Difference between revisions of "OpenSSH changelog"

• Source: https://www.openssh.com/releasenotes.html
• git clone https://github.com/openssh/openssh-portable.git
• ssh -V

2023[edit]

• OpenSSH 9.6 https://www.openssh.com/txt/release-9.6
  • ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported.
• OpenSSH 9.5 https://www.openssh.com/txt/release-9.5
  • ssh(1), sshd(8): Introduce a transport-level ping facility
• OpenSSH 9.4 https://www.openssh.com/txt/release-9.4
  • ssh: allow forwarding Unix Domain sockets via ssh -W
• OpenSSH 9.3 https://www.openssh.com/txt/release-9.3
• OpenSSH 9.2 Feb 2023 https://www.openssh.com/txt/release-9.2
  • ssh-keyscan: allow scanning of complete CIDR address ranges: ssh-keyscan 192.168.0.0/24

2022[edit]

• OpenSSH 9.1 Oct 2022 https://www.openssh.com/txt/release-9.1
  • RequiredRSASize
  • sftp -D "/usr/libexec/sftp-server -el debug3"

• OpenSSH 9.0 Aug 2022 https://www.openssh.com/txt/release-9.0
  • This release switches scp from using the legacy scp/rcp protocol to using the SFTP protocol by default
  • Use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default
  • sftp-server: support the "copy-data" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00
  • sftp: add a "cp" command to allow the sftp client to perform server-side file copies.

• OpenSSH 8.9 Feb 2022 https://www.openssh.com/txt/release-8.9
  • SECURITY integer overflow in the user authentication path
  • Trust on first use (TOFU): ssh-keygen -Y match-principals

2021[edit]

• OpenSSH 8.8 September 2021 https://www.openssh.com/txt/release-8.8
  • Disables RSA signatures using the SHA-1 hash algorithm by default. It can be enabled for specific hosts using HostkeyAlgorithms directive.
  • SECURITY: Potential privilege escalation on AuthorizedKeysCommand or AuthorizedPrincipalsCommand
  • FEATURE: ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs directive to accept a "none" argument to specify the default behaviour
• OpenSSH 8.7 August 2021 https://www.openssh.com/txt/release-8.7
  • scp (1): experimental support for transfers using the SFTP protocol
  • ssh ForkAfterAuthentication

• OpenSSH 8.6 19 April 2021 https://www.openssh.com/txt/release-8.6
  • SECURITY: LogVerbose keyword vulnerability fixed
  • FEATURE: Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX

• OpenSSH 8.5 03 March 2021 https://www.openssh.com/txt/release-8.5
  • SECURITY: ssh-agent: fixed a double-free memory corruption that was introduced in OpenSSH 8.2 (Feb 2020)
  • Update/replace the experimental post-quantum hybrid key exchange method
  • FEATURE: new LogVerbose configuration directive in ssh and sshd for that allows forcing maximum debug logging by file/function/line pattern-lists.

2020[edit]

• OpenSSH 8.4 Sep 2020 https://www.openssh.com/txt/release-8.4
  • FEATURE: ssh-keygen: Enable FIDO 2.1
  • ssh, sshd add a new LogVerbose configuration directive

• OpenSSH 8.3, May 2020 https://www.openssh.com/txt/release-8.3
  • sshd: IgnoreRhosts has a new option: shosts-only. 3 options in total: yes|no|shosts-only
  • scp security bug fix, see Scp#Security
• OpenSSH 8.2, February 2020 ^[1]. Included in Ubuntu 20.04 LTS
  • FEATURE: FIDO/U2F Support for MFA

2019[edit]

• OpenSSH 8.1^[2][3], released in October 2019
  • ssh, sshd, ssh-agent: add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed.
• OpenSSH 8.0^[4][5], released in April 2019
  • SECURITY: CVE-2019-6111^[6] related to scp tool and protocol allowing to overwrite arbitrary files in the scp client target directory

2018[edit]

• OpenSSH 7.9^[7], released in October 2018
  • allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash
• OpenSSH 7.8^[8], released in August 2018
  • Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using OpenSSL's PEM format.
• OpenSSH 7.7^[9], released in February 2018
  • FEATURE: Add "expiry-time" option in sshd for authorized_keys files to allow for expiring keys.

