OpenSSH 10.1/10.1p1 (2025-10-06)

OpenSSH 10.1 was released on 2025-10-06. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation warning
--------------------------

* A future release of OpenSSH will deprecate support for SHA1 SSHFP
records due to weaknesses in the SHA1 hash function. SHA1 SSHFP
DNS records will be ignored and ssh-keygen -r will generate only
SHA256 SSHFP records.

The SHA256 hash algorithm, which has no known weaknesses, has
been supported for SSHFP records since OpenSSH 6.1, released in
2012.

Potentially-incompatible changes
--------------------------------

* ssh(1): add a warning when the connection negotiates a non-post
quantum key agreement algorithm.

This warning has been added due to the risk of "store now, decrypt
later" attacks. More details at https://openssh.com/pq.html

This warning may be controlled via a new WarnWeakCrypto ssh_config
option, defaulting to on. This option is likely to control
additional weak crypto warnings in the future.

* ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS

In both client and server the default DSCP (a.k.a IPQoS) values
were revised and the way these values are used during runtime has
changed.

Interactive traffic is now assigned to the EF (Expedited
Forwarding) class by default. This provides more appropriate
packet prioritisation information for the intermediate network,
such as wireless media (cf. RFC 8325). Non-interactive traffic
will now use the operating system default DSCP marking. Both the
interactive and non-interactive DSCP values may be overridden via
the IPQoS keyword, described in ssh_config(5) and sshd_config(5).

The appropriate DSCP marking is now automatically selected and
updated as needed over the course of a connection's lifetime.
ssh(1) and sshd(8) will switch between the interactive and
non-interactive IPQoS values depending on the type of SSH
channels open at the time. For example, if an sftp session is
using the connection alongside a shell session, then the non-
interactive value will be used for the duration of the sftp. A
connection which contains only interactive sessions is marked EF.

* ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
keywords in the IPQoS configuration directive.

Type of Service (ToS) was deprecated in the late nineties and
replaced with the Differentiated Services architecture, which
has significant advantages for operators because it offers more
granularity.

OpenSSH switched its default IPQoS from ToS to DSCP values in
2018 (openssh-7.7).

IPQoS configurations with 'lowdelay', 'reliability', or
'throughput' will be ignored and will instead use the system
default QoS settings. Additionally, a debug message will be logged
about the deprecation with a suggestion to use DSCP QoS instead.

* ssh-add(1): when adding certificates to an agent, set the expiry
to the certificate expiry time plus a short (5 min) grace period.

This will cause the agent to automatically remove certificates
shortly after they expire. A new ssh-add -N option disables this
behaviour.

* All: remove experimental support for XMSS keys. This was never
enabled by default. We expect to implement a new post-quantum
signature scheme in the near future.

* ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
in sshd(8).

This ensures processes that have restricted filesystem access
that includes /tmp do not ambiently have the ability to use keys
in an agent.

Moving the default directory has the consequence that the OS will
no longer clean up stale agent sockets, so ssh-agent now gains
this ability.

To support $HOME on NFS, the socket path includes a truncated
hash of the hostname. ssh-agent will, by default, only clean up
sockets from the same hostname.

ssh-agent(1) gains some new flags: -U suppresses the automatic
cleanup of stale sockets when it starts. -u forces a cleanup
without keeping a running agent, -uu forces a cleanup that ignores
the hostname. -T makes ssh-agent put the socket back in /tmp.

Changes since OpenSSH 10.0
==========================

This release contains a minor security fix as well as a number of
feature improvements and bugfixes.

Security
========

* ssh(1): disallow control characters in usernames passed via the
commandline or expanded using %-sequences from the configuration
file, and disallow \0 characters in ssh:// URIs.

If an ssh(1) commandline was constructed using usernames or URIs
obtained from an untrusted source, and if a ProxyCommand that uses
the %u expansion was configured, then it may be possible for an
attacker to inject shell expressions that may be executed when the
proxy command is started.

We strongly recommend against using untrusted inputs to construct
ssh(1) commandlines.

