What is the UnixWare 7D OpenSSH 9.9p1a Package?

The OpenSSH 9.9p1a package is an updated OpenSSH for UnixWare 7D that
addresses the following problems or new features.

Future deprecation notice
-------------------------

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.

Currently DSA is disabled at compile time. The final step of
removing DSA support entirely is planned for the first OpenSSH
release of 2025.

DSA support may be re-enabled on OpenBSD by setting "DSAKEY=yes"
in Makefile.inc. To enable DSA support in portable OpenSSH, pass
the "--enable-dsa-keys" option to configure.


Contents
--------

      openssh-9.9p1a-UnixWare7D-i386.pkg.xz

SHA256 (openssh-9.9p1a-UnixWare7D-i386.pkg.xz) = 5ce02b19273fb1f2d3a3413c13a33c5b140ad6f6f78ea23e86d8fd778cee5407

Software Notes and Recommendations
----------------------------------

  The UW7D OpenSSH 9.9p1a package is intended for installation on

        UnixWare 7 Definitive 2018 with MP1


Installation Instructions
-------------------------

  1. Download openssh-9.9p1a-UnixWare7D-i386.pkg.xz file to the /tmp
     directory on your machine.

  2. As root, add the package to your system using these commands:

     $ su -
     Password: <type your root password>
     # xzcat /tmp/openssh-9.9p1a-UnixWare7D-i386.pkg.xz | pkgadd -qd - all

  3.  The upgrade process will not modify existing /etc/ssh/ssh_config
      or /etc/ssh/sshd_config files if modifications have been made.
      If not modified, default option settings as well as additional
      options different than the earlier OpenSSH options will be
      replaced. The default configuration files are saved in
      /opt/xinuos/etc/openssh. System administrators should review
      the new default options and update /etc/ssh/ssh_config and 
      /etc/ssh/sshd_config accordingly.

Removal Instructions
--------------------

  1. As root, remove the package using these commands:

     $ su -
     Password: <type your root password>
     # pkgrm openssh

  2. Your system does not contain an OpenSSH after removal of this package.

     Note: removing OpenSSH will break existing OpenSSH logins, so this 
           should be done from the console or in single user mode.

  If you have questions regarding this supplement, or the product on
  which it is installed, please contact your Xinuos software supplier.

Problems Fixed
--------------
Changes between openssh-7.3p1f and openssh-9.9p1a

Security fixes in OpenSSH 7.4
========

 * sshd(8): When privilege separation is disabled, forwarded Unix-
   domain sockets would be created by sshd(8) with the privileges of
   'root' instead of the authenticated user. This release refuses
   Unix-domain socket forwarding when privilege separation is disabled
   (Privilege separation has been enabled by default for 14 years).
   Reported by Jann Horn of Project Zero.

 * sshd(8): Avoid theoretical leak of host private key material to
   privilege-separated child processes via realloc() when reading
   keys. No such leak was observed in practice for normal-sized keys,
   nor does a leak to the child processes directly expose key material
   to unprivileged users. Reported by Jann Horn of Project Zero.
 
 * sshd(8): The shared memory manager used by pre-authentication
   compression support had a bounds checks that could be elided by
   some optimising compilers. Additionally, this memory manager was
   incorrectly accessible when pre-authentication compression was
   disabled. This could potentially allow attacks against the
   privileged monitor process from the sandboxed privilege-separation
   process (a compromise of the latter would be required first).
   This release removes support for pre-authentication compression
   from sshd(8). Reported by Guido Vranken using the Stack unstable
   optimisation identification tool (http://css.csail.mit.edu/stack/)

 * sshd(8): Fix denial-of-service condition where an attacker who
   sends multiple KEXINIT messages may consume up to 128MB per
   connection. Reported by Shi Lei of Gear Team, Qihoo 360.

 * sshd(8): Validate address ranges for AllowUser and DenyUsers
   directives at configuration load time and refuse to accept invalid
   ones. It was previously possible to specify invalid CIDR address
   ranges (e.g. user@127.1.2.3/55) and these would always match,
   possibly resulting in granting access where it was not intended.
   Reported by Laurence Parry.