2017[edit]

• OpenSSH 7.6^[10], released in October 2017. Included in Ubuntu 18.04.4 LTS
  • FEATURE: Add RemoteCommand option
  • FEATURE: Add SyslogFacility option to ssh matching the equivalent option in sshd
  • FEATURE: ssh client reverse dynamic forwarding -R
• OpenSSH 7.5^[11], released in March 2017
  • BUGFIX: This is a mainly a bugfix release.
  • ssh accept-new new option for StrictHostKeyChecking
  • Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.

2016[edit]

• OpenSSH 7.4 ^[12], released in December 2016
  • sshd(8): Add a sshd_config DisableForwarding option
• OpenSSH 7.3 ^[13], released August 01, 2016
  • FEATURE: Adds ProxyJump option (-J)
  • FEATURE: Add an include directive for ssh_config files
  • FEATURE: ssh add an include directive for ssh_config files.
• OpenSSH 7.2 ^[14] Feb 2016

2015[edit]

• OpenSSH 7.1: August 20, 2015^[15]
  • Bugfix: This is a bugfix release.
• OpenSSH 7.0: August 11, 2015^[16]
  • The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography.
• OpenSSH 6.9: July 1, 2015^[17]
  • Bugfix: This is primarily a bugfix release.
• OpenSSH 6.8: March 18, 2015
  • Added new [email protected] extension to facilitate public key discovery and rotation for trusted hosts (for transition from DSA to Ed25519 public host keys)^[18]
  • AuthenticationMethods=publickey,publickey to require that users authenticate using two different public keys^[19]

2014[edit]

• OpenSSH 6.7: October 6, 2014
  • The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
  • Compile-time option to not depend on OpenSSL^[20]
  • Add support for Unix domain socket forwarding

• OpenSSH 6.6: March 16, 2014
  • This is primarily a bugfix release.

• OpenSSH 6.5^[21][22]: January 30, 2014
  • Added new ssh-ed25519 and [email protected] public key types (available since 2005 but more popular since some suspicious that NSA had chosen values that gave them an advantage in factoring public-keys)^[23]
  • Added new chacha20-poly1305@openssh.com transport cipher^[24][25]
  • Added curve25519-sha256@libssh.org key exchange
  • FEATURE: ssh, added Match keyword for ssh_config that allows conditional configuration to be applied ^[26]
  • FEATURE: client-side hostname canonicalisation: CanonicalDomains, CanonicalizeFallbackLocal, CanonicalizeHostname, CanonicalizeMaxDots and CanonicalizePermittedCNAMEs.^[27][28]
  • Add a new private key format that uses a bcrypt KDF

2013[edit]

• OpenSSH 6.4: November 8, 2013 ^[29]
  • This release fixes a security bug with AES-GCM

• OpenSSH 6.3: September 13, 2013
  • This release is predominantly a bugfix release

• OpenSSH 6.2: March 22, 2013
  • Add a GCM-mode for the AES cipher, similar to RFC, RFI
  • Added support for encrypt-then-mac MAC modes
  • Added support for multiple required authentication methods
  • Added support for Key Revocation Lists (KRL)

2012[edit]

• OpenSSH 6.1: August 29, 2012
  • This is primarily a bugfix release.
  • Enables pre-auth sandboxing by default
  • Finds ECDSA keys in ssh-keyscan and SSHFP DNS records by default now

• OpenSSH 6.0: April 22, 2012
  • This is primarily a bugfix release.