This change also relaxes the validity checks in one small way:
usernames supplied via the configuration file as literals (i.e.
that have no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files. This is
done on the basis that ssh's configuration is trusted.

This issue was reported by David Leadbeater.

New features
------------

* ssh(1), sshd(8): add SIGINFO handlers to log active channel and
session information.

* sshd(8): when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the
reason why it was being denied. Makes debugging certificate
authorisation problems a bit easier.

* ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
tokens.

* ssh(1): add an ssh_config(5) RefuseConnection option that, when
encountered while processing an active section in a
configuration, terminates ssh(1) with an error message that
contains the argument to the option.

This may be useful for expressing reminders or warnings in config
files, for example:

Match host foo
RefuseConnection "foo is deprecated, use splork instead"

* sshd(8): make the X11 display number check relative to
X11DisplayOffset. This will allow people to use X11DisplayOffset
to configure much higher port ranges if they really want, while
not changing the default behaviour.

* unit tests: the unit test framework now includes some basic
benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes"
on OpenBSD or "make unit-bench" on Portable OpenSSH.

Bugfixes
--------

* sshd(8): fix mistracking of MaxStartups process exits in some
situations. At worst, this could cause all MaxStartups slots to
fill and sshd to refuse new connections.

* ssh(1): fix delay on X client startup when ObscureKeystrokeTiming
is enabled. bz#3820

* sshd(8): increase the maximum size of the supported configuration
from 256KB to 4MB, which ought to be enough for anybody. Fail
early and visibly when this limit is breached. bz3808

* sftp(1): during sftp uploads, avoid a condition where a failed
write could be ignored if a subsequent write succeeded. This is
unlikely but technically possible because sftp servers are
allowed to reorder requests.

* sshd(8): avoid a race condition when the sshd-auth process exits
that could cause a spurious error message to be logged.

* sshd(8): log at level INFO when PerSourcePenalties actually
blocks access to a source address range. Previously this was
logged at level VERBOSE, which hid enforcement actions under
default config settings.

* sshd(8): GssStrictAcceptor was missing from sshd -T output; fix

* sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
first-match-wins as advertised. bz3859

* ssh(1): fix an incorrect return value check in the local forward
cancellation path that would cause failed cancellations not to be
logged.

* sshd(8): make "Match !final" not trigger a second parsing pass
of ssh_config (unless hostname canonicalisation or a separate
"Match final" does). bz3843

* ssh(1): better debug diagnostics when loading keys. Will now list
key fingerprint and algorithm (not just algorithm number) as well
as making it explicit which keys didn't load.

* All: fix a number of memory leaks found by LeakSanitizer,
Coverity and manual inspection.

* sshd(8): Output the current name for PermitRootLogin's
"prohibit-password" in sshd -T instead of its deprecated alias
"without-password".  bz#3788

* ssh(1): make writing known_hosts lines more atomic by writing
the entire line in one operation and using unbuffered stdio.

Usually writes to this file are serialised on the "Are you sure
you want to continue connecting?" prompt, but if host key
checking is disabled and connections were being made with high
concurrency then interleaved writes might have been possible.

Portability
-----------

* sshd(8): check the username didn't change during the PAM
transactions.

PAM modules can change the user during their execution, but
this is not supported by sshd(8). If such a case was incorrectly
configured by the system administrator, then sshd(8) could end up
using a different username to the one authorised by PAM.

* sshd(8): don't log audit messages with UNKNOWN hostname to avoid
slow DNS lookups in the audit subsystem.

* All: when making a copy of struct passwd, ensure struct fields are
non-NULL. Android libc can return NULL pw_gecos, for example.

* All: Remove status bits from OpenSSL >=3 version check.

* sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise tun
forwarding from other OSes fails as soon as the first IPv6 message
is sent by the other side (which is usually a Router Solicitation
ICMPv6 message which is sent as soon as the interface is up).

* ssh(1), ssh-agent(8): check for nlist function presence before
attempting to use it instead of relying on the presence of the
nlist.h header.  Mac OS X, for example, has the header but not
the function in the 64bit libraries.

