OpenSSH Changelog

New in version 6.7

October 7th, 2014
  • Potentially-incompatible changes:
  • sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
  • sshd(8): Support for tcpwrappers/libwrap has been removed.
  • OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the curve25519-sha256@libssh.org KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.
  • New Features:
  • Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form.
  • ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket.
  • ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types.
  • sftp(1): Allow resumption of interrupted uploads.
  • ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange; bz#2154
  • sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family; bz#2222
  • sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option; bz#2160
  • ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths; bz#2220
  • sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages; bz#2199
  • Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target.
  • Bugfixes:
  • sshd(8): Fix remote forwarding with the same listen port but different listen address.
  • ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config or on the commandline not to be preferred.
  • ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.
  • ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0; bz#2255
  • ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border; bz#2247
  • ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(); bz#2236
  • ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add doesn't); bz#2234
  • ssh-keygen(1): When hashing or removing hosts, don't choke on @revoked markers and don't remove @cert-authority markers; bz#2241
  • ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion)
  • scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end.
  • sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string; bz#2238
  • ssh-keyscan(1): Scan for Ed25519 keys by default.
  • ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down- convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225
  • Fix some strict-alignment errors.

New in version 6.5 (January 30th, 2014)

  • New features:
  • ssh(1), sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it.
  • ssh(1), sshd(8): Add support for Ed25519 as a public key type. Ed25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys.
  • Add a new private key format that uses a bcrypt KDF to better protect keys at rest. This format is used unconditionally for Ed25519 keys, but may be requested when generating or saving existing keys of other types via the -o ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file.
  • ssh(1), sshd(8): Add a new transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
  • ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release.
  • ssh(1), sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation.
  • ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC4419.
  • ssh(1), ssh-agent(1): Support pkcs#11 tokes that only provide X.509 certs instead of raw public keys (requested as bz#1908).
  • ssh(1): Add a ssh_config(5) "Match" keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands.
  • ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names.
  • sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name.
  • sftp-server(8): Add a sftp "fsync@openssh.com" to support calling fsync(2) on an open file handle.
  • sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option.
  • ssh(1): Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data.
  • Bugfixes:
  • ssh(1), sshd(8): Fix potential stack exhaustion caused by nested certificates.
  • ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.
  • sftp(1): bz#2137: fix the progress meter for resumed transfer.
  • ssh-add(1): bz#2187: do not request smartcard PIN when removing keys from ssh-agent.
  • sshd(8): bz#2139: fix re-exec fallback when original sshd binary cannot be executed.
  • ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time.
  • sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.
  • sftp(1): bz#2129: symlinking a file would incorrectly canonicalise the target path.
  • ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent helper executable.
  • sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any).
  • sshd(8): bz#1297: tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting.
  • sshd(8): bz#2162: include report port in bad protocol banner message.
  • sftp(1): bz#2163: fix memory leak in error path in do_readdir().
  • sftp(1): bz#2171: don't leak file descriptor on error.
  • sshd(8): Include the local address and port in "Connection from ..." message (only shown at loglevel>=verbose).
  • Portable OpenSSH:
  • Please note that this is the last version of Portable OpenSSH that will support versions of OpenSSL prior to 0.9.6. Support (i.e. SSH_OLD_EVP) will be removed following the 6.5p1 release.
  • Portable OpenSSH will attempt compile and link as a Position Independent Executable on Linux, OS X and OpenBSD on recent gcc- like compilers. Other platforms and older/other compilers may request this using the --with-pie configure flag.
  • A number of other toolchain-related hardening options are used automatically if available, including -ftrapv to abort on signed integer overflow and options to write-protect dynamic linking information. The use of these options may be disabled using the --without-hardening configure flag.
  • If the toolchain supports it, one of the -fstack-protector-strong, -fstack-protector-all or -fstack-protector compilation flag are used to add guards to mitigate attacks based on stack overflows. The use of these options may be disabled using the --without-stackprotect configure option.
  • sshd(8): Add support for pre-authentication sandboxing using the Capsicum API introduced in FreeBSD 10.
  • Switch to a ChaCha20-based arc4random() PRNG for platforms that do not provide their own.
  • sshd(8): bz#2156: restore Linux oom_adj setting when handling SIGHUP to maintain behaviour over retart.
  • sshd(8): bz#2032: use local username in krb5_kuserok check rather than full client name which may be of form user@REALM.
  • ssh(1), sshd(8): Test for both the presence of ECC NID numbers in OpenSSL and that they actually work. Fedora (at least) has NID_secp521r1 that doesn't work.
  • bz#2173: use pkg-config --libs to include correct -L location for libedit.

