across a security boundary such as the git example above, OpenSSH 9.6 now bans most shell metacharacters from user and hostnames supplied via the command-line. This countermeasure is not guaranteed to be effective in all situations, as it is infeasible for ssh(1) to universally filter shell metacharacters potentially relevant to user-supplied commands.
User/hostnames provided via ssh_config(5) are not subject to these restrictions, allowing configurations that use strange names to continue to be used, under the assumption that the user knows what they are doing in their own configuration files.
Potentially incompatible changes:
ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect of SSH implementations that follow the specification.
New features:
ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610
ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels.
ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported.
ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block.
ssh-add(1), ssh-agent(1): add an agent protocol extension to allow specifying certificates when loading PKCS#11 keys. This allows the use of certificates backed by PKCS#11 private keys in all OpenSSH tools that support ssh-agent(1). Previously only ssh(1) supported this use-case.
Bugfixes:
ssh(1): when deciding whether to enable the keystroke timing obfuscation, enable it only if a channel with a TTY is active.
ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals before checking flags set in signal handler. Avoids potential race condition between signaling ssh to exit and polling. bz3531
ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326
sftp(1): correct handling of the [email protected] option when the server returned an unexpected message.
A number of fixes to the PuTTY and Dropbear regress/integration tests.
ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982
ssh_config(5): mention "none" is a valid argument to IdentityFile in the manual. bz3080
scp(1): improved debugging for paths from the server rejected for not matching the client's glob(3) pattern in old SCP/RCP protocol mode.
ssh-agent(1): refuse signing operations on destination-constrained keys if a previous session-bind operation has failed. This may prevent a fail-open situation in future if a user uses a mismatched ssh(1) client and ssh-agent(1) where the client supports a key type that the agent does not support.
Portability:
Better identify unsupported and unstable compiler flags, such as -fzero-call-used-regs which has been unstable across a several clang releases.
A number of fixes to regression test reliability and log collection.
Update the OpenSSL dependency in the RPM specification.
sshd(8): for OpenSolaris systems that support privilege limitation via the getpflags() interface, prefer using the newer PRIV_XPOLICY to PRIV_LIMIT. bz2833

New in OpenSSH 9.5 (Oct 6, 2023)

Potentially incompatible changes:
ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014).
sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. This may change behaviour for exotic configurations, but the most common subsystem configuration (sftp-server) is unlikely to be affected.
New features:
ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.
ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "[email protected]" ext-info message with a string version number of "0".
sshd(8): allow override of Subsystem directives in sshd Match blocks.
Bugfixes:
scp(1): fix scp in SFTP mode recursive upload and download of directories that contain symlinks to other directories. In scp mode, the links would be followed, but in SFTP mode they were not. bz3611
ssh-keygen(1): handle cr+lf (instead of just cr) line endings in sshsig signature files.
ssh(1): interactive mode for ControlPersist sessions if they originally requested a tty.
sshd(8): make PerSourceMaxStartups first-match-wins
sshd(8): limit artificial login delay to a reasonable maximum (5s) and don't delay at all for the "none" authentication mechanism.cw bz3602
sshd(8): Log errors in kex_exchange_identification() with level verbose instead of error to reduce preauth log spam. All of those get logged with a more generic error message by sshpkt_fatal().
sshd(8): correct math for ClientAliveInterval that caused the probes to be sent less frequently than configured.
ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused multiplexed sessions to ignore SIGINT under some circumstances.
Portability:
Avoid clang zero-call-used-regs=all bug on Apple compilers, which for some reason have version numbers that do not match the upstream clang version numbers. bz#3584
Fix configure test for zlib 1.3 and later/development versions. bz3604

New in OpenSSH 9.4 (Aug 10, 2023)

Potentially incompatible changes:
This release removes support for older versions of libcrypto. OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1. Note that these versions are already deprecated by their upstream vendors.
ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories.
New features:
ssh(1): allow forwarding Unix Domain sockets via ssh -W.
ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name.
ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location.
ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point.
sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now accept two additional %-expansion sequences: %D which expands to the routing domain of the connected session and %C which expands to the addresses and port numbers for the source and destination of the connection.
ssh-keygen(1): increase the default work factor (rounds) for the bcrypt KDF used to derive symmetric encryption keys for passphrase protected key files by 50%.
Bugfixes:
ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider.
ssh(1): make -f (fork after authentication) work correctly with multiplexed connections, including ControlPersist. bz3589 bz3589
ssh(1): make ConnectTimeout apply to multiplexing sockets and not just to network connections.
ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it.
sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand appears before it in sshd_config. Since OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was incorrectly ignored in this situation. bz3574
sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL signatures When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatues was never completed in OpenSSH. This release removes the partially-implemented code to verify KRLs. All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in KRL files.
All: fix a number of memory leaks and unreachable/harmless integer overflows.
ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11 modules; GHPR406
sshd(8), ssh(1): better validate CASignatureAlgorithms in ssh_config and sshd_config. Previously this directive would accept certificate algorithm names, but these were unusable in practice as OpenSSH does not support CA chains. bz3577
ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature algorithms that are valid for CA signing. Previous behaviour was to list all signing algorithms, including certificate algorithms.
ssh-keyscan(1): gracefully handle systems where rlimits or the maximum number of open files is larger than INT_MAX; bz3581
ssh-keygen(1): fix "no comment" not showing on when running `ssh-keygen -l` on multiple keys where one has a comment and other following keys do not. bz3580
scp(1), sftp(1): adjust ftruncate() logic to handle servers that reorder requests. Previously, if the server reordered requests then the resultant file would be erroneously truncated.
ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567
scp(1): when copying local->remote, check that the source file exists before opening an SFTP connection to the server. Based on GHPR#370
Portability:
All: a number of build fixes for various platforms and configuration combinations.
sshd(8): provide a replacement for the SELinux matchpathcon() function, which is deprecated.
All: relax libcrypto version checks for OpenSSL >=3. Beyond OpenSSL 3.0, the ABI compatibility guarantees are wider (only the library major must match instead of major and minor in earlier versions). bz#3548.
Tests: fix build problems for the sk-dummy.so FIDO provider module used in some tests.

New in OpenSSH 9.3 (Mar 16, 2023)

Security:
This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs.
ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu.
ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of-service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer.
New features:
ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493
sshd(8): add a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated and for configuration evaluation and verification by unprivileged users.
Bugfixes:
scp(1), sftp(1): fix progressmeter corruption on wide displays; bz3534
ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of private keys as some systems are starting to disable RSA/SHA1 in libcrypto.
sftp-server(8): fix a memory leak. GHPR363
ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol compatibility code and simplify what's left.
Fix a number of low-impact Coverity static analysis findings. These include several reported via bz2687
ssh_config(5), sshd_config(5): mention that some options are not first-match-wins.
Rework logging for the regression tests. Regression tests will now capture separate logs for each ssh and sshd invocation in a test.
ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it should; bz3532.
ssh(1): ensure that there is a terminating newline when adding a new entry to known_hosts; bz3529
Portability:
sshd(8): harden Linux seccomp sandbox. Move to an allowlist of mmap(2), madvise(2) and futex(2) flags, removing some concerning kernel attack surface.
sshd(8): improve Linux seccomp-bpf sandbox for older systems; bz3537

New in OpenSSH 9.2 (Feb 2, 2023)

Security:
This release contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs.
sshd(8): fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1. This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms.
ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option would ignore its first argument unless it was one of the special keywords "any" or "none", causing the permission list to fail open if only one permission was specified. bz3515
ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options were enabled, and the system/libc resolver did not check that names in DNS responses were valid, then use of these options could allow an attacker with control of DNS to include invalid characters (possibly including wildcards) in names added to known_hosts files when they were updated. These names would still have to match the CanonicalizePermittedCNAMEs allow-list, so practical exploitation appears unlikely.
Potentially-incompatible changes:
ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime.
This option defaults to "no", disabling the ~C command-line that was previously enabled by default. Turning off the command-line allows platforms that support sandboxing of the ssh(1) client (currently only OpenBSD) to use a stricter default sandbox policy.
New features:
sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels.
sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above.
sshd(8): add a -V (version) option to sshd like the ssh client has.
ssh(1): add a "Host" line to the output of ssh -G showing the original hostname argument. bz3343
scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence.
ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976
ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499
Bugfixes:
ssh(1): when restoring non-blocking mode to stdio fds, restore exactly the flags that ssh started with and don't just clobber them with zero, as this could also remove the append flag from the set. bz3523
ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none and a hostkey in one of the system known hosts file changes.
scp(1): switch scp from using pipes to a socket-pair for communication with its ssh sub-processes, matching how sftp(1) operates.
sshd(8): clear signal mask early in main(); sshd may have been started with one or more signals masked (sigprocmask(2) is not cleared on fork/exec) and this could interfere with various things, e.g. the login grace timer. Execution environments that fail to clear the signal mask before running sshd are clearly broken, but apparently they do exist.
ssh(1): warn if no host keys for hostbased auth can be loaded.
sshd(8): Add server debugging for hostbased auth that is queued and sent to the client after successful authentication, but also logged to assist in diagnosis of HostbasedAuthentication problems. bz3507
ssh(1): document use of the IdentityFile option as being usable to list public keys as well as private keys. GHPR352
sshd(8): check for and disallow MaxStartups values less than or equal to zero during config parsing, rather than failing later at runtime. bz3489
ssh-keygen(1): fix parsing of hex cert expiry times specified on the command-line when acting as a CA.
scp(1): when scp(1) is using the SFTP protocol for transport (the default), better match scp/rcp's handling of globs that don't match the globbed characters but do match literally (e.g. trying to transfer a file named "foo.[1]"). Previously scp(1) in SFTP mode would not match these pathnames but legacy scp/rcp mode would. bz3488
ssh-agent(1): document the "-O no-restrict-websafe" command-line option.
ssh(1): honour user's umask(2) if it is more restrictive then the ssh default (022).
Portability:
sshd(8): allow writev(2) in the Linux seccomp sandbox. This seems to be used by recent glibcs at least in some configurations during error conditions. bz3512.
sshd(8): simply handling of SSH_CONNECTION PAM env var, removing global variable and checking the return value from pam_putenv. bz3508
sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was mistakenly enabled during the OpenSSH 9.1 release cycle.
misc: update autotools and regenerate the config files using the latest autotools
all: use -fzero-call-used-regs=used on clang 15 instead of -fzero-call-used-reg=all, as some versions of clang 15 have miscompile code when it was enabled. bz3475
sshd(8): defer PRNG seeding until after the initial closefrom(2) call. PRNG seeding will initialize OpenSSL, and some engine providers (e.g. Intel's QAT) will open descriptors for their own use that closefrom(2) could clobber. bz3483
misc: in the poll(2)/ppoll(2) compatibility code, avoid assuming the layout of fd_set.
sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older FreeBSD kernels. Some versions do not support using id 0 to refer to the current PID for procctl, so try again with getpid() explicitly before failing.
configure.ac: fix -Wstrict-prototypes in configure test code. Clang 16 now warns on this and legacy prototypes will be removed in C23. GHPR355
configure.ac: fix setres*id checks to work with clang-16. glibc has the prototypes for setresuid behind _GNU_SOURCE, and clang 16 will error out on implicit function definitions. bz3497

