Difference between revisions of "OpenSSH changelog"
(→2021) Tags: Mobile web edit, Mobile edit |
(→2021) |
||
Line 6: | Line 6: | ||
== 2021 == | == 2021 == | ||
* [[OpenSSH]] 8.8 September 2021 https://www.openssh.com/txt/release-8.8 | * [[OpenSSH]] 8.8 September 2021 https://www.openssh.com/txt/release-8.8 | ||
− | ** Disables [[RSA]] signatures using the [[SHA-1]] hash algorithm by default. It can be enabled for specific hosts using [[HostkeyAlgorithms]] directive. | + | ** Disables [[RSA]] signatures using the [[SHA-1]] [[hash algorithm]] by default. It can be enabled for specific hosts using [[HostkeyAlgorithms]] directive. |
** SECURITY: Potential privilege escalation on [[AuthorizedKeysCommand]] or [[AuthorizedPrincipalsCommand]] | ** SECURITY: Potential privilege escalation on [[AuthorizedKeysCommand]] or [[AuthorizedPrincipalsCommand]] | ||
** FEATURE: ssh(1): allow the ssh_config(5) [[CanonicalizePermittedCNAMEs]] directive to accept a "none" argument to specify the default behaviour | ** FEATURE: ssh(1): allow the ssh_config(5) [[CanonicalizePermittedCNAMEs]] directive to accept a "none" argument to specify the default behaviour |
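Review bot: the second sentence of the changed line still reads "using [[HostkeyAlgorithms]] directive" with no article, and it does not say which configuration file the directive belongs in. Suggest "using the [[HostkeyAlgorithms]] directive" and naming the file, since this is the line a reader will follow when a host key stops being accepted. The new [[hash algorithm]] link itself is fine.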
Revision as of 10:21, 26 October 2021
Source: https://www.openssh.com/releasenotes.html
2021
- OpenSSH 8.8 September 2021 https://www.openssh.com/txt/release-8.8
- Disables RSA signatures using the SHA-1 hash algorithm by default. It can be enabled for specific hosts using HostkeyAlgorithms directive.
- SECURITY: Potential privilege escalation on AuthorizedKeysCommand or AuthorizedPrincipalsCommand
- FEATURE: ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs directive to accept a "none" argument to specify the default behaviour
- OpenSSH 8.7 August 2021 https://www.openssh.com/txt/release-8.7
- scp(1): experimental support for transfers using the SFTP protocol
- ssh ForkAfterAuthentication
- OpenSSH 8.6 19 April 2021 https://www.openssh.com/txt/release-8.6
- SECURITY: LogVerbose keyword vulnerability fixed
- FEATURE: Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX
- OpenSSH 8.5 03 March 2021 https://www.openssh.com/txt/release-8.5
- SECURITY: ssh-agent: fixed a double-free memory corruption that was introduced in OpenSSH 8.2 (Feb 2020)
- Update/replace the experimental post-quantum hybrid key exchange method
- FEATURE: new LogVerbose configuration directive in ssh and sshd that allows forcing maximum debug logging by file/function/line pattern-lists.
2020
- OpenSSH 8.4 Sep 2020 https://www.openssh.com/txt/release-8.4
- FEATURE: ssh-keygen: Enable FIDO 2.1
- ssh, sshd add a new LogVerbose configuration directive
- OpenSSH 8.3, May 2020 https://www.openssh.com/txt/release-8.3
- sshd: IgnoreRhosts has a new option: shosts-only. 3 options in total: yes|no|shosts-only
- scp security bug fix, see Scp#Security
- OpenSSH 8.2, February 2020 [1]. Included in Ubuntu 20.04 LTS
2019
- OpenSSH 8.1[2][3], released in October 2019
- ssh, sshd, ssh-agent: add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed.
- OpenSSH 8.0[4][5], released in April 2019
2018
- OpenSSH 7.9[7], released in October 2018
- allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash
- OpenSSH 7.8[8], released in August 2018
- Incompatible changes: ssh-keygen writes OpenSSH format private keys by default instead of using OpenSSL's PEM format.
- OpenSSH 7.7[9], released in February 2018
- FEATURE: Add "expiry-time" option in sshd for authorized_keys files to allow for expiring keys.
2017
- OpenSSH 7.6[10], released in October 2017. Included in Ubuntu 18.04.4 LTS
- FEATURE: Add RemoteCommand option
- FEATURE: Add SyslogFacility option to ssh matching the equivalent option in sshd
- FEATURE: ssh client reverse dynamic forwarding -R
- OpenSSH 7.5[11], released in March 2017
- BUGFIX: This is mainly a bugfix release.
- ssh: new accept-new option for StrictHostKeyChecking
- Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.
2016
- OpenSSH 7.4[12], released in December 2016
- sshd(8): Add a sshd_config DisableForwarding option
- OpenSSH 7.3[13], released August 01, 2016
- FEATURE: Adds ProxyJump option (-J)
- FEATURE: Add an include directive for ssh_config files
- FEATURE: ssh add an include directive for ssh_config files.
2015
- OpenSSH 7.1: August 20, 2015[14]
- Bugfix: This is a bugfix release.
- OpenSSH 7.0: August 11, 2015[15]
- The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography.
- OpenSSH 6.9: July 1, 2015[16]
- Bugfix: This is primarily a bugfix release.
- OpenSSH 6.8: March 18, 2015
- Added new [email protected] extension to facilitate public key discovery and rotation for trusted hosts (for transition from DSA to Ed25519 public host keys)[17]
- AuthenticationMethods=publickey,publickey to require that users authenticate using two different public keys[18]
2014
- OpenSSH 6.7: October 6, 2014
- OpenSSH 6.6: March 16, 2014
- This is primarily a bugfix release.
- OpenSSH 6.5[20][21]: January 30, 2014
- Added new ssh-ed25519 and [email protected] public key types (available since 2005 but more popular since some became suspicious that the NSA had chosen values that gave it an advantage in factoring public keys)[22]
- Added new chacha20-poly1305@openssh.com transport cipher[23][24]
- Added curve25519-sha256@libssh.org key exchange
- FEATURE: ssh, added Match keyword for ssh_config that allows conditional configuration to be applied [25]
- FEATURE: client-side hostname canonicalisation: CanonicalDomains, CanonicalizeFallbackLocal, CanonicalizeHostname, CanonicalizeMaxDots and CanonicalizePermittedCNAMEs.[26][27]
- Add a new private key format that uses a bcrypt KDF
2013
- OpenSSH 6.4: November 8, 2013 [28]
- This release fixes a security bug with AES-GCM
- OpenSSH 6.3: September 13, 2013
- This release is predominantly a bugfix release
- OpenSSH 6.2: March 22, 2013
- Add a GCM-mode for the AES cipher, similar to RFC, RFI
- Added support for encrypt-then-mac MAC modes
- Added support for multiple required authentication methods
- Added support for Key Revocation Lists (KRL)
2012
- OpenSSH 6.1: August 29, 2012
- This is primarily a bugfix release.
- Enables pre-auth sandboxing by default
- Finds ECDSA keys in ssh-keyscan and SSHFP DNS records by default now
- OpenSSH 6.0: April 22, 2012
- This is primarily a bugfix release.
2011
- OpenSSH 5.9: September 6, 2011
- Introduce sandboxing of the pre-auth privilege separated child
- OpenSSH 5.8: February 4, 2011
- OpenSSH 5.7: January 24, 2011
- Added support for elliptic curve cryptography for key exchange as well as host/user keys, per RFC, RFI
2010
- OpenSSH 5.6: August 23, 2010
- Added a ControlPersist option to ssh_config
- OpenSSH 5.5: April 16, 2010
- OpenSSH 5.4: March 8, 2010
- Disabled SSH protocol 1 default support. Clients and servers must now explicitly enable it.
- Added PKCS11 authentication support for ssh(1) (-I pkcs11)
- Added Certificate based authentication
- Added "Netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards stdin and stdout instead. This allows, for example, using ssh(1) itself as a ssh(1) ProxyCommand to route connections via intermediate servers, without the need for nc(1) on the server machine.
- Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.
2009
- OpenSSH 5.3: October 1, 2009
- OpenSSH 5.2: February 23, 2009
2008
- OpenSSH 5.1: July 21, 2008[29]
- Added a MaxSessions option to sshd_config to control the number of multiplexed sessions
- Added sshd -T, an extended test mode
- OpenSSH 5.0: April 3, 2008 [30]
- OpenSSH 4.9: March 30, 2008 [31]
- Added chroot support for sshd
- Create an internal SFTP (internal-sftp directive) server for easier use of the chroot functionality
2007
- OpenSSH 4.7: September 4, 2007
- Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352)
- OpenSSH 4.6: March 9, 2007
2006
- OpenSSH 4.5: November 7, 2006
- OpenSSH 4.4: September 27, 2006
- OpenSSH 4.3: February 1, 2006
2005
- OpenSSH 4.2: September 1, 2005 https://www.openssh.com/txt/release-4.2
- Increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits.
- Added ControlMaster=auto/autoask options to support opportunistic multiplexing (see the ssh_config(5) manpage for details).
- OpenSSH 4.1: May 26, 2005
- OpenSSH 4.0: March 9, 2005
2004
- OpenSSH 3.9[32]: August 18, 2004
- Implement session multiplexing. ControlMaster option
- Added a MaxAuthTries option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
- Added IdentitiesOnly option to ssh which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent
- Re-introduce support for PAM password authentication
- OpenSSH 3.8: February 24, 2004
2003
- OpenSSH 3.7.1: September 16, 2003
- OpenSSH 3.7: September 16, 2003
- OpenSSH 3.6.1: April 1, 2003
- OpenSSH 3.6: March 31, 2003
2002
- OpenSSH 3.5: October 14, 2002
- OpenSSH 3.4: June 26, 2002
- OpenSSH 3.0: [33]
- Improved Kerberos support in protocol v1 (KerbIV and KerbV)
- OpenSSH 2.9.9: [34]
2001
- OpenSSH 2.5.1p1: February 19, 2001[35]
- SkeyAuthentication obsoleted, use ChallengeResponseAuthentication instead.
2000
- OpenSSH 1.2.2p1[36]: March 5, 2000
1995
- Added client configuration option StrictHostKeyChecking[37]
See also
- SHA, SHA-0, SHA-1, SHA-2, SHA-3, SHA-256, shasum, sha1sum, sha256sum, sha512sum
- OpenSSH (changelog): /etc/ssh/sshd_config | /etc/ssh/ssh_config | ~/.ssh/ | openSSL | sshd logs | sftp | scp | authorized_keys | ssh-keygen | ssh-keyscan | ssh-add | ssh-agent | ssh | Ssh -O stop | ssh-copy-id | CheckHostIP | UseKeychain, OpenSSF, ~/.ssh/authorized_keys
- Software changelogs, git log, GA, EoL, EOS, release cycle, apt changelog, docker-compose changelog
Source: Wikiversity
[1] https://www.openssh.com/txt/release-8.2
[2] https://www.openssh.com/txt/release-8.1
[3] https://www.openssh.com/releasenotes.html#8.1
[4] http://www.openssh.com/txt/release-8.0
[5] https://www.openssh.com/releasenotes.html#8.0
[6] https://nvd.nist.gov/vuln/detail/CVE-2019-6111
[7] http://www.openssh.com/txt/release-7.9
[8] http://www.openssh.com/txt/release-7.8
[9] http://www.openssh.com/txt/release-7.7
[10] http://www.openssh.com/txt/release-7.6
[11] http://www.openssh.com/txt/release-7.5
[12] http://www.openssh.com/txt/release-7.4
[13] http://www.openssh.com/txt/release-7.3
[14] "OpenSSH 7.1 Release Notes". openssh.com. 2015-08-20. Retrieved 2015-09-01.
[15] "OpenSSH 7.0 Release Notes". openssh.com. 2015-08-11. Retrieved 2015-08-18.
[16] "OpenSSH 6.9 Release Notes". openssh.com. 2015-07-01. Retrieved 2015-08-12.
[17] Murenin, Constantine A. (2015-02-01). Soulskill (ed.). "OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519". Slashdot. Retrieved 2015-02-01.
[18] https://lwn.net/Articles/637147/
[19] Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
[20] http://www.openssh.com/txt/release-6.5
[21] https://www.openssh.com/releasenotes.html#6.5
[22] https://en.wikipedia.org/wiki/Curve25519#Popularity
[23] Miller, Damien (2013-12-02). "ssh/PROTOCOL.chacha20poly1305". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-26.
[24] Murenin, Constantine A. (2013-12-11). Unknown Lamer (ed.). "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 2014-12-26.
[25] https://www.openssh.com/txt/release-6.5
[26] http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
[27] https://github.com/openssh/openssh-portable/commit/0faf747e2f77f0f7083bcd59cbed30c4b5448444
[28] https://www.openssh.com/txt/release-6.4
[29] http://www.openssh.com/txt/release-5.1
[30] http://www.openssh.com/txt/release-5.0
[31] http://www.openssh.com/txt/release-4.9
[32] https://www.openssh.com/txt/release-3.9
[33] https://www.openssh.com/txt/release-3.0
[34] https://www.openssh.com/txt/release-2.9.9
[35] https://www.openssh.com/txt/release-2.5.1p1
[36] https://www.openssh.com/txt/release-1.2.2p1
[37] http://web.mit.edu/Crypto/src/ssh-1.2.26/ChangeLog