en Copyright 2015 Java http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#2574974648c68c738aec3ff96644d888d7913a37 OpenSSH: Update to 10.3p1Full release notes are available athttps://www.openssh.com/txt/release-10.3Selected highlights from the release notes: * ssh(1), sshd(8): remove bug compatibility for implementations that don't support rekeying. If such an implementation tries to interoperate with OpenSSH, it will now eventually fail when the transport needs rekeying. * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new names is advertised via the EXT_INFO message. If a server offers support for the new names, then they are used preferentially. * ssh(1): add a ~I escape option that shows information about the current SSH connection. * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such attempts for longer if desired. * Support the ed25519 signature scheme via libcrypto.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D56999 List of files: /freebsd/crypto/openssh/INSTALL Thu, 14 May 2026 20:59:30 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#644b4646c7acab87dc20d4e5dd53d2d9da152989 OpenSSH: Update to 10.1p1Full release notes are available athttps://www.openssh.com/txt/release-10.1Selected highlights from the release notes:Potentially-incompatible changes * ssh(1): add a warning when the connection negotiates a non-post quantum key agreement algorithm. * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS) keywords in the IPQoS configuration directive. * ssh-add(1): when adding certificates to an agent, set the expiry to the certificate expiry time plus a short (5 min) grace period. * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets in sshd(8).Security * ssh(1): disallow control characters in usernames passed via the commandline or expanded using %-sequences from the configuration file, and disallow \0 characters in ssh:// URIs.New features * ssh(1), sshd(8): add SIGINFO handlers to log active channel and session information.Sponsored by: The FreeBSD Foundation List of files: /freebsd/crypto/openssh/INSTALL Tue, 12 May 2026 22:24:10 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#8e28d84935f2f0ee081d44f9803f3052b960e50b OpenSSH: Update to 10.0p2Full release notes are available athttps://www.openssh.com/txt/release-10.0Selected highlights from the release notes:Potentially-incompatible changes- This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.]- This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this.- sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary.Security- sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.]New features- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement.Sponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D51630 List of files: /freebsd/crypto/openssh/INSTALL Tue, 26 Aug 2025 21:04:16 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#535af610a4fdace6d50960c0ad9be0597eea7a1b ssh: Update to OpenSSH 9.4p1Excerpts from the release notes: * ssh-agent(1): PKCS#11 modules must now be specified by their full paths. Previously dlopen(3) could search for them in system library directories. * ssh(1): allow forwarding Unix Domain sockets via ssh -W. * ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name. * ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location. * ssh-agent(1): improve isolation between loaded PKCS#11 modules by running separate ssh-pkcs11-helpers for each loaded provider. * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11 modules being loaded by checking that the requested module contains the required symbol before loading it. * ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was expicitly set to "none". bz3567Full release notes at https://www.openssh.com/txt/release-9.4Relnotes: YesSponsored by: The FreeBSD Foundation List of files: /freebsd/crypto/openssh/INSTALL Fri, 11 Aug 2023 05:10:18 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#f374ba41f55c1a127303d92d830dd58eef2f5243 ssh: update to OpenSSH 9.2p1Release notes are available at https://www.openssh.com/txt/release-9.2OpenSSH 9.2 contains fixes for two security problems and a memory safetyproblem. The memory safety problem is not believed to be exploitable.These fixes have already been committed to OpenSSH 9.1 in FreeBSD.Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499MFC after: 1 weekSponsored by: The FreeBSD Foundation List of files: /freebsd/crypto/openssh/INSTALL Mon, 06 Feb 2023 22:54:56 +0100 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3 ssh: update to OpenSSH 9.1p1Release notes are available at https://www.openssh.com/txt/release-9.19.1 contains fixes for three minor memory safety problems; these havelready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD basesystem.Some highlights copied from the release notes:Potentially-incompatible changes-------------------------------- * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438 * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.New features------------ * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). * sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids. * sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings. * sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it. * ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3" * ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429MFC after: 2 weeksRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /freebsd/crypto/openssh/INSTALL Wed, 19 Oct 2022 16:27:11 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#1323ec571215a77ddd21294f0871979d5ad6b992 ssh: update to OpenSSH v8.9p1Release notes are available at https://www.openssh.com/txt/release-8.9Some highlights: * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). The next release of OpenSSH is likely to make this key exchange the default method. * sshd(8), portable OpenSSH only: this release removes in-built support for MD5-hashed passwords. If you require these on your system then we recommend linking against libxcrypt or similar.Future deprecation notice=========================A near-future release of OpenSSH will switch scp(1) from using thelegacy scp/rcp protocol to using SFTP by default.Legacy scp/rcp performs wildcard expansion of remote filenames (e.g."scp host:* .") through the remote shell. This has the side effect ofrequiring double quoting of shell meta-characters in file namesincluded on scp(1) command-lines, otherwise they could be interpretedas shell commands on the remote side.MFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD Foundation List of files: /freebsd/crypto/openssh/INSTALL Wed, 13 Apr 2022 22:00:56 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#19261079b74319502c6ffa1249920079f0f69a72 openssh: update to OpenSSH v8.7p1Some notable changes, from upstream's release notes:- sshd(8): Remove support for obsolete "host/port" syntax.- ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".- ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).- ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.- scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.- scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.Additional integration work is needed to support FIDO/U2F in the basesystem.Deprecation Notice------------------OpenSSH will disable the ssh-rsa signature scheme by default in thenext release.Reviewed by: impMFC after: 1 monthRelnotes: YesSponsored by: The FreeBSD FoundationDifferential Revision: https://reviews.freebsd.org/D29985 List of files: /freebsd/crypto/openssh/INSTALL Wed, 08 Sep 2021 03:05:51 +0200 Ed Maste <emaste@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#3af64f03119a159ac15eb75b92d346705b490385 Merge ^/head r338392 through r338594. List of files: /freebsd/crypto/openssh/INSTALL Tue, 11 Sep 2018 20:41:00 +0200 Dimitry Andric <dim@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#190cef3d52236565eb22e18b33e9e865ec634aa3 Upgrade to OpenSSH 7.8p1.Approved by: re (kib@) List of files: /freebsd/crypto/openssh/INSTALL Mon, 10 Sep 2018 18:20:12 +0200 Dag-Erling Smørgrav <des@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#47dd1d1b619cc035b82b49a91a25544309ff95ae Upgrade to OpenSSH 7.7p1. List of files: /freebsd/crypto/openssh/INSTALL Fri, 11 May 2018 15:22:43 +0200 Dag-Erling Smørgrav <des@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#4f52dfbb8d6c4d446500c5b097e3806ec219fbd4 Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.This completely removes client-side support for the SSH 1 protocol,which was already disabled in 12 but is still enabled in 11. For thatreason, we will not be able to merge 7.6p1 or newer back to 11. List of files: /freebsd/crypto/openssh/INSTALL Wed, 09 May 2018 01:13:11 +0200 Dag-Erling Smørgrav <des@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#083c8ded054841f6b1a197acf6867e16fd044a7c MFhead@r322451 List of files: /freebsd/crypto/openssh/INSTALL Sun, 13 Aug 2017 03:23:13 +0200 Enji Cooper <ngie@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#0275f9dbf73b01e9478dc7d6ab5fab4f8e077448 Merge ^/head r321383 through r322397. List of files: /freebsd/crypto/openssh/INSTALL Fri, 11 Aug 2017 12:59:34 +0200 Hans Petter Selasky <hselasky@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#79210755878ca1ad93078a8d3f95ffc211be3cef MFhead@r322057 List of files: /freebsd/crypto/openssh/INSTALL Fri, 04 Aug 2017 19:41:49 +0200 Enji Cooper <ngie@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#d93a896ef95946b0bf1219866fcb324b78543444 Upgrade to OpenSSH 7.5p1. List of files: /freebsd/crypto/openssh/INSTALL Fri, 04 Aug 2017 14:57:24 +0200 Dag-Erling Smørgrav <des@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#ca86bcf2531c7b149c95244a67853d44323e7855 Upgrade to OpenSSH 7.4p1. List of files: /freebsd/crypto/openssh/INSTALL Mon, 06 Mar 2017 02:37:05 +0100 Dag-Erling Smørgrav <des@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#076ad2f836d5f49dc1375f1677335a48fe0d4b82 Upgrade to OpenSSH 7.3p1. List of files: /freebsd/crypto/openssh/INSTALL Thu, 02 Mar 2017 01:11:32 +0100 Dag-Erling Smørgrav <des@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#d9b9dae1a954c5a277eada994d268f88eb5f3f20 Merge ^/head r294169 through r294598. List of files: /freebsd/crypto/openssh/INSTALL Fri, 22 Jan 2016 21:41:56 +0100 Dimitry Andric <dim@FreeBSD.org> http://kernelsources.org:8080/source/history/freebsd/crypto/openssh/INSTALL#009e81b16465ea457c0e63fd49fe77f47cc27a5a MFH @r294567 List of files: /freebsd/crypto/openssh/INSTALL Fri, 22 Jan 2016 16:11:40 +0100 Bjoern A. Zeeb <bz@FreeBSD.org>