* All: fill in missing system header files.

Create replacement header files inside openbsd-compat for common
headers that are missing on a given platform. Usually these are
just empty, but in some cases they'll include the equivalent file.
This avoids having to wrap those includes in '#ifdef HAVE_FOO_H'
and reduces the diff between Portable OpenSSH and OpenBSD.

* sshd(8): handle futex_time64 properly in seccomp sandbox
Previously we only allowed __NR_futex, but some 32-bit systems
apparently support __NR_futex_time64. We had support for this
in the sandbox, but because of a macro error only __NR_futex was
allowlisted.

* Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.

* sshd(8): let ga_init() fail gracefully if getgrouplist does.
Apparently getgrouplist() can fail on OSX when passed a
non-existent group name. Other platforms seem to return a group
list consisting of the numeric gid passed to the function. bz3848

* ssh-agent(1): exit 0 from SIGTERM under systemd socket-activation,
preventing a graceful shutdown of an agent via systemd from
incorrectly marking the service as "failed".

* build: wrap some autoconf macros in AC_CACHE_CHECK.

This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE and
OSSH_CHECK_CFLAG_LINK macros used to discover supported compiler
or linker flags. E.g.

$ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
[...]
checking if cc supports compile flag -fzero-call-used-regs=used
and linking succeeds... (cached) no

Checksums:
==========

SHA1 (openssh-10.1.tar.gz) = 8eef44a945a9a9a5a99213ab0d57e35b7ba60e75
SHA256 (openssh-10.1.tar.gz) = j9ymvhvdGMeAvh1oTI2YmOAwv7Ao70gbGPyPedgQsBU=

SHA1 (openssh-10.1p1.tar.gz) = 7fd17b99d1beffb47cd380d64079e920bb0bd91f
SHA256 (openssh-10.1p1.tar.gz) = ufx6K4JXlGem8vQ+SoHI4d/aYU3bT5slWq/XAgu/B1g=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH 10.0/10.0p2 (2025-04-09)

OpenSSH 10.0 was released on 2025-04-09. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Potentially-incompatible changes
--------------------------------

* This release removes support for the weak DSA signature
algorithm, completing the deprecation process that began in
2015 (when DSA was disabled by default) and repeatedly warned
over the last 12 months.

* scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
scp & sftp. This disables implicit session creation by these
tools when ControlMaster was set to yes/auto by configuration,
which some users found surprising. This change will not prevent
scp/sftp from using an existing multiplexing session if one had
already been created. GHPR557

* This release has the version number 10.0 and announces itself
as "SSH-2.0-OpenSSH_10.0". Software that naively matches
versions using patterns like "OpenSSH_1*" may be confused by
this.

* sshd(8): this release removes the code responsible for the
user authentication phase of the protocol from the per-
connection sshd-session binary to a new sshd-auth binary.
Splitting this code into a separate binary ensures that the
crucial pre-authentication attack surface has an entirely
disjoint address space from the code used for the rest of the
connection. It also yields a small runtime memory saving as the
authentication code will be unloaded after the authentication
phase completes. This change should be largely invisible to
users, though some log messages may now come from "sshd-auth"
instead of "sshd-session". Downstream distributors of OpenSSH
will need to package the sshd-auth binary.

* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the default
key exchange in OpenSSH for the last 14 years.

* sshd(8): this release removes the implicit fallback to compiled-
in groups for Diffie-Hellman Group Exchange KEX when the moduli
file exists but does not contain moduli within the client-
requested range.  The fallback behaviour remains for the case
where the moduli file does not exist at all. This allows
administrators more explicit control over which DH groups will
be selected, but can lead to connection failures if the moduli
file is edited incorrectly. bz#2793

Changes since OpenSSH 9.9
=========================

This release contains a minor security fix as well as a number of
feature improvements and bugfixes.

Security
========

* sshd(8): fix the DisableForwarding directive, which was failing
to disable X11 forwarding and agent forwarding as documented.
X11 forwarding is disabled by default in the server and agent
forwarding is off by default in the client.