Security fixes in OpenSSH 7.5
========

 * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
   that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
   Note that the OpenSSH client disables CBC ciphers by default, sshd
   offers them as lowest-preference options and will remove them by
   default entriely in the next release. Reported by Jean Paul
   Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
   Royal Holloway, University of London.

 * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
   a recursive file transfer could be maniuplated by a hostile server to
   perform a path-traversal attack. creating or modifying files outside
   of the intended target directory. Reported by Jann Horn of Google
   Project Zero.

Security fixes in OpenSSH 7.6
========

 * sftp-server(8): in read-only mode, sftp-server was incorrectly
   permitting creation of zero-length files. Reported by Michal
   Zalewski.

Security fix in OpenSSH 8.0
========

This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.

This release adds client-side checking that the filenames sent from
the server match the command-line request,

The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.

Security fixes in OpenSSH 8.1
========

 * ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer
   overflow bug was found in the private key parsing code for the XMSS
   key type. This key type is still experimental and support for it is
   not compiled by default. No user-facing autoconf option exists in
   portable OpenSSH to enable it. This bug was found by Adam Zabrocki
   and reported via SecuriTeam's SSD program.

 * ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
   rest in RAM against speculation and memory side-channel attacks like
   Spectre, Meltdown and Rambleed. This release encrypts private keys
   when they are not in use with a symmetric key that is derived from a
   relatively large "prekey" consisting of random data (currently 16KB).

Security fixes in OpenSSH 8.2
========

 * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
   (RSA/SHA1) algorithm from those accepted for certificate signatures
   (i.e. the client and server CASignatureAlgorithms option) and will
   use the rsa-sha2-512 signature algorithm by default when the
   ssh-keygen(1) CA signs new certificates.

   Certificates are at special risk to the aforementioned SHA1
   collision vulnerability as an attacker has effectively unlimited
   time in which to craft a collision that yields them a valid
   certificate, far more than the relatively brief LoginGraceTime
   window that they have to forge a host key signature.

   The OpenSSH certificate format includes a CA-specified (typically
   random) nonce value near the start of the certificate that should
   make exploitation of chosen-prefix collisions in this context
   challenging, as the attacker does not have full control over the
   prefix that actually gets signed. Nonetheless, SHA1 is now a
   demonstrably broken algorithm and futher improvements in attacks
   are highly likely.

   OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
   algorithms and will refuse to accept certificates signed by an
   OpenSSH 8.2+ CA using RSA keys unless the unsafe algorithm is
   explicitly selected during signing ("ssh-keygen -t ssh-rsa").
   Older clients/servers may use another CA key type such as
   ssh-ed25519 (supported since OpenSSH 6.5) or one of the
   ecdsa-sha2-nistp256/384/521 types (supported since OpenSSH 5.7)
   instead if they cannot be upgraded.

Security fixes in OpenSSH 8.3
========

 * scp(1): when receiving files, scp(1) could be become desynchronised
   if a utimes(2) system call failed. This could allow file contents
   to be interpreted as file metadata and thereby permit an adversary
   to craft a file system that, when copied with scp(1) in a
   configuration that caused utimes(2) to fail (e.g. under a SELinux
   policy or syscall sandbox), transferred different file names and
   contents to the actual file system layout.

   Exploitation of this is not likely as utimes(2) does not fail under
   normal circumstances. Successful exploitation is not silent - the
   output of scp(1) would show transfer errors followed by the actual
   file(s) that were received.

   Finally, filenames returned from the peer are (since openssh-8.0)
   matched against the user's requested destination, thereby
   disallowing a successful exploit from writing files outside the
   user's selected target glob (or directory, in the case of a
   recursive transfer). This ensures that this attack can achieve no
   more than a hostile peer is already able to achieve within the scp
   protocol.

Security fixes in OpenSSH 8.5
========

 * ssh-agent(1): fixed a double-free memory corruption that was
   introduced in OpenSSH 8.2 . We treat all such memory faults as
   potentially exploitable. This bug could be reached by an attacker
   with access to the agent socket.

   On modern operating systems where the OS can provide information
   about the user identity connected to a socket, OpenSSH ssh-agent
   and sshd limit agent socket access only to the originating user
   and root. Additional mitigation may be afforded by the system's
   malloc(3)/free(3) implementation, if it detects double-free
   conditions.

