Difference between revisions of "OpenSSH changelog"

From wikieduonline
 
(93 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Source: https://www.openssh.com/releasenotes.html
+
* Source: https://www.openssh.com/releasenotes.html
[[git clone]] https://github.com/openssh/openssh-portable.git
+
* <code>[[git clone]] https://github.com/openssh/openssh-portable.git</code>
 +
* <code>[[ssh -V]]</code>
 
__NOTOC__
 
__NOTOC__
  ssh -V
+
 
 +
== 2023 ==
 +
* [[OpenSSH 9.6]] https://www.openssh.com/txt/release-9.6
 +
** ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in [[PEM PKCS8]] format. Previously only the OpenSSH private key format was supported.
 +
* [[OpenSSH 9.5]] https://www.openssh.com/txt/release-9.5
 +
**  ssh(1), sshd(8): Introduce a transport-level [[ping]] facility
 +
* [[OpenSSH 9.4]] https://www.openssh.com/txt/release-9.4
 +
** ssh: allow forwarding [[Unix Domain sockets]] via <code>[[ssh -W]]</code>
 +
* [[OpenSSH 9.3]] https://www.openssh.com/txt/release-9.3
 +
* [[OpenSSH 9.2]] Feb 2023 https://www.openssh.com/txt/release-9.2
 +
** [[ssh-keyscan]]: allow scanning of complete CIDR address ranges: <code>ssh-keyscan 192.168.0.0/24</code>
 +
 
 +
== 2022 ==
 +
* [[OpenSSH]] 9.1 Oct 2022 https://www.openssh.com/txt/release-9.1
 +
** <code>[[RequiredRSASize]]</code>
 +
** <code>[[sftp -D]] "/usr/libexec/[[sftp-server]] -el debug3"</code>
 +
 
 +
* [[OpenSSH]] 9.0 Aug 2022 https://www.openssh.com/txt/release-9.0
 +
** This release switches [[scp]] from using the legacy scp/rcp protocol to using the [[SFTP]] protocol by default
 +
** Use the hybrid Streamlined [[NTRU]] Prime + [[x25519]] [[key exchange]] method by default
 +
** [[sftp-server]]: support the "[[copy-data]]" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00
 +
** [[sftp]]: add a "<code>[[cp]]</code>" command to allow the [[sftp client]] to perform [[server-side file copies]].
 +
 
 +
* [[OpenSSH]] 8.9 Feb 2022 https://www.openssh.com/txt/release-8.9
 +
** SECURITY [[integer overflow]] in the user authentication path
 +
** [[Trust on first use (TOFU)]]: [[ssh-keygen -Y match-principals]]
 +
 
 +
== 2021 ==
 +
* [[OpenSSH]] 8.8 September 2021 https://www.openssh.com/txt/release-8.8
 +
**  Disables [[RSA]] signatures using the [[SHA-1]] [[hash algorithm]] by default. It can be enabled for specific hosts using [[HostkeyAlgorithms]] directive.
 +
** SECURITY: Potential privilege escalation on <code>[[AuthorizedKeysCommand]]</code> or <code>[[AuthorizedPrincipalsCommand]]</code>
 +
** FEATURE: ssh(1): allow the [[ssh_config]](5) [[CanonicalizePermittedCNAMEs]] directive to accept a "none" argument to specify the default behaviour
 +
* [[OpenSSH]] 8.7 August 2021 https://www.openssh.com/txt/release-8.7
 +
** [[scp]] (1): experimental support for transfers using the [[SFTP protocol]]
 +
** ssh <code>[[ForkAfterAuthentication]]</code>
 +
 
 +
* [[OpenSSH]] 8.6 19 April 2021 https://www.openssh.com/txt/release-8.6
 +
** SECURITY: <code>[[LogVerbose]]</code> keyword vulnerability fixed
 +
** FEATURE: Add <code>[[ModuliFile]]</code> keyword to [[sshd_config]] to specify the location of the "[[moduli]]" file containing the groups for [[DH-GEX]]
 +
 
 +
* [[OpenSSH]] 8.5 03 March 2021 https://www.openssh.com/txt/release-8.5
 +
** SECURITY: <code>[[ssh-agent]]</code>: fixed a [[double-free memory corruption]] that was introduced in OpenSSH 8.2 (Feb 2020)
 +
** Update/replace the experimental [[post-quantum]] hybrid [[key exchange method]]
 +
** FEATURE: new <code>[[LogVerbose]]</code> configuration directive in <code>[[ssh]]</code> and </code>[[sshd]]</code> for that allows forcing maximum debug logging by file/function/line pattern-lists.
  
 
== 2020 ==  
 
== 2020 ==  
 
* [[OpenSSH]] 8.4 Sep 2020 https://www.openssh.com/txt/release-8.4
 
* [[OpenSSH]] 8.4 Sep 2020 https://www.openssh.com/txt/release-8.4
** [[ssh-keygen]]: Enable [[FIDO]] 2.1
+
** FEATURE: <code>[[ssh-keygen]]</code>: Enable [[FIDO]] 2.1
 +
** <code>ssh</code>, <code>sshd</code> add a new <code>[[LogVerbose]]</code> configuration directive
  
 
* [[OpenSSH]] 8.3, May 2020 https://www.openssh.com/txt/release-8.3
 
* [[OpenSSH]] 8.3, May 2020 https://www.openssh.com/txt/release-8.3
Line 30: Line 75:
 
== 2017 ==
 
== 2017 ==
 
* OpenSSH 7.6<ref>http://www.openssh.com/txt/release-7.6</ref>, released in October 2017. Included in [[Ubuntu 18.04.4 LTS]]
 
* OpenSSH 7.6<ref>http://www.openssh.com/txt/release-7.6</ref>, released in October 2017. Included in [[Ubuntu 18.04.4 LTS]]
** FEATURE: Add <code>RemoteCommand</code> option
+
** FEATURE: Add <code>[[RemoteCommand]]</code> option
** FEATURE: Add <code>SyslogFacility</code> option to ssh matching the equivalent option in sshd
+
** FEATURE: Add <code>[[SyslogFacility]]</code> option to ssh matching the equivalent option in sshd
** FEATURE: [[ssh client]] reverse dynamic forwarding <code>-R</code>
+
** FEATURE: [[ssh client]] [[reverse dynamic forwarding]] <code>-R</code>
 
* OpenSSH 7.5<ref>http://www.openssh.com/txt/release-7.5</ref>, released in March 2017  
 
* OpenSSH 7.5<ref>http://www.openssh.com/txt/release-7.5</ref>, released in March 2017  
 
** BUGFIX: This is a mainly a bugfix release.
 
** BUGFIX: This is a mainly a bugfix release.
 
** [[ssh]] <code>accept-new</code> new option for <code>[[StrictHostKeyChecking]]</code>
 
** [[ssh]] <code>accept-new</code> new option for <code>[[StrictHostKeyChecking]]</code>
 +
** Refuse [[RSA]] [[keys]] <1024 bits in length and improve reporting for keys that do not meet this requirement.
  
 
== 2016 ==
 
== 2016 ==
* OpenSSH 7.4<ref>http://www.openssh.com/txt/release-7.4</ref>, released in December 2016  
+
* OpenSSH 7.4 <ref>http://www.openssh.com/txt/release-7.4</ref>, released in December 2016  
 
** sshd(8): Add a <code>[[sshd_config]]</code> <code>DisableForwarding</code> option
 
** sshd(8): Add a <code>[[sshd_config]]</code> <code>DisableForwarding</code> option
* OpenSSH 7.3<ref>http://www.openssh.com/txt/release-7.3</ref>, released August 01, 2016
+
* OpenSSH 7.3 <ref>http://www.openssh.com/txt/release-7.3</ref>, released August 01, 2016
 
** FEATURE: Adds <code>[[ProxyJump]]</code> option (<code>-J</code>)  
 
** FEATURE: Adds <code>[[ProxyJump]]</code> option (<code>-J</code>)  
** FEATURE: Add an <code>Include</code> directive for <code>[[ssh_config]]</code> files
+
** FEATURE: Add an <code>[[include]]</code> directive for <code>[[ssh_config]]</code> files
 +
** FEATURE: <code>ssh</code> add an <code>[[include]]</code> directive for <code>[[ssh_config]]</code> files.
 +
* OpenSSH 7.2 <ref>https://www.openssh.com/txt/release-7.2</ref> Feb 2016
  
 
== 2015 ==
 
== 2015 ==
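Review bot: Under OpenSSH 7.3 the new side ends up with two entries for one feature, the rewritten `Include` line and the added "ssh add an include directive for ssh_config files" line; keep one of them. The rewrite also lowercases the keyword to `[[include]]` where the removed line had `Include`, so the displayed text no longer matches the directive name as previously written; a piped link such as `[[include|Include]]` keeps the original capitalisation.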
Line 99: Line 147:
 
** Added support for encrypt-then-mac MAC modes
 
** Added support for encrypt-then-mac MAC modes
 
** Added support for multiple required authentication methods
 
** Added support for multiple required authentication methods
** Added support for Key Revocation Lists (KRL)
+
** Added support for [[Key Revocation Lists]] (KRL)
  
 
== 2012 ==
 
== 2012 ==
Line 120: Line 168:
 
* OpenSSH 5.6: August 23, 2010
 
* OpenSSH 5.6: August 23, 2010
 
** Added a <code>[[ControlPersist]]</code >option to [[ssh_config]]
 
** Added a <code>[[ControlPersist]]</code >option to [[ssh_config]]
 +
** Add a new [[-3]] option to [[scp]]: Copies between two remote hosts are transferred through the local host.  Without this option the data is copied directly between the two remote hosts.
 
* OpenSSH 5.5: April 16, 2010
 
* OpenSSH 5.5: April 16, 2010
 
* OpenSSH 5.4: March 8, 2010
 
* OpenSSH 5.4: March 8, 2010
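Review bot: The added scp line links the flag as `[[-3]]`, a page title that carries no command name; elsewhere in this revision flags are linked together with their command (`[[ssh -W]]`, `[[sftp -D]]`), so `[[scp -3]]` would be consistent. The unchanged context line above it also has `</code >option`, with the space on the wrong side of the tag.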
Line 138: Line 187:
 
* OpenSSH 5.0: April 3, 2008 <ref>http://www.openssh.com/txt/release-5.0</ref>
 
* OpenSSH 5.0: April 3, 2008 <ref>http://www.openssh.com/txt/release-5.0</ref>
 
* OpenSSH 4.9: March 30, 2008 <ref>http://www.openssh.com/txt/release-4.9</ref>
 
* OpenSSH 4.9: March 30, 2008 <ref>http://www.openssh.com/txt/release-4.9</ref>
** Added [[chroot]] support for sshd(8)
+
** Added [[chroot]] support for <code>[[sshd]]</code>
 
** Create an internal [[SFTP]] (<code>[[internal-sftp]]</code> directive) server for easier use of the [[chroot]] functionality
 
** Create an internal [[SFTP]] (<code>[[internal-sftp]]</code> directive) server for easier use of the [[chroot]] functionality
  
Line 153: Line 202:
  
 
== 2005 ==
 
== 2005 ==
* OpenSSH 4.2: September 1, 2005
+
* OpenSSH 4.2: September 1, 2005 https://www.openssh.com/txt/release-4.2
 +
** Increase the default size of new [[RSA]]/[[DSA]] keys generated by <code>[[ssh-keygen]]</code> from 1024 to 2048 bits.
 +
** Added <code>[[ControlMaster]]=auto/autoask</code> options to support opportunistic multiplexing (see the ssh_config(5) manpage for details).
 +
 
 
* OpenSSH 4.1: May 26, 2005
 
* OpenSSH 4.1: May 26, 2005
 
* OpenSSH 4.0: March 9, 2005
 
* OpenSSH 4.0: March 9, 2005

Latest revision as of 14:19, 4 April 2024


2023

2022

2021

2020

2019

2018

  • OpenSSH 7.9[7], released in October 2018
  • OpenSSH 7.8[8], released in August 2018
    • Incompatible changes: ssh-keygen writes OpenSSH-format private keys by default instead of using OpenSSL's PEM format.
  • OpenSSH 7.7[9], released in February 2018

2017

2016

2015

  • OpenSSH 7.1: August 20, 2015[15]
    • Bugfix: This is a bugfix release.
  • OpenSSH 7.0: August 11, 2015[16]
    • The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography.
  • OpenSSH 6.9: July 1, 2015[17]
    • Bugfix: This is primarily a bugfix release.
  • OpenSSH 6.8: March 18, 2015
    • Added new [email protected] extension to facilitate public key discovery and rotation for trusted hosts (for transition from DSA to Ed25519 public host keys)[18]
    • AuthenticationMethods=publickey,publickey to require that users authenticate using two different public keys[19]

2014

  • OpenSSH 6.7: October 6, 2014
    • The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
    • Compile-time option to not depend on OpenSSL[20]
    • Add support for Unix domain socket forwarding
  • OpenSSH 6.6: March 16, 2014
    • This is primarily a bugfix release.
  • OpenSSH 6.5[21][22]: January 30, 2014
    • Added new ssh-ed25519 and [email protected] public key types (available since 2005 but more popular since some suspected that the NSA had chosen values that gave it an advantage in factoring public keys)[23]
    • Added new chacha20-poly1305@openssh.com transport cipher[24][25]
    • Added curve25519-sha256@libssh.org key exchange
    • FEATURE: ssh, added Match keyword for ssh_config that allows conditional configuration to be applied [26]
    • FEATURE: client-side hostname canonicalisation: CanonicalDomains, CanonicalizeFallbackLocal, CanonicalizeHostname, CanonicalizeMaxDots and CanonicalizePermittedCNAMEs.[27][28]
    • Add a new private key format that uses a bcrypt KDF

2013

  • OpenSSH 6.4: November 8, 2013 [29]
    • This release fixes a security bug with AES-GCM
  • OpenSSH 6.3: September 13, 2013
    • This release is predominantly a bugfix release
  • OpenSSH 6.2: March 22, 2013
    • Add a GCM-mode for the AES cipher, similar to RFC, RFI
    • Added support for encrypt-then-mac MAC modes
    • Added support for multiple required authentication methods
    • Added support for Key Revocation Lists (KRL)

2012

  • OpenSSH 6.1: August 29, 2012
    • This is primarily a bugfix release.
    • Enables pre-auth sandboxing by default
    • Finds ECDSA keys in ssh-keyscan and SSHFP DNS records by default now
  • OpenSSH 6.0: April 22, 2012
    • This is primarily a bugfix release.

2011

2010

  • OpenSSH 5.6: August 23, 2010
    • Added a ControlPersist option to ssh_config
    • Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
  • OpenSSH 5.5: April 16, 2010
  • OpenSSH 5.4: March 8, 2010
    • Disabled SSH protocol 1 default support. Clients and servers must now explicitly enable it.
    • Added PKCS11 authentication support for ssh(1) (-I pkcs11)
    • Added Certificate based authentication
    • Added "Netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards stdin and stdout instead. This allows, for example, using ssh(1) itself as an ssh(1) ProxyCommand to route connections via intermediate servers, without the need for nc(1) on the server machine.
    • Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.

2009

  • OpenSSH 5.3: October 1, 2009
  • OpenSSH 5.2: February 23, 2009

2008

2007

  • OpenSSH 4.7: September 4, 2007
Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352)
  • OpenSSH 4.6: March 9, 2007

2006

  • OpenSSH 4.5: November 7, 2006
  • OpenSSH 4.4: September 27, 2006
  • OpenSSH 4.3: February 1, 2006
    • Added OSI layer 2/3 tun-based VPN (-w option on ssh(1))

2005

  • OpenSSH 4.1: May 26, 2005
  • OpenSSH 4.0: March 9, 2005

2004

  • OpenSSH 3.9[33]: August 18, 2004
    • Implement session multiplexing. ControlMaster option
    • Added a MaxAuthTries option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
    • Added IdentitiesOnly option to ssh which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent
    • Re-introduce support for PAM password authentication
  • OpenSSH 3.8: February 24, 2004

2003

  • OpenSSH 3.7.1: September 16, 2003
  • OpenSSH 3.7: September 16, 2003
  • OpenSSH 3.6.1: April 1, 2003
  • OpenSSH 3.6: March 31, 2003

2002

  • OpenSSH 3.5: October 14, 2002
  • OpenSSH 3.4: June 26, 2002
  • OpenSSH 3.0: [34]
    • Improved Kerberos support in protocol v1 (KerbIV and KerbV)
  • OpenSSH 2.9.9: [35]

2001

2000

  • OpenSSH 1.2.2p1[37]: March 5, 2000


1995

See also



Source: Wikiversity

  1. https://www.openssh.com/txt/release-8.2
  2. https://www.openssh.com/txt/release-8.1
  3. https://www.openssh.com/releasenotes.html#8.1
  4. http://www.openssh.com/txt/release-8.0
  5. https://www.openssh.com/releasenotes.html#8.0
  6. https://nvd.nist.gov/vuln/detail/CVE-2019-6111
  7. http://www.openssh.com/txt/release-7.9
  8. http://www.openssh.com/txt/release-7.8
  9. http://www.openssh.com/txt/release-7.7
  10. http://www.openssh.com/txt/release-7.6
  11. http://www.openssh.com/txt/release-7.5
  12. http://www.openssh.com/txt/release-7.4
  13. http://www.openssh.com/txt/release-7.3
  14. https://www.openssh.com/txt/release-7.2
  15. "OpenSSH 7.1 Release Notes". openssh.com. 2015-08-20. Retrieved 2015-09-01.
  16. "OpenSSH 7.0 Release Notes". openssh.com. 2015-08-11. Retrieved 2015-08-18.
  17. "OpenSSH 6.9 Release Notes". openssh.com. 2015-07-01. Retrieved 2015-08-12.
  18. Murenin, Constantine A. (2015-02-01). Soulskill (ed.). "OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519". Slashdot. Retrieved 2015-02-01.
  19. https://lwn.net/Articles/637147/
  20. Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
  21. http://www.openssh.com/txt/release-6.5
  22. https://www.openssh.com/releasenotes.html#6.5
  23. https://en.wikipedia.org/wiki/Curve25519#Popularity
  24. Miller, Damien (2013-12-02). "ssh/PROTOCOL.chacha20poly1305". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-26.
  25. Murenin, Constantine A. (2013-12-11). Unknown Lamer (ed.). "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 2014-12-26.
  26. https://www.openssh.com/txt/release-6.5
  27. http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
  28. https://github.com/openssh/openssh-portable/commit/0faf747e2f77f0f7083bcd59cbed30c4b5448444
  29. https://www.openssh.com/txt/release-6.4
  30. http://www.openssh.com/txt/release-5.1
  31. http://www.openssh.com/txt/release-5.0
  32. http://www.openssh.com/txt/release-4.9
  33. https://www.openssh.com/txt/release-3.9
  34. https://www.openssh.com/txt/release-3.0
  35. https://www.openssh.com/txt/release-2.9.9
  36. https://www.openssh.com/txt/release-2.5.1p1
  37. https://www.openssh.com/txt/release-1.2.2p1
  38. http://web.mit.edu/Crypto/src/ssh-1.2.26/ChangeLog
