Difference between revisions of "OpenSSH changelog"

From wikieduonline
Jump to navigation Jump to search
 
(168 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== [[OpenSSH]] Versions and changelog ==
+
* Source: https://www.openssh.com/releasenotes.html
 +
* <code>[[git clone]] https://github.com/openssh/openssh-portable.git</code>
 +
* <code>[[ssh -V]]</code>
 +
__NOTOC__
  
* OpenSSH 8.1<ref>https://www.openssh.com/txt/release-8.1</ref><ref>https://www.openssh.com/releasenotes.html#8.1</ref>, released in October 2019
+
== 2023 ==
 +
* [[OpenSSH 9.6]] https://www.openssh.com/txt/release-9.6
 +
** ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in [[PEM PKCS8]] format. Previously only the OpenSSH private key format was supported.
 +
* [[OpenSSH 9.5]] https://www.openssh.com/txt/release-9.5
 +
**  ssh(1), sshd(8): Introduce a transport-level [[ping]] facility
 +
* [[OpenSSH 9.4]] https://www.openssh.com/txt/release-9.4
 +
** ssh: allow forwarding [[Unix Domain sockets]] via <code>[[ssh -W]]</code>
 +
* [[OpenSSH 9.3]] https://www.openssh.com/txt/release-9.3
 +
* [[OpenSSH 9.2]] Feb 2023 https://www.openssh.com/txt/release-9.2
 +
** [[ssh-keyscan]]: allow scanning of complete CIDR address ranges: <code>ssh-keyscan 192.168.0.0/24</code>
 +
 
 +
== 2022 ==
 +
* [[OpenSSH]] 9.1 Oct 2022 https://www.openssh.com/txt/release-9.1
 +
** <code>[[RequiredRSASize]]</code>
 +
** <code>[[sftp -D]] "/usr/libexec/[[sftp-server]] -el debug3"</code>
 +
 
 +
* [[OpenSSH]] 9.0 Aug 2022 https://www.openssh.com/txt/release-9.0
 +
** This release switches [[scp]] from using the legacy scp/rcp protocol to using the [[SFTP]] protocol by default
 +
** Use the hybrid Streamlined [[NTRU]] Prime + [[x25519]] [[key exchange]] method by default
 +
** [[sftp-server]]: support the "[[copy-data]]" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00
 +
** [[sftp]]: add a "<code>[[cp]]</code>" command to allow the [[sftp client]] to perform [[server-side file copies]].
 +
 
 +
* [[OpenSSH]] 8.9 Feb 2022 https://www.openssh.com/txt/release-8.9
 +
** SECURITY [[integer overflow]] in the user authentication path
 +
** [[Trust on first use (TOFU)]]: [[ssh-keygen -Y match-principals]]
 +
 
 +
== 2021 ==
 +
* [[OpenSSH]] 8.8 September 2021 https://www.openssh.com/txt/release-8.8
 +
**  Disables [[RSA]] signatures using the [[SHA-1]] [[hash algorithm]] by default. It can be enabled for specific hosts using  [[HostkeyAlgorithms]] directive.
 +
** SECURITY: Potential privilege escalation on <code>[[AuthorizedKeysCommand]]</code> or <code>[[AuthorizedPrincipalsCommand]]</code>
 +
** FEATURE: ssh(1): allow the [[ssh_config]](5) [[CanonicalizePermittedCNAMEs]] directive to accept a "none" argument to specify the default behaviour
 +
* [[OpenSSH]] 8.7 August 2021 https://www.openssh.com/txt/release-8.7
 +
** [[scp]] (1): experimental support for transfers using the [[SFTP protocol]]
 +
** ssh <code>[[ForkAfterAuthentication]]</code>
 +
 
 +
* [[OpenSSH]] 8.6 19 April 2021 https://www.openssh.com/txt/release-8.6
 +
** SECURITY: <code>[[LogVerbose]]</code> keyword vulnerability fixed
 +
** FEATURE: Add <code>[[ModuliFile]]</code> keyword to [[sshd_config]] to specify the location of the "[[moduli]]" file containing the groups for [[DH-GEX]]
 +
 
 +
* [[OpenSSH]] 8.5 03 March 2021 https://www.openssh.com/txt/release-8.5
 +
** SECURITY: <code>[[ssh-agent]]</code>: fixed a [[double-free memory corruption]] that was introduced in OpenSSH 8.2 (Feb 2020)
 +
** Update/replace the experimental [[post-quantum]] hybrid [[key exchange method]]
 +
** FEATURE: new <code>[[LogVerbose]]</code> configuration directive in <code>[[ssh]]</code> and </code>[[sshd]]</code> for that allows forcing maximum debug logging by file/function/line pattern-lists.
 +
 
