FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=main 2025-02-19T17:20:44Z 2025-02-19T17:20:44Z Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44Z urn:sha1:0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 2022-04-15T14:41:08Z Ed Maste emaste@FreeBSD.org 2022-04-15T14:41:08Z urn:sha1:87c1498d1a7473ff983e5c0456f30608f3f1e601 Release notes are available at https://www.openssh.com/txt/release-9.0 Some highlights: * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. * sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948 * sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. This commit excludes the scp(1) change to use the SFTP protocol by default; that change will immediately follow. MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation 2021-09-08T01:05:51Z Ed Maste emaste@FreeBSD.org 2021-09-08T01:05:51Z urn:sha1:19261079b74319502c6ffa1249920079f0f69a72 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985 2018-09-10T16:20:12Z Dag-Erling Smørgrav des@FreeBSD.org 2018-09-10T16:20:12Z urn:sha1:190cef3d52236565eb22e18b33e9e865ec634aa3 Approved by: re (kib@) 2018-05-08T23:13:11Z Dag-Erling Smørgrav des@FreeBSD.org 2018-05-08T23:13:11Z urn:sha1:4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11. 2017-03-06T01:37:05Z Dag-Erling Smørgrav des@FreeBSD.org 2017-03-06T01:37:05Z urn:sha1:ca86bcf2531c7b149c95244a67853d44323e7855 2017-03-02T00:11:32Z Dag-Erling Smørgrav des@FreeBSD.org 2017-03-02T00:11:32Z urn:sha1:076ad2f836d5f49dc1375f1677335a48fe0d4b82 2016-01-19T16:18:26Z Dag-Erling Smørgrav des@FreeBSD.org 2016-01-19T16:18:26Z urn:sha1:a0ee8cc636cd5c2374ec44ca71226564ea0bca95 upstream) and a number of security fixes which we had already backported. MFC after: 1 week 2014-01-31T13:12:02Z Dag-Erling Smørgrav des@FreeBSD.org 2014-01-31T13:12:02Z urn:sha1:f7167e0ea0bf5aaabff9490453b3b71b3f1b4d51 2013-03-22T17:55:38Z Dag-Erling Smørgrav des@FreeBSD.org 2013-03-22T17:55:38Z urn:sha1:6888a9be566d79246a948dcc4c0a914b1bee0c32 for a key revocation list and more fine-grained authentication control.