<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/crypto/openssh/ssh_config, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>OpenSSH: Update to 10.1p1</title>
<updated>2026-05-12T20:24:10+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2026-05-12T20:24:10+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=644b4646c7acab87dc20d4e5dd53d2d9da152989'/>
<id>644b4646c7acab87dc20d4e5dd53d2d9da152989</id>
<content type='text'>
Full release notes are available at
https://www.openssh.com/txt/release-10.1

Selected highlights from the release notes:

Potentially-incompatible changes

 * ssh(1): add a warning when the connection negotiates a non-post
   quantum key agreement algorithm.

 * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS

 * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
   keywords in the IPQoS configuration directive.

 * ssh-add(1): when adding certificates to an agent, set the expiry
   to the certificate expiry time plus a short (5 min) grace period.

 * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
   under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
   in sshd(8).

Security

 * ssh(1): disallow control characters in usernames passed via the
   commandline or expanded using %-sequences from the configuration
   file, and disallow \0 characters in ssh:// URIs.

New features

 * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
   session information.

Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Full release notes are available at
https://www.openssh.com/txt/release-10.1

Selected highlights from the release notes:

Potentially-incompatible changes

 * ssh(1): add a warning when the connection negotiates a non-post
   quantum key agreement algorithm.

 * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS

 * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
   keywords in the IPQoS configuration directive.

 * ssh-add(1): when adding certificates to an agent, set the expiry
   to the certificate expiry time plus a short (5 min) grace period.

 * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
   under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
   in sshd(8).

Security

 * ssh(1): disallow control characters in usernames passed via the
   commandline or expanded using %-sequences from the configuration
   file, and disallow \0 characters in ssh:// URIs.

New features

 * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
   session information.

Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: Update to OpenSSH 9.4p1</title>
<updated>2023-08-11T03:10:18+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2023-08-11T03:10:18+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=535af610a4fdace6d50960c0ad9be0597eea7a1b'/>
<id>535af610a4fdace6d50960c0ad9be0597eea7a1b</id>
<content type='text'>
Excerpts from the release notes:

 * ssh-agent(1): PKCS#11 modules must now be specified by their full
   paths. Previously dlopen(3) could search for them in system
   library directories.

 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
   by running separate ssh-pkcs11-helpers for each loaded provider.

 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
   modules being loaded by checking that the requested module
   contains the required symbol before loading it.

 * ssh(1): don't incorrectly disable hostname canonicalization when
   CanonicalizeHostname=yes and ProxyJump was expicitly set to
   "none". bz3567

Full release notes at https://www.openssh.com/txt/release-9.4

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Excerpts from the release notes:

 * ssh-agent(1): PKCS#11 modules must now be specified by their full
   paths. Previously dlopen(3) could search for them in system
   library directories.

 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh-agent(1): improve isolation between loaded PKCS#11 modules
   by running separate ssh-pkcs11-helpers for each loaded provider.

 * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
   modules being loaded by checking that the requested module
   contains the required symbol before loading it.

 * ssh(1): don't incorrectly disable hostname canonicalization when
   CanonicalizeHostname=yes and ProxyJump was expicitly set to
   "none". bz3567

Full release notes at https://www.openssh.com/txt/release-9.4

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: default VerifyHostKeyDNS to no, following upstream</title>
<updated>2023-03-01T14:19:07+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2023-02-17T01:26:41+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=41ff5ea22cb95deb9e7415510eb2f5f00b91537a'/>
<id>41ff5ea22cb95deb9e7415510eb2f5f00b91537a</id>
<content type='text'>
Revert to upstream's default.  Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.

This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.

Reported by:	David Leadbeater, G-Research
Reviewed by:	gordon
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D38648
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Revert to upstream's default.  Using VerifyHostKeyDNS may depend on a
trusted nameserver and network path.

This reverts commit 83c6a5242c80160fff76fb85454938761645b0c4.

Reported by:	David Leadbeater, G-Research
Reviewed by:	gordon
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D38648
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: retire client VersionAddendum</title>
<updated>2022-08-19T14:38:42+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-04-23T19:40:48+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=bffe60ead024a1fdf4312eaec5892435a7f6b4c5'/>
<id>bffe60ead024a1fdf4312eaec5892435a7f6b4c5</id>
<content type='text'>
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f88 and later extended it to the client in
commit 9e2cbe04ff4f.

In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10.  They do not support it for the client.

The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set.  This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.

Reviewed by:	gordon, glebius
Relnotes:	yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32930
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
FreeBSD introduced VersionAddendum for the server as a local change in
2001 in commit 933ca70f8f88 and later extended it to the client in
commit 9e2cbe04ff4f.

In 2012 upstream added support for server VersionAddendum, in commit
23528816dc10.  They do not support it for the client.

The argument for supporting this in the client is not nearly as strong
as for the server, so retire this option to reduce the scope of our
local patch set.  This also avoids some cases of conflicts in ssh_config
during update, as a user's configuration would typically follow the
commented-out default VersionAddendum value.

Reviewed by:	gordon, glebius
Relnotes:	yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32930
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: drop $FreeBSD$ from crypto/openssh</title>
<updated>2022-04-22T23:12:23+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-04-22T23:05:44+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=835ee05f3c754d905099a3500f421dc01fab028f'/>
<id>835ee05f3c754d905099a3500f421dc01fab028f</id>
<content type='text'>
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose.  Remove them from OpenSSH to reduce diffs against upstream.

Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
After we moved to git $FreeBSD$ is no longer expanded and serves no
purpose.  Remove them from OpenSSH to reduce diffs against upstream.

Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: update to OpenSSH v9.0p1</title>
<updated>2022-04-15T14:41:08+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-04-15T14:41:08+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=87c1498d1a7473ff983e5c0456f30608f3f1e601'/>
<id>87c1498d1a7473ff983e5c0456f30608f3f1e601</id>
<content type='text'>
Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: update to OpenSSH v8.9p1</title>
<updated>2022-04-13T20:00:56+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2022-04-13T20:00:56+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=1323ec571215a77ddd21294f0871979d5ad6b992'/>
<id>1323ec571215a77ddd21294f0871979d5ad6b992</id>
<content type='text'>
Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>ssh: update to OpenSSH v8.8p1</title>
<updated>2021-12-19T16:02:02+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2021-12-19T16:02:02+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=e9e8876a4d6afc1ad5315faaa191b25121a813d7'/>
<id>e9e8876a4d6afc1ad5315faaa191b25121a813d7</id>
<content type='text'>
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures.  It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
<entry>
<title>openssh: update to OpenSSH v8.7p1</title>
<updated>2021-09-08T01:05:51+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2021-09-08T01:05:51+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=19261079b74319502c6ffa1249920079f0f69a72'/>
<id>19261079b74319502c6ffa1249920079f0f69a72</id>
<content type='text'>
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
</pre>
</div>
</content>
</entry>
<entry>
<title>Upgrade to OpenSSH 7.9p1.</title>
<updated>2020-02-14T19:06:59+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2020-02-14T19:06:59+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=2f513db72b034fd5ef7f080b11be5c711c15186a'/>
<id>2f513db72b034fd5ef7f080b11be5c711c15186a</id>
<content type='text'>
MFC after:	2 months
Sponsored by:	The FreeBSD Foundation
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
MFC after:	2 months
Sponsored by:	The FreeBSD Foundation
</pre>
</div>
</content>
</entry>
</feed>