New features
------------

* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.

* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).

* ssh(1): add %-token and environment variable expansion to the
ssh_config SetEnv directive.

* ssh(1): allow %-token and environment variable expansion in
the ssh_config User directive, with the exception of %r and %C
which would be self-referential. bz#3477

* ssh(1), sshd(8): add "Match version" support to ssh_config and
sshd_config. Allows matching on the local version of OpenSSH,
e.g. "Match version OpenSSH_10.*".

* ssh(1): add support for "Match sessiontype" to ssh_config.
Allows matching on the type of session initially requested,
either "shell" for interactive sessions, "exec" for command
execution sessions, "subsystem" for subsystem requests, such as
sftp, or "none" for transport/forwarding-only sessions.

* ssh(1): add support for "Match command ..." support to
ssh_config, allowing matching on the remote command as specified
on the command-line.

* ssh(1): allow 'Match tagged ""' and 'Match command ""' to match
empty tag and command values respectively.

* sshd(8): allow glob(3) patterns to be used in sshd_config
AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
bz2755

* sshd(1): support the VersionAddendum in the client, mirroring
the option of the same name in the server; bz2745

* ssh-agent(1): the agent will now delete all loaded keys when
signaled with SIGUSR1. This allows deletion of keys without
having access to $SSH_AUTH_SOCK.

* Portable OpenSSH, ssh-agent(1): support systemd-style socket
activation in ssh-agent using the LISTEN_PID/LISTEN_FDS
mechanism. Activated when these environment variables are set,
the agent is started with the -d or -D option and no socket path
is set. GHPR502

* ssh-keygen(1): support FIDO tokens that return no attestation
data, e.g. recent WinHello. GHPR542

* ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the
default FIDO application ID allow-list to be overridden.

* Add a work-in-progress tool to verify FIDO attestation blobs
that ssh-keygen can optionally write when enrolling FIDO keys.
This tool is available under regress/misc/ssh-verify-attestation
for experimentation but is not installed by "make install".

* ssh-keygen(1): allow "-" as output file for moduli screening.
GHPR393

Bugfixes
--------

* sshd(8): remove assumption that the sshd_config and any configs
it includes can fit in a (possibly enlarged) socket buffer.
Previously it was possible to create a sufficiently large
configuration that could cause sshd to fail to accept any
connection. sshd(8) will now actively manage sending its config
to the sshd-session sub-process.

* ssh(1): don't start the ObscureKeystrokeTiming mitigations if
there has been traffic on a X11 forwarding channel recently.
Should fix X11 forwarding performance problems when this setting
is enabled. bz3655

* ssh(1): prohibit the comma character in hostnames accepted, but
allow an underscore as the first character in a hostname.

* sftp(1): set high-water when resuming a "put". Prevents bogus
"server reordered acks" debug message.

* ssh(1), sshd(8): fix regression in openssh-9.8, which would fail
to accept "Match criteria=argument" as well as the documented
"Match criteria argument" syntax in ssh_config and sshd_config.
bz3739

* sftp(1), ssh(1): fix a number possible NULL dereference bugs,
including Coverity CIDs 405019 and 477813.

* sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty
when LoginGraceTime was exceeded. bz3797

* sshd(8): fix "Match invalid-user" from incorrectly being
activated in initial configuration pass when no other predicates
were present on the match line

* sshd(8): fix debug logging of user specific delay. GHPR#552

* sshd(8): improve debug logging across sub-process boundaries.
Previously some log messages were lost early in the sshd-auth and
sshd-session processes' life.

* ssh(1): require control-escape character sequences passed via
the '-e ^x' command-line to be exactly two characters long. Avoids
one byte out-of-bounds read if ssh is invoked as "ssh -e^ ..."
GHPR368

* ssh(1), sshd(8): prevent integer overflow in x11 port handling.
These are theoretically possible if the admin misconfigured
X11DisplayOffset or the user misconfigures their own $DISPLAY,
but don't happen in normal operation. bz#3730

* ssh-keygen(1): don't mess up ssh-keygen -l output when the file
contains CR characters; GHPR236 bz3385.