New in OpenSSH 9.1 (Oct 4, 2022)

Security:
This release contains fixes for three minor memory safety problems.
None are believed to be exploitable, but we report most memory safety problems as potential security vulnerabilities out of caution.
ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys
ssh-keygen(1): double free() in error path of file hashing step in signing/verify code; GHPR333
ssh-keysign(8): double-free in error path introduced in openssh-8.9
Potentially-incompatible changes:
The portable OpenSSH project now signs commits and release tags using git's recent SSH signature support. The list of developer signing keys is included in the repository as .git_allowed_signers and is cross-signed using the PGP key that is still used to sign release artifacts: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438
ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.
New features:
ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).
ssh(1) will terminate a connection if the server offers an RSA key that falls below this limit, as the SSH protocol does not include the ability to retry a failed key exchange.
sftp-server(8): add a "[email protected]" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
sftp(1): use "[email protected]" sftp-server extension (when available) to fill in user/group names for directory listings.
sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "[email protected]", but some other clients support it.
ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468
sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3"
ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429
Bugfixes:
ssh-keygen(1): implement the "verify-required" certificate option. This was already documented when support for user-verified FIDO keys was added, but the ssh-keygen(1) code was missing.
ssh-agent(1): hook up the restrict_websafe command-line flag; previously the flag was accepted but never actually used.
sftp(1): improve filename tab completions: never try to complete names to non-existent commands, and better match the completion type (local or remote filename) against the argument position being completed.
ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key handling, especially relating to keys that request user-verification. These should reduce the number of unnecessary PIN prompts for keys that support intrinsic user verification. GHPR302, GHPR329
ssh-keygen(1): when enrolling a FIDO resident key, check if a credential with matching application and user ID strings already exists and, if so, prompt the user for confirmation before overwriting the credential. GHPR329
sshd(8): improve logging of errors when opening authorized_keys files. bz2042
ssh(1): avoid multiplexing operations that could cause SIGPIPE from causing the client to exit early. bz3454
ssh_config(5), sshd_config(5): clarify that the RekeyLimit directive applies to both transmitted and received data. GHPR328
ssh-keygen(1): avoid double fclose() in error path.
sshd(8): log an error if pipe() fails while accepting a connection. bz3447
ssh(1), ssh-keygen(1): fix possible NULL deref when built without FIDO support. bz3443
ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage. GHPR294.
sshd(8): ensure that authentication passwords are cleared from memory in error paths. GHPR286
ssh(1), ssh-agent(1): avoid possibility of notifier code executing kill(-1). GHPR286
ssh_config(5): note that the ProxyJump directive also accepts the same tokens as ProxyCommand. GHPR305.
scp(1): do not not ftruncate(3) files early when in sftp mode. The previous behaviour of unconditionally truncating the destination file would cause "scp ~/foo localhost:foo" and the reverse "scp localhost:foo ~/foo" to delete all the contents of their destination. bz3431
ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is unable to load a private key; bz3429
sftp(1), scp(1): when performing operations that glob(3) a remote path, ensure that the implicit working directory used to construct that path escapes glob(3) characters. This prevents glob characters from being processed in places they shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation treat the path "/tmp/a*" literally and not attempt to expand it.
ssh(1), sshd(8): be stricter in which characters will be accepted in specifying a mask length; allow only 0-9. GHPR278
ssh-keygen(1): avoid printing hash algorithm twice when dumping a KRL
ssh(1), sshd(8): continue running local I/O for open channels during SSH transport rekeying. This should make ~-escapes work in the client (e.g. to exit) if the connection happened to have stalled during a rekey event.
ssh(1), sshd(8): avoid potential poll() spin during rekeying
Further hardening for sshbuf internals: disallow "reparenting" a hierarchical sshbuf and zero the entire buffer if reallocation fails. GHPR287
Portability:
ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in FIDO security key support if libfido2 is found and usable, unless --without-security-key-builtin was requested.
ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello FIDO device usable on Cygwin. The windows://hello FIDO device will be automatically used by default on this platform unless requested otherwise, or when probing resident FIDO credentials (an operation not currently supported by WinHello).
Portable OpenSSH: remove workarounds for obsolete and unsupported versions of OpenSSL libcrypto. In particular, this release removes fallback support for OpenSSL that lacks AES-CTR or AES-GCM.
Those AES cipher modes were added to OpenSSL prior to the minimum
version currently supported by OpenSSH, so this is not expected to
impact any currently supported configurations.
sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc
All: resync and clean up internal CSPRNG code.
scp(1), sftp(1), sftp-server(8): avoid linking these programs with unnecessary libraries. They are no longer linked against libz and libcrypto. This may be of benefit to space constrained systems using any of those components in isolation.
sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox architectures.
configure: remove special casing of crypt(). configure will no longer search for crypt() in libcrypto, as it was removed from there years ago. configure will now only search libc and libcrypt.
configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its RSA implementation (CVE-2022-2274) on x86_64.
All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322
ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes required by the XMSS code on some platforms.
sshd(8): cache timezone data in capsicum sandbox.

New in OpenSSH 9.0 (Apr 8, 2022)

This release is focused on bug fixing.
Potentially-incompatible changes:
This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "[email protected]" to support this.
In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag.
New features:
ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("[email protected]"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.
We are making this change now (i.e. ahead of cryptographically- relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.
sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948
sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.
Bugfixes:
ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output fd closes without data in the channel buffer. bz3405 and bz3411
sshd(8): pack pollfd array in server listen/accept loop. Could cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
ssh-keygen(1): avoid NULL deref via the find-principals and check-novalidate operations. bz3409 and GHPR#307 respectively.
scp(1): fix a memory leak in argument processing. bz3404
sshd(8): don't try to resolve ListenAddress directives in the sshd re-exec path. They are unused after re-exec and parsing errors (possible for example if the host's network configuration changed) could prevent connections from being accepted.
sshd(8): when refusing a public key authentication request from a client for using an unapproved or unsupported signature algorithm include the algorithm name in the log message to make debugging easier.
Portability:
sshd(8): refactor platform-specific locked account check, fixing an incorrect free() on platforms with both libiaf and shadow passwords (probably only Unixware) GHPR#284,
ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401.
sshd(8): provide killpg implementation (mostly for Tandem NonStop) GHPR#301.
Check for missing ftruncate prototype. GHPR#301
sshd(8): default to not using sandbox when cross compiling. On most systems poll(2) does not work when the number of FDs is reduced with setrlimit, so assume it doesn't when cross compiling and we can't run the test. bz#3398.
sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix sandbox violations on some (at least i386 and armhf) 32bit Linux platforms. bz#3396.
Improve detection of -fzero-call-used-regs=all support in configure script.

New in OpenSSH 8.9 (Feb 23, 2022)

New features:
ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1)
A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release.
ssh(1), sshd(8): add the [email protected] hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method.
ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs.
ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts.
ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git.
ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time.
ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256).
ssh(1), sshd(8): read network data directly to the packet input buffer instead indirectly via a small stack buffer. Provides a modest performance improvement.
ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement.
ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys.
Bugfixes:
sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. PR#277.
sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names.
ssh-keysign(1): unbreak for KEX algorithms that use SHA384/51 exchange hashes
ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. bz3360
scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths.
ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case.
ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys.
ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX; bz3375
ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. bz3375
All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. On platforms with missing or broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is available.
ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file.
ssh-keygen(1): make sshsig verify-time argument parsing optional
sshd(8): fix truncation in rhosts/shosts path construction.
ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364
ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it.
Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. bz3366
ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. bz#3373
ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option.
ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line
ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719
ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. bz3378
ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. bz3372
scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour.
scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode.
sshd(8): fix potential race in SIGTERM handling PR#289
ssh(1), ssh(8): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. PR#295
ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files
Portability:
ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's implementation does not work in a chroot when the kernel does not have close_range(2). It tries to read from /proc/self/fd and when that fails dies with an assertion of sorts. Instead, call close_range(2) directly from our compat code and fall back if that fails. bz#3349,
OS X poll(2) is broken; use compat replacement. For character- special devices like /dev/null, Darwin's poll(2) returns POLLNVAL when polled with POLLIN. Apparently this is Apple bug 3710161 - not public but a websearch will find other OSS projects rediscovering it periodically since it was first identified in 2005.
Correct handling of exceptfds/POLLPRI in our select(2)-based poll(2)/ppoll(2) compat implementation.
Cygwin: correct checking of mbstowcs() return value.
Add a basic SECURITY.md that refers people to the openssh.com website.
Enable additional compiler warnings and toolchain hardening flags, including -Wbitwise-instead-of-logical, -Wmisleading-indentation, -fzero-call-used-regs and -ftrivial-auto-var-init.
HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version is not reliable.

New in OpenSSH 8.8 (Sep 28, 2021)

New in OpenSSH 8.7 (Aug 23, 2021)

New features:
scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side.
SFTP support may be enabled via a temporary scp -s flag. It is intended for SFTP to become the default transfer mode in the near future, at which time the -s flag will be removed. The -O flag exists to force use of the original SCP/RCP protocol for cases where SFTP may be unavailable or incompatible.
sftp-server(8): add a protocol extension to support expansion of ~/ and ~user/ prefixed paths. This was added to support these paths when used by scp(1) while in SFTP mode.
ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to the ssh(1) -f flag. GHPR#231
ssh(1): add a StdinNull directive to ssh_config(5) that allows the config file to do the same thing as -n does on the ssh(1) command-line. GHPR#231
ssh(1): add a SessionType directive to ssh_config, allowing the configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags. GHPR#231
ssh-keygen(1): allowed signers files used by ssh-keygen(1) signatures now support listing key validity intervals alongside they key, and ssh-keygen(1) can optionally check during signature verification whether a specified time falls inside this interval. This feature is intended for use by git to support signing and verifying objects using ssh keys.
ssh-keygen(8): support printing of the full public key in a sshsig signature via a -Oprint-pubkey flag.
Bugfixes:
ssh(1)/sshd(8): start time-based re-keying exactly on schedule in the client and server mainloops. Previously the re-key timeout could expire but re-keying would not start until a packet was sent or received, causing a spin in select() if the connection was quiescent.
ssh-keygen(1): avoid Y2038 problem in printing certificate validity lifetimes. Dates past 2^31-1 seconds since epoch were displayed incorrectly on some platforms. bz#3329
scp(1): allow spaces to appear in usernames for local to remote and scp -3 remote to remote copies. bz#1164
ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as a deprecated alias so configuration files continue to work as well as a reference in the man page for people looking for it. bz#3303
ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name when extracting a key from a PKCS#11 certificate. bz#3327
ssh(1): restore blocking status on stdio fds before close. ssh(1) needs file descriptors in non-blocking mode to operate but it was not restoring the original state on exit. This could cause problems with fds shared with other programs via the shell, bz#3280 and GHPR#246
ssh(1)/sshd(8): switch both client and server mainloops from select(3) to pselect(3). Avoids race conditions where a signal may arrive immediately before select(3) and not be processed until an event fires. bz#2158
ssh(1): sessions started with ControlPersist were incorrectly executing a shell when the -N (no shell) option was specified. bz#3290
ssh(1): check if IPQoS or TunnelDevice are already set before overriding. Prevents values in config files from overriding values supplied on the command line. bz#3319
ssh(1): fix debug message when finding a private key to match a certificate being attempted for user authentication. Previously it would print the certificate's path, whereas it was supposed to be showing the private key's path. GHPR#247
sshd(8): match host certificates against host public keys, not private keys. Allows use of certificates with private keys held in a ssh-agent. bz#3524
ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which allows RSA/SHA2 signatures for public key authentication but fails to advertise this correctly via SSH2_MSG_EXT_INFO. This causes clients of these server to incorrectly match PubkeyAcceptedAlgorithmse and potentially refuse to offer valid keys. bz#3213
sftp(1)/scp(1): degrade gracefully if a sftp-server offers the [email protected] extension but fails when the client tries to invoke it. bz#3318
ssh(1): allow ssh_config SetEnv to override $TERM, which is otherwise handled specially by the protocol. Useful in ~/.ssh/config to set TERM to something generic (e.g. "xterm" instead of "xterm-256color") for destinations that lack terminfo entries.
sftp-server(8): the [email protected] extension was incorrectly marked as an operation that writes to the filesystem, which made it unavailable in sftp-server read-only mode. bz#3318
ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when the update removed more host keys than remain present.
many manual page fixes.
Portability:
ssh(1): move closefrom() to before first malloc. When built against tcmalloc, the closefrom() would stomp on file descriptors created for tcmalloc's internal use. bz#3321
sshd(8): handle GIDs > 2^31 in getgrouplist. When compiled in 32bit mode, the getgrouplist implementation may fail for GIDs greater than LONG_MAX.
ssh(1): xstrdup environment variable used by ForwardAgent. bz#3328
sshd(8): don't sigdie() in signal handler in privsep child process; this can end up causing sandbox violations per bz3286

