This release changes the first-preference signature algorithm from ECDSA to ED25519.
Set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
Remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
Update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761.
Disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers.
New features
This release enables UpdateHostkeys by default subject to some conservative preconditions:
The key was matched in the UserKnownHostsFile (and not in the GlobalKnownHostsFile).
The same key does not exist under another name.
A certificate host key is not in use.
known_hosts contains no matching wildcard hostname pattern.
VerifyHostKeyDNS is not enabled.
The default UserKnownHostsFile is in use.
Allow the ssh_config(5)CanonicalizePermittedCNAMEs directive to accept a "none" argument to specify the default behaviour.
Add a new LogVerbose configuration directive for that allows forcing maximum debug logging by file/function/line pattern-lists.
When prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key.
Allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys.
Add a ssh_configKnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files.
Add a ssh_configPermitRemoteOpen option that allows the client to restrict the destination when RemoteForward is used with SOCKS.
For FIDO keys, if a signature operation fails with a "incorrect PIN" reason and no PIN was initially requested from the user, then request a PIN and retry the operation. This supports some biometric devices that fall back to requiring PIN when reading of the biometric failed, and devices that require PINs for all hosted credentials.
Use the new limits@openssh.com extension (when available) to select better transfer lengths in the client.
Bugfixes
When requesting a FIDO token touch on stderr, inform the user once the touch has been recorded.
Prevent integer overflow when ridiculously large ConnectTimeout values are specified, capping the effective value (for most platforms) at 24 days. bz#3229
Consider the ECDSA key subtype when ordering host key algorithms in the client.
Rename the PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms. The previous name incorrectly suggested that it control allowed key algorithms, when this option actually specifies the signature algorithms that are accepted. The previous name remains available as an alias. bz#3253
Similarly, rename HostbasedKeyTypes to HostbasedAcceptedAlgorithms.
More strictly enforce KEX state-machine by banning packet types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
When doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that the transfer can actually complete, then set the directory permission as the final step. bz#3222
Ignore comments at the end of config lines in ssh_config, similar to what we already do for sshd_config. bz#2320
Fix potential integer truncation of (unlikely) timeout values. bz#3250
Make hostbased authentication send the signature algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. This make HostbasedAcceptedAlgorithms do what it is supposed to - filter on signature algorithm and not key type.
Ensure that pkcs11_del_provider() is called before exit. GHPR234
Fix problems in string->argv conversion. Multiple backslashes were not being dequoted correctly and quoted space in the middle of a string was being incorrectly split. GHPR223
Return non-zero exit status when killed by signal; bz#3281
Start time-based re-keying exactly on schedule in the client and server mainloops. Previously the re-key timeout could expire but re-keying would not start until a packet was sent or received, causing a spin in select() if the connection was quiescent.
Remove references to ChallengeResponseAuthentication in favour of KbdInteractiveAuthentication. The former is what was in SSHv1, the latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but not entirely equivalent. We retain the old name as a deprecated alias so configuration files continue to work as well as a reference in the man page for people looking for it. bz#3303
Fix decoding of X.509 subject name when extracting a key from a PKCS#11 certificate. bz#3327
Sessions started with ControlPersist were incorrectly executing a shell when the -N (no shell) option was specified. bz#3290
Fix debug message when finding a private key to match a certificate being attempted for user authentication. Previously it would print the certificate's path, whereas it was supposed to be showing the private key's path. GHPR247
Add a workaround for a bug in OpenSSH 7.4 sshd(8), which allows RSA/SHA2 signatures for public key authentication but fails to advertise this correctly via SSH2_MSG_EXT_INFO. This causes clients of these server to incorrectly match PubkeyAcceptedAlgorithms and potentially refuse to offer valid keys. bz#3213
Allow ssh_configSetEnv to override $TERM, which is otherwise handled specially by the protocol. Useful in ~/.ssh/config to set TERM to something generic (e.g. "xterm" instead of "xterm-256color") for destinations that lack terminfo entries.
Fix SEGV in UpdateHostkeys debug() message, triggered when the update removed more host keys than remain present.