FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=main 2026-05-14T18:59:30Z 2026-05-14T18:59:30Z Ed Maste emaste@FreeBSD.org 2026-05-14T18:59:30Z urn:sha1:2574974648c68c738aec3ff96644d888d7913a37 Full release notes are available at https://www.openssh.com/txt/release-10.3 Selected highlights from the release notes: * ssh(1), sshd(8): remove bug compatibility for implementations that don't support rekeying. If such an implementation tries to interoperate with OpenSSH, it will now eventually fail when the transport needs rekeying. * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new names is advertised via the EXT_INFO message. If a server offers support for the new names, then they are used preferentially. * ssh(1): add a ~I escape option that shows information about the current SSH connection. * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such attempts for longer if desired. * Support the ed25519 signature scheme via libcrypto. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D56999 2026-05-12T20:24:10Z Ed Maste emaste@FreeBSD.org 2026-05-12T20:24:10Z urn:sha1:644b4646c7acab87dc20d4e5dd53d2d9da152989 Full release notes are available at https://www.openssh.com/txt/release-10.1 Selected highlights from the release notes: Potentially-incompatible changes * ssh(1): add a warning when the connection negotiates a non-post quantum key agreement algorithm. * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS) keywords in the IPQoS configuration directive. * ssh-add(1): when adding certificates to an agent, set the expiry to the certificate expiry time plus a short (5 min) grace period. * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8). Security * ssh(1): disallow control characters in usernames passed via the commandline or expanded using %-sequences from the configuration file, and disallow \0 characters in ssh:// URIs. New features * ssh(1), sshd(8): add SIGINFO handlers to log active channel and session information. Sponsored by: The FreeBSD Foundation 2022-10-19T14:27:11Z Ed Maste emaste@FreeBSD.org 2022-10-19T14:27:11Z urn:sha1:38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 Release notes are available at https://www.openssh.com/txt/release-9.1 9.1 contains fixes for three minor memory safety problems; these have lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base system. Some highlights copied from the release notes: Potentially-incompatible changes -------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years. New features ------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429 MFC after: 2 weeks Relnotes: Yes Sponsored by: The FreeBSD Foundation 2021-09-08T01:05:51Z Ed Maste emaste@FreeBSD.org 2021-09-08T01:05:51Z urn:sha1:19261079b74319502c6ffa1249920079f0f69a72 Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985 2021-09-02T19:10:44Z Ed Maste emaste@FreeBSD.org 2021-09-02T17:38:30Z urn:sha1:6eac665c8126af387a457ee8a08303c6607a6769 Clean up whitespace and nonfunctional differences, and unused functions. 2021-09-01T19:53:09Z Ed Maste emaste@FreeBSD.org 2021-08-31T19:30:50Z urn:sha1:27ceebbc2402e4c98203c7eef9696f4bd3d326f8 Login class-based restrictions were introduced in 5b400a39b8ad. The code was adapted for sshd's Capsicum sandbox and received many changes over time, including at least fc3c19a9fcee, bd393de91cc3, and e8c56fba2926. During an attempt to upstream the work a much simpler approach was suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with future updates. Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub) Obtained from: https://github.com/openssh/openssh-portable/pull/262 Reviewed by: allanjude, kevans MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31760 2018-10-09T19:27:42Z Dag-Erling Smørgrav des@FreeBSD.org 2018-10-09T19:27:42Z urn:sha1:bd393de91cc39fc04033caa53ada48aa34df9607 - Wrap access to pw_change and pw_expire in the appropriate #ifdefs. - Wrap calls to login_cap(3) API in appropriate #ifdefs. - Add wrapper for transferring time_t, which is still only 32 bits wide on FreeBSD i386. - Use a temporary variable to deserialize size_t. Approved by: re (gjb) 2018-10-06T21:32:55Z Ed Maste emaste@FreeBSD.org 2018-10-06T21:32:55Z urn:sha1:fc3c19a9fceeea48a9259ac3833a125804342c0e * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in capability mode. * Cache timezone data via caph_cache_tzdata() as we cannot access the timezone file. * Reverse resolve hostname before entering capability mode. PR: 231172 Submitted by: naito.yuichiro@gmail.com Reviewed by: cem, des Approved by: re (rgrimes) MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D17128 2018-05-08T23:13:11Z Dag-Erling Smørgrav des@FreeBSD.org 2018-05-08T23:13:11Z urn:sha1:4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 This completely removes client-side support for the SSH 1 protocol, which was already disabled in 12 but is still enabled in 11. For that reason, we will not be able to merge 7.6p1 or newer back to 11. 2017-03-02T00:11:32Z Dag-Erling Smørgrav des@FreeBSD.org 2017-03-02T00:11:32Z urn:sha1:076ad2f836d5f49dc1375f1677335a48fe0d4b82