New in OpenSSH 8.6 (Apr 19, 2021)

New in OpenSSH 8.5 (Mar 3, 2021)

Future deprecation notice:
It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.
In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. OpenSSH will disable this signature scheme by default in the near future.
Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default.
This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default.
The better alternatives include:
The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.
The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5.
The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded.
This release enables the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf
Security:
ssh-agent(1): fixed a double-free memory corruption that was introduced in OpenSSH 8.2 . We treat all such memory faults as potentially exploitable. This bug could be reached by an attacker with access to the agent socket.
On modern operating systems where the OS can provide information about the user identity connected to a socket, OpenSSH ssh-agent and sshd limit agent socket access only to the originating user and root. Additional mitigation may be afforded by the system's malloc(3)/free(3) implementation, if it detects double-free conditions.
The most likely scenario for exploitation is a user forwarding an agent either to an account shared with a malicious user or to a host with an attacker holding root access.
Portable sshd(8): Prevent excessively long username going to PAM. This is a mitigation for a buffer overflow in Solaris' PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations. This is not a problem in sshd itself, it only prevents sshd from being used as a vector to attack Solaris' PAM. It does not prevent the bug in PAM from being exploited via some other PAM application. GHPR#212
Potentially-incompatible changes:
This release includes a number of changes that may affect existing configurations:
ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519.
ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
ssh(1), sshd(8): remove the pre-standardization [email protected]. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519.
The previous [email protected] method is replaced with [email protected]. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761.
(note this both the updated method and the one that it replaced are disabled by default)
ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers.

New in OpenSSH 8.4 (Sep 28, 2020)

Security:
ssh-agent(1): restrict ssh-agent from signing web challenges for FIDO/U2F keys.
When signing messages in ssh-agent using a FIDO key that has an application string that does not start with "ssh:", ensure that the message being signed is one of the forms expected for the SSH protocol (currently public key authentication and sshsig signatures).
This prevents ssh-agent forwarding on a host that has FIDO keys attached granting the ability for the remote side to sign challenges for web authentication using those keys too.
Note that the converse case of web browsers signing SSH challenges is already precluded because no web RP can have the "ssh:" prefix in the application string that we require.
ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating a FIDO resident key.
The recent FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect" feature to better protect resident keys. We use this option to require a PIN prior to all operations that may retrieve a resident key from a FIDO token.
Potentially-incompatible changes:
This release includes a number of changes that may affect existing configurations:
For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0 or greater. Older libraries have limited support at the expense of disabling particular features. These include resident keys, PIN-required keys and multiple attached tokens.
ssh-keygen(1): the format of the attestation information optionally recorded when a FIDO key is generated has changed. It now includes the authenticator data needed to validate attestation signatures.
The API between OpenSSH and the FIDO token middleware has changed and the SSH_SK_VERSION_MAJOR version has been incremented as a result. Third-party middleware libraries must support the current API version (7) to work with OpenSSH 8.4.
The portable OpenSSH distribution now requires automake to rebuild the configure script and supporting files. This is not required when simply building portable OpenSSH from a release tar file.

New in OpenSSH 8.3 (May 27, 2020)

The focus of this release is bug fixing.
NEW FEATURES:
sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only" to allow .shosts files but not .rhosts.
sshd(8): allow the IgnoreRhosts directive to appear anywhere in a sshd_config, not just before any Match blocks; bz3148 ssh(1): add %TOKEN percent expansion for the LocalFoward and RemoteForward keywords when used for Unix domain socket forwarding.
all: allow loading public keys from the unencrypted envelope of a private key file if no corresponding public key file is present.
ssh(1), sshd(8): prefer to use chacha20 from libcrypto where possible instead of the (slower) portable C implementation included in OpenSSH.
ssh-keygen(1): add ability to dump the contents of a binary key revocation list via "ssh-keygen -lQf /path" bz#3132
BUF FIXES:
ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from a PKCS11Provider; bz#3141
ssh-keygen(1): avoid NULL dereference when trying to convert an invalid RFC4716 private key.
scp(1): when performing remote-to-remote copies using "scp -3", start the second ssh(1) channel with BatchMode=yes enabled to avoid confusing and non-deterministic ordering of prompts.
ssh(1), ssh-keygen(1): when signing a challenge using a FIDO token, perform hashing of the message to be signed in the middleware layer rather than in OpenSSH code. This permits the use of security key middlewares that perform the hashing implicitly, such as Windows Hello.
ssh(1): fix incorrect error message for "too many known hosts files."
ssh(1): make failures when establishing "Tunnel" forwarding terminate the connection when ExitOnForwardFailure is enabled; bz#3116
ssh-keygen(1): fix printing of fingerprints on private keys and add a regression test for same.
sshd(8): document order of checking AuthorizedKeysFile (first) and AuthorizedKeysCommand (subsequently, if the file doesn't match);
sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are not considered for HostbasedAuthentication when the target user is root; bz#3148
ssh(1), ssh-keygen(1): fix NULL dereference in private certificate key parsing (oss-fuzz #20074).
ssh(1), sshd(8): more consistency between sets of %TOKENS are accepted in various configuration options.
ssh(1), ssh-keygen(1): improve error messages for some common PKCS#11 C_Login failure cases; bz#3130
ssh(1), sshd(8): make error messages for problems during SSH banner exchange consistent with other SSH transport-layer error messages and ensure they include the relevant IP addresses bz#3129
various: fix a number of spelling errors in comments and debug/error messages
ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys from a token, don't prompt for a PIN until the token has told us that it needs one. Avoids double-prompting on devices that implement on-device authentication.
sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option should be an extension, not a critical option.
ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when trying to use a FIDO key function and SecurityKeyProvider is empty.
ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32). Prevents integer wraparound of the timeout values. bz#3119
ssh(1): detect and prevent trivial configuration loops when using ProxyJump. bz#3057.
PORTABILITY:
Detect systems where signals flagged with SA_RESTART will interrupt select(2). POSIX permits implementations to choose whether select(2) will return when interrupted with a SA_RESTART-flagged signal, but OpenSSH requires interrupting behaviour.
Several compilation fixes for HP/UX and AIX.
On platforms that do not support setting process-wide routing domains (all excepting OpenBSD at present), fail to accept a configuration attempts to set one at process start time rather than fatally erroring at run time. bz#3126
Improve detection of egrep (used in regression tests) on platforms that offer a poor default one (e.g. Solaris).
A number of shell portability fixes for the regression tests.
Fix theoretical infinite loop in the glob(3) replacement implementation.
Fix seccomp sandbox compilation problems for some Linux configurations bz#3085
Improved detection of libfido2 and some compilation fixes for some configurations when --with-security-key-builtin is selected.

New in OpenSSH 8.2 (Feb 17, 2020)