   The most likely scenario for exploitation is a user forwarding an
   agent either to an account shared with a malicious user or to a
   host with an attacker holding root access.

 * Portable sshd(8): Prevent excessively long username going to PAM.
   This is a mitigation for a buffer overflow in Solaris' PAM username
   handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
   implementations.  This is not a problem in sshd itself, it only
   prevents sshd from being used as a vector to attack Solaris' PAM.
   It does not prevent the bug in PAM from being exploited via some
   other PAM application. GHPR#212

Security fixes in OpenSSH 8.8
========

sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).

Security Near Miss fixed in OpenSSH 8.9
==================

 * sshd(8): fix an integer overflow in the user authentication path
   that, in conjunction with other logic errors, could have yielded
   unauthenticated access under difficult to exploit conditions.

   This situation is not exploitable because of independent checks in
   the privilege separation monitor. Privilege separation has been
   enabled by default in since openssh-3.2.2 (released in 2002) and
   has been mandatory since openssh-7.5 (released in 2017). Moreover,
   portable OpenSSH has used toolchain features available in most
   modern compilers to abort on signed integer overflow since
   openssh-6.5 (released in 2014).

   Thanks to Malcolm Stagg for finding and reporting this bug.

Security fixes in OpenSSH 9.0
========

This release contains fixes for three minor memory safety problems.
None are believed to be exploitable, but we report most memory safety
problems as potential security vulnerabilities out of caution.

 * ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing.
   Reported by Qualys

 * ssh-keygen(1): double free() in error path of file hashing step in
   signing/verify code; GHPR333

 * ssh-keysign(8): double-free in error path introduced in openssh-8.9

Security fix in OpenSSH 9.2
========

 * ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
   options were enabled, and the system/libc resolver did not check
   that names in DNS responses were valid, then use of these options
   could allow an attacker with control of DNS to include invalid
   characters (possibly including wildcards) in names added to
   known_hosts files when they were updated. These names would still
   have to match the CanonicalizePermittedCNAMEs allow-list, so
   practical exploitation appears unlikely.

Security fixes in OpenSSH 9.3
========

This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.

 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.

   The getrrsetbyname(3) replacement is only included if the system's
   standard library lacks this function and portable OpenSSH was not
   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
   problem was found by the Coverity static analyzer.

Security fixes in OpenSSH 9.6
========

This release contains fixes for a newly-discovered weakness in the
SSH transport protocol, a logic error relating to constrained PKCS#11
keys in ssh-agent(1) and countermeasures for programs that invoke
ssh(1) with user or hostnames containing invalid characters.

 * ssh(1), sshd(8): implement protocol extensions to thwart the
   so-called "Terrapin attack" discovered by Fabian B??umer, Marcus
   Brinkmann and J??rg Schwenk. This attack allows a MITM to effect a
   limited break of the integrity of the early encrypted SSH transport
   protocol by sending extra messages prior to the commencement of
   encryption, and deleting an equal number of consecutive messages
   immediately after encryption starts. A peer SSH client/server
   would not be able to detect that messages were deleted.

   While cryptographically novel, the security impact of this attack
   is fortunately very limited as it only allows deletion of
   consecutive messages, and deleting most messages at this stage of
   the protocol prevents user user authentication from proceeding and
   results in a stuck connection.

   The most serious identified impact is that it lets a MITM to
   delete the SSH2_MSG_EXT_INFO message sent before authentication
   starts, allowing the attacker to disable a subset of the keystroke
   timing obfuscation features introduced in OpenSSH 9.5. There is no
   other discernable impact to session secrecy or session integrity.

   OpenSSH 9.6 addresses this protocol weakness through a new "strict
   KEX" protocol extension that will be automatically enabled when
   both the client and server support it. This extension makes
   two changes to the SSH transport protocol to improve the integrity
   of the initial key exchange.

   Firstly, it requires endpoints to terminate the connection if any
   unnecessary or unexpected message is received during key exchange
   (including messages that were previously legal but not strictly
   required like SSH2_MSG_DEBUG). This removes most malleability from
   the early protocol.

