en Copyright 2025 Java http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#8e28d84935f2f0ee081d44f9803f3052b960e50b OpenSSH: Update to 10.0p2Full release notes are available athttps://www.openssh.com/txt/release-10.0Selected highlights from the release notes:Potentially-incompatible changes- This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.]- This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.- sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.Security- sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.]New features- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D51630 List of files: /src/crypto/openssh/INSTALL Tue, 26 Aug 2025 19:04:16 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#535af610a4fdace6d50960c0ad9be0597eea7a1b ssh: Update to OpenSSH 9.4p1Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567Full release notes at https://www.openssh.com/txt/release-9.4Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Fri, 11 Aug 2023 03:10:18 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#f374ba41f55c1a127303d92d830dd58eef2f5243 ssh: update to OpenSSH 9.2p1Release notes are available at https://www.openssh.com/txt/release-9.2OpenSSH 9.2 contains fixes for two security problems and a memory safetyproblem. The memory safety problem is not believed to be exploitable.These fixes have already been committed to OpenSSH 9.1 in FreeBSD.Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499MFC after: 1 weekSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Mon, 06 Feb 2023 21:54:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Wed, 19 Oct 2022 14:27:11 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Wed, 13 Apr 2022 20:00:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /src/crypto/openssh/INSTALL Wed, 08 Sep 2021 01:05:51 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#3af64f03119a159ac15eb75b92d346705b490385 Merge ^/head r338392 through r338594. List of files: /src/crypto/openssh/INSTALL Tue, 11 Sep 2018 18:41:00 +0000 Dimitry Andric <dim@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#190cef3d52236565eb22e18b33e9e865ec634aa3 Upgrade to OpenSSH 7.8p1.Approved by: re (kib@) List of files: /src/crypto/openssh/INSTALL Mon, 10 Sep 2018 16:20:12 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#8e28d84935f2f0ee081d44f9803f3052b960e50b OpenSSH: Update to 10.0p2Full release notes are available athttps://www.openssh.com/txt/release-10.0Selected highlights from the release notes:Potentially-incompatible changes- This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.]- This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.- sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.Security- sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.]New features- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D51630 List of files: /src/crypto/openssh/INSTALL Tue, 26 Aug 2025 19:04:16 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#535af610a4fdace6d50960c0ad9be0597eea7a1b ssh: Update to OpenSSH 9.4p1Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567Full release notes at https://www.openssh.com/txt/release-9.4Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Fri, 11 Aug 2023 03:10:18 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#f374ba41f55c1a127303d92d830dd58eef2f5243 ssh: update to OpenSSH 9.2p1Release notes are available at https://www.openssh.com/txt/release-9.2OpenSSH 9.2 contains fixes for two security problems and a memory safetyproblem. The memory safety problem is not believed to be exploitable.These fixes have already been committed to OpenSSH 9.1 in FreeBSD.Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499MFC after: 1 weekSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Mon, 06 Feb 2023 21:54:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Wed, 19 Oct 2022 14:27:11 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/INSTALL Wed, 13 Apr 2022 20:00:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /src/crypto/openssh/INSTALL Wed, 08 Sep 2021 01:05:51 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#3af64f03119a159ac15eb75b92d346705b490385 Merge ^/head r338392 through r338594. List of files: /src/crypto/openssh/INSTALL Tue, 11 Sep 2018 18:41:00 +0000 Dimitry Andric <dim@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#190cef3d52236565eb22e18b33e9e865ec634aa3 Upgrade to OpenSSH 7.8p1.Approved by: re (kib@) List of files: /src/crypto/openssh/INSTALL Mon, 10 Sep 2018 16:20:12 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#47dd1d1b619cc035b82b49a91a25544309ff95ae Upgrade to OpenSSH 7.7p1. List of files: /src/crypto/openssh/INSTALL Fri, 11 May 2018 13:22:43 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.This completely removes client-side support for the SSH 1 protocol,which was already disabled in 12 but is still enabled in 11. For thatreason, we will not be able to merge 7.6p1 or newer back to 11. List of files: /src/crypto/openssh/INSTALL Tue, 08 May 2018 23:13:11 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#083c8ded054841f6b1a197acf6867e16fd044a7c MFhead@r322451 List of files: /src/crypto/openssh/INSTALL Sun, 13 Aug 2017 01:23:13 +0000 Enji Cooper <ngie@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/INSTALL#0275f9dbf73b01e9478dc7d6ab5fab4f8e077448 Merge ^/head r321383 through r322397. List of files: /src/crypto/openssh/INSTALL Fri, 11 Aug 2017 10:59:34 +0000 Hans Petter Selasky <hselasky@FreeBSD.org>