 +
== 2020 ==
 +
* [[OpenSSH]] 8.4 Sep 2020 https://www.openssh.com/txt/release-8.4
 +
** FEATURE: <code>[[ssh-keygen]]</code>: Enable [[FIDO]] 2.1
 +
** <code>ssh</code>, <code>sshd</code> add a new <code>[[LogVerbose]]</code> configuration directive
 +
 
 +
* [[OpenSSH]] 8.3, May 2020 https://www.openssh.com/txt/release-8.3
 +
** [[sshd]]: <code>[[IgnoreRhosts]]</code> has a new option: <code>shosts-only</code>. 3 options in total: <code>yes|no|shosts-only</code>
 +
** [[scp]] security bug fix, see [[Scp#Security]]
 +
* [[OpenSSH]] 8.2, February 2020 <ref> https://www.openssh.com/txt/release-8.2</ref>. Included in [[Ubuntu 20.04 LTS]]
 +
** FEATURE: [[FIDO]]/[[U2F]] Support for [[MFA]]
 +
 
 +
== 2019 ==
 +
* [[OpenSSH]] 8.1<ref>https://www.openssh.com/txt/release-8.1</ref><ref>https://www.openssh.com/releasenotes.html#8.1</ref>, released in October 2019
 
** <code>[[ssh]]</code>, <code>[[sshd]]</code>, <code>[[ssh-agent]]</code>: add protection for [[private keys]] at rest in [[RAM]] against speculation and memory [[side-channel attacks]] like [[Spectre]], [[Meltdown]] and [[Rambleed]].
 
** <code>[[ssh]]</code>, <code>[[sshd]]</code>, <code>[[ssh-agent]]</code>: add protection for [[private keys]] at rest in [[RAM]] against speculation and memory [[side-channel attacks]] like [[Spectre]], [[Meltdown]] and [[Rambleed]].
 
* OpenSSH 8.0<ref>http://www.openssh.com/txt/release-8.0</ref><ref>https://www.openssh.com/releasenotes.html#8.0</ref>, released in April 2019
 
* OpenSSH 8.0<ref>http://www.openssh.com/txt/release-8.0</ref><ref>https://www.openssh.com/releasenotes.html#8.0</ref>, released in April 2019
** SECURITY: CVE-2019-6111<ref>https://nvd.nist.gov/vuln/detail/CVE-2019-6111</ref> related to <code>[[scp]]</code> tool and protocol allowing to overwrite arbitrary files in the scp client target directory
+
** SECURITY: [[CVE]]-2019-6111<ref>https://nvd.nist.gov/vuln/detail/CVE-2019-6111</ref> related to <code>[[scp]]</code> tool and protocol allowing to overwrite arbitrary files in the scp client target directory
 +
 
 +
== [[2018]] ==
 
* OpenSSH 7.9<ref>http://www.openssh.com/txt/release-7.9</ref>, released in October 2018
 
* OpenSSH 7.9<ref>http://www.openssh.com/txt/release-7.9</ref>, released in October 2018
 
** allow [[key revocation lists]] (KRLs) to revoke keys specified by SHA256 hash
 
** allow [[key revocation lists]] (KRLs) to revoke keys specified by SHA256 hash
 
* OpenSSH 7.8<ref>http://www.openssh.com/txt/release-7.8</ref>, released in August 2018
 
* OpenSSH 7.8<ref>http://www.openssh.com/txt/release-7.8</ref>, released in August 2018
** Incompatible changes: [[ssh-keygen]] write OpenSSH format private keys by default instead of using OpenSSL's PEM format.
+
** Incompatible changes: <code>[[ssh-keygen]]</code> write OpenSSH format private keys by default instead of using [[OpenSSL]]'s [[PEM]] format.
 
* OpenSSH 7.7<ref>http://www.openssh.com/txt/release-7.7</ref>, released in February 2018
 
* OpenSSH 7.7<ref>http://www.openssh.com/txt/release-7.7</ref>, released in February 2018
** FEATURE:  Add "<code>expiry-time</code>" option in sshd for authorized_keys files to allow for expiring keys.
+
** FEATURE:  Add <code>"[[expiry-time]]"</code> option in sshd for <code>[[authorized_keys]]</code> files to allow for expiring keys.
* OpenSSH 7.6<ref>http://www.openssh.com/txt/release-7.6</ref>, released in October 2017
+
 