* sshd(8): add rate limits to logging of connections dropped by
PerSourcePenalties. Previously these could be noisy in logs.

* ssh(1): fix argument of "Compression" directive in ssh -G config
dump, which regressed in openssh-9.8.

* sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd
refuses to accept the signature returned by an agent holding host
keys during the hostkey rotation sub-protocol. This situation
could occur in situations where a PKCS#11 smartcard that lacked
support for particular signature algorithms was used to store
host keys.

* ssh-keygen(1): when using RSA keys to sign messages with
"ssh-keygen -Y", select the signature algorithm based on the
requested hash algorithm ("-Ohashalg=xxx"). This allows using
something other than the default of rsa-sha2-512, which may not
be supported on all signing backends, e.g. some smartcards only
support SHA256.

* ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on
big-endian systems.

* Many regression and interop test improvements.

Portability
-----------

* All: add support for AWS-LC (AWS libcrypto). bz3784

* sshd(8): add wtmpdb support as a Y2038 safe wtmp replacement.

* sshd(8): add support for locking sshd into memory, enabled with
the --with-linux-memlock-onfault configure flag.

* Add support for building a standalone sk-libfido2 library,
enabled by --with-security-key-standalone

* ssh(1), sshd(8), ssh-keyscan(1): include __builtin_popcount
replacement function. for compilers that lack it.

* All: Check for and replace le32toh, le64toh, htole64 separately.
It appears that at least some versions of endian.h in glibc do
not have the latter two. bz#3794

* Remove ancient RHL 6.x config in RPM spec.

Checksums:
==========

- SHA1 (openssh-10.0.tar.gz) = 933f4fded0497ef6a588381257276e156a70f9c3
- SHA256 (openssh-10.0.tar.gz) = oaJ+cXLCVoCZAz9W5W1vF7ko4GJW6iq7JmblrPUA34Q=

- SHA1 (openssh-10.0p2.tar.gz) = ac4205e827aea383bf316a33a0e2d5b66b85fcf8
- SHA256 (openssh-10.0p2.tar.gz) = AhoucJoO30JQsSVr1anlAEEakN3avqgw7VnO+Q652Fw=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH 9.9p2 (2025-02-18)

OpenSSH 9.9p2 was released on 2025-02-18. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Changes since OpenSSH 9.9p1
===========================

This release fixes two security bugs.

Security
========

* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.

* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.

Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.

For OpenBSD, fixes to these problems are available as errata; refer
to https://www.openbsd.org/errata.html

Bugfixes
========

* ssh(1), sshd(8): fix regression in Match directive that caused
failures when predicates and their arguments were separated by '='
characters instead of whitespace (bz3739).

* sshd(8): fix the "Match invalid-user" predicate, which was matching
incorrectly in the initial pass of config evaluation.

* ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
exchange on big-endian systems.

* Fix a number of build problems on particular operating systems /
configurations.

Checksums:
==========

- SHA1 (openssh-9.9p2.tar.gz) = edefe960645780dee78059c444d4261667ad3056
- SHA256 (openssh-9.9p2.tar.gz) = karbYD4IzChe3fll4RmdAlhfqU2ZTWyuW0Hhch4hVnM=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH 9.9/9.9p1 (2024-09-19)

OpenSSH 9.9 was released on 2024-09-19. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.

Currently DSA is disabled at compile time. The final step of
removing DSA support entirely is planned for the first OpenSSH
release of 2025.

DSA support may be re-enabled on OpenBSD by setting "DSAKEY=yes"
in Makefile.inc. To enable DSA support in portable OpenSSH, pass
the "--enable-dsa-keys" option to configure.

Potentially-incompatible changes
--------------------------------

* ssh(1): remove support for pre-authentication compression.
OpenSSH has only supported post-authentication compression in
the server for some years. Compression before authentication
significantly increases the attack surface of SSH servers and risks
creating oracles that reveal information about information sent
during authentication.

* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters. If configurations contained workarounds for the
previous simplistic quote handling then they may need to be
adjusted. If this is the case, it's most likely to be in the
arguments to a "Match exec" confition. In this case, moving the
command to be evaluated from the Match line to an external shell
script is easiest way to preserve compatibility with both the old
and new versions.

Changes since OpenSSH 9.8
=========================

This release contains a number of new features and bugfixes.

New features
------------

* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.

* ssh(1): the ssh_config "Include" directive can now expand
environment as well as the same set of %-tokens "Match Exec"
supports.

* sshd(8): add a sshd_config "RefuseConnection" option that, if set
will terminate the connection at the first authentication request.

* sshd(8): add a "refuseconnection" penalty class to sshd_config
PerSourcePenalties that is applied when a connection is dropped by
the new RefuseConnection keyword.

* sshd(8): add a "Match invalid-user" predicate to sshd_config Match
options that matches when the target username is not valid on the
server.

* ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
substantially faster implementation.

* ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
exchange algorithm now has an IANA-assigned name in addition to
the "@openssh.com" vendor extension name. This algorithm is now
also available under this name "sntrup761x25519-sha512"

* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.

* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.

* sshd(8): add a random amount of jitter (up to 4 seconds) to the
grace login time to make its expiry unpredictable.

Bugfixes
--------

* sshd(8): relax absolute path requirement back to what it was prior
to OpenSSH 9.8, which incorrectly required that sshd was started
with an absolute path in inetd mode. bz3717

* sshd(8): fix regression introduced in openssh-9.8 that swapped the
order of source and destination addresses in some sshd log messages.

* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys. bz3733

* ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
prompts. Helps the user know what's going on when ssh-keygen is
invoked via other tools. Requested in GHPR503

* ssh(1), ssh-add(1): make parsing user@host consistently look for
the last '@' in the string rather than the first. This makes it
possible to more consistently use usernames that contain '@'
characters.

* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and require
full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725

* regress: many performance and correctness improvements to the
re-keying regression test.

* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default signature
scheme when RSA is in use. GHPR505

* sshd(8): fix minor memory leak in Subsystem option parsing; GHPR515

* All: additional hardening and consistency checks for the sshbuf
code.

* sshd(8): reduce default logingrace penalty to ensure that a single
forgotton login that times out will be below the penalty threshold.

* ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started with
ControlPersist then later has a forwarding added using mux proxy
connection and the forwarding was used, then when the mux proxy
session terminated, the mux master process would issue a bad message
that terminated the connection.

Portability
-----------

* sync contrib/ssh-copy-id to the latest upstream version.

* regress: improve portablility for some awk(1) usage (e.g. Solaris)

* In the contrib/redhat RPM spec file, without_openssl was previously
incorrectly enabled unconditionally.

* sshd(8) restore audit call before exit that regressed in openssh-9.8
Fixes an issue where the SSH_CONNECTION_ABANDON event was not
recorded.

* sshd(8): add support for class-imposed loging restrictions on FreeBSD.
Allowing auth_hostok(3) and auth_timeok(3) to control logins.

* Build fixes for Musl libc.

* Fix detection of setres*id on GNU/Hurd

Checksums:
==========

- SHA1 (openssh-9.9.tar.gz) = 080acf6ff0b862e8faa3baa3920a079536d28e85
- SHA256 (openssh-9.9.tar.gz) = h1xwa7CVcJfN7I9MgxxPBpUELzo+tnmLy+6slYHTUtw=

- SHA1 (openssh-9.9p1.tar.gz) = 5ded7eb0add0b02b5d1a1c4bf5cb2c89d2117b53
- SHA256 (openssh-9.9p1.tar.gz) = s0P7zb/4fxWxmG5uFdbU/Jp9NgZr5rf7UHCHuo+WbAI=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH 9.8/9.8p1 (2024-07-01)

OpenSSH 9.8 was released on 2024-07-01. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Security
========

This release contains fixes for two security problems, one critical
and one minor.

1) Race condition in sshd(8)

A critical vulnerability in sshd(8) was present in Portable OpenSSH
versions between 8.5p1 and 9.7p1 (inclusive) that may allow arbitrary
code execution with root privileges.