2011[edit]

• OpenSSH 5.9: September 6, 2011
  • Introduce sandboxing of the pre-auth privilege separated child
• OpenSSH 5.8: February 4, 2011
• OpenSSH 5.7: January 24, 2011
  • Added support for elliptic curve cryptography for key exchange as well as host/user keys, per RFC, RFI

2010[edit]

• OpenSSH 5.6: August 23, 2010
  • Added a ControlPersistoption to ssh_config
  • Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
• OpenSSH 5.5: April 16, 2010
• OpenSSH 5.4: March 8, 2010
  • Disabled SSH protocol 1 default support. Clients and servers must now explicitly enable it.
  • Added PKCS11 authentication support for ssh(1) (-I pkcs11)
  • Added Certificate based authentication
  • Added "Netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1) ProxyCommand to route connections via intermediate servers, without the need for nc(1) on the server machine.
  • Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.

2009[edit]

• OpenSSH 5.3: October 1, 2009
• OpenSSH 5.2: February 23, 2009

2008[edit]

• OpenSSH 5.1: July 21, 2008^[30]
  • Added a MaxSessions option to sshd_config to control the number of multiplexed sessions
  • Added sshd -T, an extended test mode
• OpenSSH 5.0: April 3, 2008 ^[31]
• OpenSSH 4.9: March 30, 2008 ^[32]
  • Added chroot support for sshd
  • Create an internal SFTP (internal-sftp directive) server for easier use of the chroot functionality

2007[edit]

• OpenSSH 4.7: September 4, 2007

Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352)

• OpenSSH 4.6: March 9, 2007

2006[edit]

• OpenSSH 4.5: November 7, 2006
• OpenSSH 4.4: September 27, 2006
• OpenSSH 4.3: February 1, 2006
  • Added OSI layer 2/3 tun-based VPN (-w option on ssh(1))

2005[edit]

• OpenSSH 4.2: September 1, 2005 https://www.openssh.com/txt/release-4.2
  • Increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits.
  • Added ControlMaster=auto/autoask options to support opportunistic multiplexing (see the ssh_config(5) manpage for details).

• OpenSSH 4.1: May 26, 2005
• OpenSSH 4.0: March 9, 2005

2004[edit]

• OpenSSH 3.9^[33]: August 18, 2004
  • Implement session multiplexing. ControlMaster option
  • Added a MaxAuthTries option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
  • Added IdentitiesOnly option to ssh which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent
  • Re-introduce support for PAM password authentication
• OpenSSH 3.8: February 24, 2004

2003[edit]

• OpenSSH 3.7.1: September 16, 2003
• OpenSSH 3.7: September 16, 2003
  • rhosts authentication has been removed in ssh(1) and sshd(8).
• OpenSSH 3.6.1: April 1, 2003
• OpenSSH 3.6: March 31, 2003

2002[edit]

• OpenSSH 3.5: October 14, 2002
• OpenSSH 3.4: June 26, 2002
• OpenSSH 3.0: ^[34]
  • Improved Kerberos support in protocol v1 (KerbIV and KerbV)
• OpenSSH 2.9.9: ^[35]

2001[edit]

• OpenSSH 2.5.1p1: February 19, 2001^[36]
  • SkeyAuthentication absoleted, use ChallengeResponseAuthentication instead.

2000[edit]

• OpenSSH 1.2.2p1^[37]: March 5, 2000

1995[edit]

• Added client configuration option StrictHostKeyChecking^[38]

See also[edit]

• SHA, SHA-0, SHA-1, SHA-2, SHA-3, SHA-256, shasum, sha1sum, sha256sum, sha512sum
• OpenSSH (changelog): /etc/ssh/sshd_config | /etc/ssh/ssh_config | ~/.ssh/ | openSSL | sshd logs | sftp | scp | authorized_keys | ssh-keygen | ssh-keyscan | ssh-add | ssh-agent | ssh | Ssh -O stop | ssh-copy-id | CheckHostIP | UseKeychain, OpenSSF
• Software changelogs, git log, GA, EoL, EOS, release cycle, apt changelog, docker-compose changelog

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy.

Source: Wikiversity