** FEATURE: Add <code>RemoteCommand</code> option
+
== 2017 ==
** FEATURE: Add <code>SyslogFacility</code> option to ssh matching the equivalent option in sshd
+
* OpenSSH 7.6<ref>http://www.openssh.com/txt/release-7.6</ref>, released in October 2017. Included in [[Ubuntu 18.04.4 LTS]]
** FEATURE: ssh client reverse dynamic forwarding <code>-R</code>
+
** FEATURE: Add <code>[[RemoteCommand]]</code> option
 +
** FEATURE: Add <code>[[SyslogFacility]]</code> option to ssh matching the equivalent option in sshd
 +
** FEATURE: [[ssh client]] [[reverse dynamic forwarding]] <code>-R</code>
 
* OpenSSH 7.5<ref>http://www.openssh.com/txt/release-7.5</ref>, released in March 2017  
 
* OpenSSH 7.5<ref>http://www.openssh.com/txt/release-7.5</ref>, released in March 2017  
 
** BUGFIX: This is a mainly a bugfix release.
 
** BUGFIX: This is a mainly a bugfix release.
* OpenSSH 7.4<ref>http://www.openssh.com/txt/release-7.4</ref>, released in December 2016  
+
** [[ssh]] <code>accept-new</code> new option for <code>[[StrictHostKeyChecking]]</code>
** sshd(8): Add a sshd_config <code>DisableForwarding</code> option
+
** Refuse [[RSA]] [[keys]] <1024 bits in length and improve reporting for keys that do not meet this requirement.
* OpenSSH 7.3<ref>http://www.openssh.com/txt/release-7.3</ref>, released August 01, 2016
+
 
** FEATURE: Adds <code>ProxyJump</code> option (-J)  
+
== 2016 ==
** FEATURE: Add an <code>Include</code> directive for ssh_config(5) files
+
* OpenSSH 7.4 <ref>http://www.openssh.com/txt/release-7.4</ref>, released in December 2016  
 +
** sshd(8): Add a <code>[[sshd_config]]</code> <code>DisableForwarding</code> option
 +
* OpenSSH 7.3 <ref>http://www.openssh.com/txt/release-7.3</ref>, released August 01, 2016
 +
** FEATURE: Adds <code>[[ProxyJump]]</code> option (<code>-J</code>)  
 +
** FEATURE: Add an <code>[[include]]</code> directive for <code>[[ssh_config]]</code> files
 +
** FEATURE: <code>ssh</code> add an <code>[[include]]</code> directive for <code>[[ssh_config]]</code> files.
 +
* OpenSSH 7.2 <ref>https://www.openssh.com/txt/release-7.2</ref> Feb 2016
 +
 
 +
== 2015 ==
 
* OpenSSH 7.1: August 20, 2015<ref name="7.1-released">{{cite web
 
* OpenSSH 7.1: August 20, 2015<ref name="7.1-released">{{cite web
 
  | url = http://www.openssh.com/txt/release-7.1
 
  | url = http://www.openssh.com/txt/release-7.1
Line 28: Line 99:
 
  | website = openssh.com
 
  | website = openssh.com
 
}}</ref>
 
}}</ref>
** This is a bugfix release.
+
** Bugfix: This is a bugfix release.
 
* OpenSSH 7.0: August 11, 2015<ref>{{cite web
 
* OpenSSH 7.0: August 11, 2015<ref>{{cite web
 
  | url = http://www.openssh.com/txt/release-7.0
 
  | url = http://www.openssh.com/txt/release-7.0
Line 35: Line 106:
 
  | website = openssh.com
 
  | website = openssh.com
 
}}</ref>
 
}}</ref>
** The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography.
+
** The focus of this release is primarily to deprecate weak, legacy and unsafe [[cryptography]].
 
* OpenSSH 6.9: July 1, 2015<ref>{{cite web
 
* OpenSSH 6.9: July 1, 2015<ref>{{cite web
 
  | url = http://www.openssh.com/txt/release-6.9
 
  | url = http://www.openssh.com/txt/release-6.9
Line 42: Line 113:
 
  | website = openssh.com
 
  | website = openssh.com
 
}}</ref>
 
}}</ref>
** BUGFIX: This is primarily a bugfix release.
+
** Bugfix: This is primarily a bugfix release.
 