Successful exploitation has been demonstrated on 32-bit Linux/glibc
systems with ASLR. Under lab conditions, the attack requires on
average 6-8 hours of continuous connections up to the maximum the
server will accept. Exploitation on 64-bit systems is believed to be
possible but has not been demonstrated at this time. It's likely that
these attacks will be improved upon.

Exploitation on non-glibc systems is conceivable but has not been
examined. Systems that lack ASLR or users of downstream Linux
distributions that have modified OpenSSH to disable per-connection
ASLR re-randomisation (yes - this is a thing, no - we don't
understand why) may potentially have an easier path to exploitation.
OpenBSD is not vulnerable.

We thank the Qualys Security Advisory Team for discovering, reporting
and demonstrating exploitability of this problem, and for providing
detailed feedback on additional mitigation measures.

2) Logic error in ssh(1) ObscureKeystrokeTiming

In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an
OpenSSH server version 9.5 or later, a logic error in the ssh(1)
ObscureKeystrokeTiming feature (on by default) rendered this feature
ineffective - a passive observer could still detect which network
packets contained real keystrokes when the countermeasure was active
because both fake and real keystroke packets were being sent
unconditionally.

This bug was found by Philippos Giavridis and also independently by
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the
University of Cambridge Computer Lab.

Worse, the unconditional sending of both fake and real keystroke
packets broke another long-standing timing attack mitigation. Since
OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for
traffic received on TTYs in echo-off mode, such as when entering a
password into su(8) or sudo(8). This bug rendered these fake
keystroke echoes ineffective and could allow a passive observer of
a SSH session to once again detect when echo was off and obtain
fairly limited timing information about keystrokes in this situation
(20ms granularity by default).

This additional implication of the bug was identified by Jacky Wei
En Kung, Daniel Hugenroth and Alastair Beresford and we thank them
for their detailed analysis.

This bug does not affect connections when ObscureKeystrokeTiming
was disabled or sessions where no TTY was requested.

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.

This release, and its deactivation of DSA by default at compile-time,
marks the second step in our timeline to finally deprecate DSA. The
final step of removing DSA support entirely is planned for the first
OpenSSH release of 2025.

DSA support may be re-enabled in OpenBSD by setting "DSAKEY=yes"
in Makefile.inc. To enable DSA support in portable OpenSSH, pass
the "--enable-dsa-keys" option to configure.

Potentially-incompatible changes
--------------------------------

* all: as mentioned above, the DSA signature algorithm is now
disabled at compile time.

* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.

* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.

* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".

* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.

* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101

* (portable OpenSSH only) Automatically-generated files, such as
configure, config.h.in, etc will now be checked in to the portable
OpenSSH git release branch (e.g. V_9_8). This should ensure that
the contents of the signed release branch exactly match the
contents of the signed release tarball.

Changes since OpenSSH 9.7
=========================

This release contains mostly bugfixes.

New features
------------

* sshd(8): as described above, sshd(8) will now penalise client
addresses that, for various reasons, do not successfully complete
authentication. This feature is controlled by a new sshd_config(5)
PerSourcePenalties option and is on by default.

sshd(8) will now identify situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly
indicating an attack against one or more accounts, e.g. password
guessing), or when client behaviour caused sshd to crash (possibly
indicating attempts to exploit bugs in sshd).

When such a condition is observed, sshd will record a penalty of
some duration (e.g. 30 seconds) against the client's address. If
this time is above a minimum configurable threshold, then all
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range) until the
penalty expire.

Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. Address ranges may be
fully exempted from penalties, e.g. to guarantee access from a set
of trusted management addresses, using the new sshd_config(5)
PerSourcePenaltyExemptList option.

We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself. This option is enabled by default.

* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.

Bugfixes
--------

* misc: fix a number of inaccuracies in the PROTOCOL.*
documentation files. GHPR430 GHPR487

* all: switch to strtonum(3) for more robust integer parsing in most
places.