New in version 6.4 (November 9th, 2013)

  • This release fixes a security bug: sshd(8): fix a memory corruption problem triggered during rekeying when an AES-GCM cipher is selected. Full details of the vulnerability are available at: http://www.openssh.com/txt/gcmrekey.adv

New in version 6.2 (March 22nd, 2013)

  • Features:
  • ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com and aes256-gcm@openssh.com. It uses an identical packet format to the AES-GCM mode specified in RFC 5647, but uses simpler and different selection rules during key exchange.
  • ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes for SSH protocol 2. These modes alter the packet format and compute the MAC over the packet length and encrypted packet rather than over the plaintext data. These modes are considered more secure and are used by default when available.
  • ssh(1)/sshd(8): Added support for the UMAC-128 MAC as "umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter being an encrypt-then-mac mode.
  • sshd(8): Added support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete. This allows, for example, requiring a user having to authenticate via public key or GSSAPI before they are offered password authentication.
  • sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists (KRLs), a compact binary format to represent lists of revoked keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option.
  • ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile.
  • sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in addition to its previous "yes"/"no" keywords to allow the server to specify whether just local or remote TCP forwarding is enabled.
  • sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option.
  • sftp-server(8): Now supports a -d option to allow the starting directory to be something other than the user's home directory.
  • ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11 tokens using "ssh-keygen -lD pkcs11_provider".
  • ssh(1): When SSH protocol 2 only is selected (the default), ssh(1) now immediately sends its SSH protocol banner to the server without waiting to receive the server's banner, saving time when connecting.
  • ssh(1): Added ~v and ~V escape sequences to raise and lower the logging level respectively.
  • ssh(1): Made the escape command help (~?) context sensitive so that only commands that will work in the current session are shown.
  • ssh-keygen(1): When deleting host lines from known_hosts using "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines were removed.
  • Bugfixes:
  • ssh(1): Force a clean shutdown of ControlMaster client sessions when the ~. escape sequence is used. This means that ~. should now work in mux clients even if the server is no longer responding.
  • ssh(1): Correctly detect errors during local TCP forward setup in multiplexed clients. bz#2055
  • ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with adding keys with respect to certificates. It now tries to delete the corresponding certificate and respects the -k option to allow deleting of the key only.
  • sftp(1): Fix a number of parsing and command-editing bugs, including bz#1956
  • ssh(1): When muxmaster is run with -N, ensured that it shuts down gracefully when a client sends it "-O stop" rather than hanging around. bz#1985
  • ssh-keygen(1): When screening moduli candidates, append to the file rather than overwriting to allow resumption. bz#1957
  • ssh(1): Record "Received disconnect" messages at ERROR rather than INFO priority. bz#2057.
  • ssh(1): Loudly warn if explicitly-provided private key is unreadable. bz#1981
  • Portable OpenSSH:
  • sshd(8): The Linux seccomp-filter sandbox is now supported on ARM platforms where the kernel supports it.
  • sshd(8): The seccomp-filter sandbox will not be enabled if the system headers support it at compile time, regardless of whether it can be enabled then. If the run-time system does not support seccomp-filter, sshd will fall back to the rlimit pseudo-sandbox.
  • ssh(1): Don't link in the Kerberos libraries. They aren't necessary on the client, just on sshd(8). bz#2072
  • Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI library. bz#2073
  • Fix compilation on systems with openssl-1.0.0-fips.
  • Fix a number of errors in the RPM spec files.

New in version 6.0 (April 23rd, 2012)

  • Features:
  • ssh-keygen(1): Add optional checkpoints for moduli screening
  • ssh-add(1): new -k option to load plain keys (skipping certificates)
  • sshd(8): Add wildcard support to PermitOpen, allowing things like "PermitOpen localhost:*". bz #1857
  • ssh(1): support for cancelling local and remote port forwards via the multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host" to request the cancellation of the specified forwardings
  • support cancellation of local/dynamic forwardings from ~C commandline
  • Bugfixes:
  • ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games.
  • ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
  • scp(1): uppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms
  • ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class, but there is an "AF21" class
  • ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying
  • ssh(1): skip attempting to create ~/.ssh when -F is passed
  • sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
  • sshd(1): send tty break to pty master instead of (probably already closed) slave side; bz#1859
  • sftp(1): silence error spam for "ls */foo" in directory with files; bz#1683
  • Fixed a number of memory and file descriptor leaks
  • Portable OpenSSH:
  • Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental)
  • Fix compilation problems on FreeBSD, where libutil contained openpty() but not login().
  • ssh-keygen(1): don't fail in -A on platforms that don't support ECC
  • Add optional support for LDNS, a BSD licensed DNS resolver library which supports DNSSEC
  • Relax OpenSSL version check to allow running OpenSSH binaries on systems with OpenSSL libraries with a newer "fix" or "patch" level than the binaries were originally compiled on (previous check only allowed movement within "patch" releases). bz#1991
  • Fix builds using contributed Redhat spec file. bz#1992

New in version 5.8 (February 4th, 2011)

  • Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.