* OpenSSH 6.8: March 18, 2015
 
* OpenSSH 6.8: March 18, 2015
 
** Added new <kbd>hostkeys@openssh.com</kbd> extension to facilitate public key discovery and rotation for trusted hosts (for transition from [[Digital Signature Algorithm|DSA]] to [[Ed25519]] public host keys)<ref>{{cite web |url=http://it.slashdot.org/story/15/02/01/0533208/openssh-will-feature-key-discovery-and-rotation-for-easier-switching-to-ed25519 |title= OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519 |first=Constantine A. |last=Murenin |editor=Soulskill |date=2015-02-01 |accessdate=2015-02-01 |publisher=[[Slashdot]]}}</ref>
 
** Added new <kbd>hostkeys@openssh.com</kbd> extension to facilitate public key discovery and rotation for trusted hosts (for transition from [[Digital Signature Algorithm|DSA]] to [[Ed25519]] public host keys)<ref>{{cite web |url=http://it.slashdot.org/story/15/02/01/0533208/openssh-will-feature-key-discovery-and-rotation-for-easier-switching-to-ed25519 |title= OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519 |first=Constantine A. |last=Murenin |editor=Soulskill |date=2015-02-01 |accessdate=2015-02-01 |publisher=[[Slashdot]]}}</ref>
** <code>AuthenticationMethods=publickey,publickey</code> to require that users authenticate using two different public keys<ref>https://lwn.net/Article
+
** <code>AuthenticationMethods=publickey,publickey</code> to require that users authenticate using two different [[public keys]]<ref>https://lwn.net/Article
 
s/637147/</ref>
 
s/637147/</ref>
 +
 +
== 2014 ==
 
* OpenSSH 6.7: October 6, 2014
 
* OpenSSH 6.7: October 6, 2014
 
** The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, [[Cipher Block Chaining|CBC]] ciphers and arcfour* are disabled by default.
 
** The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, [[Cipher Block Chaining|CBC]] ciphers and arcfour* are disabled by default.
Line 57: Line 130:
 
* OpenSSH 6.5<ref>http://www.openssh.com/txt/release-6.5</ref><ref>https://www.openssh.com/releasenotes.html#6.5</ref>: January 30, 2014
 
* OpenSSH 6.5<ref>http://www.openssh.com/txt/release-6.5</ref><ref>https://www.openssh.com/releasenotes.html#6.5</ref>: January 30, 2014
 
** Added<!-- on 2013/12/06 --> new <kbd>ssh-[[ed25519]]</kbd> and <kbd>ssh-ed25519-cert-v01@openssh.com</kbd> public key types (available since 2005 but more popular since some suspicious that NSA had chosen values that gave them an advantage in factoring public-keys)<ref>https://en.wikipedia.org/wiki/Curve25519#Popularity</ref>
 
** Added<!-- on 2013/12/06 --> new <kbd>ssh-[[ed25519]]</kbd> and <kbd>ssh-ed25519-cert-v01@openssh.com</kbd> public key types (available since 2005 but more popular since some suspicious that NSA had chosen values that gave them an advantage in factoring public-keys)<ref>https://en.wikipedia.org/wiki/Curve25519#Popularity</ref>
 
 
** Added new <kbd>[[ChaCha20|chacha20]]-[[poly1305]]@openssh.com</kbd> transport cipher<ref>{{cite web |url=http://bxr.su/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305 |title=ssh/PROTOCOL.chacha20poly1305 |first=Damien |last=Miller |website=BSD Cross Reference, OpenBSD src/usr.bin/ |date=2013-12-02 |accessdate=2014-12-26 }}</ref><ref>{{cite web |url=http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein |title= OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein |first=Constantine A. |last=Murenin |editor=Unknown Lamer |date=2013-12-11 |accessdate=2014-12-26 |publisher=[[Slashdot]]}}</ref>
 
** Added new <kbd>[[ChaCha20|chacha20]]-[[poly1305]]@openssh.com</kbd> transport cipher<ref>{{cite web |url=http://bxr.su/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305 |title=ssh/PROTOCOL.chacha20poly1305 |first=Damien |last=Miller |website=BSD Cross Reference, OpenBSD src/usr.bin/ |date=2013-12-02 |accessdate=2014-12-26 }}</ref><ref>{{cite web |url=http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein |title= OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein |first=Constantine A. |last=Murenin |editor=Unknown Lamer |date=2013-12-11 |accessdate=2014-12-26 |publisher=[[Slashdot]]}}</ref>
 
** Added<!-- on 2013/11/02 --> <kbd>[[curve25519]]-[[sha256]]@libssh.org</kbd> [[key exchange]]
 
** Added<!-- on 2013/11/02 --> <kbd>[[curve25519]]-[[sha256]]@libssh.org</kbd> [[key exchange]]
Line 64: Line 136:
 
** Add a new private key format that uses a [[bcrypt]] KDF
 
** Add a new private key format that uses a [[bcrypt]] KDF
  
 +
== 2013 ==
 
* OpenSSH 6.4: November 8, 2013 <ref>https://www.openssh.com/txt/release-6.4</ref>
 