FIDO/U2F Support:
This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them.
Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used.
FIDO tokens are most commonly connected via USB but may be attached via other means such as Bluetooth or NFC. In OpenSSH, communication with the token is managed via a middleware library, specified by the SecurityKeyProvider directive in ssh/sshd_config(5) or the $SSH_SK_PROVIDER environment variable for ssh-keygen(1) and ssh-add(1). The API for this middleware is documented in the sk-api.h and PROTOCOL.u2f files in the source distribution.
OpenSSH includes a middleware ("SecurityKeyProvider=internal") with support for USB tokens. It is automatically enabled in OpenBSD and may be enabled in portable OpenSSH via the configure flag --with-security-key-builtin. If the internal middleware is enabled then it is automatically used by default. This internal middleware requires that libfido2 (https://github.com/Yubico/libfido2) and its dependencies be installed. We recommend that packagers of portable OpenSSH enable the built-in middleware, as it provides the lowest-friction experience for users.
Note: FIDO/U2F tokens are required to implement the ECDSA-P256 "ecdsa-sk" key type, but hardware support for Ed25519 "ed25519-sk" is less common. Similarly, not all hardware tokens support some of the optional features such as resident keys.
The protocol-level changes to support FIDO/U2F keys in SSH are documented in the PROTOCOL.u2f file in the OpenSSH source distribution.
There are a number of supporting changes to this feature:
ssh-keygen(1): add a "no-touch-required" option when generating FIDO-hosted keys, that disables their default behaviour of requiring a physical touch/tap on the token during authentication. Note: not all tokens support disabling the touch requirement.
sshd(8): add a sshd_config PubkeyAuthOptions directive that collects miscellaneous public key authentication-related options for sshd(8). At present it supports only a single option "no-touch-required". This causes sshd to skip its default check for FIDO/U2F keys that the signature was authorised by a touch or press event on the token hardware.
ssh(1), sshd(8), ssh-keygen(1): add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that FIDO key signatures attest that the user touched their key to authorize them, mirroring the similar PubkeyAuthOptions sshd_config option.
ssh-keygen(1): add support for the writing the FIDO attestation information that is returned when new keys are generated via the "-O write-attestation=/path" option. FIDO attestation certificates may be used to verify that a FIDO key is hosted in trusted hardware. OpenSSH does not currently make use of this information, beyond optionally writing it to disk.
FIDO2 resident keys:
FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored in the private key file on disk, and a per-device private key that is unique to each FIDO/U2F token and that cannot be exported from the token hardware. These are combined by the hardware at authentication time to derive the real key that is used to sign authentication challenges.
For tokens that are required to move between computers, it can be cumbersome to have to move the private key file first. To avoid this requirement, tokens implementing the newer FIDO2 standard support "resident keys", where it is possible to effectively retrieve the key handle part of the key from the hardware.
OpenSSH supports this feature, allowing resident keys to be generated using the ssh-keygen(1) "-O resident" flag. This will produce a public/private key pair as usual, but it will be possible to retrieve the private key part from the token later. This may be done using "ssh-keygen -K", which will download all available resident keys from the tokens attached to the host and write public/private key files for them. It is also possible to download and add resident keys directly to ssh-agent(1) without writing files to the file-system using "ssh-add -K".
Resident keys are indexed on the token by the application string and user ID. By default, OpenSSH uses an application string of "ssh:" and an empty user ID. If multiple resident keys on a single token are desired then it may be necessary to override one or both of these defaults using the ssh-keygen(1) "-O application=" or "-O user=" options. Note: OpenSSH will only download and use resident keys whose application string begins with "ssh:"
Storing both parts of a key on a FIDO token increases the likelihood of an attacker being able to use a stolen token device. For this reason, tokens should enforce PIN authentication before allowing download of keys, and users should set a PIN on their tokens before creating any resident keys.
Other New Features:
sshd(8): add an Include sshd_config keyword that allows including additional configuration files via glob(3) patterns. bz2468
ssh(1)/sshd(8): make the LE (low effort) DSCP code point available via the IPQoS directive; bz2986,
ssh(1): when AddKeysToAgent=yes is set and the key contains no comment, add the key to the agent with the key's path as the comment. bz2564 * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509 subjects as key comments, rather than simply listing the PKCS#11 provider library path. PR138
ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091
ssh(1), sshd(8): make zlib compile-time optional, available via the Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure option for OpenSSH portable.
sshd(8): when clients get denied by MaxStartups, send a notification prior to the SSH2 protocol banner according to RFC4253 section 4.2.
ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt program, pass a hint to the program to describe the type of desired prompt. The possible values are "confirm" (indicating that a yes/no confirmation dialog with no text entry should be shown), "none" (to indicate an informational message only), or blank for the original ssh-askpass behaviour of requesting a password/phrase.
ssh(1): allow forwarding a different agent socket to the path specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to accepting an explicit path or the name of an environment variable in addition to yes/no. * ssh-keygen(1): add a new signature operations "find-principals" to look up the principal associated with a signature from an allowed- signers file. * sshd(8): expose the number of currently-authenticating connections along with the MaxStartups limit in the process title visible to "ps".
Bugfixes:
sshd(8): make ClientAliveCountMax=0 have sensible semantics: it will now disable connection killing entirely rather than the current behaviour of instantly killing the connection after the first liveness test regardless of success. bz2627 * sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups / DenyGroups in the sshd(8) manual page. bz1690
sshd(8): better describe HashKnownHosts in the manual page. bz2560
sshd(8): clarify that that permitopen=/PermitOpen do no name or address translation in the manual page. bz3099
sshd(8): allow the UpdateHostKeys feature to function when multiple known_hosts files are in use. When updating host keys, ssh will now search subsequent known_hosts files, but will add updated host keys to the first specified file only. bz2738 * All: replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. * sftp(1): fix a race condition in the SIGCHILD handler that could turn in to a kill(-1); bz3084
sshd(8): fix a case where valid (but extremely large) SSH channel IDs were being incorrectly rejected. bz3098
ssh(1): when checking host key fingerprints as answers to new hostkey prompts, ignore whitespace surrounding the fingerprint itself.
All: wait for file descriptors to be readable or writeable during non-blocking connect, not just readable. Prevents a timeout when the server doesn't immediately send a banner (e.g. multiplexers like sslh) * sshd_config(5): document the [email protected] key exchange algorithm. PR#151
Portability:
sshd(8): multiple adjustments to the Linux seccomp sandbox: - Non-fatally deny IPC syscalls in sandbox - Allow clock_gettime64() in sandbox (MIPS / glibc >= 2.31) - Allow clock_nanosleep_time64 in sandbox (ARM) bz3100 - Allow clock_nanosleep() in sandbox (recent glibc) bz3093
Explicit check for memmem declaration and fix up declaration if the system headers lack it. bz3102

New in OpenSSH 8.1 (Oct 9, 2019)

New in OpenSSH 8.0 (Apr 18, 2019)

New in OpenSSH 7.9 (Oct 25, 2018)

New Features:
ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services).
ssh(1): allow the IdentityAgent configuration directive to accept environment variable names. This supports the use of multiple agent sockets without needing to use fixed paths.
sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sessions (i.e. not subsystems) that were not subject to a forced command via authorized_keys or sshd_config. bz#1424
ssh(1): support "ssh -Q sig" to list supported signature options. Also "ssh -Q help" to show the full set of supported queries.
ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm.
sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash.
ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) authentication log messages.
Bugfixes:
ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when attempting to load PEM private keys while using an incorrect passphrase. bz#2901
sshd(8): when a channel closed message is received from a client, close the stderr file descriptor at the same time stdout is closed. This avoids stuck processes if they were waiting for stderr to close and were insensitive to stdin/out closing. bz#2863
ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding indefinitely. Previously the behaviour of ForwardX11Timeout=0 was undefined.
sshd(8): when compiled with GSSAPI support, cache supported method OIDs regardless of whether GSSAPI authentication is enabled in the main section of sshd_config. This avoids sandbox violations if GSSAPI authentication was later enabled in a Match block. bz#2107
sshd(8): do not fail closed when configured with a text key revocation list that contains a too-short key. bz#2897
ssh(1): treat connections with ProxyJump specified the same as ones with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't try to canonicalise the hostname unless CanonicalizeHostname is set to 'always'). bz#2896
ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key authentication using certificates hosted in a ssh-agent(1) or against sshd(8) from OpenSSH

New in OpenSSH 7.8 (Aug 24, 2018)

New Features:
ssh(1)/sshd(8): add new signature algorithms "rsa-sha2-256-cert- [email protected]" and "[email protected]" to explicitly force use of RSA/SHA2 signatures in authentication.
sshd(8): extend the PermitUserEnvironment option to accept a whitelist of environment variable names in addition to global "yes" or "no" settings.
sshd(8): add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R ...).
sshd(8): add some countermeasures against timing attacks used for account validation/enumeration. sshd will enforce a minimum time or each failed authentication attempt consisting of a global 5ms minimum plus an additional per-user 0-4ms delay derived from a host secret.
sshd(8): add a SetEnv directive to allow an administrator to explicitly specify environment variables in sshd_config. Variables set by SetEnv override the default and client-specified environment.
ssh(1): add a SetEnv directive to request that the server sets an environment variable in the session. Similar to the existing SendEnv option, these variables are set subject to server configuration.
ssh(1): allow "SendEnv -PATTERN" to clear environment variables previously marked for sending to the server. bz#1285
ssh(1)/sshd(8): make UID available as a %-expansion everywhere that the username is available currently. bz#2870
ssh(1): allow setting ProxyJump=none to disable ProxyJump functionality. bz#2869
Bug fixes:
sshd(8): avoid observable differences in request parsing that could be used to determine whether a target user is valid.
all: substantial internal refactoring
ssh(1)/sshd(8): fix some memory leaks; bz#2366
ssh(1): fix a pwent clobber (introduced in openssh-7.7) that could occur during key loading, manifesting as crash on some platforms.
sshd_config(5): clarify documentation for AuthenticationMethods option; bz#2663
ssh(1): ensure that the public key algorithm sent in a public key SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob. Previously, these could be inconsistent when a legacy or non-OpenSSH ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2 signature.
sshd(8): fix failures to read authorized_keys caused by faulty supplemental group caching. bz#2873
scp(1): apply umask to directories, fixing potential mkdir/chmod race when copying directory trees bz#2839
ssh-keygen(1): return correct exit code when searching for and hashing known_hosts entries in a single operation; bz#2772
ssh(1): prefer the ssh binary pointed to via argv[0] to $PATH when re-executing ssh for ProxyJump. bz#2831
sshd(8): do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog. (regression in openssh-7.7).
ssh(1)/sshd(8): fix error reporting from select() failures.
ssh(1): improve documentation for -w (tunnel) flag, emphasising that -w implicitly sets Tunnel=point-to-point. bz#2365
ssh-agent(1): implement EMFILE mitigation for ssh-agent. ssh-agent will no longer spin when its file descriptor limit is exceeded. bz#2576
ssh(1)/sshd(8): disable SSH2_MSG_DEBUG messages for Twisted Conch clients. Twisted Conch versions that lack a version number in their identification strings will mishandle these messages when running on Python 2.x (https://twistedmatrix.com/trac/ticket/9422)
sftp(1): notify user immediately when underlying ssh process dies expectedly. bz#2719
ssh(1)/sshd(8): fix tunnel forwarding; regression in 7.7 release. bz#2855
ssh-agent(1): don't kill ssh-agent's listening socket entirely if it fails to accept(2) a connection. bz#2837
sshd(8): relax checking of authorized_keys environment="..." options to allow underscores in variable names (regression introduced in 7.7). bz#2851
ssh(1): add some missing options in the configuration dump output (ssh -G). bz#2835
Portability
sshd(8): Expose details of completed authentication to PAM auth modules via SSH_AUTH_INFO_0 in the PAM environment. bz#2408
Fix compilation problems caused by fights between zlib and OpenSSL colliding uses of "free_func"
Improve detection of unsupported compiler options. Recently these may have manifested as "unsupported -Wl,-z,retpoline" warnings during linking.
sshd(8): some sandbox support for Linux/s390 bz#2752.
regress tests: unbreak key-options.sh test on platforms without openpty(3). bz#2856
use getrandom(2) for PRNG seeding when built without OpenSSL.

New in OpenSSH 7.7 (Apr 3, 2018)

NEW FEATURES:
All: Add experimental support for PQC XMSS keys (Extended Hash- Based Signatures) based on the algorithm described in https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 The XMSS signature code is experimental and not compiled in by default.
sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux).
sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present.
sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present.
sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys.
ssh(1): Add a BindInterface option to allow binding the outgoing connection to an interface's address (basically a more usable BindAddress)
ssh(1): Expose device allocated for tun/tap forwarding via a new %T expansion for LocalCommand. This allows LocalCommand to be used to prepare the interface.
sshd(8): Expose the device allocated for tun/tap forwarding via a new SSH_TUNNEL environment variable. This allows automatic setup of the interface and surrounding network configuration automatically on the server.
ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path. Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify the any other algorithm.
ssh-keygen(1): Allow certificate validity intervals that specify only a start or stop time (instead of both or neither).
sftp(1): Allow "cd" and "lcd" commands with no explicit path argument. lcd will change to the local user's home directory as usual. cd will change to the starting directory for session (because the protocol offers no way to obtain the remote user's home directory). bz#2760
sshd(8): When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria.
BUG FIXES:
ssh(1)/sshd(8): More strictly check signature types during key exchange against what was negotiated. Prevents downgrade of RSA signatures made with SHA-256/512 to SHA-1.
sshd(8): Fix support for client that advertise a protocol version of "1.99" (indicating that they are prepared to accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 support. bz#2810
ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a rsa-sha2-256/512 signature was requested. This condition is possible when an old or non-OpenSSH agent is in use. bz#2799
ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent to fatally exit if presented an invalid signature request message.
sshd_config(5): Accept yes/no flag options case-insensitively, as has been the case in ssh_config(5) for a long time. bz#2664
ssh(1): Improve error reporting for failures during connection. Under some circumstances misleading errors were being shown. bz#2814
ssh-keyscan(1): Add -D option to allow printing of results directly in SSHFP format. bz#2821
regress tests: fix PuTTY interop test broken in last release's SSHv1 removal. bz#2823
ssh(1): Compatibility fix for some servers that erroneously drop the connection when the IUTF8 (RFC8160) option is sent.
scp(1): Disable RemoteCommand and RequestTTY in the ssh session started by scp (sftp was already doing this.)
ssh-keygen(1): Refuse to create a certificate with an unusable number of principals.
ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the public key during key generation. Previously it would silently ignore errors writing the comment and terminating newline.
ssh(1): Do not modify hostname arguments that are addresses by automatically forcing them to lower-case. Instead canonicalise them to resolve ambiguities (e.g. ::0001 => ::1) before they are matched against known_hosts. bz#2763
ssh(1): Don't accept junk after "yes" or "no" responses to hostkey prompts. bz#2803
sftp(1): Have sftp print a warning about shell cleanliness when decoding the first packet fails, which is usually caused by shells polluting stdout of non-interactive startups. bz#2800
ssh(1)/sshd(8): Switch timers in packet code from using wall-clock time to monotonic time, allowing the packet layer to better function over a clock step and avoiding possible integer overflows during steps.
Numerous manual page fixes and improvements.
PORTABILITY:
sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes sandbox violations on some environments.
sshd(8): Remove UNICOS support. The hardware and software are literal museum pieces and support in sshd is too intrusive to justify maintaining.
All: Build and link with "retpoline" flags when available to mitigate the "branch target injection" style (variant 2) of the Spectre branch-prediction vulnerability.
All: Add auto-generated dependency information to Makefile.
Numerous fixed to the RPM spec files.

