Difference between revisions of "OpenSSH changelog"
(→2016) |
|||
(161 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Source: https://www.openssh.com/releasenotes.html | + | * Source: https://www.openssh.com/releasenotes.html |
+ | * <code>[[git clone]] https://github.com/openssh/openssh-portable.git</code> | ||
+ | * <code>[[ssh -V]]</code> | ||
+ | __NOTOC__ | ||
− | === | + | == 2023 == |
+ | * [[OpenSSH 9.6]] https://www.openssh.com/txt/release-9.6 | ||
+ | ** ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in [[PEM PKCS8]] format. Previously only the OpenSSH private key format was supported. | ||
+ | * [[OpenSSH 9.5]] https://www.openssh.com/txt/release-9.5 | ||
+ | ** ssh(1), sshd(8): Introduce a transport-level [[ping]] facility | ||
+ | * [[OpenSSH 9.4]] https://www.openssh.com/txt/release-9.4 | ||
+ | ** ssh: allow forwarding [[Unix Domain sockets]] via <code>[[ssh -W]]</code> | ||
+ | * [[OpenSSH 9.3]] https://www.openssh.com/txt/release-9.3 | ||
+ | * [[OpenSSH 9.2]] Feb 2023 https://www.openssh.com/txt/release-9.2 | ||
+ | ** [[ssh-keyscan]]: allow scanning of complete CIDR address ranges: <code>ssh-keyscan 192.168.0.0/24</code> | ||
+ | |||
+ | == 2022 == | ||
+ | * [[OpenSSH]] 9.1 Oct 2022 https://www.openssh.com/txt/release-9.1 | ||
+ | ** <code>[[RequiredRSASize]]</code> | ||
+ | ** <code>[[sftp -D]] "/usr/libexec/[[sftp-server]] -el debug3"</code> | ||
+ | |||
+ | * [[OpenSSH]] 9.0 Aug 2022 https://www.openssh.com/txt/release-9.0 | ||
+ | ** This release switches [[scp]] from using the legacy scp/rcp protocol to using the [[SFTP]] protocol by default | ||
+ | ** Use the hybrid Streamlined [[NTRU]] Prime + [[x25519]] [[key exchange]] method by default | ||
+ | ** [[sftp-server]]: support the "[[copy-data]]" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00 | ||
+ | ** [[sftp]]: add a "<code>[[cp]]</code>" command to allow the [[sftp client]] to perform [[server-side file copies]]. | ||
+ | |||
+ | * [[OpenSSH]] 8.9 Feb 2022 https://www.openssh.com/txt/release-8.9 | ||
+ | ** SECURITY [[integer overflow]] in the user authentication path | ||
+ | ** [[Trust on first use (TOFU)]]: [[ssh-keygen -Y match-principals]] | ||
+ | |||
+ | == 2021 == | ||
+ | * [[OpenSSH]] 8.8 September 2021 https://www.openssh.com/txt/release-8.8 | ||
+ | ** Disables [[RSA]] signatures using the [[SHA-1]] [[hash algorithm]] by default. It can be enabled for specific hosts using [[HostkeyAlgorithms]] directive. | ||
+ | ** SECURITY: Potential privilege escalation on <code>[[AuthorizedKeysCommand]]</code> or <code>[[AuthorizedPrincipalsCommand]]</code> | ||
+ | ** FEATURE: ssh(1): allow the [[ssh_config]](5) [[CanonicalizePermittedCNAMEs]] directive to accept a "none" argument to specify the default behaviour | ||
+ | * [[OpenSSH]] 8.7 August 2021 https://www.openssh.com/txt/release-8.7 | ||
+ | ** [[scp]] (1): experimental support for transfers using the [[SFTP protocol]] | ||
+ | ** ssh <code>[[ForkAfterAuthentication]]</code> | ||
+ | |||
+ | * [[OpenSSH]] 8.6 19 April 2021 https://www.openssh.com/txt/release-8.6 | ||
+ | ** SECURITY: <code>[[LogVerbose]]</code> keyword vulnerability fixed | ||
+ | ** FEATURE: Add <code>[[ModuliFile]]</code> keyword to [[sshd_config]] to specify the location of the "[[moduli]]" file containing the groups for [[DH-GEX]] | ||
+ | |||
+ | * [[OpenSSH]] 8.5 03 March 2021 https://www.openssh.com/txt/release-8.5 | ||
+ | ** SECURITY: <code>[[ssh-agent]]</code>: fixed a [[double-free memory corruption]] that was introduced in OpenSSH 8.2 (Feb 2020) | ||
+ | ** Update/replace the experimental [[post-quantum]] hybrid [[key exchange method]] | ||
+ | ** FEATURE: new <code>[[LogVerbose]]</code> configuration directive in <code>[[ssh]]</code> and </code>[[sshd]]</code> for that allows forcing maximum debug logging by file/function/line pattern-lists. | ||
+ | |||
+ | == 2020 == | ||
+ | * [[OpenSSH]] 8.4 Sep 2020 https://www.openssh.com/txt/release-8.4 | ||
+ | ** FEATURE: <code>[[ssh-keygen]]</code>: Enable [[FIDO]] 2.1 | ||
+ | ** <code>ssh</code>, <code>sshd</code> add a new <code>[[LogVerbose]]</code> configuration directive | ||
+ | |||
+ | * [[OpenSSH]] 8.3, May 2020 https://www.openssh.com/txt/release-8.3 | ||
+ | ** [[sshd]]: <code>[[IgnoreRhosts]]</code> has a new option: <code>shosts-only</code>. 3 options in total: <code>yes|no|shosts-only</code> | ||
+ | ** [[scp]] security bug fix, see [[Scp#Security]] | ||
+ | * [[OpenSSH]] 8.2, February 2020 <ref> https://www.openssh.com/txt/release-8.2</ref>. Included in [[Ubuntu 20.04 LTS]] | ||
+ | ** FEATURE: [[FIDO]]/[[U2F]] Support for [[MFA]] | ||
+ | |||
+ | == 2019 == | ||
* [[OpenSSH]] 8.1<ref>https://www.openssh.com/txt/release-8.1</ref><ref>https://www.openssh.com/releasenotes.html#8.1</ref>, released in October 2019 | * [[OpenSSH]] 8.1<ref>https://www.openssh.com/txt/release-8.1</ref><ref>https://www.openssh.com/releasenotes.html#8.1</ref>, released in October 2019 | ||
** <code>[[ssh]]</code>, <code>[[sshd]]</code>, <code>[[ssh-agent]]</code>: add protection for [[private keys]] at rest in [[RAM]] against speculation and memory [[side-channel attacks]] like [[Spectre]], [[Meltdown]] and [[Rambleed]]. | ** <code>[[ssh]]</code>, <code>[[sshd]]</code>, <code>[[ssh-agent]]</code>: add protection for [[private keys]] at rest in [[RAM]] against speculation and memory [[side-channel attacks]] like [[Spectre]], [[Meltdown]] and [[Rambleed]]. | ||
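Review bot: the added OpenSSH 8.5 FEATURE line opens the sshd link with a closing tag ("</code>[[sshd]]</code>"), so the code span is unbalanced; change the first tag to "<code>" and drop the stray "for" in "for that allows". The same added block also lists LogVerbose as a new directive under both 8.5 and 8.4, and the 8.6 item "LogVerbose keyword vulnerability fixed" does not say what the issue was; keep the directive under the single release that introduced it and give the 8.6 security item one clause of detail from the linked release notes.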
Line 7: | Line 65: | ||
** SECURITY: [[CVE]]-2019-6111<ref>https://nvd.nist.gov/vuln/detail/CVE-2019-6111</ref> related to <code>[[scp]]</code> tool and protocol allowing to overwrite arbitrary files in the scp client target directory | ** SECURITY: [[CVE]]-2019-6111<ref>https://nvd.nist.gov/vuln/detail/CVE-2019-6111</ref> related to <code>[[scp]]</code> tool and protocol allowing to overwrite arbitrary files in the scp client target directory | ||
− | == | + | == [[2018]] == |
* OpenSSH 7.9<ref>http://www.openssh.com/txt/release-7.9</ref>, released in October 2018 | * OpenSSH 7.9<ref>http://www.openssh.com/txt/release-7.9</ref>, released in October 2018 | ||
** allow [[key revocation lists]] (KRLs) to revoke keys specified by SHA256 hash | ** allow [[key revocation lists]] (KRLs) to revoke keys specified by SHA256 hash | ||
* OpenSSH 7.8<ref>http://www.openssh.com/txt/release-7.8</ref>, released in August 2018 | * OpenSSH 7.8<ref>http://www.openssh.com/txt/release-7.8</ref>, released in August 2018 | ||
− | ** Incompatible changes: <code>[[ssh-keygen]]</code> write OpenSSH format private keys by default instead of using OpenSSL's PEM format. | + | ** Incompatible changes: <code>[[ssh-keygen]]</code> write OpenSSH format private keys by default instead of using [[OpenSSL]]'s [[PEM]] format. |
* OpenSSH 7.7<ref>http://www.openssh.com/txt/release-7.7</ref>, released in February 2018 | * OpenSSH 7.7<ref>http://www.openssh.com/txt/release-7.7</ref>, released in February 2018 | ||
− | ** FEATURE: Add | + | ** FEATURE: Add <code>"[[expiry-time]]"</code> option in sshd for <code>[[authorized_keys]]</code> files to allow for expiring keys. |
− | * OpenSSH 7.6<ref>http://www.openssh.com/txt/release-7.6</ref>, released in October 2017 | + | |
− | ** FEATURE: Add <code>RemoteCommand</code> option | + | == 2017 == |
− | ** FEATURE: Add <code>SyslogFacility</code> option to ssh matching the equivalent option in sshd | + | * OpenSSH 7.6<ref>http://www.openssh.com/txt/release-7.6</ref>, released in October 2017. Included in [[Ubuntu 18.04.4 LTS]] |
− | ** FEATURE: ssh client reverse dynamic forwarding <code>-R</code> | + | ** FEATURE: Add <code>[[RemoteCommand]]</code> option |
+ | ** FEATURE: Add <code>[[SyslogFacility]]</code> option to ssh matching the equivalent option in sshd | ||
+ | ** FEATURE: [[ssh client]] [[reverse dynamic forwarding]] <code>-R</code> | ||
* OpenSSH 7.5<ref>http://www.openssh.com/txt/release-7.5</ref>, released in March 2017 | * OpenSSH 7.5<ref>http://www.openssh.com/txt/release-7.5</ref>, released in March 2017 | ||
** BUGFIX: This is a mainly a bugfix release. | ** BUGFIX: This is a mainly a bugfix release. | ||
− | * OpenSSH 7.4<ref>http://www.openssh.com/txt/release-7.4</ref>, released in December 2016 | + | ** [[ssh]] <code>accept-new</code> new option for <code>[[StrictHostKeyChecking]]</code> |
− | ** sshd(8): Add a sshd_config <code>DisableForwarding</code> option | + | ** Refuse [[RSA]] [[keys]] <1024 bits in length and improve reporting for keys that do not meet this requirement. |
− | * OpenSSH 7.3<ref>http://www.openssh.com/txt/release-7.3</ref>, released August 01, 2016 | + | |
+ | == 2016 == | ||
+ | * OpenSSH 7.4 <ref>http://www.openssh.com/txt/release-7.4</ref>, released in December 2016 | ||
+ | ** sshd(8): Add a <code>[[sshd_config]]</code> <code>DisableForwarding</code> option | ||
+ | * OpenSSH 7.3 <ref>http://www.openssh.com/txt/release-7.3</ref>, released August 01, 2016 | ||
** FEATURE: Adds <code>[[ProxyJump]]</code> option (<code>-J</code>) | ** FEATURE: Adds <code>[[ProxyJump]]</code> option (<code>-J</code>) | ||
− | ** FEATURE: Add an <code> | + | ** FEATURE: Add an <code>[[include]]</code> directive for <code>[[ssh_config]]</code> files |
+ | ** FEATURE: <code>ssh</code> add an <code>[[include]]</code> directive for <code>[[ssh_config]]</code> files. | ||
+ | * OpenSSH 7.2 <ref>https://www.openssh.com/txt/release-7.2</ref> Feb 2016 | ||
+ | |||
+ | == 2015 == | ||
* OpenSSH 7.1: August 20, 2015<ref name="7.1-released">{{cite web | * OpenSSH 7.1: August 20, 2015<ref name="7.1-released">{{cite web | ||
| url = http://www.openssh.com/txt/release-7.1 | | url = http://www.openssh.com/txt/release-7.1 | ||
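Review bot: the 7.3 entry now carries the include directive twice ("FEATURE: Add an <code>[[include]]</code> directive for <code>[[ssh_config]]</code> files" and "FEATURE: <code>ssh</code> add an <code>[[include]]</code> directive ..."); keep one of the two. In the 7.5 entry, "BUGFIX: This is a mainly a bugfix release." has a doubled article and is now followed by two added items that read as behaviour changes (accept-new, refusing RSA keys <1024 bits), so label those items FEATURE or SECURITY the way the neighbouring entries do.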
Line 31: | Line 99: | ||
| website = openssh.com | | website = openssh.com | ||
}}</ref> | }}</ref> | ||
− | ** This is a bugfix release. | + | ** Bugfix: This is a bugfix release. |
* OpenSSH 7.0: August 11, 2015<ref>{{cite web | * OpenSSH 7.0: August 11, 2015<ref>{{cite web | ||
| url = http://www.openssh.com/txt/release-7.0 | | url = http://www.openssh.com/txt/release-7.0 | ||
Line 38: | Line 106: | ||
| website = openssh.com | | website = openssh.com | ||
}}</ref> | }}</ref> | ||
− | ** The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography. | + | ** The focus of this release is primarily to deprecate weak, legacy and unsafe [[cryptography]]. |
* OpenSSH 6.9: July 1, 2015<ref>{{cite web | * OpenSSH 6.9: July 1, 2015<ref>{{cite web | ||
| url = http://www.openssh.com/txt/release-6.9 | | url = http://www.openssh.com/txt/release-6.9 | ||
Line 45: | Line 113: | ||
| website = openssh.com | | website = openssh.com | ||
}}</ref> | }}</ref> | ||
− | ** | + | ** Bugfix: This is primarily a bugfix release. |
* OpenSSH 6.8: March 18, 2015 | * OpenSSH 6.8: March 18, 2015 | ||
** Added new <kbd>[email protected]</kbd> extension to facilitate public key discovery and rotation for trusted hosts (for transition from [[Digital Signature Algorithm|DSA]] to [[Ed25519]] public host keys)<ref>{{cite web |url=http://it.slashdot.org/story/15/02/01/0533208/openssh-will-feature-key-discovery-and-rotation-for-easier-switching-to-ed25519 |title= OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519 |first=Constantine A. |last=Murenin |editor=Soulskill |date=2015-02-01 |accessdate=2015-02-01 |publisher=[[Slashdot]]}}</ref> | ** Added new <kbd>[email protected]</kbd> extension to facilitate public key discovery and rotation for trusted hosts (for transition from [[Digital Signature Algorithm|DSA]] to [[Ed25519]] public host keys)<ref>{{cite web |url=http://it.slashdot.org/story/15/02/01/0533208/openssh-will-feature-key-discovery-and-rotation-for-easier-switching-to-ed25519 |title= OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519 |first=Constantine A. |last=Murenin |editor=Soulskill |date=2015-02-01 |accessdate=2015-02-01 |publisher=[[Slashdot]]}}</ref> | ||
− | ** <code>AuthenticationMethods=publickey,publickey</code> to require that users authenticate using two different public keys<ref>https://lwn.net/Article | + | ** <code>AuthenticationMethods=publickey,publickey</code> to require that users authenticate using two different [[public keys]]<ref>https://lwn.net/Article |
s/637147/</ref> | s/637147/</ref> | ||
+ | |||
+ | == 2014 == | ||
* OpenSSH 6.7: October 6, 2014 | * OpenSSH 6.7: October 6, 2014 | ||
** The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, [[Cipher Block Chaining|CBC]] ciphers and arcfour* are disabled by default. | ** The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, [[Cipher Block Chaining|CBC]] ciphers and arcfour* are disabled by default. | ||
Line 60: | Line 130: | ||
* OpenSSH 6.5<ref>http://www.openssh.com/txt/release-6.5</ref><ref>https://www.openssh.com/releasenotes.html#6.5</ref>: January 30, 2014 | * OpenSSH 6.5<ref>http://www.openssh.com/txt/release-6.5</ref><ref>https://www.openssh.com/releasenotes.html#6.5</ref>: January 30, 2014 | ||
** Added<!-- on 2013/12/06 --> new <kbd>ssh-[[ed25519]]</kbd> and <kbd>[email protected]</kbd> public key types (available since 2005 but more popular since some suspicious that NSA had chosen values that gave them an advantage in factoring public-keys)<ref>https://en.wikipedia.org/wiki/Curve25519#Popularity</ref> | ** Added<!-- on 2013/12/06 --> new <kbd>ssh-[[ed25519]]</kbd> and <kbd>[email protected]</kbd> public key types (available since 2005 but more popular since some suspicious that NSA had chosen values that gave them an advantage in factoring public-keys)<ref>https://en.wikipedia.org/wiki/Curve25519#Popularity</ref> | ||
− | |||
** Added new <kbd>[[ChaCha20|chacha20]]-[[poly1305]]@openssh.com</kbd> transport cipher<ref>{{cite web |url=http://bxr.su/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305 |title=ssh/PROTOCOL.chacha20poly1305 |first=Damien |last=Miller |website=BSD Cross Reference, OpenBSD src/usr.bin/ |date=2013-12-02 |accessdate=2014-12-26 }}</ref><ref>{{cite web |url=http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein |title= OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein |first=Constantine A. |last=Murenin |editor=Unknown Lamer |date=2013-12-11 |accessdate=2014-12-26 |publisher=[[Slashdot]]}}</ref> | ** Added new <kbd>[[ChaCha20|chacha20]]-[[poly1305]]@openssh.com</kbd> transport cipher<ref>{{cite web |url=http://bxr.su/OpenBSD/usr.bin/ssh/PROTOCOL.chacha20poly1305 |title=ssh/PROTOCOL.chacha20poly1305 |first=Damien |last=Miller |website=BSD Cross Reference, OpenBSD src/usr.bin/ |date=2013-12-02 |accessdate=2014-12-26 }}</ref><ref>{{cite web |url=http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein |title= OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein |first=Constantine A. |last=Murenin |editor=Unknown Lamer |date=2013-12-11 |accessdate=2014-12-26 |publisher=[[Slashdot]]}}</ref> | ||
** Added<!-- on 2013/11/02 --> <kbd>[[curve25519]]-[[sha256]]@libssh.org</kbd> [[key exchange]] | ** Added<!-- on 2013/11/02 --> <kbd>[[curve25519]]-[[sha256]]@libssh.org</kbd> [[key exchange]] | ||
Line 67: | Line 136: | ||
** Add a new private key format that uses a [[bcrypt]] KDF | ** Add a new private key format that uses a [[bcrypt]] KDF | ||
+ | == 2013 == | ||
* OpenSSH 6.4: November 8, 2013 <ref>https://www.openssh.com/txt/release-6.4</ref> | * OpenSSH 6.4: November 8, 2013 <ref>https://www.openssh.com/txt/release-6.4</ref> | ||
** This release fixes a security bug with AES-GCM | ** This release fixes a security bug with AES-GCM | ||
Line 77: | Line 147: | ||
** Added support for encrypt-then-mac MAC modes | ** Added support for encrypt-then-mac MAC modes | ||
** Added support for multiple required authentication methods | ** Added support for multiple required authentication methods | ||
− | ** Added support for Key Revocation Lists (KRL) | + | ** Added support for [[Key Revocation Lists]] (KRL) |
+ | == 2012 == | ||
* OpenSSH 6.1: August 29, 2012 | * OpenSSH 6.1: August 29, 2012 | ||
** This is primarily a bugfix release. | ** This is primarily a bugfix release. | ||
** Enables pre-auth sandboxing by default | ** Enables pre-auth sandboxing by default | ||
− | ** Finds ECDSA keys in <code>ssh-keyscan</code> and SSHFP DNS records by default now | + | ** Finds [[ECDSA]] keys in <code>[[ssh-keyscan]]</code> and SSHFP DNS records by default now |
* OpenSSH 6.0: April 22, 2012 | * OpenSSH 6.0: April 22, 2012 | ||
** This is primarily a bugfix release. | ** This is primarily a bugfix release. | ||
+ | == 2011 == | ||
* OpenSSH 5.9: September 6, 2011 | * OpenSSH 5.9: September 6, 2011 | ||
** Introduce [[Sandbox (computer security)|sandboxing]] of the pre-auth [[privilege separation|privilege separated]] child | ** Introduce [[Sandbox (computer security)|sandboxing]] of the pre-auth [[privilege separation|privilege separated]] child | ||
Line 92: | Line 164: | ||
* OpenSSH 5.7: January 24, 2011 | * OpenSSH 5.7: January 24, 2011 | ||
** Added support for elliptic curve cryptography for [[Elliptic curve Diffie–Hellman|key exchange]] as well as [[Elliptic Curve DSA|host/user keys]], per {{RFC|5656}} | ** Added support for elliptic curve cryptography for [[Elliptic curve Diffie–Hellman|key exchange]] as well as [[Elliptic Curve DSA|host/user keys]], per {{RFC|5656}} | ||
+ | |||
+ | == 2010 == | ||
* OpenSSH 5.6: August 23, 2010 | * OpenSSH 5.6: August 23, 2010 | ||
− | ** Added a <code>ControlPersist</code >option to ssh_config | + | ** Added a <code>[[ControlPersist]]</code >option to [[ssh_config]] |
+ | ** Add a new [[-3]] option to [[scp]]: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. | ||
* OpenSSH 5.5: April 16, 2010 | * OpenSSH 5.5: April 16, 2010 | ||
* OpenSSH 5.4: March 8, 2010 | * OpenSSH 5.4: March 8, 2010 | ||
Line 101: | Line 176: | ||
** Added "[[Netcat]] mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1) <code>ProxyCommand</code> to route connections via intermediate servers, without the need for [[Netcat|nc(1)]] on the server machine. | ** Added "[[Netcat]] mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1) <code>ProxyCommand</code> to route connections via intermediate servers, without the need for [[Netcat|nc(1)]] on the server machine. | ||
** Added the ability to revoke [[Public-key cryptography|public keys]] in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used. | ** Added the ability to revoke [[Public-key cryptography|public keys]] in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used. | ||
+ | |||
+ | == 2009 == | ||
* OpenSSH 5.3: October 1, 2009 | * OpenSSH 5.3: October 1, 2009 | ||
* OpenSSH 5.2: February 23, 2009 | * OpenSSH 5.2: February 23, 2009 | ||
− | * OpenSSH 5.1: July 21, 2008 | + | |
− | ** Added a <code>MaxSessions</code> option to sshd_config | + | == 2008 == |
− | * OpenSSH 5.0: April 3, 2008 | + | * OpenSSH 5.1: July 21, 2008<ref>http://www.openssh.com/txt/release-5.1</ref> |
− | * OpenSSH 4.9: March 30, 2008 | + | ** Added a <code>MaxSessions</code> option to <code>[[sshd_config]]</code> to control the number of [[multiplexed sessions]] |
− | ** Added [[chroot]] support for sshd | + | ** Added <code>[[sshd -T]]</code>, an extended [[test mode]] |
− | ** Create an internal [[ | + | * OpenSSH 5.0: April 3, 2008 <ref>http://www.openssh.com/txt/release-5.0</ref> |
+ | * OpenSSH 4.9: March 30, 2008 <ref>http://www.openssh.com/txt/release-4.9</ref> | ||
+ | ** Added [[chroot]] support for <code>[[sshd]]</code> | ||
+ | ** Create an internal [[SFTP]] (<code>[[internal-sftp]]</code> directive) server for easier use of the [[chroot]] functionality | ||
+ | |||
+ | == 2007 == | ||
* OpenSSH 4.7: September 4, 2007 | * OpenSSH 4.7: September 4, 2007 | ||
+ | :Added [[chroot]](2) support for sshd(8), controlled by a new option "<code>[[ChrootDirectory]]</code>". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352) | ||
* OpenSSH 4.6: March 9, 2007 | * OpenSSH 4.6: March 9, 2007 | ||
+ | |||
+ | == 2006 == | ||
* OpenSSH 4.5: November 7, 2006 | * OpenSSH 4.5: November 7, 2006 | ||
* OpenSSH 4.4: September 27, 2006 | * OpenSSH 4.4: September 27, 2006 | ||
* OpenSSH 4.3: February 1, 2006 | * OpenSSH 4.3: February 1, 2006 | ||
** Added [[Open Systems Interconnection|OSI]] layer 2/3 [[TUN/TAP|tun]]-based [[VPN]] (-w option on ssh(1)) | ** Added [[Open Systems Interconnection|OSI]] layer 2/3 [[TUN/TAP|tun]]-based [[VPN]] (-w option on ssh(1)) | ||
− | * OpenSSH 4.2: September 1, 2005 | + | |
+ | == 2005 == | ||
+ | * OpenSSH 4.2: September 1, 2005 https://www.openssh.com/txt/release-4.2 | ||
+ | ** Increase the default size of new [[RSA]]/[[DSA]] keys generated by <code>[[ssh-keygen]]</code> from 1024 to 2048 bits. | ||
+ | ** Added <code>[[ControlMaster]]=auto/autoask</code> options to support opportunistic multiplexing (see the ssh_config(5) manpage for details). | ||
+ | |||
* OpenSSH 4.1: May 26, 2005 | * OpenSSH 4.1: May 26, 2005 | ||
* OpenSSH 4.0: March 9, 2005 | * OpenSSH 4.0: March 9, 2005 | ||
+ | |||
+ | == 2004 == | ||
* OpenSSH 3.9<ref>https://www.openssh.com/txt/release-3.9</ref>: August 18, 2004 | * OpenSSH 3.9<ref>https://www.openssh.com/txt/release-3.9</ref>: August 18, 2004 | ||
− | ** Implement [[ | + | ** Implement [[session multiplexing]]. <code>[[ControlMaster]]</code> option |
** Added a <code>MaxAuthTries</code> option to sshd, allowing control over the maximum number of authentication attempts permitted per connection | ** Added a <code>MaxAuthTries</code> option to sshd, allowing control over the maximum number of authentication attempts permitted per connection | ||
** Added <code>IdentitiesOnly</code> option to <code>ssh</code> which specifies that it should use keys specified in ssh_config, rather than any keys in [[ssh-agent]] | ** Added <code>IdentitiesOnly</code> option to <code>ssh</code> which specifies that it should use keys specified in ssh_config, rather than any keys in [[ssh-agent]] | ||
** Re-introduce support for [[PAM]] password authentication | ** Re-introduce support for [[PAM]] password authentication | ||
* OpenSSH 3.8: February 24, 2004 | * OpenSSH 3.8: February 24, 2004 | ||
+ | |||
+ | == 2003 == | ||
* OpenSSH 3.7.1: September 16, 2003 | * OpenSSH 3.7.1: September 16, 2003 | ||
* OpenSSH 3.7: September 16, 2003 | * OpenSSH 3.7: September 16, 2003 | ||
Line 129: | Line 223: | ||
* OpenSSH 3.6.1: April 1, 2003 | * OpenSSH 3.6.1: April 1, 2003 | ||
* OpenSSH 3.6: March 31, 2003 | * OpenSSH 3.6: March 31, 2003 | ||
+ | |||
+ | == 2002 == | ||
* OpenSSH 3.5: October 14, 2002 | * OpenSSH 3.5: October 14, 2002 | ||
* OpenSSH 3.4: June 26, 2002 | * OpenSSH 3.4: June 26, 2002 | ||
Line 134: | Line 230: | ||
** Improved [[Kerberos]] support in protocol v1 (KerbIV and KerbV) | ** Improved [[Kerberos]] support in protocol v1 (KerbIV and KerbV) | ||
* OpenSSH 2.9.9: <ref>https://www.openssh.com/txt/release-2.9.9</ref> | * OpenSSH 2.9.9: <ref>https://www.openssh.com/txt/release-2.9.9</ref> | ||
+ | |||
+ | == 2001 == | ||
* OpenSSH 2.5.1p1: February 19, 2001<ref>https://www.openssh.com/txt/release-2.5.1p1</ref> | * OpenSSH 2.5.1p1: February 19, 2001<ref>https://www.openssh.com/txt/release-2.5.1p1</ref> | ||
− | ** [[Skey]]Authentication absoleted, use ChallengeResponseAuthentication instead. | + | ** [[Skey]]Authentication absoleted, use <code>[[ChallengeResponseAuthentication]]</code> instead. |
+ | == 2000 == | ||
* OpenSSH 1.2.2p1<ref>https://www.openssh.com/txt/release-1.2.2p1</ref>: March 5, 2000 | * OpenSSH 1.2.2p1<ref>https://www.openssh.com/txt/release-1.2.2p1</ref>: March 5, 2000 | ||
+ | |||
+ | |||
+ | == 1995 == | ||
+ | * Added client configuration option <code>[[StrictHostKeyChecking]]</code><ref>http://web.mit.edu/Crypto/src/ssh-1.2.26/ChangeLog</ref> | ||
== See also == | == See also == | ||
+ | * {{sha}} | ||
* {{OpenSSH}} | * {{OpenSSH}} | ||
* {{changelogs}} | * {{changelogs}} |
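Review bot: the changed 2.5.1p1 line adds the <code> markup but keeps the typo "absoleted"; correct it to "obsoleted" while the line is being touched. The new "== 1995 ==" entry has no version or release date, and its reference is the ssh-1.2.26 ChangeLog rather than an OpenSSH release note, so either state that it refers to the original SSH code base or move it out of the OpenSSH release list.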
Latest revision as of 14:19, 4 April 2024
- Source: https://www.openssh.com/releasenotes.html
- git clone https://github.com/openssh/openssh-portable.git
- ssh -V
2023
- OpenSSH 9.6 https://www.openssh.com/txt/release-9.6
  - ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported.
- OpenSSH 9.5 https://www.openssh.com/txt/release-9.5
  - ssh(1), sshd(8): Introduce a transport-level ping facility
- OpenSSH 9.4 https://www.openssh.com/txt/release-9.4
  - ssh: allow forwarding Unix Domain sockets via ssh -W
- OpenSSH 9.3 https://www.openssh.com/txt/release-9.3
- OpenSSH 9.2 Feb 2023 https://www.openssh.com/txt/release-9.2
  - ssh-keyscan: allow scanning of complete CIDR address ranges: ssh-keyscan 192.168.0.0/24
2022
- OpenSSH 9.1 Oct 2022 https://www.openssh.com/txt/release-9.1
  - RequiredRSASize
  - sftp -D "/usr/libexec/sftp-server -el debug3"
- OpenSSH 9.0 Aug 2022 https://www.openssh.com/txt/release-9.0
  - This release switches scp from using the legacy scp/rcp protocol to using the SFTP protocol by default
  - Use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default
  - sftp-server: support the "copy-data" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00
  - sftp: add a "cp" command to allow the sftp client to perform server-side file copies.
- OpenSSH 8.9 Feb 2022 https://www.openssh.com/txt/release-8.9
  - SECURITY integer overflow in the user authentication path
  - Trust on first use (TOFU): ssh-keygen -Y match-principals
2021
- OpenSSH 8.8 September 2021 https://www.openssh.com/txt/release-8.8
  - Disables RSA signatures using the SHA-1 hash algorithm by default. It can be enabled for specific hosts using the HostkeyAlgorithms directive.
  - SECURITY: Potential privilege escalation on AuthorizedKeysCommand or AuthorizedPrincipalsCommand
  - FEATURE: ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs directive to accept a "none" argument to specify the default behaviour
- OpenSSH 8.7 August 2021 https://www.openssh.com/txt/release-8.7
  - scp(1): experimental support for transfers using the SFTP protocol
  - ssh ForkAfterAuthentication
- OpenSSH 8.6 19 April 2021 https://www.openssh.com/txt/release-8.6
  - SECURITY: LogVerbose keyword vulnerability fixed
  - FEATURE: Add ModuliFile keyword to sshd_config to specify the location of the "moduli" file containing the groups for DH-GEX
- OpenSSH 8.5 03 March 2021 https://www.openssh.com/txt/release-8.5
  - SECURITY: ssh-agent: fixed a double-free memory corruption that was introduced in OpenSSH 8.2 (Feb 2020)
  - Update/replace the experimental post-quantum hybrid key exchange method
  - FEATURE: new LogVerbose configuration directive in ssh and sshd that allows forcing maximum debug logging by file/function/line pattern-lists.
2020
- OpenSSH 8.4 Sep 2020 https://www.openssh.com/txt/release-8.4
  - FEATURE: ssh-keygen: Enable FIDO 2.1
  - ssh, sshd add a new LogVerbose configuration directive
- OpenSSH 8.3, May 2020 https://www.openssh.com/txt/release-8.3
  - sshd: IgnoreRhosts has a new option: shosts-only. 3 options in total: yes|no|shosts-only
  - scp security bug fix, see Scp#Security
- OpenSSH 8.2, February 2020 [1]. Included in Ubuntu 20.04 LTS
2019
- OpenSSH 8.1[2][3], released in October 2019
  - ssh, sshd, ssh-agent: add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed.
- OpenSSH 8.0[4][5], released in April 2019
2018
- OpenSSH 7.9[7], released in October 2018
  - allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash
- OpenSSH 7.8[8], released in August 2018
  - Incompatible changes: ssh-keygen writes OpenSSH format private keys by default instead of using OpenSSL's PEM format.
- OpenSSH 7.7[9], released in February 2018
  - FEATURE: Add "expiry-time" option in sshd for authorized_keys files to allow for expiring keys.
2017
- OpenSSH 7.6[10], released in October 2017. Included in Ubuntu 18.04.4 LTS
  - FEATURE: Add RemoteCommand option
  - FEATURE: Add SyslogFacility option to ssh matching the equivalent option in sshd
  - FEATURE: ssh client reverse dynamic forwarding -R
- OpenSSH 7.5[11], released in March 2017
  - BUGFIX: This is mainly a bugfix release.
  - ssh: new accept-new option for StrictHostKeyChecking
  - Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.
2016
- OpenSSH 7.4 [12], released in December 2016
  - sshd(8): Add a sshd_config DisableForwarding option
- OpenSSH 7.3 [13], released August 01, 2016
  - FEATURE: Adds ProxyJump option (-J)
  - FEATURE: ssh: add an include directive for ssh_config files.
- OpenSSH 7.2 [14] Feb 2016
2015
- OpenSSH 7.1: August 20, 2015[15]
  - Bugfix: This is a bugfix release.
- OpenSSH 7.0: August 11, 2015[16]
  - The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography.
- OpenSSH 6.9: July 1, 2015[17]
  - Bugfix: This is primarily a bugfix release.
- OpenSSH 6.8: March 18, 2015
  - Added new [email protected] extension to facilitate public key discovery and rotation for trusted hosts (for transition from DSA to Ed25519 public host keys)[18]
  - AuthenticationMethods=publickey,publickey to require that users authenticate using two different public keys[19]
2014
- OpenSSH 6.7: October 6, 2014
- OpenSSH 6.6: March 16, 2014
  - This is primarily a bugfix release.
- OpenSSH 6.5[21][22]: January 30, 2014
  - Added new ssh-ed25519 and [email protected] public key types (available since 2005 but more popular since some became suspicious that the NSA had chosen values that gave them an advantage in factoring public-keys)[23]
  - Added new chacha20-poly1305@openssh.com transport cipher[24][25]
  - Added curve25519-sha256@libssh.org key exchange
  - FEATURE: ssh, added Match keyword for ssh_config that allows conditional configuration to be applied [26]
  - FEATURE: client-side hostname canonicalisation: CanonicalDomains, CanonicalizeFallbackLocal, CanonicalizeHostname, CanonicalizeMaxDots and CanonicalizePermittedCNAMEs.[27][28]
  - Add a new private key format that uses a bcrypt KDF
2013
- OpenSSH 6.4: November 8, 2013 [29]
  - This release fixes a security bug with AES-GCM
- OpenSSH 6.3: September 13, 2013
  - This release is predominantly a bugfix release
- OpenSSH 6.2: March 22, 2013
  - Add a GCM-mode for the AES cipher, similar to RFC, RFI
  - Added support for encrypt-then-mac MAC modes
  - Added support for multiple required authentication methods
  - Added support for Key Revocation Lists (KRL)
2012
- OpenSSH 6.1: August 29, 2012
  - This is primarily a bugfix release.
  - Enables pre-auth sandboxing by default
  - Finds ECDSA keys in ssh-keyscan and SSHFP DNS records by default now
- OpenSSH 6.0: April 22, 2012
  - This is primarily a bugfix release.
2011
- OpenSSH 5.9: September 6, 2011
  - Introduce sandboxing of the pre-auth privilege separated child
- OpenSSH 5.8: February 4, 2011
- OpenSSH 5.7: January 24, 2011
  - Added support for elliptic curve cryptography for key exchange as well as host/user keys, per RFC 5656
2010
- OpenSSH 5.6: August 23, 2010
- Added a ControlPersist option to ssh_config
- Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
- OpenSSH 5.5: April 16, 2010
- OpenSSH 5.4: March 8, 2010
- Disabled SSH protocol 1 default support. Clients and servers must now explicitly enable it.
- Added PKCS11 authentication support for ssh(1) (-I pkcs11)
- Added Certificate based authentication
- Added "Netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards stdin and stdout instead. This allows, for example, using ssh(1) itself as a ssh(1) ProxyCommand to route connections via intermediate servers, without the need for nc(1) on the server machine.
- Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.
2009
- OpenSSH 5.3: October 1, 2009
- OpenSSH 5.2: February 23, 2009
2008
- OpenSSH 5.1: July 21, 2008[30]
- Added a MaxSessions option to sshd_config to control the number of multiplexed sessions
- Added sshd -T, an extended test mode
- OpenSSH 5.0: April 3, 2008 [31]
- OpenSSH 4.9: March 30, 2008 [32]
- Added chroot support for sshd
- Create an internal SFTP (internal-sftp directive) server for easier use of the chroot functionality
2007
- OpenSSH 4.7: September 4, 2007
- Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352)
- OpenSSH 4.6: March 9, 2007
2006
- OpenSSH 4.5: November 7, 2006
- OpenSSH 4.4: September 27, 2006
- OpenSSH 4.3: February 1, 2006
2005
- OpenSSH 4.2: September 1, 2005 https://www.openssh.com/txt/release-4.2
- Increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits.
- Added ControlMaster=auto/autoask options to support opportunistic multiplexing (see the ssh_config(5) manpage for details).
- OpenSSH 4.1: May 26, 2005
- OpenSSH 4.0: March 9, 2005
2004
- OpenSSH 3.9[33]: August 18, 2004
- Implement session multiplexing. ControlMaster option
- Added a MaxAuthTries option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
- Added IdentitiesOnly option to ssh which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent
- Re-introduce support for PAM password authentication
- OpenSSH 3.8: February 24, 2004
2003
- OpenSSH 3.7.1: September 16, 2003
- OpenSSH 3.7: September 16, 2003
- OpenSSH 3.6.1: April 1, 2003
- OpenSSH 3.6: March 31, 2003
2002
- OpenSSH 3.5: October 14, 2002
- OpenSSH 3.4: June 26, 2002
- OpenSSH 3.0: [34]
- Improved Kerberos support in protocol v1 (KerbIV and KerbV)
- OpenSSH 2.9.9: [35]
2001
- OpenSSH 2.5.1p1: February 19, 2001[36]
- SkeyAuthentication obsoleted, use ChallengeResponseAuthentication instead.
2000
- OpenSSH 1.2.2p1[37]: March 5, 2000
1995
- Added client configuration option StrictHostKeyChecking[38]
See also
- SHA, SHA-0, SHA-1, SHA-2, SHA-3, SHA-256, shasum, sha1sum, sha256sum, sha512sum
- OpenSSH (changelog): /etc/ssh/sshd_config | /etc/ssh/ssh_config | ~/.ssh/ | OpenSSL | sshd logs | sftp | scp | authorized_keys | ssh-keygen | ssh-keyscan | ssh-add | ssh-agent | ssh | Ssh -O stop | ssh-copy-id | CheckHostIP | UseKeychain, OpenSSF, ~/.ssh/authorized_keys
- Software changelogs, git log, GA, EoL, EOS, release cycle, apt changelog, docker-compose changelog
Source: Wikiversity
[1] https://www.openssh.com/txt/release-8.2
[2] https://www.openssh.com/txt/release-8.1
[3] https://www.openssh.com/releasenotes.html#8.1
[4] http://www.openssh.com/txt/release-8.0
[5] https://www.openssh.com/releasenotes.html#8.0
[6] https://nvd.nist.gov/vuln/detail/CVE-2019-6111
[7] http://www.openssh.com/txt/release-7.9
[8] http://www.openssh.com/txt/release-7.8
[9] http://www.openssh.com/txt/release-7.7
[10] http://www.openssh.com/txt/release-7.6
[11] http://www.openssh.com/txt/release-7.5
[12] http://www.openssh.com/txt/release-7.4
[13] http://www.openssh.com/txt/release-7.3
[14] https://www.openssh.com/txt/release-7.2
[15] "OpenSSH 7.1 Release Notes". openssh.com. 2015-08-20. Retrieved 2015-09-01.
[16] "OpenSSH 7.0 Release Notes". openssh.com. 2015-08-11. Retrieved 2015-08-18.
[17] "OpenSSH 6.9 Release Notes". openssh.com. 2015-07-01. Retrieved 2015-08-12.
[18] Murenin, Constantine A. (2015-02-01). Soulskill (ed.). "OpenSSH Will Feature Key Discovery and Rotation For Easier Switching To Ed25519". Slashdot. Retrieved 2015-02-01.
[19] https://lwn.net/Articles/637147/
[20] Murenin, Constantine A. (2014-04-30). Soulskill (ed.). "OpenSSH No Longer Has To Depend On OpenSSL". Slashdot. Retrieved 2014-12-26.
[21] http://www.openssh.com/txt/release-6.5
[22] https://www.openssh.com/releasenotes.html#6.5
[23] https://en.wikipedia.org/wiki/Curve25519#Popularity
[24] Miller, Damien (2013-12-02). "ssh/PROTOCOL.chacha20poly1305". BSD Cross Reference, OpenBSD src/usr.bin/. Retrieved 2014-12-26.
[25] Murenin, Constantine A. (2013-12-11). Unknown Lamer (ed.). "OpenSSH Has a New Cipher — Chacha20-poly1305 — from D.J. Bernstein". Slashdot. Retrieved 2014-12-26.
[26] https://www.openssh.com/txt/release-6.5
[27] http://blog.djm.net.au/2014/01/hostname-canonicalisation-in-openssh.html
[28] https://github.com/openssh/openssh-portable/commit/0faf747e2f77f0f7083bcd59cbed30c4b5448444
[29] https://www.openssh.com/txt/release-6.4
[30] http://www.openssh.com/txt/release-5.1
[31] http://www.openssh.com/txt/release-5.0
[32] http://www.openssh.com/txt/release-4.9
[33] https://www.openssh.com/txt/release-3.9
[34] https://www.openssh.com/txt/release-3.0
[35] https://www.openssh.com/txt/release-2.9.9
[36] https://www.openssh.com/txt/release-2.5.1p1
[37] https://www.openssh.com/txt/release-1.2.2p1
[38] http://web.mit.edu/Crypto/src/ssh-1.2.26/ChangeLog