* OpenSSH 6.4: November 8, 2013 <ref>https://www.openssh.com/txt/release-6.4</ref>
 
** This release fixes a security bug with AES-GCM
 
** This release fixes a security bug with AES-GCM
Line 74: Line 147:
 
** Added support for encrypt-then-mac MAC modes
 
** Added support for encrypt-then-mac MAC modes
 
** Added support for multiple required authentication methods
 
** Added support for multiple required authentication methods
** Added support for Key Revocation Lists (KRL)
+
** Added support for [[Key Revocation Lists]] (KRL)
  
 +
== 2012 ==
 
* OpenSSH 6.1: August 29, 2012
 
* OpenSSH 6.1: August 29, 2012
 
** This is primarily a bugfix release.
 
** This is primarily a bugfix release.
 
** Enables pre-auth sandboxing by default  
 
** Enables pre-auth sandboxing by default  
** Finds ECDSA keys in <code>ssh-keyscan</code> and SSHFP DNS records by default now
+
** Finds [[ECDSA]] keys in <code>[[ssh-keyscan]]</code> and SSHFP DNS records by default now
  
 
* OpenSSH 6.0: April 22, 2012
 
* OpenSSH 6.0: April 22, 2012
 
** This is primarily a bugfix release.
 
** This is primarily a bugfix release.
  
 +
== 2011 ==
 
* OpenSSH 5.9: September 6, 2011
 
* OpenSSH 5.9: September 6, 2011
 
** Introduce [[Sandbox (computer security)|sandboxing]] of the pre-auth [[privilege separation|privilege separated]] child
 
** Introduce [[Sandbox (computer security)|sandboxing]] of the pre-auth [[privilege separation|privilege separated]] child
Line 89: Line 164:
 
* OpenSSH 5.7: January 24, 2011
 
* OpenSSH 5.7: January 24, 2011
 
** Added support for elliptic curve cryptography for [[Elliptic curve Diffie–Hellman|key exchange]] as well as [[Elliptic Curve DSA|host/user keys]], per {{RFC|5656}}
 
** Added support for elliptic curve cryptography for [[Elliptic curve Diffie–Hellman|key exchange]] as well as [[Elliptic Curve DSA|host/user keys]], per {{RFC|5656}}
 +
 +
== 2010 ==
 
* OpenSSH 5.6: August 23, 2010
 
* OpenSSH 5.6: August 23, 2010
** Added a <code>ControlPersist</code >option to ssh_config
+
** Added a <code>[[ControlPersist]]</code >option to [[ssh_config]]
 +
** Add a new [[-3]] option to [[scp]]: Copies between two remote hosts are transferred through the local host.  Without this option the data is copied directly between the two remote hosts.
 
* OpenSSH 5.5: April 16, 2010
 
* OpenSSH 5.5: April 16, 2010
 
* OpenSSH 5.4: March 8, 2010
 
* OpenSSH 5.4: March 8, 2010
Line 98: Line 176:
 
** Added "[[Netcat]] mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1) <code>ProxyCommand</code> to route connections via intermediate servers, without the need for [[Netcat|nc(1)]] on the server machine.
 
** Added "[[Netcat]] mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1) <code>ProxyCommand</code> to route connections via intermediate servers, without the need for [[Netcat|nc(1)]] on the server machine.
 
** Added the ability to revoke [[Public-key cryptography|public keys]] in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.
 
** Added the ability to revoke [[Public-key cryptography|public keys]] in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.
 +
 +
== 2009 ==
 
* OpenSSH 5.3: October 1, 2009
 
* OpenSSH 5.3: October 1, 2009
 
* OpenSSH 5.2: February 23, 2009
 
* OpenSSH 5.2: February 23, 2009
* OpenSSH 5.1: July 21, 2008
+
 
** Added a <code>MaxSessions</code> option to sshd_config
+
== 2008 ==
* OpenSSH 5.0: April 3, 2008
+
* OpenSSH 5.1: July 21, 2008<ref>http://www.openssh.com/txt/release-5.1</ref>
* OpenSSH 4.9: March 30, 2008
+
** Added a <code>MaxSessions</code> option to <code>[[sshd_config]]</code> to control the number of [[multiplexed sessions]]
** Added [[chroot]] support for sshd(8)
+
** Added <code>[[sshd -T]]</code>, an extended [[test mode]]
** Create an internal [[SSH File Transfer Protocol|SFTP]] server for easier use of the chroot functionality
+
* OpenSSH 5.0: April 3, 2008 <ref>http://www.openssh.com/txt/release-5.0</ref>
 +
* OpenSSH 4.9: March 30, 2008 <ref>http://www.openssh.com/txt/release-4.9</ref>
 +
** Added [[chroot]] support for <code>[[sshd]]</code>
 +
** Create an internal [[SFTP]] (<code>[[internal-sftp]]</code> directive) server for easier use of the [[chroot]] functionality
 +
 