New in OpenSSH 7.6 (Jan 15, 2018)

Security:
sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. Reported by Michal Zalewski.
New Features:
ssh(1): add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This allows the configuration file to specify the command that will be executed on the remote host.
sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session.
ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported.
sshd(8): allow LogLevel directive in sshd_config Match blocks; bz#2717
ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options.
ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377
ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default.
ssh-add(1): added -q option to make ssh-add quiet on success.
ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400
ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). bz#2705
Bug fixes:
ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728
sftp(1): implement sorting for globbed ls; bz#2649
ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. bz#2720
ssh(1): accept unknown EXT_INFO extension values that contain � characters. These are legal, but would previously cause fatal connection errors if received.
ssh(1)/sshd(8): repair compression statistics printed at connection exit
sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. bz#2710
ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. bz#2707
ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances; bz#2709
Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys; bz#2699
sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. bz#2748
ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. bz#1906, bz#2744
ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. bz#2561
ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background.
ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734
sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. bz#2704
sshd_config(8): document available AuthenticationMethods; bz#2453
ssh(1): avoid truncation in some login prompts; bz#2768
sshd(8): Fix various compilations failures, inc bz#2767
ssh(1): make "--" before the hostname terminate argument processing after the hostname too.
ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. bz#2754
ssh(1): warn and do not attempt to use keys when the public and private halves do not match. bz#2737
sftp(1): don't print verbose error message when ssh disconnects from under sftp. bz#2750
sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent; bz#2756
sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem.
Make integrity.sh regression tests more robust against timeouts. bz#2658
ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF.
Portability:
sshd(9): drop two more privileges in the Solaris sandbox: PRIV_DAX_ACCESS and PRIV_SYS_IB_INFO; bz#2723
sshd(8): expose list of completed authentication methods to PAM via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408
ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code, mostly to do with host/network byte order confusion. bz#2735
Add --with-cflags-after and --with-ldflags-after configure flags to allow setting CFLAGS/LDFLAGS after configure has completed. These are useful for setting sanitiser/fuzzing options that may interfere with configure's operation.
sshd(8): avoid Linux seccomp violations on ppc64le over the socketcall syscall.
Fix use of ldns when using ldns-config; bz#2697
configure: set cache variables when cross-compiling. The cross- compiling fallback message was saying it assumed the test passed, but it wasn't actually set the cache variables and this would cause later tests to fail.
Add clang libFuzzer harnesses for public key parsing and signature verification.

New in OpenSSH 7.5 (Mar 20, 2017)

This is a bugfix release.
Security:
ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entriely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London.
sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be maniuplated by a hostile server to perform a path-traversal attack. creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero.
New Features:
ssh(1), sshd(8): Support "=-" syntax to easily remove methods from algorithm lists, e.g. Ciphers=-*cbc. bz#2671
Bug fixes:
sshd(1): Fix NULL dereference crash when key exchange start messages are sent out of sequence.
ssh(1), sshd(8): Allow form-feed characters to appear in configuration files.
sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs extension, where SHA2 RSA signature methods were not being correctly advertised. bz#2680
ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in known_hosts processing. bz#2591 bz#2685
ssh(1): Allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key. bz#2617
ssh(1): When updating hostkeys using the UpdateHostKeys option, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and not the old ssh-rsa method. bz#2650 ssh(1): Detect and report excessively long configuration file lines. bz#2651
Merge a number of fixes found by Coverity and reported via Redhat and FreeBSD. Includes fixes for some memory and file descriptor leaks in error paths. bz#2687 ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692
ssh(1), sshd(8): When logging long messages to stderr, don't truncate "rn" if the length of the message exceeds the buffer. bz#2688
ssh(1): Fully quote [host]:port in generated ProxyJump/-J command- line; avoid confusion over IPv6 addresses and shells that treat square bracket characters specially. ssh-keygen(1): Fix corruption of known_hosts when running "ssh-keygen -H" on a known_hosts containing already-hashed entries.
Fix various fallout and sharp edges caused by removing SSH protocol 1 support from the server, including the server banner string being incorrectly terminated with only n (instead of rn), confusing error messages from ssh-keyscan bz#2583 and a segfault in sshd if protocol v.1 was enabled for the client and sshd_config contained references to legacy keys bz#2686.
ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
sshd(8): Fix Unix domain socket forwarding for root (regression in OpenSSH 7.4). sftp(1): Fix division by zero crash in "df" output when server returns zero total filesystem blocks/inodes.
ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors encountered during key loading to more meaningful error codes. bz#2522 bz#2523
ssh-keygen(1): Sanitise escape sequences in key comments sent to printf but preserve valid UTF-8 when the locale supports it; bz#2520
ssh(1), sshd(8): Return reason for port forwarding failures where feasible rather than always "administratively prohibited". bz#2674
sshd(8): Fix deadlock when AuthorizedKeysCommand or AuthorizedPrincipalsCommand produces a lot of output and a key is matched early. bz#2655
Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659 ssh(1): Fix typo in ~C error message for bad port forward cancellation. bz#2672
ssh(1): Show a useful error message when included config files can't be opened; bz#2653
sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page (previously incorrectly) advertised. bz#2637
sshd_config(5): Repair accidentally-deleted mention of %k token in AuthorizedKeysCommand; bz#2656
sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665
ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common 32-bit compatibility library directories.
sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME response handling.
ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys. It was not possible to delete them except by specifying their full physical path. bz#2682
Portability:
sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor.
sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg inspection.
ssh(1): Fix X11 forwarding on OSX where X11 was being started by launchd. bz#2341
ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that contain non-printable characters where the codeset in use is ASCII.
build: Fix builds that attempt to link a kerberised libldns. bz#2603
build: Fix compilation problems caused by unconditionally defining _XOPEN_SOURCE in wide character detection.
sshd(8): Fix sandbox violations for clock_gettime VSDO syscall fallback on some Linux/X32 kernels. bz#2142

New in OpenSSH 7.4 (Dec 19, 2016)

Security:
ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero.
sshd(8): When privilege separation is disabled, forwarded Unix- domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero.
sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero.
sshd(8): The shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/)
sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
sshd(8): Validate address ranges for AllowUser and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. [email protected]/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry.
New Features:
ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc. This allows multiplexing mode to run on systems that lack file- descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..."
sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account.
sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "[email protected]".
sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. bz#2641
sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks.
sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered.
Added regression tests for string matching, address matching and string sanitisation functions.
Improved the key exchange fuzzer harness.
Bug fixes:
ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key. bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. bz#2642
regress: Allow the PuTTY interop tests to run unattended. bz#2639
ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. bz#2610
ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet.
sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt.
ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt.
ssh(1), sshd(8): Correctly report errors during sending of ext- info messages.
sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message.
sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. bz#2547
sshd(8): Fix sending ext_info message if privsep is disabled.
sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration
sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin.
Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with -fsanitize-memory. sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples.
Portability:
On environments configured with Turkish locales, fall back to the C/POSIX locale to avoid errors in configuration parsing caused by that locale's unique handling of the letters 'i' and 'I'. bz#2643
sftp-server(8), ssh-agent(1): Deny ptrace on OS X using ptrace(PT_DENY_ATTACH, ..)
ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
Fix compilation for libcrypto compiled without RIPEMD160 support.
contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640 sshd(8): Improve PRNG reseeding across privilege separation and force libcrypto to obtain a high-quality seed before chroot or sandboxing.
All: Explicitly test for broken strnvis. NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Try to detect this mess, and assume the only safe option if we're cross compiling.

New in OpenSSH 7.3p1 (Aug 2, 2016)

This is primarily a bugfix release.
Security:
sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com
ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility.
ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh.
New Features:
ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment. ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577
ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00. ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates; ssh(1): Add an Include directive for ssh_config(5) files.
ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. bz#2058
Bugfixes:
ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. bz#2585
sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. bz#2398
sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. bz#1988
misc: Make PROTOCOL description for [email protected] channel open messages match deployed code. bz#2529
ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. bz#2562
sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. bz#2559.
sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts; bz#2554 ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. bz#2550
sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252

New in OpenSSH 7.2p2 (Mar 10, 2016)

New in OpenSSH 7.2p1 (Feb 29, 2016)