   Secondly, it resets the Message Authentication Code counter at the
   conclusion of each key exchange, preventing previously inserted
   messages from being able to make persistent changes to the
   sequence number across completion of a key exchange. Either of
   these changes should be sufficient to thwart the Terrapin Attack.

   More details of these changes are in the PROTOCOL file in the
   OpenSSH source distribition.

 * ssh(1): if an invalid user or hostname that contained shell
   metacharacters was passed to ssh(1), and a ProxyCommand,
   LocalCommand directive or "match exec" predicate referenced the
   user or hostname via %u, %h or similar expansion token, then
   an attacker who could supply arbitrary user/hostnames to ssh(1)
   could potentially perform command injection depending on what
   quoting was present in the user-supplied ssh_config(5) directive.

   This situation could arise in the case of git submodules, where
   a repository could contain a submodule with shell characters in
   its user/hostname. Git does not ban shell metacharacters in user
   or host names when checking out repositories from untrusted
   sources.

   Although we believe it is the user's responsibility to ensure
   validity of arguments passed to ssh(1), especially across a
   security boundary such as the git example above, OpenSSH 9.6 now
   bans most shell metacharacters from user and hostnames supplied
   via the command-line. This countermeasure is not guaranteed to be
   effective in all situations, as it is infeasible for ssh(1) to
   universally filter shell metacharacters potentially relevant to
   user-supplied commands.

   User/hostnames provided via ssh_config(5) are not subject to these
   restrictions, allowing configurations that use strange names to
   continue to be used, under the assumption that the user knows what
   they are doing in their own configuration files.

Security fixes in OpenSSH 9.8
========

Logic error in ssh(1) ObscureKeystrokeTiming

In OpenSSH version 9.5 through 9.7 (inclusive), when connected to an
OpenSSH server version 9.5 or later, a logic error in the ssh(1)
ObscureKeystrokeTiming feature (on by default) rendered this feature
ineffective - a passive observer could still detect which network
packets contained real keystrokes when the countermeasure was active
because both fake and real keystroke packets were being sent
unconditionally.

This bug was found by Philippos Giavridis and also independently by
Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford of the
University of Cambridge Computer Lab.

Worse, the unconditional sending of both fake and real keystroke
packets broke another long-standing timing attack mitigation. Since
OpenSSH 2.9.9 sshd(8) has sent fake keystoke echo packets for
traffic received on TTYs in echo-off mode, such as when entering a
password into su(8) or sudo(8). This bug rendered these fake
keystroke echoes ineffective and could allow a passive observer of
a SSH session to once again detect when echo was off and obtain
fairly limited timing information about keystrokes in this situation
(20ms granularity by default).

This additional implication of the bug was identified by Jacky Wei
En Kung, Daniel Hugenroth and Alastair Beresford and we thank them
for their detailed analysis.

This bug does not affect connections when ObscureKeystrokeTiming
was disabled or sessions where no TTY was requested.

Potentially-incompatible changes in OpenSSH 7.4
================================

This release includes a number of changes that may affect existing
configurations:

 * This release removes server support for the SSH v.1 protocol.

 * ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
   block ciphers are not safe in 2016 and we don't want to wait until
   attacks like SWEET32 are extended to SSH. As 3des-cbc was the
   only mandatory cipher in the SSH RFCs, this may cause problems
   connecting to older devices using the default configuration,
   but it's highly likely that such devices already need explicit
   configuration for key exchange and hostkey algorithms already
   anyway.
    
 * sshd(8): Remove support for pre-authentication compression.
   Doing compression early in the protocol probably seemed reasonable
   in the 1990s, but today it's clearly a bad idea in terms of both
   cryptography (cf. multiple compression oracle attacks in TLS) and
   attack surface. Pre-auth compression support has been disabled by
   default for >10 years. Support remains in the client.
    
 * sshd(8): When a forced-command appears in both a certificate and
   an authorized keys/principals command= restriction, sshd will now
   refuse to accept the certificate unless they are identical.
   The previous (documented) behaviour of having the certificate
   forced-command override the other could be a bit confusing and
   error-prone.
    