 +
== 2007 ==
 
* OpenSSH 4.7: September 4, 2007
 
* OpenSSH 4.7: September 4, 2007
 +
:Added [[chroot]](2) support for sshd(8), controlled by a new option "<code>[[ChrootDirectory]]</code>". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352)
 
* OpenSSH 4.6: March 9, 2007
 
* OpenSSH 4.6: March 9, 2007
 +
 +
== 2006 ==
 
* OpenSSH 4.5: November 7, 2006
 
* OpenSSH 4.5: November 7, 2006
 
* OpenSSH 4.4: September 27, 2006
 
* OpenSSH 4.4: September 27, 2006
 
* OpenSSH 4.3: February 1, 2006
 
* OpenSSH 4.3: February 1, 2006
 
** Added [[Open Systems Interconnection|OSI]] layer 2/3 [[TUN/TAP|tun]]-based [[VPN]] (-w option on ssh(1))
 
** Added [[Open Systems Interconnection|OSI]] layer 2/3 [[TUN/TAP|tun]]-based [[VPN]] (-w option on ssh(1))
* OpenSSH 4.2: September 1, 2005
+
 
 +
== 2005 ==
 +
* OpenSSH 4.2: September 1, 2005 https://www.openssh.com/txt/release-4.2
 +
** Increase the default size of new [[RSA]]/[[DSA]] keys generated by <code>[[ssh-keygen]]</code> from 1024 to 2048 bits.
 +
** Added <code>[[ControlMaster]]=auto/autoask</code> options to support opportunistic multiplexing (see the ssh_config(5) manpage for details).
 +
 
 
* OpenSSH 4.1: May 26, 2005
 
* OpenSSH 4.1: May 26, 2005
 
* OpenSSH 4.0: March 9, 2005
 
* OpenSSH 4.0: March 9, 2005
 +
 +
== 2004 ==
 
* OpenSSH 3.9<ref>https://www.openssh.com/txt/release-3.9</ref>: August 18, 2004
 
* OpenSSH 3.9<ref>https://www.openssh.com/txt/release-3.9</ref>: August 18, 2004
** Implement [[OpenSSH session multiplexing|session multiplexing]]. <code>ControlMaster</code> option
+
** Implement [[session multiplexing]]. <code>[[ControlMaster]]</code> option
 
** Added a <code>MaxAuthTries</code> option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
 
** Added a <code>MaxAuthTries</code> option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
 
** Added <code>IdentitiesOnly</code> option to <code>ssh</code> which specifies that it should use keys specified in ssh_config, rather than any keys in [[ssh-agent]]
 
** Added <code>IdentitiesOnly</code> option to <code>ssh</code> which specifies that it should use keys specified in ssh_config, rather than any keys in [[ssh-agent]]
 
** Re-introduce support for [[PAM]] password authentication
 
** Re-introduce support for [[PAM]] password authentication
 
* OpenSSH 3.8: February 24, 2004
 
* OpenSSH 3.8: February 24, 2004
 +
 +
== 2003 ==
 
* OpenSSH 3.7.1: September 16, 2003
 
* OpenSSH 3.7.1: September 16, 2003
 
* OpenSSH 3.7: September 16, 2003
 
* OpenSSH 3.7: September 16, 2003
Line 126: Line 223:
 
* OpenSSH 3.6.1: April 1, 2003
 
* OpenSSH 3.6.1: April 1, 2003
 
* OpenSSH 3.6: March 31, 2003
 
* OpenSSH 3.6: March 31, 2003
 +
 +
== 2002 ==
 
* OpenSSH 3.5: October 14, 2002
 
* OpenSSH 3.5: October 14, 2002
 
* OpenSSH 3.4: June 26, 2002
 
* OpenSSH 3.4: June 26, 2002
Line 131: Line 230:
 
** Improved [[Kerberos]] support in protocol v1 (KerbIV and KerbV)
 
** Improved [[Kerberos]] support in protocol v1 (KerbIV and KerbV)
 
* OpenSSH 2.9.9: <ref>https://www.openssh.com/txt/release-2.9.9</ref>
 
* OpenSSH 2.9.9: <ref>https://www.openssh.com/txt/release-2.9.9</ref>
 +
 +
== 2001 ==
 
