OpenSSH

OpenSSH is a freely distributed and open source software project, a library and command-line program that runs in the background of your GNU/Linux operating system and protects your entire network from intruders and attackers. It is the open source version of the SSH (Secure Shell) specification, specifically designed for

Features at a glance

OpenSSH is an open source project distributed under a free license. It offers strong authentication based on the Public Key, Kerberos Authentication and One-Time Password standards, strong encryption based on the AES, Blowfish, Arcfour and 3DES algorithms, X11 forwarding supports by encrypting the entire X Window System traffic, as well as AFS and Kerberos ticket passing.

Additionally, the software feature port forwarding support by encrypting channels for legacy protocols, data compression support, agent forwarding support by using the Single-Sign-On (SSO) authentication standard and SFTP (Secure FTP) server and client support in either SSH2 or SSH1 protocols.

Another interesting feature is interoperability, which means that the project complies with versions 1.3, 1.5 and 2.0 of the original SSH (Secure Shell) protocol. After installation, OpenSSH will automatically replace the standard FTP, Telnet, RCP and rlogin programs with secure versions of them, such as SFTP, SCP and SSH.

Under the hood, availability and supported OSes

The OpenSSH project is written entirely in the C programming language. It comprised of the main SSH implementation and the SSH daemon, which runs in the background. The software is distributed mainly as a universal sources archive, which will work with any GNU/Linux operating systems on both 32-bit and 64-bit architectures.

Portable OpenSSH

A portable version of the OpenSSH protocol is also available for download on Softoware, free of charge, called Portable OpenSSH. It is an open source implementation of SSH version 1 and SSH version 2 protocols for Linux, BSD and Solaris operating systems.

What is new in this release:

• Potentially-incompatible changes:
• This release includes a number of changes that may affect existing configurations:
• This release removes server support for the SSH v.1 protocol.
• ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway. sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client. ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time.
• sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone. sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions.
• Changes since OpenSSH 7.3:
• Security:
• ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero.
• sshd(8): When privilege separation is disabled, forwarded Unix- domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero.
• sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero.
• sshd(8): The shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/)
• sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
• sshd(8): Validate address ranges for AllowUser and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry.
• New Features:
• ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc. This allows multiplexing mode to run on systems that lack file- descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..."
• sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account.
• sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org".
• sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. bz#2641
• sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks.
• sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered.
• Added regression tests for string matching, address matching and string sanitisation functions.
• Improved the key exchange fuzzer harness.
• Bugfixes:
• ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key. bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
• ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. bz#2642
• regress: Allow the PuTTY interop tests to run unattended. bz#2639
• ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. bz#2610
• ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet.
• sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt.
• ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt.
• ssh(1), sshd(8): Correctly report errors during sending of ext- info messages.
• sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message.
• sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. bz#2547
• sshd(8): Fix sending ext_info message if privsep is disabled.
• sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration
• sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin.
• Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with -fsanitize-memory. sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples.
• Portability:
• On environments configured with Turkish locales, fall back to the C/POSIX locale to avoid errors in configuration parsing caused by that locale's unique handling of the letters 'i' and 'I'. bz#2643
• sftp-server(8), ssh-agent(1): Deny ptrace on OS X using ptrace(PT_DENY_ATTACH, ..)
• ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
• Fix compilation for libcrypto compiled without RIPEMD160 support.
• contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640 sshd(8): Improve PRNG reseeding across privilege separation and force libcrypto to obtain a high-quality seed before chroot or sandboxing.
• All: Explicitly test for broken strnvis. NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Try to detect this mess, and assume the only safe option if we're cross compiling.

What is new in version :