* ssh(1), sshd(8): correctly restore sigprocmask around ppoll()

* ssh-keysign(8): stricter validation of messaging socket fd GHPR492

* sftp(1): flush stdout after writing "sftp>" prompt when not using
editline. GHPR480

* sftp-server(8): fix home-directory extension implementation, it
previously always returned the current user's home directory
contrary to the spec. GHPR477

* ssh-keyscan(1): do not close stdin to prevent error messages when
stdin is read multiple times. E.g.
echo localhost | ssh-keyscan -f - -f -

* regression tests: fix rekey test that was testing the same KEX
algorithm repeatedly instead of testing all of them. bz3692

* ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive
documentation, especially around what is supported vs available.
bz3701.

Portability
-----------

* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.

* build: fix OpenSSL ED25519 support detection. An incorrect function
signature in configure.ac previously prevented enabling the recently
added support for ED25519 private keys in PEM PKCS8 format.

* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479

* build: improve detection of the -fzero-call-used-regs compiler
flag. bz3673.

* build: relax OpenSSL version check to accept all OpenSSL 3.x
versions.

* sshd(8): add support for notifying systemd on server listen and
reload, using a standalone implementation that doesn't depend on
libsystemd. bz2641

Checksums:
==========

- SHA1 (openssh-9.8.tar.gz) = bc45cedae7f70b41e9922ef4c9f56e74b9a659b7
- SHA256 (openssh-9.8.tar.gz) = Dnc69VLWFBFdiaz8wySPlvHjb7wZfh/kblQ8ISuQr1Y=

- SHA1 (openssh-9.8p1.tar.gz) = a0bb501b11349f5c5c33a269351be091dc2c2727
- SHA256 (openssh-9.8p1.tar.gz) = 3YvQAqN5tdSZ37BQ3R+pr4Ap6ARh9LtsUjxJlz9aOfM=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH 9.7/9.7p1 (2024-03-11)

OpenSSH 9.7 was released on 2024-03-11. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025 and compile-time disable it later this year.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs[3], mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA in
OpenSSH to be justified and hope that removing it from OpenSSH can
accelerate its wider deprecation in supporting cryptography
libraries.

This release makes DSA support in OpenSSH compile-time optional,
defaulting to on. We intend the next release to change the default
to disable DSA at compile time. The first OpenSSH release of 2025
will remove DSA support entirely.

Changes since OpenSSH 9.6
=========================

This release contains mostly bugfixes.

New features
------------

* ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in
addition to the existing per-channel timeouts added recently.

This supports situations like having both session and x11
forwarding channels open where one may be idle for an extended
period but the other is actively used. The global timeout could
close both channels when both have been idle for too long.

* All: make DSA key support compile-time optional, defaulting to on.

Bugfixes
--------

* sshd(8): don't append an unnecessary space to the end of subsystem
arguments (bz3667)

* ssh(1): fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added. (GHPR#463)

* ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).

* ssh-agent(1): fix potential spin in signal handler (bz3670)

* Many fixes to manual pages and other documentation, including
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.

* Greatly improve interop testing against PuTTY.

Portability
-----------

* Improve the error message when the autoconf OpenSSL header check
fails (bz#3668)

* Improve detection of broken toolchain -fzero-call-used-regs support
(bz3645).

* Fix regress/misc/fuzz-harness fuzzers and make them compile without
warnings when using clang16

Checksums:
==========

- SHA1 (openssh-9.7.tar.gz) = 163272058edc20a8fde81661734a6684c9b4db11
- SHA256 (openssh-9.7.tar.gz) = gXDWrF4wN2UWyPjyjvVhpjjKd7D2qI6LyZiIYhbJQVg=

- SHA1 (openssh-9.7p1.tar.gz) = ce8985ea0ea2f16a5917fd982ade0972848373cc
- SHA256 (openssh-9.7p1.tar.gz) = SQQm92bYKidj/KzY2D6j1weYdQx70q/y5X3FZg93P/0=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH 9.6/9.6p1 (2023-12-18)

OpenSSH 9.6 was released on 2023-12-18. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their