* OpenSSH 2.5.1p1: February 19, 2001<ref>https://www.openssh.com/txt/release-2.5.1p1</ref>  
 
* OpenSSH 2.5.1p1: February 19, 2001<ref>https://www.openssh.com/txt/release-2.5.1p1</ref>  
** [[Skey]]Authentication absoleted, use ChallengeResponseAuthentication instead.
+
** [[Skey]]Authentication absoleted, use <code>[[ChallengeResponseAuthentication]]</code> instead.
 +
 
 +
== 2000 ==
 +
* OpenSSH 1.2.2p1<ref>https://www.openssh.com/txt/release-1.2.2p1</ref>: March 5, 2000
  
* OpenSSH 1.2.2p1<ref>https://www.openssh.com/txt/release-1.2.2p1</ref>: March 5, 2000
 
  
 +
== 1995 ==
 +
* Added client configuration option <code>[[StrictHostKeyChecking]]</code><ref>http://web.mit.edu/Crypto/src/ssh-1.2.26/ChangeLog</ref>
  
 
== See also ==
 
== See also ==
 +
* {{sha}}
 
* {{OpenSSH}}
 
* {{OpenSSH}}
 
* {{changelogs}}
 
* {{changelogs}}

Latest revision as of 14:19, 4 April 2024


2023[edit]

2022[edit]

2021[edit]

2020[edit]

2019[edit]

2018[edit]

  • OpenSSH 7.9[7], released in October 2018
  • OpenSSH 7.8[8], released in August 2018
    • Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using OpenSSL's PEM format.
  • OpenSSH 7.7[9], released in February 2018

2017[edit]

2016[edit]

2015[edit]

  • OpenSSH 7.1: August 20, 2015[15]
    • Bugfix: This is a bugfix release.
  • OpenSSH 7.0: August 11, 2015[16]
    • The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography.
  • OpenSSH 6.9: July 1, 2015[17]
    • Bugfix: This is primarily a bugfix release.
  • OpenSSH 6.8: March 18, 2015
    • Added new hostkeys@openssh.com extension to facilitate public key discovery and rotation for trusted hosts (for transition from DSA to Ed25519 public host keys)[18]
    • AuthenticationMethods=publickey,publickey to require that users authenticate using two different public keys[19]

2014[edit]

  • OpenSSH 6.7: October 6, 2014
    • The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
    • Compile-time option to not depend on OpenSSL[20]
    • Add support for Unix domain socket forwarding
  • OpenSSH 6.6: March 16, 2014
    • This is primarily a bugfix release.
  • OpenSSH 6.5[21][22]: January 30, 2014
    • Added new ssh-ed25519 and ssh-ed25519-cert-v01@openssh.com public key types (available since 2005 but more popular since some suspicious that NSA had chosen values that gave them an advantage in factoring public-keys)[23]
    • Added new chacha20-poly1305@openssh.com transport cipher[24][25]
    • Added curve25519-sha256@libssh.org key exchange
    • FEATURE: ssh, added Match keyword for ssh_config that allows conditional configuration to be applied [26]
    • FEATURE: client-side hostname canonicalisation: CanonicalDomains, CanonicalizeFallbackLocal, CanonicalizeHostname, CanonicalizeMaxDots and CanonicalizePermittedCNAMEs.[27][28]
    • Add a new private key format that uses a bcrypt KDF

2013[edit]

  • OpenSSH 6.4: November 8, 2013 [29]
    • This release fixes a security bug with AES-GCM
  • OpenSSH 6.3: September 13, 2013
    • This release is predominantly a bugfix release
  • OpenSSH 6.2: March 22, 2013
    • Add a GCM-mode for the AES cipher, similar to RFC, RFI
    • Added support for encrypt-then-mac MAC modes
    • Added support for multiple required authentication methods
    • Added support for Key Revocation Lists (KRL)

2012[edit]

  • OpenSSH 6.1: August 29, 2012
    • This is primarily a bugfix release.
    • Enables pre-auth sandboxing by default
    • Finds ECDSA keys in ssh-keyscan and SSHFP DNS records by default now
  • OpenSSH 6.0: April 22, 2012
    • This is primarily a bugfix release.

2011[edit]

2010[edit]

  • OpenSSH 5.6: August 23, 2010
    • Added a ControlPersistoption to ssh_config
    • Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
  • OpenSSH 5.5: April 16, 2010
  • OpenSSH 5.4: March 8, 2010
    • Disabled SSH protocol 1 default support. Clients and servers must now explicitly enable it.
    • Added PKCS11 authentication support for ssh(1) (-I pkcs11)
    • Added Certificate based authentication
    • Added "Netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1) ProxyCommand to route connections via intermediate servers, without the need for nc(1) on the server machine.
    • Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.