• Potentially-incompatible changes:
• This release includes a number of changes that may affect existing configurations:
• This release removes server support for the SSH v.1 protocol.
• ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway. sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client. ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time.
• sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone. sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions.
• Changes since OpenSSH 7.3:
• Security:
• ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero.
• sshd(8): When privilege separation is disabled, forwarded Unix- domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero.
• sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero.
• sshd(8): The shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/)
• sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
• sshd(8): Validate address ranges for AllowUser and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry.
• New Features:
• ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc. This allows multiplexing mode to run on systems that lack file- descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..."
• sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account.
• sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org".
• sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. bz#2641
• sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks.
• sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered.
• Added regression tests for string matching, address matching and string sanitisation functions.
• Improved the key exchange fuzzer harness.
• Bugfixes:
• ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key. bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
• ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. bz#2642
• regress: Allow the PuTTY interop tests to run unattended. bz#2639
• ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. bz#2610
• ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet.
• sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt.
• ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt.
• ssh(1), sshd(8): Correctly report errors during sending of ext- info messages.
• sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message.
• sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. bz#2547
• sshd(8): Fix sending ext_info message if privsep is disabled.
• sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration
• sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin.
• Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with -fsanitize-memory. sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples.
• Portability:
• On environments configured with Turkish locales, fall back to the C/POSIX locale to avoid errors in configuration parsing caused by that locale's unique handling of the letters 'i' and 'I'. bz#2643
• sftp-server(8), ssh-agent(1): Deny ptrace on OS X using ptrace(PT_DENY_ATTACH, ..)
• ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
• Fix compilation for libcrypto compiled without RIPEMD160 support.
• contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640 sshd(8): Improve PRNG reseeding across privilege separation and force libcrypto to obtain a high-quality seed before chroot or sandboxing.
• All: Explicitly test for broken strnvis. NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Try to detect this mess, and assume the only safe option if we're cross compiling.

What is new in version 7.4:

• Potentially-incompatible changes:
• This release includes a number of changes that may affect existing configurations:
• This release removes server support for the SSH v.1 protocol.
• ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway. sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client. ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time.
• sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone. sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions.
• Changes since OpenSSH 7.3:
• Security:
• ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). Reported by Jann Horn of Project Zero.
• sshd(8): When privilege separation is disabled, forwarded Unix- domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero.
• sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero.
• sshd(8): The shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). Reported by Guido Vranken using the Stack unstable optimisation identification tool (http://css.csail.mit.edu/stack/)
• sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. Reported by Shi Lei of Gear Team, Qihoo 360.
• sshd(8): Validate address ranges for AllowUser and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. Reported by Laurence Parry.
• New Features:
• ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc. This allows multiplexing mode to run on systems that lack file- descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..."
• sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account.
• sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org".
• sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. bz#2641
• sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks.
• sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered.
• Added regression tests for string matching, address matching and string sanitisation functions.
• Improved the key exchange fuzzer harness.
• Bugfixes:
• ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key. bz#2617 certificate id_rsa-cert.pub (and no id_rsa.pub).
• ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. bz#2642
• regress: Allow the PuTTY interop tests to run unattended. bz#2639
• ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. bz#2610
• ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet.
• sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt.
• ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt.
• ssh(1), sshd(8): Correctly report errors during sending of ext- info messages.
• sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message.
• sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. bz#2547
• sshd(8): Fix sending ext_info message if privsep is disabled.
• sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration
• sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin.
• Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with -fsanitize-memory. sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples.
• Portability:
• On environments configured with Turkish locales, fall back to the C/POSIX locale to avoid errors in configuration parsing caused by that locale's unique handling of the letters 'i' and 'I'. bz#2643
• sftp-server(8), ssh-agent(1): Deny ptrace on OS X using ptrace(PT_DENY_ATTACH, ..)
• ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
• Fix compilation for libcrypto compiled without RIPEMD160 support.
• contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640 sshd(8): Improve PRNG reseeding across privilege separation and force libcrypto to obtain a high-quality seed before chroot or sandboxing.
• All: Explicitly test for broken strnvis. NetBSD added an strnvis and unfortunately made it incompatible with the existing one in OpenBSD and Linux's libbsd (the former having existed for over ten years). Try to detect this mess, and assume the only safe option if we're cross compiling.

What is new in version 7.3:

• Security:
• sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters. Independently reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
• sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at verint.com
• ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers are disabled by default and only included for legacy compatibility.
• ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified environment variables and UseLogin=yes in sshd_config, then a hostile local user may attack /bin/login via LD_PRELOAD or similar environment variables set via PAM. CVE-2015-8325, found by Shayan Sadigh.
• New Features:
• ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
• ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment. ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. bz#2577
• ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00. ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
• ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates; ssh(1): Add an Include directive for ssh_config(5) files.
• ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. bz#2058
• Bugfixes:
• ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. bz#2585
• sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. bz#2398
• sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
• ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. bz#1988
• misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. bz#2529
• ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. bz#2562
• sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. bz#2559.
• sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts; bz#2554 ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. bz#2550
• sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. bz#2252

What is new in version 7.2:

• Security:
• ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2).
• ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension.
• ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits.
• sshd(8): pre-auth sandboxing is now enabled by default (previous releases enabled it for new installations via sshd_config).
• New Features:
• all: add support for RSA signatures using SHA-256/512 hash algorithms based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
• ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm').
• sshd(8): add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436
• ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats.
• ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -"
• ssh-keygen(1): allow fingerprinting multiple public keys in a file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319
• sshd(8): support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486
• ssh-keygen(1): support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L" ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys.
• ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and remove the trailing '.' before matching ssh_config.
• Bugfixes:
• sftp(1): existing destination directories should not terminate recursive uploads (regression in openssh 6.8) bz#2528
• ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during key exchange. bz#2949
• ssh(1): refuse attempts to set ConnectionAttempts=0, which does not make sense and would cause ssh to print an uninitialised stack variable. bz#2500
• ssh(1): fix errors when attempting to connect to scoped IPv6 addresses with hostname canonicalisation enabled.
• sshd_config(5): list a couple more options usable in Match blocks. bz#2489
• sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block. ssh(1): expand tilde characters in filenames passed to -i options before checking whether or not the identity file exists. Avoids confusion for cases where shell doesn't expand (e.g. "-i ~/file" vs. "-i~/file"). bz#2481
• ssh(1): do not prepend "exec" to the shell command run by "Match exec" in a config file, which could cause some commands to fail in certain environments. bz#2471
• ssh-keyscan(1): fix output for multiple hosts/addrs on one line when host hashing or a non standard port is in use bz#2479
• sshd(8): skip "Could not chdir to home directory" message when ChrootDirectory is active. bz#2485
• ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump. sshd(8): avoid changing TunnelForwarding device flags if they are already what is needed; makes it possible to use tun/tap networking as non-root user if device permissions and interface flags are pre-established
• ssh(1), sshd(8): RekeyLimits could be exceeded by one packet. bz#2521
• ssh(1): fix multiplexing master failure to notice client exit.
• ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present empty key IDs. bz#1773
• sshd(8): avoid printf of NULL argument. bz#2535
• ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521
• ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature support.
• ssh(1), sshd(8): fix connections with peers that use the key exchange guess feature of the protocol. bz#2515
• sshd(8): include remote port number in log messages. bz#2503
• ssh(1): don't try to load SSHv1 private key when compiled without SSHv1 support. bz#2505
• ssh-agent(1), ssh(1): fix incorrect error messages during key loading and signing errors. bz#2507
• ssh-keygen(1): don't leave empty temporary files when performing known_hosts file edits when known_hosts doesn't exist.
• sshd(8): correct packet format for tcpip-forward replies for requests that don't allocate a port bz#2509
• ssh(1), sshd(8): fix possible hang on closed output. bz#2469 ssh(1): expand %i in ControlPath to UID. bz#2449
• ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460
• ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182
• ssh(1): add a some debug output before DNS resolution; it's a place where ssh could previously silently stall in cases of unresponsive DNS servers. bz#2433 ssh(1): remove spurious newline in visual hostkey. bz#2686
• ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
• ssh(1): fix expansion of HostkeyAlgorithms=+...
• Documentation:
• ssh_config(5), sshd_config(5): update default algorithm lists to match current reality. bz#2527
• ssh(1): mention -Q key-plain and -Q key-cert query options. bz#2455
• sshd_config(8): more clearly describe what AuthorizedKeysFile=none does.
• ssh_config(5): better document ExitOnForwardFailure. bz#2444
• sshd(5): mention internal DH-GEX fallback groups in manual. bz#2302
• sshd_config(5): better description for MaxSessions option. bz#2531
• Portability:
• ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/ Solaris fine-grained privileges. Including a pre-auth privsep sandbox and several pledge() emulations. bz#2511
• Renovate redhat/openssh.spec, removing deprecated options and syntax.
• configure: allow --without-ssl-engine with --without-openssl
• sshd(8): fix multiple authentication using S/Key. bz#2502
• sshd(8): read back from libcrypto RAND_before dropping privileges. Avoids sandboxing violations with BoringSSL.
• Fix name collision with system-provided glob(3) functions. bz#2463
• Adapt Makefile to use ssh-keygen -A when generating host keys. bz#2459
• configure: correct default value for --with-ssh1 bz#2457
• configure: better detection of _res symbol bz#2259
• support getrandom() syscall on Linux

What is new in version 7.1:

• Security:
• sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin= prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas.
• Bugfixes:
• ssh(1), sshd(8): add compatability workarounds for FuTTY
• ssh(1), sshd(8): refine compatability workarounds for WinSCP
• Fix a number of memory faults (double-free, free of uninitialised memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz Kocielski.