Hi all.

OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is primarily a bugfix
release, although one notable change is the introduction of the sshd-auth
binary (see below).

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

    $ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Potentially-incompatible changes
--------------------------------

 * This release removes support for the weak DSA signature
   algorithm, completing the deprecation process that began in
   2015 (when DSA was disabled by default) and repeatedly warned
   over the last 12 months.

 * This release has the version number 10.0 and announces itself
   as "SSH-2.0-OpenSSH_10.0". Software that naively matches
   versions using patterns like "OpenSSH_1*" may be confused by
   this.

 * sshd(8): this release removes the code responsible for the
   user authentication phase of the protocol from the per-
   connection sshd-session binary to a new sshd-auth binary.
   Splitting this code into a separate binary ensures that the
   crucial pre-authentication attack surface has an entirely
   disjoint address space from the code used for the rest of the
   connection.
   It also yields a small runtime memory saving as the
   authentication code will be unloaded after the authentication
   phase completes. This change should be largely invisible to
   users, though some log messages may now come from "sshd-auth"
   instead of "sshd-session". Downstream distributors of OpenSSH
   will need to package the sshd-auth binary.

 * sshd(8): this release disables finite field (a.k.a modp)
   Diffie-Hellman key exchange in sshd by default. Specifically,
   this removes the "diffie-hellman-group*" and
   "diffie-hellman-group-exchange-*" methods from the default
   KEXAlgorithms list. The client is unchanged and continues to
   support these methods by default. Finite field Diffie Hellman
   is slow and computationally expensive for the same security
   level as Elliptic Curve DH or PQ key agreement while offering
   no redeeming advantages. ECDH has been specified for the SSH
   protocol for 15 years and some form of ECDH has been the default
   key exchange in OpenSSH for the last 14 years.

 * sshd(8): this release removes the implicit fallback to compiled-
   in groups for Diffie-Hellman Group Exchange KEX when the moduli
   file exists but does not contain moduli within the client-
   requested range. The fallback behaviour remains for the case
   where the moduli file does not exist at all. This allows
   administrators more explicit control over which DH groups will
   be selected, but can lead to connection failures if the moduli
   file is edited incorrectly. bz#2793

 * sftp(1) and scp(1) will now explicitly not create a ControlMaster mux
   connection, since doing so would potentially create one with
   options more restrictive than those specified in the config file.
   This could lead to later confusion, particularly when used with
   ControlMaster=auto. sftp(1) and scp(1) can still use a mux connection,
   so ssh(1) can be used to establish one, after which they can use it
   as per usual.

Changes since OpenSSH 9.9
========================

New features
------------

 * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
   is now used by default for key agreement. This algorithm is
   considered to be safe against attack by quantum computers,
   is guaranteed to be no less strong than the popular
   curve25519-sha256 algorithm, has been standardised by NIST
   and is considerably faster than the previous default.

 * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
   for the connection. The default cipher preference list is now
   Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
   (128/192/256).

 * ssh(1): add %-token and environment variable expansion to the
   ssh_config SetEnv directive.

 * ssh(1): allow %-token and environment variable expansion in
   the ssh_config User directive, with the exception of %r and %C
   which would be self-referential. bz#3477

 * ssh(1), sshd(8): add "Match version" support to ssh_config and
   sshd_config. Allows matching on the local version of OpenSSH,
   e.g. "Match version OpenSSH_10.*".

 * ssh(1): add support for "Match sessiontype" to ssh_config.
   Allows matching on the type of session initially requested,
   either "shell" for interactive sessions, "exec" for command
   execution sessions, "subsystem" for subsystem requests, such as
   sftp, or "none" for transport/forwarding-only sessions.

 * ssh(1): add support for "Match command ..." to
   ssh_config, allowing matching on the remote command as specified
   on the command-line.

 * ssh(1): allow 'Match tagged ""' and 'Match command ""' to match
   empty tag and command values respectively.

 * sshd(8): allow glob(3) patterns to be used in sshd_config
   AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
   bz2755

 * sshd(1): support the VersionAddendum in the client, mirroring
   the option of the same name in the server; bz2745

 * ssh-agent(1): the agent will now delete all loaded keys when
   signaled with SIGUSR1. This allows deletion of keys without
   having access to $SSH_AUTH_SOCK.

 * Portable OpenSSH, ssh-agent(1): support systemd-style socket
   activation in ssh-agent using the LISTEN_PID/LISTEN_FDS
   mechanism. Activated when these environment variables are set,
   the agent is started with the -d or -D option and no socket path
   is set. GHPR502

 * ssh-keygen(1): support FIDO tokens that return no attestation
   data, e.g. recent WinHello. GHPR542

 * ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the
   default FIDO application ID allow-list to be overridden.

 * Add a work-in-progress tool to verify FIDO attestation blobs
   that ssh-keygen can optionally write when enrolling FIDO keys.
   This tool is available under regress/misc/ssh-verify-attestation
   for experimentation but is not installed by "make install".

 * ssh-keygen(1): allow "-" as output file for moduli screening.
   GHPR393

Bugfixes
--------

 * sshd(8): remove assumption that the sshd_config and any configs
   it includes can fit in a (possibly enlarged) socket buffer.
   Previously it was possible to create a sufficiently large
   configuration that could cause sshd to fail to accept any
   connection. sshd(8) will now actively manage sending its config
   to the sshd-session sub-process.

 * ssh(1): don't start the ObscureKeystrokeTiming mitigations if
   there has been traffic on an X11 forwarding channel recently.
   Should fix X11 forwarding performance problems when this setting
   is enabled. bz3655

 * ssh(1): prohibit the comma character in hostnames accepted, but
   allow an underscore as the first character in a hostname.

 * sftp(1): set high-water when resuming a "put". Prevents bogus
   "server reordered acks" debug message.

 * ssh(1), sshd(8): fix regression in openssh-9.8, which would fail
   to accept "Match criteria=argument" as well as the documented
   "Match criteria argument" syntax in ssh_config and sshd_config.
   bz3739

 * scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
   scp & sftp.
   This disables implicit session creation by these
   tools when ControlMaster was set to yes/auto by configuration,
   which some users found surprising. This change will not prevent
   scp/sftp from using an existing multiplexing session if one had
   already been created. GHPR557

 * sftp(1), ssh(1): fix a number of possible NULL dereference bugs,
   including Coverity CIDs 405019 and 477813.

 * sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty
   when LoginGraceTime was exceeded. bz3797

 * sshd(8): fix "Match invalid-user" from incorrectly being
   activated in initial configuration pass when no other predicates
   were present on the match line

 * sshd(8): fix debug logging of user specific delay. GHPR#552

 * sshd(8): improve debug logging across sub-process boundaries.
   Previously some log messages were lost early in the sshd-auth and
   sshd-session processes' life.

 * ssh(1): require control-escape character sequences passed via
   the '-e ^x' command-line to be exactly two characters long. Avoids
   one byte out-of-bounds read if ssh is invoked as "ssh -e^ ..."
   GHPR368

 * ssh(1), sshd(8): prevent integer overflow in x11 port handling.
   These are theoretically possible if the admin misconfigured
   X11DisplayOffset or the user misconfigures their own $DISPLAY,
   but don't happen in normal operation. bz#3730

 * ssh-keygen(1): don't mess up ssh-keygen -l output when the file
   contains CR characters; GHPR236 bz3385.

 * sshd(8): add rate limits to logging of connections dropped by
   PerSourcePenalties. Previously these could be noisy in logs.

 * ssh(1): fix argument of "Compression" directive in ssh -G config
   dump, which regressed in openssh-9.8.

 * sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd
   refuses to accept the signature returned by an agent holding host
   keys during the hostkey rotation sub-protocol. This situation
   could occur in situations where a PKCS#11 smartcard that lacked
   support for particular signature algorithms was used to store
   host keys.

 * ssh-keygen(1): when using RSA keys to sign messages with
   "ssh-keygen -Y", select the signature algorithm based on the
   requested hash algorithm ("-Ohashalg=xxx"). This allows using
   something other than the default of rsa-sha2-512, which may not
   be supported on all signing backends, e.g. some smartcards only
   support SHA256.

 * ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on
   big-endian systems.

 * Many regression and interop test improvements.

Portability
-----------

 * All: add support for AWS-LC (AWS libcrypto). bz3784

 * sshd(8): add wtmpdb support as a Y2038 safe wtmp replacement.

 * sshd(8): add support for locking sshd into memory, enabled with
   the --with-linux-memlock-onfault configure flag.

 * Add support for building a standalone sk-libfido2 library,
   enabled by --with-security-key-standalone

 * ssh(1), sshd(8), ssh-keyscan(1): include __builtin_popcount
   replacement function for compilers that lack it.

 * All: Check for and replace le32toh, le64toh, htole64 separately.
   It appears that at least some versions of endian.h in glibc do
   not have the latter two. bz#3794

 * Remove ancient RHL 6.x config in RPM spec.

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
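
The announcement above warns that patterns like "OpenSSH_1*" are confused by the "SSH-2.0-OpenSSH_10.0" banner. The sketch below is an added example, not part of the original message or of OpenSSH; it contrasts that glob with a numeric parse of the identification string. The function names and the sample banners are constructed for illustration.

```python
import fnmatch
import re

# SSH identification string layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments
OPENSSH_BANNER = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?P<rest>\S*)(?: (?P<comments>.*))?$"
)


def parse_openssh_version(banner):
    """Return (major, minor) as integers, or None if this is not an OpenSSH banner."""
    m = OPENSSH_BANNER.match(banner.strip())
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))


def naive_is_1x(banner):
    """The fragile check from the release notes: a glob on the version prefix."""
    return fnmatch.fnmatchcase(banner, "*OpenSSH_1*")


def is_1x(banner):
    """Robust check: the parsed major version is exactly 1."""
    version = parse_openssh_version(banner)
    return version is not None and version[0] == 1


def at_least(banner, minimum):
    """Compare versions as integer tuples, never as strings."""
    version = parse_openssh_version(banner)
    return version is not None and version >= minimum


def misclassified(banners):
    """Banners the glob labels as 1.x although the parsed major version is not 1."""
    return [b for b in banners if naive_is_1x(b) and not is_1x(b)]


# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_10.0",
    "SSH-2.0-OpenSSH_9.9p2",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-1.99-OpenSSH_1.2.3",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:45} glob-1.x={naive_is_1x(banner)!s:5} "
              f"parsed={parse_openssh_version(banner)}")
    print("misclassified by the glob:", misclassified(SAMPLE_BANNERS))
```

The same trap applies to string comparison of the version text: "10.0" sorts before "9.8" lexically, so inventory and detection rules should compare the parsed integers.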
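
To see which clients are affected by the removal of "diffie-hellman-group*" and "diffie-hellman-group-exchange-*" from sshd's default KEX list, the following added example (not from the original message or the OpenSSH code base) reads a KEX list from "sshd -T"-style output and compares the negotiated method before and after the modp methods are dropped. The dump, the client offers and all function names are constructed; negotiation is simplified to "first method on the client's list that the server also lists".

```python
from fnmatch import fnmatchcase

# The two patterns the release notes name as removed from sshd's defaults.
MODP_PATTERNS = ("diffie-hellman-group*", "diffie-hellman-group-exchange-*")


def is_modp(kex):
    """True for finite field (modp) Diffie-Hellman method names."""
    return any(fnmatchcase(kex, pattern) for pattern in MODP_PATTERNS)


def kex_from_sshd_dump(dump):
    """Extract the 'kexalgorithms' list from 'sshd -T'-style text."""
    for line in dump.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "kexalgorithms":
            return [k for k in value.split(",") if k]
    return []


def negotiate(client_kex, server_kex):
    """Simplified selection: first client method that the server also lists."""
    server = set(server_kex)
    for kex in client_kex:
        if kex in server:
            return kex
    return None  # no common method: the connection fails during key exchange


def audit(dump, clients):
    """Report modp methods still enabled and each client's before/after result."""
    server = kex_from_sshd_dump(dump)
    without_modp = [k for k in server if not is_modp(k)]
    report = {"modp_enabled": [k for k in server if is_modp(k)], "clients": {}}
    for name, offer in clients.items():
        report["clients"][name] = (
            negotiate(offer, server),        # current list
            negotiate(offer, without_modp),  # list with modp methods removed
        )
    return report


# Constructed sample, not the real default list of any OpenSSH release.
SSHD_DUMP_SAMPLE = """\
port 22
kexalgorithms mlkem768x25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com
"""

# Constructed client offers; "legacy-appliance" stands for a modp-only client.
CLIENT_OFFERS = {
    "current-client": ["mlkem768x25519-sha256", "curve25519-sha256",
                       "diffie-hellman-group14-sha256"],
    "legacy-appliance": ["diffie-hellman-group14-sha256",
                         "diffie-hellman-group14-sha1"],
}

if __name__ == "__main__":
    result = audit(SSHD_DUMP_SAMPLE, CLIENT_OFFERS)
    print("modp methods enabled on server:", result["modp_enabled"])
    for name, (before, after) in result["clients"].items():
        status = "OK" if after else "NO COMMON KEX"
        print(f"{name}: before={before} after={after} -> {status}")
```

A client that ends up with no common method after the change can only connect if the server lists a modp method explicitly in KexAlgorithms.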
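
The moduli change above means an edited moduli file with nothing in the client-requested range now fails the connection instead of falling back to compiled-in groups. The check below is an added example, not code from the original message or from sshd. It assumes the seven-field line layout of moduli(5), assumes the size field is stored as one less than the group's bit length (as in the stock file's 2047/3071 entries), considers only type 2 (safe prime) lines, and does not model any other acceptance checks sshd applies. The sample file uses placeholder moduli.

```python
def parse_moduli_sizes(text):
    """Return the group sizes (in bits) of usable lines in moduli(5) text."""
    sizes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Time Type Tests Tries Size Generator Modulus
        if len(fields) != 7:
            continue
        if fields[1] != "2":  # only type 2 (safe) primes are considered here
            continue
        try:
            size = int(fields[4])
        except ValueError:
            continue
        sizes.append(size + 1)  # assumption: stored size is bit length minus one
    return sizes


def gex_candidates(sizes, gex_min, gex_max):
    """Distinct group sizes that fall inside the client's requested range."""
    return sorted({s for s in sizes if gex_min <= s <= gex_max})


def gex_outcome(moduli_text, gex_min, gex_max):
    """Model the behaviour described in the release notes.

    moduli_text is None when the moduli file does not exist at all.
    Returns "fallback" (compiled-in groups), "ok", or "fail".
    """
    if moduli_text is None:
        return "fallback"
    if gex_candidates(parse_moduli_sizes(moduli_text), gex_min, gex_max):
        return "ok"
    return "fail"


# Constructed file: an admin kept only large groups. Moduli are placeholders,
# not real primes; the last line is an unscreened candidate (type 4).
MODULI_SAMPLE = """\
# Time Type Tests Tries Size Generator Modulus
20250101000000 2 6 100 6143 2 F00D
20250101000001 2 6 100 7679 5 F00D
20250101000002 2 6 100 8191 2 F00D
20250101000003 4 2 0 3071 2 F00D
"""

# Constructed client requests as (min, max) bit ranges.
REQUESTS = {"wide-range client": (2048, 8192), "capped client": (2048, 4096)}

if __name__ == "__main__":
    print("usable sizes:", parse_moduli_sizes(MODULI_SAMPLE))
    for name, (lo, hi) in REQUESTS.items():
        print(f"{name} [{lo}, {hi}]: {gex_outcome(MODULI_SAMPLE, lo, hi)}")
    print("no moduli file:", gex_outcome(None, 2048, 4096))
```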
Hi Darren,

> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.

Thanks, it all looks good to me on Gentoo and Void Linux, including
live operations along with `make tests`.

~ Tim
On 4/1/25 15:19, Darren Tucker wrote:
> Hi all.
>
> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.

 * Mint 22 / gcc 13.3.0 / OpenSSL 3.0.13 / all tests passed
 * Debian 12.10 / gcc 12.2.0-14 / OpenSSL 3.0.15 / all tests passed

--
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at GMail.com> */
On 2025-04-02 00:19, Darren Tucker wrote:
> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.

Compiles fine on OpenIndiana (Illumos) - using custom OpenSSL installation,
GCC 13 (all seems fine):

    :; ssh -V
    OpenSSH_9.9p2-snap20250402, OpenSSL 3.4.1 11 Feb 2025

Best regards
--
Predrag Zečević
I tested building the openSUSE Tumbleweed package locally with the 20250403
snapshot and doing a live test and it works fine. I then also did try
"make tests" on the vanilla snapshot sources and at first they failed to
even build but after a quick fix that I've submitted at
https://bugzilla.mindrot.org/show_bug.cgi?id=3806 the tests run fine too.

Thanks!

On Wed, 2 Apr 2025 at 0:22, Darren Tucker (<dtucker at dtucker.net>) wrote:
> Hi all.
>
> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bugfix
> release, although one notable change is the introduction of the sshd-auth
> binary (see below).
Hi Darren,

On Apr 2 09:19, Darren Tucker wrote:
> Hi all.
>
> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bugfix
> release, although one notable change is the introduction of the sshd-auth
> binary (see below).

Builds out of the box from git master, testsuite passes on current
Cygwin 3.6.0.

Thanks,
Corinna
Fedora 41, successfully built from github master.

To avoid problems with sha1 signatures (forbidden on RHEL systems), you
need to specify OPENSSL_CONF=/dev/null to make tests pass.

We have several downstream patches providing run-time detection of sha1
signatures, are they of any interest for you?

On Wed, Apr 2, 2025 at 12:22 AM Darren Tucker <dtucker at dtucker.net> wrote:
> Hi all.
>
> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bugfix
> release, although one notable change is the introduction of the sshd-auth
> binary (see below).
> > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > -- > Darren Tucker (dtucker at dtucker.net) > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > >-- Dmitry Belyavskiy
On Wed, Apr 02, 2025 at 09:19:37AM +1100, Darren Tucker wrote:
> * This release has the version number 10.0 and announces itself
>   as "SSH-2.0-OpenSSH_10.0". Software that naively matches
>   versions using patterns like "OpenSSH_1*" may be confused by
>   this.

While this won't be a problem for a long time, I note that OpenSSH's own
compat.c has:

    { "OpenSSH_2*,"
      "OpenSSH_3*,"
      "OpenSSH_4*", SSH_BUG_SIGTYPE },
    { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT|
      SSH_BUG_SIGTYPE},

Should these be changed to 2.* etc. to avoid future problems?

(Incidentally, unless I've misunderstood OpenSSH's historical versioning
arrangements, I don't think that either the "OpenSSH_2*" or "OpenSSH_3*"
patterns there can ever legitimately match, because there are previous
"OpenSSH_2.*" and "OpenSSH_3.*" patterns that will always match first.)

--
Colin Watson (he/him) [cjwatson at debian.org]
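
Added example, not part of the message above and not OpenSSH code: a first-match-wins version table showing how an undotted glob such as "OpenSSH_1*" also matches "OpenSSH_10.0", and how an earlier dotted entry keeps a later undotted one from matching the same release. It assumes POSIX fnmatch(3) as a stand-in for OpenSSH's own pattern matcher; the tables, labels and version strings are constructed for illustration.

```c
/* Added example: first-match-wins glob matching of SSH version strings. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

struct rule { const char *patterns; const char *label; };
/* Return 1 if version matches any glob in a comma-separated pattern list. */
static int match_list(const char *version, const char *patterns)
{
	char one[64];
	while (*patterns != '\0') {
		size_t len = strcspn(patterns, ",");
		if (len < sizeof(one)) {
			memcpy(one, patterns, len);
			one[len] = '\0';
			if (fnmatch(one, version, 0) == 0)
				return 1;
		}
		patterns += len + (patterns[len] == ',');
	}
	return 0;
}

/* Return the label of the first matching rule, or "none". */
const char *classify(const struct rule *rules, size_t n, const char *version)
{
	for (size_t i = 0; i < n; i++)
		if (match_list(version, rules[i].patterns))
			return rules[i].label;
	return "none";
}

/* Hypothetical tables and labels. In "shadowed" a dotted entry precedes an
 * undotted one for the same major version. */
const struct rule naive[] = {
	{ "OpenSSH_1*", "old-1.x" }, { "OpenSSH_5*", "quirk-5.x" } };
const struct rule dotted[] = {
	{ "OpenSSH_1.*", "old-1.x" }, { "OpenSSH_5.*", "quirk-5.x" } };
const struct rule shadowed[] = {
	{ "OpenSSH_2.*", "first" }, { "OpenSSH_2*,OpenSSH_3*", "second" } };

int main(void)
{
	/* Constructed version strings; OpenSSH_50.0 is not a real release. */
	const char *v[] = { "OpenSSH_1.2.3", "OpenSSH_5.9", "OpenSSH_10.0", "OpenSSH_50.0" };
	for (size_t i = 0; i < 4; i++)
		printf("%-14s naive=%-10s dotted=%s\n", v[i],
		    classify(naive, 2, v[i]), classify(dotted, 2, v[i]));
	return 0;
}
```
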
On 4/1/25 16:19, Darren Tucker wrote:
> Hi all.
>
> [...]
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>

make tests failed on RHEL 8 and RHEL 9:

From rhel 8:
-----
gcc --version && openssl version
gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-24)
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

OpenSSL 1.1.1k  FIPS 25 Mar 2021
[...]
make[1]: Leaving directory '/home/leo/openssh/regress'
all file-tests passed
cd ./regress || exit $?; \
EGREP='/usr/bin/grep -E' \
OPENSSL_BIN='/usr/bin/openssl' \
make \
    .CURDIR="/home/leo/openssh/regress" \
    .OBJDIR="/home/leo/openssh/regress" \
    BUILDDIR="/home/leo/openssh" \
    OBJ="/home/leo/openssh/regress" \
    PATH="/home/leo/openssh:${PATH}" \
    TEST_ENV=MALLOC_OPTIONS="" \
    TEST_MALLOC_OPTIONS="" \
    TEST_SSH_SCP="/home/leo/openssh/scp" \
    TEST_SSH_SSH="/home/leo/openssh/ssh" \
    TEST_SSH_SSHD=""/home/leo/openssh/sshd"" \
    TEST_SSH_SSHD_SESSION="/home/leo/openssh/sshd-session" \
    TEST_SSH_SSHD_AUTH="/home/leo/openssh/sshd-auth" \
    TEST_SSH_SSHAGENT="/home/leo/openssh/ssh-agent" \
    TEST_SSH_SSHADD="/home/leo/openssh/ssh-add" \
    TEST_SSH_SSHKEYGEN="/home/leo/openssh/ssh-keygen" \
    TEST_SSH_SSHPKCS11HELPER="/home/leo/openssh/ssh-pkcs11-helper" \
    TEST_SSH_SSHKEYSCAN="/home/leo/openssh/ssh-keyscan" \
    TEST_SSH_SFTP="/home/leo/openssh/sftp" \
    TEST_SSH_PKCS11_HELPER="/home/leo/openssh/ssh-pkcs11-helper" \
    TEST_SSH_SK_HELPER="/home/leo/openssh/ssh-sk-helper" \
    TEST_SSH_SFTPSERVER="/home/leo/openssh/sftp-server" \
    TEST_SSH_MODULI_FILE="/home/leo/openssh/moduli" \
    TEST_SSH_PLINK="" \
    TEST_SSH_PUTTYGEN="" \
    TEST_SSH_CONCH="" \
    TEST_SSH_DROPBEAR="" \
    TEST_SSH_DROPBEARKEY="" \
    TEST_SSH_DROPBEARCONVERT="" \
    TEST_SSH_DBCLIENT="" \
    TEST_SSH_IPV6="yes" \
    TEST_SSH_UTF8="yes" \
    TEST_SHELL="sh" \
    EXEEXT="" \
    interop-tests && echo all interop-tests passed
make[1]: Entering directory '/home/leo/openssh/regress'
run test putty-transfer.sh ...
/home/leo/openssh/regress/ssh-rsa already exists.
Overwrite (y/n)? ssh-keygen for ssh-rsa failed
SKIPPED: putty interop tests not enabled
make[1]: *** [Makefile:278: t-exec-interop] Error 1
make[1]: Leaving directory '/home/leo/openssh/regress'
make: *** [Makefile:788: interop-tests] Error 2
make: *** Waiting for unfinished jobs....
FATAL: no sshd running on port 4242
make[1]: *** [Makefile:255: t-exec] Error 1
make[1]: Leaving directory '/home/leo/openssh/regress'
make: *** [Makefile:788: t-exec] Error 2
-----

From rhel 9:
-----
gcc --version && openssl version
gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5)
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
[...]
make[1]: Leaving directory '/export/home/l/lsaavedr/boxer3/openssh-portable/regress'
all file-tests passed
cp: cannot create regular file '/export/home/l/lsaavedr/boxer3/openssh-portable/regress/sshd_proxy': File exists
/export/home/l/lsaavedr/boxer3/openssh-portable/regress/ecdsa-sha2-nistp256 already exists.
Overwrite (y/n)? /export/home/l/lsaavedr/boxer3/openssh-portable/regress/ecdsa-sha2-nistp256 already exists.
Overwrite (y/n)? cat: /export/home/l/lsaavedr/boxer3/openssh-portable/regress/ssh.log: No such file or directory
cat: /export/home/l/lsaavedr/boxer3/openssh-portable/regress/ssh.log: No such file or directory
tar: Removing leading `/' from member names
tar: Removing leading `/' from hard link targets
tar: Removing leading `/' from member names
tar: Removing leading `/' from hard link targets
ssh-keygen for ecdsa-sha2-nistp256 failed
ssh-keygen for ecdsa-sha2-nistp256 failed
/export/home/l/lsaavedr/boxer3/openssh-portable/regress/ssh-rsa already exists.
Overwrite (y/n)? ssh-keygen for ssh-rsa failed
SKIPPED: No PKCS#11 library found
make[1]: *** [Makefile:285: t-extra] Error 1
make[1]: Leaving directory '/export/home/l/lsaavedr/boxer3/openssh-portable/regress'
make: *** [Makefile:788: extra-tests] Error 2
make: *** Waiting for unfinished jobs....
/export/home/l/lsaavedr/boxer3/openssh-portable/regress/ssh-rsa already exists.
Overwrite (y/n)? ssh-keygen for ssh-rsa failed
SKIPPED: putty interop tests not enabled
make[1]: *** [Makefile:278: t-exec-interop] Error 1
make[1]: Leaving directory '/export/home/l/lsaavedr/boxer3/openssh-portable/regress'
make: *** [Makefile:788: interop-tests] Error 2
failed simple connect
make[1]: *** [Makefile:255: t-exec] Error 1
make[1]: Leaving directory '/export/home/l/lsaavedr/boxer3/openssh-portable/regress'
make: *** [Makefile:788: t-exec] Error 2

--
Leo.
Darren Tucker <dtucker at dtucker.net> wrote:
> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bugfix
> release, although one notable change is the introduction of the sshd-auth
> binary (see below).

I noticed that bbc9c18e84 added a use of time() but didn't include
<time.h>:

sshd.c: In function 'drop_connection':
sshd.c:622:41: error: implicit declaration of function 'time' [-Wimplicit-function-declaration]
  622 |         ratelimited = log_ratelimit(rl, time(NULL), NULL, &ndropped);
      |                                         ^~~~
sshd.c:96:1: note: 'time' is defined in header '<time.h>'; this is probably fixable by adding '#include <time.h>'
   95 | #include "atomicio.h"
  +++ |+#include <time.h>
   96 |

This only appears with --without-openssl, so <time.h> must be getting
transitively included through openssl headers. It might also be specific
to musl, since musl's headers often don't pull in as much stuff as other
libcs.