2009[edit]

  • OpenSSH 5.3: October 1, 2009
  • OpenSSH 5.2: February 23, 2009

2008[edit]

2007[edit]

  • OpenSSH 4.7: September 4, 2007
Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352)
  • OpenSSH 4.6: March 9, 2007

2006[edit]

  • OpenSSH 4.5: November 7, 2006
  • OpenSSH 4.4: September 27, 2006
  • OpenSSH 4.3: February 1, 2006
    • Added OSI layer 2/3 tun-based VPN (-w option on ssh(1))

2005[edit]

  • OpenSSH 4.1: May 26, 2005
  • OpenSSH 4.0: March 9, 2005

2004[edit]

  • OpenSSH 3.9[33]: August 18, 2004
    • Implement session multiplexing. ControlMaster option
    • Added a MaxAuthTries option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
    • Added IdentitiesOnly option to ssh which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent
    • Re-introduce support for PAM password authentication
  • OpenSSH 3.8: February 24, 2004

2003[edit]

  • OpenSSH 3.7.1: September 16, 2003
  • OpenSSH 3.7: September 16, 2003
  • OpenSSH 3.6.1: April 1, 2003
  • OpenSSH 3.6: March 31, 2003

2002[edit]

  • OpenSSH 3.5: October 14, 2002
  • OpenSSH 3.4: June 26, 2002
  • OpenSSH 3.0: [34]
    • Improved Kerberos support in protocol v1 (KerbIV and KerbV)
  • OpenSSH 2.9.9: [35]

2001[edit]

2000[edit]

  • OpenSSH 1.2.2p1[37]: March 5, 2000


1995[edit]

See also[edit]


Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy.

Source: Wikiversity

  1. https://www.openssh.com/txt/release-8.2
  2. https://www.openssh.com/txt/release-8.1
  3. https://www.openssh.com/releasenotes.html#8.1
  4. http://www.openssh.com/txt/release-8.0
  5. https://www.openssh.com/releasenotes.html#8.0
  6. https://nvd.nist.gov/vuln/detail/CVE-2019-6111
  7. http://www.openssh.com/txt/release-7.9
  8. http://www.openssh.com/txt/release-7.8
  9. http://www.openssh.com/txt/release-7.7
  10. http://www.openssh.com/txt/release-7.6
  11. http://www.openssh.com/txt/release-7.5
  12. http://www.openssh.com/txt/release-7.4
  13. http://www.openssh.com/txt/release-7.3
  14. https://www.openssh.com/txt/release-7.2
  15. "OpenSSH 7.1 Release Notes". openssh.com. 2015-08-20. Retrieved 2015-09-01.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  16. "OpenSSH 7.0 Release Notes". openssh.com. 2015-08-11. Retrieved 2015-08-18.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  17. "OpenSSH 6.9 Release Notes". openssh.com. 2015-07-01. Retrieved 2015-08-12.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  18. Murenin, Constantine A. (2015-02-01). Soulskill (ed.). "OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519". Slashdot. Retrieved 2015-02-01.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  19. https://lwn.net/Article s/637147/
  20. Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  21. http://www.openssh.com/txt/release-6.5
  22. https://www.openssh.com/releasenotes.html#6.5
  23. https://en.wikipedia.org/wiki/Curve25519#Popularity
  24. Miller, Damien (2013-12-02). "ssh/PROTOCOL.chacha20poly1305". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-26.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  25. Murenin, Constantine A. (2013-12-11). Unknown Lamer (ed.). "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 2014-12-26.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
  26. https://www.openssh.com/txt/release-6.5
  27. http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
  28. https://github.com/openssh/openssh-portable/commit/0faf747e2f77f0f7083bcd59cbed30c4b5448444
  29. https://www.openssh.com/txt/release-6.4
  30. http://www.openssh.com/txt/release-5.1
  31. http://www.openssh.com/txt/release-5.0
  32. http://www.openssh.com/txt/release-4.9
  33. https://www.openssh.com/txt/release-3.9
  34. https://www.openssh.com/txt/release-3.0
  35. https://www.openssh.com/txt/release-2.9.9
  36. https://www.openssh.com/txt/release-2.5.1p1
  37. https://www.openssh.com/txt/release-1.2.2p1
  38. http://web.mit.edu/Crypto/src/ssh-1.2.26/ChangeLog

Advertising: