OpenSSH Changelog

What's new in OpenSSH 8.1

Oct 9, 2019
  • New Features:
  • ssh(1): Allow %n to be expanded in ProxyCommand strings
  • ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, e.g. "HostKeyAlgorithms ^ssh-ed25519"
  • ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email).
  • ssh-keygen(1): print key comment when extracting public key from a private key. bz#3052
  • ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. bz#3003
  • All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's.
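
The effect of the '^' prefix from the ssh(1), sshd(8) item above, next to the older '+' prefix, as an added example (a model of the documented behaviour, not OpenSSH code). The default list, the function names and the simplified first-match negotiation are assumptions of this example.

```python
# Added illustration, not OpenSSH source. DEFAULT_HOSTKEY_ALGS is a short,
# constructed default set; real defaults differ between releases.
DEFAULT_HOSTKEY_ALGS = [
    "ecdsa-sha2-nistp256",
    "ssh-ed25519",
    "rsa-sha2-512",
    "rsa-sha2-256",
]


def _dedup(names):
    """Keep the first occurrence of each name, preserving order."""
    seen, out = set(), []
    for name in names:
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def assemble(spec, defaults):
    """Resolve a config value such as '^ssh-ed25519' against the defaults."""
    spec = spec.strip()
    if spec.startswith("^"):
        # Prepend: listed names move to the head, the defaults stay as fallbacks.
        return _dedup(spec[1:].split(",") + defaults)
    if spec.startswith("+"):
        # Append: listed names become available but are tried last.
        return _dedup(defaults + spec[1:].split(","))
    # A plain list replaces the defaults entirely.
    return _dedup(spec.split(","))


def negotiate(client_prefs, server_algs):
    """Simplified selection rule: the first name on the client's list that
    the server also offers wins; None means no common algorithm."""
    for alg in client_prefs:
        if alg in server_algs:
            return alg
    return None


if __name__ == "__main__":
    server = ["rsa-sha2-512", "ssh-ed25519", "ecdsa-sha2-nistp256"]  # constructed
    for spec in ("^ssh-ed25519", "+ssh-ed25519", "ssh-ed25519"):
        prefs = assemble(spec, DEFAULT_HOSTKEY_ALGS)
        print(spec, "->", prefs, "chosen:", negotiate(prefs, server))
```

Prepending changes which algorithm is preferred without removing the fallbacks, whereas a plain list fails outright against a peer that offers none of the listed names.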

New in OpenSSH 8.0 (Apr 18, 2019)

  • This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content.
  • This release adds client-side checking that the filenames sent from the server match the command-line request.
  • The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead.
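
The kind of client-side check described above, as an added example (a simplified model for a non-recursive copy, not the code shipped in scp(1)). The function names and the sample filenames are constructed for illustration.

```python
import fnmatch
import posixpath


def requested_pattern(remote_path):
    """Last path component of what the user asked for, e.g. '*.log'."""
    return posixpath.basename(remote_path)


def rejection_reason(name, pattern):
    """Return None if a server-sent name is acceptable, else the reason."""
    # The server may only name an entry inside the target directory.
    if name in ("", ".", "..") or "/" in name:
        return "not a plain filename"
    # The name must be one the command-line request could have produced.
    if not fnmatch.fnmatchcase(name, pattern):
        return "does not match request"
    return None


def filter_offered_names(remote_path, offered):
    """Split the names a server offers into (accepted, rejected)."""
    pattern = requested_pattern(remote_path)
    accepted, rejected = [], []
    for name in offered:
        reason = rejection_reason(name, pattern)
        if reason is None:
            accepted.append(name)
        else:
            rejected.append((name, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed server responses to a request for 'logs/*.log'.
    offered = ["app.log", "db.log", "notes.txt", "../outside.log", "sub/app.log"]
    ok, bad = filter_offered_names("logs/*.log", offered)
    print("accepted:", ok)
    for name, reason in bad:
        print("rejected:", name, "-", reason)
```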

New in OpenSSH 7.4 (Dec 19, 2016)

  • Potentially-incompatible changes:
  • This release includes a number of changes that may affect existing configurations:
  • This release removes server support for the SSH v.1 protocol.
  • ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms anyway.
  • sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client.
  • ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time.
  • sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone.
  • sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions.
  • Changes since OpenSSH 7.3:
  • Security:
  • ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero.
  • sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero.
  • sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero.
  • sshd(8): The shared memory manager used by pre-authentication compression support had a bounds check that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/).
  • sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
  • sshd(8): Validate address ranges for AllowUsers and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry.
  • New Features:
  • ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc. This allows multiplexing mode to run on systems that lack file-descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..."
  • sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account.
  • sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org".
  • sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. bz#2641
  • sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks.
  • sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered.
  • Added regression tests for string matching, address matching and string sanitisation functions.
  • Improved the key exchange fuzzer harness.
  • Bugfixes:
  • ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key, e.g. a certificate id_rsa-cert.pub (and no id_rsa.pub). bz#2617
  • ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. bz#2642
  • regress: Allow the PuTTY interop tests to run unattended. bz#2639
  • ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. bz#2610
  • ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet.
  • sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt.
  • ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt.
  • ssh(1), sshd(8): Correctly report errors during sending of ext-info messages.
  • sshd(8): fix NULL-deref crash if sshd(8) received an out-of-sequence NEWKEYS message.
  • sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. bz#2547
  • sshd(8): Fix sending ext_info message if privsep is disabled.
  • sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration
  • sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin.
  • Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with -fsanitize-memory.
  • sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples.
  • Portability:
  • On environments configured with Turkish locales, fall back to the C/POSIX locale to avoid errors in configuration parsing caused by that locale's unique handling of the letters 'i' and 'I'. bz#2643
  • sftp-server(8), ssh-agent(1): Deny ptrace on OS X using ptrace(PT_DENY_ATTACH, ..)
  • ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
  • Fix compilation for libcrypto compiled without RIPEMD160 support.
  • contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
  • sshd(8): Improve PRNG reseeding across privilege separation and force libcrypto to obtain a high-quality seed before chroot or sandboxing.
  • All: Explicitly test for broken strnvis. NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Try to detect this mess, and assume the only safe option if we're cross compiling.
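
A configuration audit for the AllowUsers/DenyUsers address-range item in the Security list above, as an added example (not OpenSSH code). It reports every USER@CIDR pattern whose range does not parse, which is the condition that older releases silently treated as a match; the function name and the sample configuration are constructed, and only address syntax and prefix length are checked.

```python
import ipaddress

# Constructed sample configuration using documentation address ranges.
SAMPLE_SSHD_CONFIG = "\n".join([
    "# constructed sample, not a real host's configuration",
    "AllowUsers alice@192.0.2.0/24 bob@127.1.2.3/55 carol",
    "DenyUsers guest@2001:db8::/32 temp@198.51.100.0/33",
    "AllowUsers dave@*.example.org",
])


def invalid_address_ranges(config_text):
    """Return (line_number, directive, pattern) for every USER@CIDR pattern
    in AllowUsers/DenyUsers whose address range is not valid."""
    problems = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words or words[0].lower() not in ("allowusers", "denyusers"):
            continue
        for pattern in words[1:]:
            _user, at, host = pattern.rpartition("@")
            if not at or "/" not in host:
                # Bare user name, hostname or wildcard pattern: not a CIDR range.
                continue
            try:
                # strict=False: this audit checks the address and prefix
                # length only, not whether host bits are set.
                ipaddress.ip_network(host, strict=False)
            except ValueError:
                problems.append((lineno, words[0], pattern))
    return problems


if __name__ == "__main__":
    for lineno, directive, pattern in invalid_address_ranges(SAMPLE_SSHD_CONFIG):
        print(f"line {lineno}: {directive} has invalid address range in {pattern!r}")
```

Running such a check over configurations written for releases before 7.4 shows which entries were granting or denying access more broadly than intended and will be refused at load time after an upgrade.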

New in OpenSSH 7.3 (Aug 2, 2016)

  • Security:
  • sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
  • sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com
  • ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility.
  • ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht.
  • sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh.
  • New Features:
  • ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through one or more SSH bastions or "jump hosts".
  • ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment.
  • ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577
  • ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00.
  • ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
  • ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates.
  • ssh(1): Add an Include directive for ssh_config(5) files.
  • ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. bz#2058
  • Bugfixes:
  • ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. bz#2585
  • sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. bz#2398
  • sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
  • ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. bz#1988
  • misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. bz#2529
  • ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. bz#2562
  • sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. bz#2559.
  • sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts; bz#2554
  • ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. bz#2550
  • sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252

New in OpenSSH 7.2 (Feb 29, 2016)

  • Security:
  • ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2).
  • ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension.
  • ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits.
  • sshd(8): pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config).
  • New Features:
  • all: add support for RSA signatures using SHA-256/512 hash algorithms based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
  • ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm').
  • sshd(8): add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future.
  • ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436
  • ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats.
  • ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -"
  • ssh-keygen(1): allow fingerprinting multiple public keys in a file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
  • sshd(8): support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486
  • ssh-keygen(1): support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L"
  • ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys.
  • ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and remove the trailing '.' before matching ssh_config.
  • Bugfixes:
  • sftp(1): existing destination directories should not terminate recursive uploads (regression in openssh 6.8) bz#2528
  • ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during key exchange. bz#2949
  • ssh(1): refuse attempts to set ConnectionAttempts=0, which does not make sense and would cause ssh to print an uninitialised stack variable. bz#2500
  • ssh(1): fix errors when attempting to connect to scoped IPv6 addresses with hostname canonicalisation enabled.
  • sshd_config(5): list a couple more options usable in Match blocks. bz#2489
  • sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
  • ssh(1): expand tilde characters in filenames passed to -i options before checking whether or not the identity file exists. Avoids confusion for cases where shell doesn't expand (e.g. "-i ~/file" vs. "-i~/file"). bz#2481
  • ssh(1): do not prepend "exec" to the shell command run by "Match exec" in a config file, which could cause some commands to fail in certain environments. bz#2471
  • ssh-keyscan(1): fix output for multiple hosts/addrs on one line when host hashing or a non standard port is in use bz#2479
  • sshd(8): skip "Could not chdir to home directory" message when ChrootDirectory is active. bz#2485
  • ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
  • sshd(8): avoid changing TunnelForwarding device flags if they are already what is needed; makes it possible to use tun/tap networking as non-root user if device permissions and interface flags are pre-established
  • ssh(1), sshd(8): RekeyLimits could be exceeded by one packet. bz#2521
  • ssh(1): fix multiplexing master failure to notice client exit.
  • ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present empty key IDs. bz#1773
  • sshd(8): avoid printf of NULL argument. bz#2535
  • ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
  • ssh-keygen(1), sshd(8): fix several bugs in (unused) KRL signature support.
  • ssh(1), sshd(8): fix connections with peers that use the key exchange guess feature of the protocol. bz#2515
  • sshd(8): include remote port number in log messages. bz#2503
  • ssh(1): don't try to load SSHv1 private key when compiled without SSHv1 support. bz#2505
  • ssh-agent(1), ssh(1): fix incorrect error messages during key loading and signing errors. bz#2507
  • ssh-keygen(1): don't leave empty temporary files when performing known_hosts file edits when known_hosts doesn't exist.
  • sshd(8): correct packet format for tcpip-forward replies for requests that don't allocate a port bz#2509
  • ssh(1), sshd(8): fix possible hang on closed output. bz#2469
  • ssh(1): expand %i in ControlPath to UID. bz#2449
  • ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
  • ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
  • ssh(1): add some debug output before DNS resolution; it's a place where ssh could previously silently stall in cases of unresponsive DNS servers. bz#2433
  • ssh(1): remove spurious newline in visual hostkey. bz#2686
  • ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
  • ssh(1): fix expansion of HostkeyAlgorithms=+...
  • Documentation:
  • ssh_config(5), sshd_config(5): update default algorithm lists to match current reality. bz#2527
  • ssh(1): mention -Q key-plain and -Q key-cert query options. bz#2455
  • sshd_config(8): more clearly describe what AuthorizedKeysFile=none does.
  • ssh_config(5): better document ExitOnForwardFailure. bz#2444
  • sshd(5): mention internal DH-GEX fallback groups in manual. bz#2302
  • sshd_config(5): better description for MaxSessions option. bz#2531
  • Portability:
  • ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/Solaris fine-grained privileges, including a pre-auth privsep sandbox and several pledge() emulations. bz#2511
  • Renovate redhat/openssh.spec, removing deprecated options and syntax.
  • configure: allow --without-ssl-engine with --without-openssl
  • sshd(8): fix multiple authentication using S/Key. bz#2502
  • sshd(8): read back from libcrypto RAND_* before dropping privileges. Avoids sandboxing violations with BoringSSL.
  • Fix name collision with system-provided glob(3) functions. bz#2463
  • Adapt Makefile to use ssh-keygen -A when generating host keys. bz#2459
  • configure: correct default value for --with-ssh1 bz#2457
  • configure: better detection of _res symbol bz#2259
  • support getrandom() syscall on Linux

New in OpenSSH 7.1p2 (Jan 14, 2016)

  • SECURITY: ssh(1): The OpenSSH client code between 5.4 and 7.1 contains experimental support for resuming SSH-connections (roaming). The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys. The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.
  • MITIGATION: For OpenSSH >= 5.4 the vulnerable code in the client can be completely disabled by adding 'UseRoaming no' to the global ssh_config(5) file, or to user configuration in ~/.ssh/config, or by passing -oUseRoaming=no on the command line.
  • PATCH: See below for a patch to disable this feature (Disabling Roaming in the Source Code). This problem was reported by the Qualys Security Advisory team.
  • SECURITY: Fix an out-of-bound read access in the packet handling code. Reported by Ben Hawkes.
  • PROTOCOL: Correctly interpret the 'first_kex_follows' option during the initial key exchange. Reported by Matt Johnston.
  • Further use of explicit_bzero has been added in various buffer handling code paths to guard against compilers aggressively doing dead-store removal.

New in OpenSSH 7.1 (Aug 23, 2015)

  • Security:
  • sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas.
  • Bugfixes:
  • ssh(1), sshd(8): add compatibility workarounds for FuTTY
  • ssh(1), sshd(8): refine compatibility workarounds for WinSCP
  • Fix a number of memory faults (double-free, free of uninitialised memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz Kocielski.

New in OpenSSH 6.9 (Jul 1, 2015)

  • Security:
  • ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn.
  • ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci.
  • New Features:
  • ssh(1), sshd(8): promote chacha20-poly1305@openssh.com to be the default cipher
  • sshd(8): support admin-specified arguments to AuthorizedKeysCommand; bz#2081
  • sshd(8): add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file.
  • ssh(1), ssh-add(1): support PKCS#11 devices with external PIN entry devices bz#2240
  • sshd(8): allow GSSAPI host credential check to be relaxed for multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928
  • ssh-keygen(1): support "ssh-keygen -lF hostname" to search known_hosts and print key hashes rather than full keys.
  • ssh-agent(1): add -D flag to leave ssh-agent in foreground without enabling debug mode; bz#2381
  • Bugfixes:
  • ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP).
  • Many fixes for problems caused by compile-time deactivation of SSH1 support (including bz#2369)
  • ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes >4K; bz#2209
  • ssh(1): fix out-of-bound read in EscapeChar configuration option parsing; bz#2396
  • sshd(8): fix application of PermitTunnel, LoginGraceTime, AuthenticationMethods and StreamLocalBindMask options in Match blocks
  • ssh(1), sshd(8): improve disconnection message on TCP reset; bz#2257
  • ssh(1): remove failed remote forwards established by multiplexing from the list of active forwards; bz#2363
  • sshd(8): make parsing of authorized_keys "environment=" options independent of PermitUserEnv being enabled; bz#2329
  • sshd(8): fix post-auth crash with permitopen=none; bz#2355
  • ssh(1), ssh-add(1), ssh-keygen(1): allow new-format private keys to be encrypted with AEAD ciphers; bz#2366
  • ssh(1): allow ListenAddress, Port and AddressFamily configuration options to appear in any order; bz#86
  • sshd(8): check for and reject missing arguments for VersionAddendum and ForceCommand; bz#2281
  • ssh(1), sshd(8): don't treat unknown certificate extensions as fatal; bz#2387
  • ssh-keygen(1): make stdout and stderr output consistent; bz#2325
  • ssh(1): mention missing DISPLAY environment in debug log when X11 forwarding requested; bz#1682
  • sshd(8): correctly record login when UseLogin is set; bz#378
  • sshd(8): Add some missing options to sshd -T output and fix output of VersionAddendum and HostCertificate. bz#2346
  • Document and improve consistency of options that accept a "none" argument: TrustedUserCAKeys, RevokedKeys (bz#2382), AuthorizedPrincipalsFile (bz#2288)
  • ssh(1): include remote username in debug output; bz#2368
  • sshd(8): avoid compatibility problem with some versions of Tera Term, which would crash when they received the hostkeys notification message (hostkeys-00@openssh.com)
  • sshd(8): mention ssh-keygen -E as useful when comparing legacy MD5 host key fingerprints; bz#2332
  • ssh(1): clarify pseudo-terminal request behaviour and make manual language consistent; bz#1716
  • ssh(1): document that the TERM environment variable is not subject to SendEnv and AcceptEnv; bz#2386
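
The three hardening measures named in the ssh-agent(1) locking item above (salted hash instead of the stored password, timing-safe comparison, increasing failure delay), combined in one added example. This is a model written for this page, not ssh-agent's code: the class, the use of PBKDF2, and the delay values are assumptions.

```python
import hashlib
import hmac
import os
import time


class AgentLock:
    """Passphrase lock that stores only a salted hash of the passphrase."""

    BASE_DELAY = 0.1    # seconds added per consecutive failure (assumed value)
    MAX_DELAY = 10.0    # upper bound on the delay (assumed value)

    def __init__(self, sleep=time.sleep):
        self._sleep = sleep     # injectable so callers and tests can observe delays
        self._salt = None
        self._digest = None
        self._failures = 0

    @staticmethod
    def _derive(passphrase, salt):
        # Salted, deliberately slow hash. PBKDF2 is this example's choice.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def lock(self, passphrase):
        if self._digest is not None:
            return False                    # already locked
        self._salt = os.urandom(16)         # fresh salt for every lock
        self._digest = self._derive(passphrase, self._salt)
        return True

    def unlock(self, passphrase):
        if self._digest is None:
            return False                    # nothing to unlock
        candidate = self._derive(passphrase, self._salt)
        # compare_digest takes the same time wherever the first mismatch is.
        if hmac.compare_digest(candidate, self._digest):
            self._salt = self._digest = None
            self._failures = 0
            return True
        # Each consecutive failure waits longer, which slows online guessing.
        self._failures += 1
        self._sleep(min(self.BASE_DELAY * self._failures, self.MAX_DELAY))
        return False

    def stored_state(self):
        """What an attacker reading the process memory would find."""
        return self._salt, self._digest


if __name__ == "__main__":
    delays = []
    lock = AgentLock(sleep=delays.append)   # record delays instead of sleeping
    lock.lock("constructed passphrase")
    for guess in ("guess one", "guess two", "guess three"):
        lock.unlock(guess)
    print("delays applied:", delays)
    print("unlocked:", lock.unlock("constructed passphrase"))
```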

New in OpenSSH 6.8 (Mar 18, 2015)

  • New Features:
  • Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout.
  • Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format is "SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE". Please note that visual host keys will also be different.
  • ssh(1), sshd(8): Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option (default off).
  • ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication.
  • ssh(1), sshd(8): fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths.
  • ssh(1): when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bz#2074 and avoiding needless DNS lookups in some cases.
  • ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support.
  • ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication.
  • sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption.
  • sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys.
  • sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all.
  • sshd(8): Don't count partial authentication success as a failure against MaxAuthTries.
  • ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys.
  • ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA.
  • ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass.
  • ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T".
  • ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
  • The regression test suite has been extended to cover more OpenSSH features. The unit tests have been expanded and now cover key exchange.
  • Bugfixes:
  • ssh-keyscan(1): ssh-keyscan has been made much more robust against servers that hang or violate the SSH protocol.
  • ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields.
  • ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2286
  • ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes) bz#2267
  • ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use; bz#2324;
  • ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats; bz#2345.
  • ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.
  • Various fixes to manual pages: bz#2288, bz#2316, bz#2273

New in OpenSSH 6.7 (Oct 7, 2014)

  • Potentially-incompatible changes:
  • sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
  • sshd(8): Support for tcpwrappers/libwrap has been removed.
  • OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.
  • New Features:
  • Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form.
  • ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket.
  • ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types.
  • sftp(1): Allow resumption of interrupted uploads.
  • ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange; bz#2154
  • sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family; bz#2222
  • sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160
  • ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths; bz#2220
  • sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199
  • Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target.
  • Bugfixes:
  • sshd(8): Fix remote forwarding with the same listen port but different listen address.
  • ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config or on the commandline not to be preferred.
  • ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.
  • ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0; bz#2255
  • ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border; bz#2247
  • ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(); bz#2236
  • ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add doesn't); bz#2234
  • ssh-keygen(1): When hashing or removing hosts, don't choke on @revoked markers and don't remove @cert-authority markers; bz#2241
  • ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)
  • scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end.
  • sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string; bz#2238
  • ssh-keyscan(1): Scan for Ed25519 keys by default.
  • ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys.
  • sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
  • Fix some strict-alignment errors.
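
An added example (not OpenSSH project code): a Python check for the 6.7 default change listed above. It flags CBC and arcfour* ciphers that an explicit Ciphers line has brought back, and lists MACs that are not encrypt-then-MAC variants. It assumes input in the "keyword value" layout that "sshd -T" prints; the sample text is constructed and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Name patterns for the ciphers the 6.7 note says left the sshd defaults.
REMOVED_CIPHER_PATTERNS = ("*-cbc", "*-cbc@*", "arcfour*")
# OpenSSH's encrypt-then-MAC variants carry this suffix.
ETM_SUFFIX = "-etm@openssh.com"

# Constructed sample in the layout of "sshd -T" output (not from a real host).
SAMPLE_SSHD_T = """\
port 22
ciphers aes128-ctr,aes256-cbc,arcfour256,aes256-gcm@openssh.com,rijndael-cbc@lysator.liu.se
macs hmac-sha2-256-etm@openssh.com,hmac-md5,umac-128@openssh.com
"""


def parse_effective_config(text):
    """Turn 'keyword value' lines into a dict keyed by lower-case keyword."""
    config = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            config[parts[0].lower()] = parts[1].strip()
    return config


def audit_algorithms(text):
    """Return the legacy ciphers and non-EtM MACs enabled in the given config."""
    config = parse_effective_config(text)
    ciphers = [c for c in config.get("ciphers", "").split(",") if c]
    macs = [m for m in config.get("macs", "").split(",") if m]
    legacy = [c for c in ciphers
              if any(fnmatchcase(c, p) for p in REMOVED_CIPHER_PATTERNS)]
    return {
        "legacy_ciphers": legacy,
        "non_etm_macs": [m for m in macs if not m.endswith(ETM_SUFFIX)],
    }


if __name__ == "__main__":
    for finding, names in audit_algorithms(SAMPLE_SSHD_T).items():
        print(finding, ", ".join(names) or "(none)")
```

A non-empty legacy_ciphers list means the server's Ciphers setting has re-enabled algorithms that the 6.7 defaults dropped.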

New in OpenSSH 6.5 (Jan 30, 2014)

  • New features:
  • ssh(1), sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it.
  • ssh(1), sshd(8): Add support for Ed25519 as a public key type. Ed25519 is an elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys.
  • Add a new private key format that uses a bcrypt KDF to better protect keys at rest. This format is used unconditionally for Ed25519 keys, but may be requested when generating or saving existing keys of other types via the -o ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file.
  • ssh(1), sshd(8): Add a new transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
  • ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release.
  • ssh(1), sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation.
  • ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC4419.
  • ssh(1), ssh-agent(1): Support pkcs#11 tokens that only provide X.509 certs instead of raw public keys (requested as bz#1908).
  • ssh(1): Add a ssh_config(5) "Match" keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands.
  • ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names.
  • sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name.
  • sftp-server(8): Add a sftp "fsync@openssh.com" to support calling fsync(2) on an open file handle.
  • sshd(8): Add a sshd_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option.
  • ssh(1): Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data.
  • Bugfixes:
  • ssh(1), sshd(8): Fix potential stack exhaustion caused by nested certificates.
  • ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.
  • sftp(1): bz#2137: fix the progress meter for resumed transfer.
  • ssh-add(1): bz#2187: do not request smartcard PIN when removing keys from ssh-agent.
  • sshd(8): bz#2139: fix re-exec fallback when original sshd binary cannot be executed.
  • ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time.
  • sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.
  • sftp(1): bz#2129: symlinking a file would incorrectly canonicalise the target path.
  • ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent helper executable.
  • sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any).
  • sshd(8): bz#1297: tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting.
  • sshd(8): bz#2162: include report port in bad protocol banner message.
  • sftp(1): bz#2163: fix memory leak in error path in do_readdir().
  • sftp(1): bz#2171: don't leak file descriptor on error.
  • sshd(8): Include the local address and port in "Connection from ..." message (only shown at loglevel>=verbose).
  • Portable OpenSSH:
  • Please note that this is the last version of Portable OpenSSH that will support versions of OpenSSL prior to 0.9.6. Support (i.e. SSH_OLD_EVP) will be removed following the 6.5p1 release.
  • Portable OpenSSH will attempt to compile and link as a Position Independent Executable on Linux, OS X and OpenBSD on recent gcc-like compilers. Other platforms and older/other compilers may request this using the --with-pie configure flag.
  • A number of other toolchain-related hardening options are used automatically if available, including -ftrapv to abort on signed integer overflow and options to write-protect dynamic linking information. The use of these options may be disabled using the --without-hardening configure flag.
  • If the toolchain supports it, one of the -fstack-protector-strong, -fstack-protector-all or -fstack-protector compilation flags is used to add guards to mitigate attacks based on stack overflows. The use of these options may be disabled using the --without-stackprotect configure option.
  • sshd(8): Add support for pre-authentication sandboxing using the Capsicum API introduced in FreeBSD 10.
  • Switch to a ChaCha20-based arc4random() PRNG for platforms that do not provide their own.
  • sshd(8): bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over restart.
  • sshd(8): bz#2032: use local username in krb5_kuserok check rather than full client name which may be of form user@REALM.
  • ssh(1), sshd(8): Test for both the presence of ECC NID numbers in OpenSSL and that they actually work. Fedora (at least) has NID_secp521r1 that doesn't work.
  • bz#2173: use pkg-config --libs to include correct -L location for libedit.

New in OpenSSH 6.4 (Nov 9, 2013)

  • This release fixes a security bug: sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv

New in OpenSSH 6.2 (Mar 22, 2013)

  • Features:
  • ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com and aes256-gcm@openssh.com. It uses an identical packet format to the AES-GCM mode specified in RFC 5647, but uses simpler and different selection rules during key exchange.
  • ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes for SSH protocol 2. These modes alter the packet format and compute the MAC over the packet length and encrypted packet rather than over the plaintext data. These modes are considered more secure and are used by default when available.
  • ssh(1)/sshd(8): Added support for the UMAC-128 MAC as "umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter being an encrypt-then-mac mode.
  • sshd(8): Added support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete. This allows, for example, requiring a user having to authenticate via public key or GSSAPI before they are offered password authentication.
  • sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists (KRLs), a compact binary format to represent lists of revoked keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option.
  • ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile.
  • sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in addition to its previous "yes"/"no" keywords to allow the server to specify whether just local or remote TCP forwarding is enabled.
  • sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option.
  • sftp-server(8): Now supports a -d option to allow the starting directory to be something other than the user's home directory.
  • ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11 tokens using "ssh-keygen -lD pkcs11_provider".
  • ssh(1): When SSH protocol 2 only is selected (the default), ssh(1) now immediately sends its SSH protocol banner to the server without waiting to receive the server's banner, saving time when connecting.
  • ssh(1): Added ~v and ~V escape sequences to raise and lower the logging level respectively.
  • ssh(1): Made the escape command help (~?) context sensitive so that only commands that will work in the current session are shown.
  • ssh-keygen(1): When deleting host lines from known_hosts using "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines were removed.
  • Bugfixes:
  • ssh(1): Force a clean shutdown of ControlMaster client sessions when the ~. escape sequence is used. This means that ~. should now work in mux clients even if the server is no longer responding.
  • ssh(1): Correctly detect errors during local TCP forward setup in multiplexed clients. bz#2055
  • ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with adding keys with respect to certificates. It now tries to delete the corresponding certificate and respects the -k option to allow deleting of the key only.
  • sftp(1): Fix a number of parsing and command-editing bugs, including bz#1956
  • ssh(1): When muxmaster is run with -N, ensured that it shuts down gracefully when a client sends it "-O stop" rather than hanging around. bz#1985
  • ssh-keygen(1): When screening moduli candidates, append to the file rather than overwriting to allow resumption. bz#1957
  • ssh(1): Record "Received disconnect" messages at ERROR rather than INFO priority. bz#2057.
  • ssh(1): Loudly warn if explicitly-provided private key is unreadable. bz#1981
  • Portable OpenSSH:
  • sshd(8): The Linux seccomp-filter sandbox is now supported on ARM platforms where the kernel supports it.
  • sshd(8): The seccomp-filter sandbox will not be enabled if the system headers support it at compile time, regardless of whether it can be enabled then. If the run-time system does not support seccomp-filter, sshd will fall back to the rlimit pseudo-sandbox.
  • ssh(1): Don't link in the Kerberos libraries. They aren't necessary on the client, just on sshd(8). bz#2072
  • Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI library. bz#2073
  • Fix compilation on systems with openssl-1.0.0-fips.
  • Fix a number of errors in the RPM spec files.
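
An added example (not sshd's own code): a small Python model of the AuthenticationMethods rule from the 6.2 feature list above, where authentication completes once every method in any one list has succeeded. It assumes methods must be completed in the order listed and that only the next method of each list is offered, as sshd_config(5) describes; method names are compared as plain strings and the function names are hypothetical.

```python
def parse_authentication_methods(value):
    """Whitespace separates alternative lists; commas separate methods in a list."""
    lists = [item.split(",") for item in value.split()]
    if not lists or any(not name for lst in lists for name in lst):
        raise ValueError("empty list or method name in %r" % value)
    return lists


def offered(remaining):
    """Methods on offer now: the next method of each unfinished list."""
    names = []
    for lst in remaining:
        if lst and lst[0] not in names:
            names.append(lst[0])
    return names


def replay(value, successful_methods):
    """Feed successful method completions in order; return (authenticated, trace)."""
    remaining = parse_authentication_methods(value)
    trace = []
    for method in successful_methods:
        if method not in offered(remaining):
            trace.append((method, "refused: not offered at this stage"))
            continue
        # Strike the method off the head of every list that was waiting for it.
        remaining = [lst[1:] if lst[0] == method else lst for lst in remaining]
        if any(not lst for lst in remaining):
            trace.append((method, "authenticated"))
            return True, trace
        trace.append((method, "partial success, next: " + ",".join(offered(remaining))))
    return False, trace


# The page's scenario: public key or GSSAPI must succeed before password is offered.
POLICY = "publickey,password gssapi-with-mic,password"

if __name__ == "__main__":
    for attempt in (["password"], ["publickey"], ["gssapi-with-mic", "password"]):
        print(attempt, "->", replay(POLICY, attempt))
```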

New in OpenSSH 6.0 (Apr 23, 2012)

  • Features:
  • ssh-keygen(1): Add optional checkpoints for moduli screening
  • ssh-add(1): new -k option to load plain keys (skipping certificates)
  • sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
  • ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
  • support cancellation of local/dynamic forwardings from ~C commandline
  • Bugfixes:
  • ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
  • ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
  • scp(1): suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
  • ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
  • ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
  • ssh(1): skip attempting to create ~/.ssh when -F is passed
  • sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
  • sshd(8): send tty break to pty master instead of (probably already closed) slave side; bz#1859
  • sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
  • Fixed a number of memory and file descriptor leaks
  • Portable OpenSSH:
  • Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental)
  • Fix compilation problems on FreeBSD, where libutil contained openpty() but not login().
  • ssh-keygen(1): don't fail in -A on platforms that don't support ECC
  • Add optional support for LDNS, a BSD licensed DNS resolver library which supports DNSSEC
  • Relax OpenSSL version check to allow running OpenSSH binaries on systems with OpenSSL libraries with a newer "fix" or "patch" level than the binaries were originally compiled on (previous check only allowed movement within "patch" releases). bz#1991
  • Fix builds using contributed Redhat spec file. bz#1992

New in OpenSSH 5.8 (Feb 4, 2011)

  • Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.