en Copyright 2025 Java http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#a91a246563dffa876a52f53a98de4af9fa364c52 ssh: Update to OpenSSH 9.7p1This release contains mostly bugfixes.It also makes support for the DSA signature algorithm a compile-timeoption, with plans to disable it upstream later this year and removesupport entirely in 2025.Full release notes at https://www.openssh.com/txt/release-9.7Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Mon, 18 Mar 2024 14:00:57 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#069ac18495ad8fde2748bc94b0f80a50250bb01d ssh: Update to OpenSSH 9.6p1From the release notes,> This release contains a number of security fixes, some small features> and bugfixes.The most significant change in 9.6p1 is a set of fixes for a newly-discovered weakness in the SSH transport protocol. The fix was alreadymerged into FreeBSD and released as FreeBSD-SA-23:19.openssh.Full release notes at https://www.openssh.com/txt/release-9.6Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Fri, 05 Jan 2024 03:16:30 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#92f58c69a14c0afe910145f177c0e8aeaf9c7da4 Implement "strict key exchange" in ssh and sshd.This adds a protocol extension to improve the integrity of the SSHtransport protocol, particular in and around the initial key exchange(KEX) phase.Full details of the extension are in the PROTOCOL file.OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14Approved by: so (implicit)Obtained from: https://anongit.mindrot.org/openssh.git/patch/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5Security: CVE-2023-48795 List of files: /src/crypto/openssh/PROTOCOL Mon, 18 Dec 2023 16:22:22 +0000 Gordon Tetlow <gordon@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#edf8578117e8844e02c0121147f45e4609b30680 ssh: Update to OpenSSH 9.5p1Excerpts from the release notes:Potentially incompatible changes-------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments.New features------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks.Full release notes at https://www.openssh.com/txt/release-9.5Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Mon, 09 Oct 2023 17:28:17 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#f374ba41f55c1a127303d92d830dd58eef2f5243 ssh: update to OpenSSH 9.2p1Release notes are available at https://www.openssh.com/txt/release-9.2OpenSSH 9.2 contains fixes for two security problems and a memory safetyproblem. The memory safety problem is not believed to be exploitable.These fixes have already been committed to OpenSSH 9.1 in FreeBSD.Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499MFC after: 1 weekSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Mon, 06 Feb 2023 21:54:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Wed, 19 Oct 2022 14:27:11 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#87c1498d1a7473ff983e5c0456f30608f3f1e601 ssh: update to OpenSSH v9.0p1Release notes are available at https://www.openssh.com/txt/release-9.0Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.This commit excludes the scp(1) change to use the SFTP protocol bydefault; that change will immediately follow.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Fri, 15 Apr 2022 14:41:08 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Wed, 13 Apr 2022 20:00:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /src/crypto/openssh/PROTOCOL Wed, 08 Sep 2021 01:05:51 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#ef1c128c05a64dc96083697fdbf6f045262f7844 Merge ^/head r357921 through r357930. List of files: /src/crypto/openssh/PROTOCOL Fri, 14 Feb 2020 19:33:48 +0000 Dimitry Andric <dim@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#2f513db72b034fd5ef7f080b11be5c711c15186a Upgrade to OpenSSH 7.9p1.MFC after: 2 monthsSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Fri, 14 Feb 2020 19:06:59 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#3af64f03119a159ac15eb75b92d346705b490385 Merge ^/head r338392 through r338594. List of files: /src/crypto/openssh/PROTOCOL Tue, 11 Sep 2018 18:41:00 +0000 Dimitry Andric <dim@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#190cef3d52236565eb22e18b33e9e865ec634aa3 Upgrade to OpenSSH 7.8p1.Approved by: re (kib@) List of files: /src/crypto/openssh/PROTOCOL Mon, 10 Sep 2018 16:20:12 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#a91a246563dffa876a52f53a98de4af9fa364c52 ssh: Update to OpenSSH 9.7p1This release contains mostly bugfixes.It also makes support for the DSA signature algorithm a compile-timeoption, with plans to disable it upstream later this year and removesupport entirely in 2025.Full release notes at https://www.openssh.com/txt/release-9.7Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Mon, 18 Mar 2024 14:00:57 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#069ac18495ad8fde2748bc94b0f80a50250bb01d ssh: Update to OpenSSH 9.6p1From the release notes,> This release contains a number of security fixes, some small features> and bugfixes.The most significant change in 9.6p1 is a set of fixes for a newly-discovered weakness in the SSH transport protocol. The fix was alreadymerged into FreeBSD and released as FreeBSD-SA-23:19.openssh.Full release notes at https://www.openssh.com/txt/release-9.6Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Fri, 05 Jan 2024 03:16:30 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#92f58c69a14c0afe910145f177c0e8aeaf9c7da4 Implement "strict key exchange" in ssh and sshd.This adds a protocol extension to improve the integrity of the SSHtransport protocol, particular in and around the initial key exchange(KEX) phase.Full details of the extension are in the PROTOCOL file.OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14Approved by: so (implicit)Obtained from: https://anongit.mindrot.org/openssh.git/patch/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5Security: CVE-2023-48795 List of files: /src/crypto/openssh/PROTOCOL Mon, 18 Dec 2023 16:22:22 +0000 Gordon Tetlow <gordon@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#edf8578117e8844e02c0121147f45e4609b30680 ssh: Update to OpenSSH 9.5p1Excerpts from the release notes:Potentially incompatible changes-------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments.New features------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks.Full release notes at https://www.openssh.com/txt/release-9.5Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Mon, 09 Oct 2023 17:28:17 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#f374ba41f55c1a127303d92d830dd58eef2f5243 ssh: update to OpenSSH 9.2p1Release notes are available at https://www.openssh.com/txt/release-9.2OpenSSH 9.2 contains fixes for two security problems and a memory safetyproblem. The memory safety problem is not believed to be exploitable.These fixes have already been committed to OpenSSH 9.1 in FreeBSD.Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499MFC after: 1 weekSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Mon, 06 Feb 2023 21:54:56 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Wed, 19 Oct 2022 14:27:11 +0000 Ed Maste <emaste@FreeBSD.org> http://opengrok.net:8080/history/src/crypto/openssh/PROTOCOL#87c1498d1a7473ff983e5c0456f30608f3f1e601 ssh: update to OpenSSH v9.0p1Release notes are available at https://www.openssh.com/txt/release-9.0Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.This commit excludes the scp(1) change to use the SFTP protocol bydefault; that change will immediately follow.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /src/crypto/openssh/PROTOCOL Fri, 15 Apr 2022 14:41:08 +0000 Ed Maste <emaste@FreeBSD.org>