This is primarily a bugfix release.
Security:
ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2).
ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension.
ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits.
sshd(8): pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config).
New Features:
all: add support for RSA signatures using SHA-256/512 hash algorithms based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm').
sshd(8): add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436
ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats.
ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -"
ssh-keygen(1): allow fingerprinting multiple public keys in a file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
sshd(8): support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486
ssh-keygen(1): support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L" ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys.
ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and remove the trailing '.' before matching ssh_config.
Bugfixes:
sftp(1): existing destination directories should not terminate recursive uploads (regression in openssh 6.8) bz#2528
ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during key exchange. bz#2949
ssh(1): refuse attempts to set ConnectionAttempts=0, which does not make sense and would cause ssh to print an uninitialised stack variable. bz#2500
ssh(1): fix errors when attempting to connect to scoped IPv6 addresses with hostname canonicalisation enabled.
sshd_config(5): list a couple more options usable in Match blocks. bz#2489
sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block. ssh(1): expand tilde characters in filenames passed to -i options before checking whether or not the identity file exists. Avoids confusion for cases where shell doesn't expand (e.g. "-i ~/file" vs. "-i~/file"). bz#2481
ssh(1): do not prepend "exec" to the shell command run by "Match exec" in a config file, which could cause some commands to fail in certain environments. bz#2471
ssh-keyscan(1): fix output for multiple hosts/addrs on one line when host hashing or a non standard port is in use bz#2479
sshd(8): skip "Could not chdir to home directory" message when ChrootDirectory is active. bz#2485
ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump. sshd(8): avoid changing TunnelForwarding device flags if they are already what is needed; makes it possible to use tun/tap networking as non-root user if device permissions and interface flags are pre-established
ssh(1), sshd(8): RekeyLimits could be exceeded by one packet. bz#2521
ssh(1): fix multiplexing master failure to notice client exit.
ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present empty key IDs. bz#1773
sshd(8): avoid printf of NULL argument. bz#2535
ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature support.
ssh(1), sshd(8): fix connections with peers that use the key exchange guess feature of the protocol. bz#2515
sshd(8): include remote port number in log messages. bz#2503
ssh(1): don't try to load SSHv1 private key when compiled without SSHv1 support. bz#2505
ssh-agent(1), ssh(1): fix incorrect error messages during key loading and signing errors. bz#2507
ssh-keygen(1): don't leave empty temporary files when performing known_hosts file edits when known_hosts doesn't exist.
sshd(8): correct packet format for tcpip-forward replies for requests that don't allocate a port bz#2509
ssh(1), sshd(8): fix possible hang on closed output. bz#2469 ssh(1): expand %i in ControlPath to UID. bz#2449
ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
ssh(1): add a some debug output before DNS resolution; it's a place where ssh could previously silently stall in cases of unresponsive DNS servers. bz#2433 ssh(1): remove spurious newline in visual hostkey. bz#2686
ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
ssh(1): fix expansion of HostkeyAlgorithms=+...
Documentation:
ssh_config(5), sshd_config(5): update default algorithm lists to match current reality. bz#2527
ssh(1): mention -Q key-plain and -Q key-cert query options. bz#2455
sshd_config(8): more clearly describe what AuthorizedKeysFile=none does.
ssh_config(5): better document ExitOnForwardFailure. bz#2444
sshd(5): mention internal DH-GEX fallback groups in manual. bz#2302
sshd_config(5): better description for MaxSessions option. bz#2531
Portability:
ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/ Solaris fine-grained privileges. Including a pre-auth privsep sandbox and several pledge() emulations. bz#2511
Renovate redhat/openssh.spec, removing deprecated options and syntax.
configure: allow --without-ssl-engine with --without-openssl
sshd(8): fix multiple authentication using S/Key. bz#2502
sshd(8): read back from libcrypto RAND_* before dropping privileges. Avoids sandboxing violations with BoringSSL.
Fix name collision with system-provided glob(3) functions. bz#2463
Adapt Makefile to use ssh-keygen -A when generating host keys. bz#2459
configure: correct default value for --with-ssh1 bz#2457
configure: better detection of _res symbol bz#2259
support getrandom() syscall on Linux

New in OpenSSH 7.1p2 (Jan 14, 2016)

New in OpenSSH 7.1 (Aug 21, 2015)

New in OpenSSH 7.0 (Aug 11, 2015)

Security:
sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world- writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev.
sshd(8): Portable OpenSSH only: Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit.
sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit.
sshd(8): fix circumvention of MaxAuthTries using keyboard- interactive authentication. By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied. Found by Kingcope.
Potentially-incompatible Changes:
Support for the legacy SSH version 1 protocol is disabled by default at compile time.
Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at http://www.openssh.com/legacy.html
Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at http://www.openssh.com/legacy.html
Support for the legacy v00 cert format has been removed.
The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password".
PermitRootLogin=without-password/prohibit-password now bans all interactive authentication methods, allowing only public-key, hostbased and GSSAPI authentication (previously it permitted keyboard-interactive and password-less authentication if those were enabled).
New Features:
ssh_config(5): add PubkeyAcceptedKeyTypes option to control which public key types are available for user authentication.
sshd_config(5): add HostKeyAlgorithms option to control which public key types are offered for host authentications.
ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms, HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes options to allow appending to the default set of algorithms instead of replacing it. Options may now be prefixed with a '+' to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".
sshd_config(5): PermitRootLogin now accepts an argument of 'prohibit-password' as a less-ambiguous synonym of 'without- password'.
Bugfixes:
ssh(1), sshd(8): add compatability workarounds for Cisco and more PuTTY versions. bz#2424
Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux documentation relating to Unix domain socket forwarding; bz#2421 bz#2422
ssh(1): Improve the ssh(1) manual page to include a better description of Unix domain socket forwarding; bz#2423
ssh(1), ssh-agent(1): skip uninitialised PKCS#11 slots, fixing failures to load keys when they are present. bz#2427
ssh(1), ssh-agent(1): do not ignore PKCS#11 hosted keys that wth empty CKA_ID; bz#2429
sshd(8): clarify documentation for UseDNS option; bz#2045
Portable OpenSSH:
Check realpath(3) behaviour matches what sftp-server requires and use a replacement if necessary.

New in OpenSSH 6.9 (Jul 1, 2015)

This is primarily a bug fix release.
Security:
ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn.
ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci.
New Features:
ssh(1), sshd(8): promote [email protected] to be the default cipher
sshd(8): support admin-specified arguments to AuthorizedKeysCommand; bz#2081
sshd(8): add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file.
ssh(1), ssh-add(1): support PKCS#11 devices with external PIN entry devices bz#2240
sshd(8): allow GSSAPI host credential check to be relaxed for multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928
ssh-keygen(1): support "ssh-keygen -lF hostname" to search known_hosts and print key hashes rather than full keys.
ssh-agent(1): add -D flag to leave ssh-agent in foreground without enabling debug mode; bz#2381
Bug fixes:
ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP).
Many fixes for problems caused by compile-time deactivation of SSH1 support (including bz#2369)
ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes >4K; bz#2209
ssh(1): fix out-of-bound read in EscapeChar configuration option parsing; bz#2396
sshd(8): fix application of PermitTunnel, LoginGraceTime, AuthenticationMethods and StreamLocalBindMask options in Match blocks
ssh(1), sshd(8): improve disconnection message on TCP reset; bz#2257
ssh(1): remove failed remote forwards established by muliplexing from the list of active forwards; bz#2363
sshd(8): make parsing of authorized_keys "environment=" options independent of PermitUserEnv being enabled; bz#2329
sshd(8): fix post-auth crash with permitopen=none; bz#2355
ssh(1), ssh-add(1), ssh-keygen(1): allow new-format private keys to be encrypted with AEAD ciphers; bz#2366
ssh(1): allow ListenAddress, Port and AddressFamily configuration options to appear in any order; bz#86
sshd(8): check for and reject missing arguments for VersionAddendum and ForceCommand; bz#2281
ssh(1), sshd(8): don't treat unknown certificate extensions as fatal; bz#2387
ssh-keygen(1): make stdout and stderr output consistent; bz#2325
ssh(1): mention missing DISPLAY environment in debug log when X11 forwarding requested; bz#1682
sshd(8): correctly record login when UseLogin is set; bz#378
sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346
Document and improve consistency of options that accept a "none" argument" TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288)
ssh(1): include remote username in debug output; bz#2368
sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message ([email protected])
sshd(8): mention ssh-keygen -E as useful when comparing legacy MD5 host key fingerprints; bz#2332
ssh(1): clarify pseudo-terminal request behaviour and use make manual language consistent; bz#1716
ssh(1): document that the TERM environment variable is not subject to SendEnv and AcceptEnv; bz#2386

New in OpenSSH 6.8 (Mar 18, 2015)

Potentially-incompatible changes:
sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses.
New Features:
Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout.
Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64.
Fingerprints now have the hash algorithm prepended. An example of the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please note that visual host keys will also be different.
ssh(1), sshd(8): Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys.
The client side of this is controlled by a UpdateHostkeys config option (default off).
ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication.
ssh(1), sshd(8): fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths.
ssh(1): when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bz#2074 and avoiding needless DNS lookups in some cases.
ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support.
ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication.
sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption.
sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys.
sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all.
sshd(8): Don't count partial authentication success as a failure against MaxAuthTries.
ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys.
ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA.
ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass.
ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T".
ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
The regression test suite has been extended to cover more OpenSSH features. The unit tests have been expanded and now cover key exchange.
Bugfixes:
ssh-keyscan(1): ssh-keyscan has been made much more robust again servers that hang or violate the SSH protocol.
ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields.
ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2286
ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes) bz#2267
ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use; bz#2324;
ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats; bz#2345.
ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.
Various fixes to manual pages: bz#2288, bz#2316, bz#2273
Portable OpenSSH:
Support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features, including SSH protocol 1 are not supported and the set of crypto options is greatly restricted. This will only work on systems with native arc4random or /dev/urandom.
Considered highly experimental for now.
Support --without-ssh1 option at configure time
Allows disabling support for SSH protocol 1.
sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
Allow custom service name for sshd on Cygwin. Permits the use of multiple sshd running with different service names.

New in OpenSSH 6.7 (Oct 7, 2014)

Potentially-incompatible changes:
sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
sshd(8): Support for tcpwrappers/libwrap has been removed.
OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the [email protected] KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.
New Features:
Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form.
ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket.
ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types.
sftp(1): Allow resumption of interrupted uploads.
ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange; bz#2154
sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family; bz#2222
sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160
ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths; bz#2220
sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199
Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target.
Bug fixes:
sshd(8): Fix remote forwarding with the same listen port but different listen address.
ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config or on the commandline not to be preferred.
ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.
ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0; bz#2255
ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border; bz#2247
ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(); bz#2236
ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add doesn't); bz#2234
ssh-keygen(1): When hashing or removing hosts, don't choke on @revoked markers and don't remove @cert-authority markers; bz#2241
ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)
scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end.
sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string; bz#2238
ssh-keyscan(1): Scan for Ed25519 keys by default.
ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down- convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
Fix some strict-alignment errors.
Portable OpenSSH:
Portable OpenSSH now supports building against libressl-portable.
Portable OpenSSH now requires openssl 0.9.8f or greater. Older versions are no longer supported.
In the OpenSSL version check, allow fix version upgrades (but not downgrades. Debian bug #748150.
sshd(8): On Cygwin, determine privilege separation user at runtime, since it may need to be a domain account.
sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for non-root users, and for them it just messes up the tty settings.
Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly. bz#2228
Add support for ed25519 to opensshd.init init script.
sftp-server(8): On platforms that support it, use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps}

New in OpenSSH 6.6 (Jun 6, 2014)

This is primarily a bugfix release.
Security:
sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character.
New / changed features:
ssh(1), sshd(8): this release removes the J-PAKE authentication code. This code was experimental, never enabled and had been unmaintained for some time.
ssh(1): when processing Match blocks, skip 'exec' clauses other clauses predicates failed to match.
ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.
Bug fixes:
ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692
sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase.
ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions.
sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184
ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. bz#2205
sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. bz#2107
ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated.
ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified.
ssh(1), sshd(8): fix memory leak in ECDSA signature verification.
ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-insensitive again (regression in 6.5).
Portable OpenSSH:
sshd(8): don't fatal if the FreeBSD Capsicum is offered by the system headers and libc but is not supported by the kernel.
Fix build using the HP-UX compiler.

New in OpenSSH 6.4 (Nov 13, 2013)

New in OpenSSH 6.0 (Apr 23, 2012)

Features:
ssh-keygen(1): Add optional checkpoints for moduli screening
ssh-add(1): new -k option to load plain keys (skipping certificates)
sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
support cancellation of local/dynamic forwardings from ~C commandline
Bug fixes:
ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
scp(1): uppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
ssh(1): skip attempting to create ~/.ssh when -F is passed
sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
Fixed a number of memory and file descriptor leaks
Portable OpenSSH:
Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental)
Fix compilation problems on FreeBSD, where libutil contained openpty() but not login().
ssh-keygen(1): don't fail in -A on platforms that don't support ECC
Add optional support for LDNS, a BSD licensed DNS resolver library which supports DNSSEC
Relax OpenSSL version check to allow running OpenSSH binaries on systems with OpenSSL libraries with a newer "fix" or "patch" level than the binaries were originally compiled on (previous check only allowed movement within "patch" releases). bz#1991
Fix builds using contributed Redhat spec file. bz#1992

New in OpenSSH 5.9 (Sep 7, 2011)

Features:
Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. This intention is to prevent a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface. Three concrete sandbox implementation are provided (selected at configure time): systrace, seatbelt and rlimit.
The systrace sandbox uses systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child. Note that this requires a kernel with the new SYSTR_POLICY_KILL option (only OpenBSD has this mode at present).
The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a strict (kSBXProfilePureComputation) policy that disables access to filesystem and network resources.
The rlimit sandbox is a fallback choice for platforms that don't support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent the privsep child from forking or opening new network connections.
Sandboxing of the privilege separated child process is currently experimental but should become the default in a future release. Native sandboxes for other platforms are welcome (e.g. Capsicum, Linux pid/net namespaces, etc.)
Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, and hmac-sha2-512-96, and are available by default in ssh(1) and sshd(8)
The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot.
ssh(1) now warns when a server refuses X11 forwarding
sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace. The undocumented AuthorizedKeysFile2 option is deprecated (though the default for AuthorizedKeysFile includes .ssh/authorized_keys2)
sshd_config(5): similarly deprecate UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile and GlobalKnownHostsFile accept multiple options and default to include known_hosts2
Retain key comments when loading v.2 keys. These will be visible in "ssh-add -l" and other places. bz#439
ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as IPv4 ToS/DSCP). bz#1855
ssh_config(5)'s ControlPath option now expands %L to the host portion of the destination host name.
ssh_config(5) "Host" options now support negated Host matching, e.g. Host *.example.org !c.example.org User mekmitasdigoat Will match "a.example.org", "b.example.org", but not "c.example.org"
ssh_config(5): a new RequestTTY option provides control over when a TTY is requested for a connection, similar to the existing -t/-tt/-T ssh(1) commandline options.
sshd(8): allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244
ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is useful for system initialisation scripts.
ssh(1): Allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests but don't kill existing connections. This may be requested using "ssh -O stop ..."
ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key"
ssh-keysign(8) now signs hostbased authentication challenges correctly using ECDSA keys; bz#1858
sftp(1): document that sftp accepts square brackets to delimit addresses (useful for IPv6); bz#1847a
ssh(1): when using session multiplexing, the master process will change its process title to reflect the control path in use and when a ControlPersist-ed master is waiting to close; bz#1883 and bz#1911
Other minor bugs fixed: 1849 1861 1862 1869 1875 1878 1879 1892 1900 1905 1913
Portable OpenSSH Bugfixes:
Fix a compilation error in the SELinux support code. bz#1851
This release removes support for ssh-rand-helper. OpenSSH now obtains its random numbers directly from OpenSSL or from a PRNGd/EGD instance specified at configure time.
sshd(8) now resets the SELinux process execution context before executing passwd for password changes; bz#1891
Since gcc >= 4.x ignores all -Wno-options options, test only the corresponding -W-option when trying to determine whether it is accepted; bz#1901
Add ECDSA key generation to the Cygwin ssh-{host,user}-config scripts.
Updated .spec and init files for Linux; bz#1920
Improved SELinux error messages in context change failures and suppress error messages when attempting to change from the "unconfined_t" type; bz#1924 bz#1919
Fix build errors on platforms without dlopen(); bz#1929
Checksums:
SHA1 (openssh-5.9.tar.gz) = bc0cb728bbc394769f9a2ce5b8cd99dc41e12632
SHA1 (openssh-5.9p1.tar.gz) = ac4e0055421e9543f0af5da607a72cf5922dcc56
Reporting Bugs:
Please read http://www.openssh.com/report.html
Security bugs should be reported directly to [email protected]
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

New in OpenSSH 5.8 (May 3, 2011)

New in OpenSSH 5.7 (Jan 25, 2011)

Features:
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656) is NOT implemented. Certificate host and user keys using the new ECDSA key types are supported - an ECDSA key may be certified, and an ECDSA key may act as a CA to sign certificates.
ECDH in a 256 bit curve field is the preferred key agreement algorithm when both the client and server support it. ECDSA host keys are preferred when learning a host's keys for the first time, or can be learned using ssh-keyscan(1).
sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command
scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.
ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. bz#1733
sftp(1): the sftp client is now significantly faster at performing directory listings, using OpenBSD glob(3) extensions to preserve the results of stat(3) operations performed in the course of its execution rather than performing expensive round trips to fetch them again afterwards.
ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. stale server sockets are now automatically removed. (also fixes bz#1711)
ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1). bz#1147
BugFixes:
ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories. bz#1809
ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel; bz#1842
sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode; bz#1719
scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case; bz#1837
sftp-server(8): umask should be parsed as octal
sftp(1): escape '[' in filename tab-completion
ssh(1): Typo in confirmation message. bz#1827
sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block
sshd(8): Use default shell /bin/sh if $SHELL is ""
ssh(1): kill proxy command on fatal() (we already killed it on clean exit);
ssh(1): install a SIGCHLD handler to reap expiried child process; bz#1812
Support building against openssl-1.0.0a
Portable OpenSSH Bugfixes:
Use mandoc as preferred manpage formatter if it is present, followed by nroff and groff respectively.
sshd(8): Relax permission requirement on btmp logs to allow group read/write
bz#1840: fix warning when configuring --with-ssl-engine
sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817
sshd(8): bz#1824: Add Solaris Project support.
sshd(8): Check is_selinux_enabled for exact return code since it can apparently return -1 under some conditions.

New in OpenSSH 5.6 (Aug 24, 2010)

Features:
Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity.
Hostbased authentication may now use certificate host keys. CA keys must be specified in a known_hosts file using the @cert-authority marker as described in sshd(8).
ssh-keygen(1) now supports signing certificate using a CA key that has been stored in a PKCS#11 token.
ssh(1) will now log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate "phishing" attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts.
Note that, for such an attack to be successful, the user must have disabled StrictHostKeyChecking (enabled by default) or an attacker must have access to a trusted host key for the destination server.
Expand %h to the hostname in ssh_config Hostname options. While this sounds useless, it is actually handy for working with unqualified hostnames: Host *.* Hostname %h Host * Hostname %h.example.org Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8 keys in addition to RFC4716 (SSH.COM) encodings via a new -m option (bz#1749)
sshd(8) will now queue debug messages for bad ownership or permissions on the user's keyfiles encountered during authentication and will send them after authentication has successfully completed. These messages may be viewed in ssh(1) at LogLevel=debug or higher.
ssh(1) connection multiplexing now supports remote forwarding with dynamic port allocation and can report the allocated port back to the user:
LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
sshd(8) now supports indirection in matching of principal names listed in certificates. By default, if a certificate has an embedded principals list then the username on the server must match one of the names in the list for it to be accepted for authentication.
sshd(8) now has a new AuthorizedPrincipalsFile option to specify a file containing a list of names that may be accepted in place of the username when authorizing a certificate trusted via the sshd_config(5) TrustedCAKeys option. Similarly, authentication using a CA trusted in ~/.ssh/authorized_keys now accepts a principals="name1[,name2,...]" to specify a list of permitted names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates.
Additional sshd_config(5) options are now valid inside Match blocks:
AuthorizedKeysFile AuthorizedPrincipalsFile HostbasedUsesNameFromPacketOnly PermitTunnel
Revised the format of certificate keys. The new format, identified as ssh-{dss,rsa}[email protected] includes the following changes: - Adding a serial number field. This may be specified by the CA at the time of certificate signing.
Moving the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash (currently infeasible against the SHA1 hash used) - Renaming the "constraints" field to "critical options" - Addng a new non-critical "extensions" field. The "permit-*" options are now extensions, rather than critical options to permit non-OpenSSH implementation of this key format to degrade gracefully when encountering keys with options they do not recognize. The older format is still supported for authentication and may still be used when signing certificates (use "ssh-keygen -t v00 ..."). The v00 format, introduced in OpenSSH 5.4, will be supported for at least one year from this release, after which it will be deprecated and removed.
BugFixes:
The PKCS#11 code now retries a lookup for a private key if there is no matching key with CKA_SIGN attribute enabled; this fixes fixes MuscleCard support (bz#1736) Unbreak strdelim() skipping past quoted strings (bz#1757). For example, the following directive was not parsed correctly: AllowUsers "blah blah" blah
sftp(1): fix swapped args in upload_dir_internal(), breaking recursive upload depth checks and causing verbose printing of transfers to always be turned on (bz#1797)
Fix a longstanding problem where if you suspend scp(1) at the password/passphrase prompt the terminal mode is not restored.
Fix a PKCS#11 crash on some smartcards by validating the length returned for C_GetAttributValue (bz#1773)
sftp(1): fix ls in working directories that contain globbing characters in their pathnames (bz#1655)
Print warning for missing home directory when ChrootDirectory=none (bz#1564)
sftp(1): fix a memory leak in do_realpath() error path (bz#1771)
ssk-keygen(1): Standardise error messages when attempting to open private key files to include "progname: filename: error reason" (bz#1783)
Replace verbose and overflow-prone Linebuf code with read_keyfile_line() (bz#1565)
Include the user name on "subsystem request for ..." log messages
ssh(1) and sshd(8): remove hardcoded limit of 100 permitopen clauses and port forwards per direction (bz#1327)
sshd(8): ignore stderr output from subsystems to avoid hangs if a subsystem or shell initialisation writes to stderr (bz#1750)
Skip the initial check for access with an empty password when PermitEmptyPasswords=no (bz#1638)
sshd(8): fix logspam when key options (from="..." especially) deny non-matching keys (bz#1765)
ssh-keygen(1): display a more helpful error message when $HOME is inaccessible while trying to create .ssh directory (bz#1740)
ssh(1): fix hang when terminating a mux slave using ~. (bz#1758)
ssh-keygen(1): refuse to generate keys longer than OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use them anyway (bz#1516)
Suppress spurious tty warning when using -O and stdin is not a tty (bz#1746)
Kill channel when pty allocation requests fail. Fixed stuck client if the server refuses pty allocation (bz#1698)
Portable OpenSSH Bugfixes:
sshd(8): increase the maximum username length for login recording to 512 characters (bz#1579)
Initialize the values to be returned from PAM to sane values in case the PAM method doesn't write to them. (bz#1795)
Let configure find OpenSSL libraries in a lib64 subdirectory. (bz#1756)

New in OpenSSH 5.3 (Oct 3, 2009)

New in OpenSSH 5.2 (Feb 24, 2009)

This release changes the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH".
This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes.
New features:
Added a -y option to ssh(1) to force logging to syslog rather than stderr, which is useful when running daemonised (ssh -f)
The sshd_config(5) ForceCommand directive now accepts commandline arguments for the internal-sftp server.
The ssh(1) ~C escape commandline now support runtime creation of dynamic (-D) port forwards.
Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. (bz#1482)
Support remote port forwarding with a listen port of '0'. This informs the server that it should dynamically allocate a listen port and report it back to the client. (bz#1003)
sshd(8) now supports setting PermitEmptyPasswords and AllowAgentForwarding in Match blocks
Bug and documentation fixes:
Repair a ssh(1) crash introduced in openssh-5.1 when the client is sent a zero-length banner (bz#1496)
Due to interoperability problems with certain broken SSH implementations, the [email protected] and [email protected] protocol extensions are now only sent to peers that identify themselves as OpenSSH.
Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1.
Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1).
Avoid double-free in ssh(1) ~C escape -L handler (bz#1539)
Correct fail-on-error behaviour in sftp(1) batchmode for remote stat operations. (bz#1541)
Disable nonfunctional ssh(1) ~C escape handler in multiplex slave connections. (bz#1543)
Avoid hang in ssh(1) when attempting to connect to a server that has MaxSessions=0 set.
Multiple fixes to sshd(8) configuration test (-T) mode
Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540
Many manual page improvements.

New in OpenSSH 5.1 (Jul 23, 2008)

sshd(8): Avoid X11 man-in-the-middle attack on HP/UX (and possibly other platforms) when X11UseLocalhost=no
When attempting to bind(2) to a port that has previously been bound with SO_REUSEADDR set, most operating systems check that either the effective user-id matches the previous bind (common on BSD-derived systems) or that the bind addresses do not overlap (Linux and Solaris).
Some operating systems, such as HP/UX, do not perform these checks and are vulnerable to an X11 man-in-the-middle attack when the sshd_config(5) option X11UseLocalhost has been set to "no" - an attacker may establish a more-specific bind, which will be used in preference to sshd's wildcard listener.
Modern BSD operating systems, Linux, OS X and Solaris implement the above checks and are not vulnerable to this attack, nor are systems where the X11UseLocalhost has been left at the default value of "yes".
Portable OpenSSH 5.1 avoids this problem for all operating systems by not setting SO_REUSEADDR when X11UseLocalhost is set to no.
This vulnerability was reported by sway2004009 AT hotmail.com.
Introduce experimental SSH Fingerprint ASCII Visualisation to ssh(1) and ssh-keygen(1). Visual fingerprinnt display is controlled by a new ssh_config(5) option "VisualHostKey". The intent is to render SSH host keys in a visual form that is amenable to easy recall and rejection of changed host keys. This technique inspired by the graphical hash visualisation schemes known as "random art[*]", and by Dan Kaminsky's musings at 23C3 in Berlin.
Fingerprint visualisation in is currently disabled by default, as the algorithm used to generate the random art is still subject to change.
sshd_config(5) now supports CIDR address/masklen matching in "Match address" blocks, with a fallback to classic wildcard matching.
sshd(8) now supports CIDR matching in ~/.ssh/authorized_keys from="..." restrictions, also with a fallback to classic wildcard matching.
Added an extended test mode (-T) to sshd(8) to request that it write its effective configuration to stdout and exit. Extended test mode also supports the specification of connection parameters (username, source address and hostname) to test the application of sshd_config(5) Match rules.
ssh(1) now prints the number of bytes transferred and the overall connection throughput for SSH protocol 2 sessions when in verbose mode (previously these statistics were displayed for protocol 1 connections only).
sftp-server(8) now supports extension methods [email protected] and [email protected] that implement statvfs(2)-like operations.
sftp(1) now has a "df" command to the sftp client that uses the [email protected] to produce a df(1)-like display of filesystem space and inode utilisation (requires [email protected] support on the server)
Added a MaxSessions option to sshd_config(5) to allow control of the number of multiplexed sessions supported over a single TCP connection. This allows increasing the number of allowed sessions above the previous default of 10, disabling connection multiplexing (MaxSessions=1) or disallowing login/shell/subsystem sessions entirely (MaxSessions=0).
Added a [email protected] global request extension that is sent from ssh(1) to sshd(8) when the client knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session in cases where the client has been hijacked.
ssh-keygen(1) now supports the use of the -l option in combination with -F to search for a host in ~/.ssh/known_hosts and display its fingerprint.
ssh-keyscan(1) now defaults to "rsa" (protocol 2) keys, instead of "rsa1".
Added an AllowAgentForwarding option to sshd_config(8) to control whether authentication agent forwarding is permitted. Note that this is a loose control, as a client may install their own unofficial forwarder.
ssh(1) and sshd(8): avoid unnecessary malloc/copy/free when receiving network data, resulting in a ~10% speedup
ssh(1) and sshd(8) will now try additional addresses when connecting to a port forward destination whose DNS name resolves to more than one address. The previous behaviour was to try the only first address and give up if that failed. (bz#383)
ssh(1) and sshd(8) now support signalling that channels are half-closed for writing, through a channel protocol extension notification "[email protected]". This allows propagation of closed file descriptors, so that commands such as: "ssh -2 localhost od /bin/ls | true" do not send unnecessary data over the wire. (bz#85)
sshd(8): increased the default size of ssh protocol 1 ephemeral keys from 768 to 1024 bits.
When ssh(1) has been requested to fork after authentication ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until after replies for any -R forwards have been seen. Allows for robust detection of -R forward failure when using -f. (bz#92)
"Match group" blocks in sshd_config(5) now support negation of groups. E.g. "Match group staff,!guests" (bz#1315)
sftp(1) and sftp-server(8) now allow chmod-like operations to set set[ug]id/sticky bits. (bz#1310)
The MaxAuthTries option is now permitted in sshd_config(5) match blocks
Multiplexed ssh(1) sessions now support a subset of the ~ escapes that are available to a primary connection. (bz#1331)
ssh(1) connection multiplexing will now fall back to creating a new connection in most error cases. (bz#1439 bz#1329)
Added some basic interoperability tests against Twisted Conch.
Documented OpenSSH's extensions to and deviations from the published SSH protocols (the PROTOCOL file in the distribution)
Documented OpenSSH's ssh-agent protocol (PROTOCOL.agent).
Bug and documentation fixes
Make ssh(1) deal more gracefully with channel requests that fail. Previously it would optimistically assume that requests would always succeed, which could cause hangs if they did not (e.g. when the server runs out of file descriptors). (bz#1384)
ssh(1) now reports multiplexing errors via the multiplex slave's stderr where possible (subject to LogLevel in the mux master).
ssh(1) and sshd(8) now send terminate protocol banners with CR LF for protocol 2 to comply with RFC 4253. Previously they were terminated with CR alone. Protocol 1 banners remain CR terminated. (bz#1443)
Merged duplicate authentication file checks in sshd(8) and refuse to read authorised_keys and .shosts from non-regular files. (bz#1438)
Ensure that sshd(8)'s umask disallows at least group and world write, even if a more permissive one has been inherited. (bz#1433)
Suppress the warning message from sshd(8) when changing to a non-existent user home directory after chrooting. (bz#1461)
Mention that scp(1) follows symlinks when performing recursive copies. (bz#1466)
Prevent sshd(8) from erroneously applying public key restrictions leaned from ~/.ssh/authorized_keys to other authentication methods when public key authentication subsequently fails. (bz#1472)
Fix protocol keepalive timeouts - in some cases, keepalive packets were being sent, but the connection was not being closed when the limit for missing replies was exceeded. (bz#1465)
Fix ssh(1) sending invalid TTY modes when a TTY was forced (ssh -tt) but stdin was not a TTY. (bz#1199)
ssh(1) will now exit with a non-zero exit status if ExitOnForwardFailure was set and forwardings were disabled due to a failed host key check.
Fix MaxAuthTries tests to disallow a free authentication try to clients that skipped the protocol 2 "none" authentication method. (part of bz#1432)
Make keepalive timeouts apply while synchronously waiting for a packet, particularly during key renegotiation. (bz#1363)
sshd(8) has been audited to eliminate fd leaks and calls to fatal() in conditions of file descriptor exhaustion.
Avoid a sshd(8) hang-on-exit on Solaris caused by depending on the success of isatty() on a PTY master (undefined behaviour). Probably affected other platforms too. (bz#1463)
Fixed test for locked accounts on HP/UX with shadowed passwords disabled. (bz#1083)
Disable poll() fallback in atomiciov for Tru64. readv doesn't seem to be a comparable object there, which lead to compilation errors. (bz#1386)
Fall back to racy rename if link returns EXDEV. (bz#1447)
Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on some platforms (HP nonstop) it is a distinct errno. (bz#1467)
Avoid NULL dereferences in ancient sigaction replacement code. (bz#1240)
Avoid linking against libgssapi, which despite its name doesn't seem to implement all of GSSAPI. (bz#1276)
Use explicit noreturn attribute instead of __dead, fixing compilation problems on Interix. (bz#1112)
Added support password expiry on Tru64 SIA systems. (bz#1241)
Fixed an UMAC alignment problem that manifested on Itanium platforms. (bz#1462)
The sftp-server(8) manual now describes the requirements for transfer logging in chroot environments. (bz#1488)
Strip trailing dot from hostnames when the sshd_config(5) HostbasedUsesNameFromPacketOnly option is set. (bz#1200)

New in OpenSSH 5.0 (Apr 4, 2008)

New in OpenSSH 4.9 (Mar 31, 2008)

Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully.
Linked sftp-server(8) into sshd(8). The internal sftp server is used when the command "internal-sftp" is specified in a Subsystem or ForceCommand declaration. When used with ChrootDirectory, the internal sftp server requires no special configuration of files inside the chroot environment. Please refer to sshd_config(5) for more information.
Added a "no-user-rc" option for authorized_keys to disable execution of ~/.ssh/rc
Added a protocol extension method "[email protected]" for sftp-server(8) to perform POSIX atomic rename() operations.
Removed the fixed limit of 100 file handles in sftp-server(8). The server will now dynamically allocate handles up to the number of available file descriptors.
ssh(8) will now skip generation of SSH protocol 1 ephemeral server keys when in inetd mode and protocol 2 connections are negotiated. This speeds up protocol 2 connections to inetd-mode servers that also allow Protocol 1
Accept the PermitRootLogin directive in a sshd_config(5) Match block. Allows for, e.g. permitting root only from the local network.
Reworked sftp(1) argument splitting and escaping to be more internally consistent (i.e. between sftp commands) and more consistent with sh(1). Please note that this will change the interpretation of some quoted strings, especially those with embedded backslash escape sequences.
Support "Banner=none" in sshd_config(5) to disable sending of a pre-login banner (e.g. in a Match block).
ssh(1) ProxyCommands are now executed with $SHELL rather than /bin/sh.
ssh(1)'s ConnectTimeout option is now applied to both the TCP connection and the SSH banner exchange (previously it just covered the TCP connection). This allows callers of ssh(1) to better detect and deal with stuck servers that accept a TCP connection but don't progress the protocol, and also makes ConnectTimeout useful for connections via a ProxyCommand.
Many new regression tests, including interop tests against PuTTY's plink.
Support BSM auditing on Mac OS X