FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=main 2025-08-26T19:04:16Z 2025-08-26T19:04:16Z Ed Maste emaste@FreeBSD.org 2025-08-26T19:04:16Z urn:sha1:8e28d84935f2f0ee081d44f9803f3052b960e50b Full release notes are available at https://www.openssh.com/txt/release-10.0 Selected highlights from the release notes: Potentially-incompatible changes - This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.] - This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this. - sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Security - sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.] New features - ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D51630 2025-02-19T19:33:38Z Ed Maste emaste@FreeBSD.org 2025-02-19T19:33:38Z urn:sha1:0ae642c7dd0c2cfd965a22bf73876cd26cceadd2 This release exists primarily to fix two security bugs. The fixes have been independently imported into FreeBSD. This import serves to update the ssh and sshd version number. A few minor bug fixes are also included; see the upstream release notes for full details of the 9.9p2 release (https://www.openssh.com/releasenotes.html). Sponsored by: The FreeBSD Foundation 2025-02-19T19:08:59Z Ed Maste emaste@FreeBSD.org 2025-02-19T19:08:59Z urn:sha1:3d9fd9fcb432750f3716b28f6ccb0104cd9d351a Highlights from the release notes are reproduced below. Bug fixes and improvements that were previously merged into FreeBSD have been elided. See the upstream release notes for full details of the 9.9p1 release (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters. New features ------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA. Bugfixes -------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505 --- Reviewed by: jlduran (build infrastructure) Reviewed by: cy (build infrastructure) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48947 2025-02-19T17:20:44Z Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44Z urn:sha1:0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 2024-03-18T14:00:57Z Ed Maste emaste@FreeBSD.org 2024-03-18T14:00:57Z urn:sha1:a91a246563dffa876a52f53a98de4af9fa364c52 This release contains mostly bugfixes. It also makes support for the DSA signature algorithm a compile-time option, with plans to disable it upstream later this year and remove support entirely in 2025. Full release notes at https://www.openssh.com/txt/release-9.7 Relnotes: Yes Sponsored by: The FreeBSD Foundation 2024-01-05T03:16:30Z Ed Maste emaste@FreeBSD.org 2024-01-05T03:16:30Z urn:sha1:069ac18495ad8fde2748bc94b0f80a50250bb01d From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation 2023-10-09T17:28:17Z Ed Maste emaste@FreeBSD.org 2023-10-09T17:28:17Z urn:sha1:edf8578117e8844e02c0121147f45e4609b30680 Excerpts from the release notes: Potentially incompatible changes -------------------------------- * ssh-keygen(1): generate Ed25519 keys by default. [NOTE: This change was already merged into FreeBSD.] * sshd(8): the Subsystem directive now accurately preserves quoting of subsystem commands and arguments. New features ------------ * ssh(1): add keystroke timing obfuscation to the client. * ssh(1), sshd(8): Introduce a transport-level ping facility. * sshd(8): allow override of Sybsystem directives in sshd Match blocks. Full release notes at https://www.openssh.com/txt/release-9.5 Relnotes: Yes Sponsored by: The FreeBSD Foundation 2023-08-11T03:10:18Z Ed Maste emaste@FreeBSD.org 2023-08-11T03:10:18Z urn:sha1:535af610a4fdace6d50960c0ad9be0597eea7a1b Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567 Full release notes at https://www.openssh.com/txt/release-9.4 Relnotes: Yes Sponsored by: The FreeBSD Foundation 2023-07-19T17:02:33Z Ed Maste emaste@FreeBSD.org 2023-07-19T17:02:33Z urn:sha1:66fd12cf4896eb08ad8e7a2627537f84ead84dd3 From the release notes: Changes since OpenSSH 9.3 ========================= This release fixes a security bug. Security ======== Fix CVE-2023-38408 - a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if the following conditions are met: * Exploitation requires the presence of specific libraries on the victim system. * Remote exploitation requires that the agent was forwarded to an attacker-controlled system. Exploitation can also be prevented by starting ssh-agent(1) with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. This vulnerability was discovered and demonstrated to be exploitable by the Qualys Security Advisory team. In addition to removing the main precondition for exploitation, this release removes the ability for remote ssh-agent(1) clients to load PKCS#11 modules by default (see below). Potentially-incompatible changes -------------------------------- * ssh-agent(8): the agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behaviour "-Oallow-remote-pkcs11". Note that ssh-agent(8) depends on the SSH client to identify requests that are remote. The OpenSSH >=8.9 ssh(1) client does this, but forwarding access to an agent socket using other tools may circumvent this restriction. CVE: CVE-2023-38408 Sponsored by: The FreeBSD Foundation 2023-03-16T14:29:55Z Ed Maste emaste@FreeBSD.org 2023-03-16T14:29:55Z urn:sha1:4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4 This release fixes a number of security bugs and has minor new features and bug fixes. Security fixes, from the release notes (https://www.openssh.com/txt/release-9.3): This release contains fixes for a security problem and a memory safety problem. The memory safety problem is not believed to be exploitable, but we report most network-reachable memory faults as security bugs. * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. Sponsored by: The FreeBSD Foundation