 * sshd(8): Remove the UseLogin configuration directive and support
   for having /bin/login manage login sessions.
    
Potentially-incompatible changes in OpenSSH 7.7
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh(1)/sshd(8): Drop compatibility support for some very old SSH
   implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
   versions were all released in or before 2001 and predate the final
   SSH RFCs. The support in question isn't necessary for RFC-compliant
   SSH implementations.

Potentially-incompatible changes in OpenSSH 7.8
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh-keygen(1): write OpenSSH format private keys by default
   instead of using OpenSSL's PEM format. The OpenSSH format,
   supported in OpenSSH releases since 2014 and described in the
   PROTOCOL.key file in the source distribution, offers substantially
   better protection against offline password guessing and supports
   key comments in private keys. If necessary, it is possible to write
   old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
   when generating or updating a key.

 * sshd(8): remove internal support for S/Key multiple factor
   authentication. S/Key may still be used via PAM or BSD auth.

 * ssh(1): remove vestigal support for running ssh(1) as setuid. This
   used to be required for hostbased authentication and the (long
   gone) rhosts-style authentication, but has not been necessary for
   a long time. Attempting to execute ssh as a setuid binary, or with
   uid != effective uid will now yield a fatal error at runtime.

 * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar
   HostbasedAcceptedKeyTypes options have changed. These now specify
   signature algorithms that are accepted for their respective
   authentication mechanism, where previously they specified accepted
   key types. This distinction matters when using the RSA/SHA2
   signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their
   certificate counterparts. Configurations that override these
   options but omit these algorithm names may cause unexpected
   authentication failures (no action is required for configurations
   that accept the default for these options).

 * sshd(8): the precedence of session environment variables has
   changed. ~/.ssh/environment and environment="..." options in
   authorized_keys files can no longer override SSH_* variables set
   implicitly by sshd.

 * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed.
   They will now use DSCP AF21 for interactive traffic and CS1 for
   bulk.  For a detailed rationale, please see the commit message:
   https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c#rev1.284

Potentially-incompatible changes in OpenSSH 7.9
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
   option (see below) bans the use of DSA keys as certificate
   authorities.

 * sshd(8): the authentication success/failure log message has
   changed format slightly. It now includes the certificate
   fingerprint (previously it included only key ID and CA key
   fingerprint).

Potentially-incompatible changes in OpenSSH 8.0
================================

This release includes a number of changes that may affect existing
configurations:

 * scp(1): Relating to the above changes to scp(1); the scp protocol
   relies on the remote shell for wildcard expansion, so there is no
   infallible way for the client's wildcard matching to perfectly
   reflect the server's. If there is a difference between client and
   server wildcard expansion, the client may refuse files from the
   server. For this reason, we have provided a new "-T" flag to scp
   that disables these client-side checks at the risk of
   reintroducing the attack described above.

 * sshd(8): Remove support for obsolete "host/port" syntax. Slash-
   separated host/port was added in 2001 as an alternative to
   host:port syntax for the benefit of IPv6 users. These days there
   are establised standards for this like [::1]:22 and the slash
   syntax is easily mistaken for CIDR notation, which OpenSSH
   supports for some things. Remove the slash notation from
   ListenAddress and PermitOpen; bz#2335

Potentially-incompatible changes in OpenSSH 8.1
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh-keygen(1): when acting as a CA and signing certificates with
   an RSA key, default to using the rsa-sha2-512 signature algorithm.
   Certificates signed by RSA keys will therefore be incompatible
   with OpenSSH versions prior to 7.2 unless the default is
   overridden (using "ssh-keygen -t ssh-rsa -s ...").

Potentially-incompatible changes in OpenSSH 8.2
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
   CASignatureAlgorithms list.

 * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
   from the default key exchange proposal for both the client and
   server.

 * ssh-keygen(1): the command-line options related to the generation
   and screening of safe prime numbers used by the
   diffie-hellman-group-exchange-* key exchange algorithms have
   changed. Most options have been folded under the -O flag.

 * sshd(8): the sshd listener process title visible to ps(1) has
   changed to include information about the number of connections that
   are currently attempting authentication and the limits configured
   by MaxStartups.

 * ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
   support to provide address-space isolation for token middleware
   libraries (including the internal one). It needs to be installed
   in the expected path, typically under /usr/libexec or similar.

Potentially-incompatible changes in OpenSSH 8.3
================================

This release includes a number of changes that may affect existing
configurations:

 * sftp(1): reject an argument of "-1" in the same way as ssh(1) and
   scp(1) do instead of accepting and silently ignoring it.

Potentially-incompatible changes in OpenSSH 8.5
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): this release changes the first-preference signature
   algorithm from ECDSA to ED25519.

 * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
   for interactive use prior to TCP connect. The connection phase of
   the SSH session is time-sensitive and often explicitly interactive.
   The ultimate interactive/bulk TOS/DSCP will be set after
   authentication completes.

 * ssh(1), sshd(8): remove the pre-standardization cipher
   rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
   it was standardized in RFC4253 (2006), has been deprecated and
   disabled by default since OpenSSH 7.2 (2016) and was only briefly
   documented in ssh.1 in 2001.

 * ssh(1), sshd(8): update/replace the experimental post-quantum
   hybrid key exchange method based on Streamlined NTRU Prime coupled
   with X25519.

   The previous sntrup4591761x25519-sha512@tinyssh.org method is
   replaced with sntrup761x25519-sha512@openssh.com. Per its
   designers, the sntrup4591761 algorithm was superseded almost two
   years ago by sntrup761.

   (note this both the updated method and the one that it replaced are
   disabled by default)

 * ssh(1): disable CheckHostIP by default. It provides insignificant
   benefits while making key rotation significantly more difficult,
   especially for hosts behind IP-based load-balancers.

Potentially-incompatible changes in OpenSSH 8.7
================================

This release includes a number of changes that may affect existing
configurations:

 * scp(1): this release changes the behaviour of remote to remote
   copies (e.g. "scp host-a:/path host-b:") to transfer through the
   local host by default. This was previously available via the -3
   flag. This mode avoids the need to expose credentials on the
   origin hop, avoids triplicate interpretation of filenames by the
   shell (by the local system, the copy origin and the destination)
   and, in conjunction with the SFTP support for scp(1) mentioned
   below, allows use of all authentication methods to the remote
   hosts (previously, only non-interactive methods could be used).
   A -R flag has been added to select the old behaviour.

 * ssh(1)/sshd(8): both the client and server are now using a
   stricter configuration file parser. The new parser uses more
   shell-like rules for quotes, space and escape characters. It is
   also more strict in rejecting configurations that include options
   lacking arguments. Previously some options (e.g. DenyUsers) could
   appear on a line with no subsequent arguments. This release will
   reject such configurations. The new parser will also reject
   configurations with unterminated quotes and multiple '='
   characters after the option name.

 * ssh(1): when using SSHFP DNS records for host key verification,
   ssh(1) will verify all matching records instead of just those
   with the specific signature type requested. This may cause host
   key verification problems if stale SSHFP records of a different
   or legacy signature type exist alongside other records for a
   particular host. bz#3322

 * sshd(8): environment="..." directives in authorized_keys files are
   now first-match-wins and limited to 1024 discrete environment
   variable names.

Potentially-incompatible changes in OpenSSH 8.8
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

    Host old-host
        HostkeyAlgorithms +ssh-rsa
	PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Potentially-incompatible changes in OpenSSH 8.9
================================

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Potentially-incompatible changes in OpenSSH 9.0
================================

This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.

In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.

Potentially-incompatible changes in OpenSSH 9.1
================================

 * The portable OpenSSH project now signs commits and release tags
   using git's recent SSH signature support. The list of developer
   signing keys is included in the repository as .git_allowed_signers
   and is cross-signed using the PGP key that is still used to sign
   release artifacts:
   https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
   are now first-match-wins to match other directives. Previously
   if an environment variable was multiply specified the last set
   value would have been used. bz3438

 * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
   will no longer generate DSA keys, as these are insecure and have
   not been used by default for some years.

Potentially-incompatible changes in OpenSSH 9.2
================================

 * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
   controls whether the client-side ~C escape sequence that provides a
   command-line is available. Among other things, the ~C command-line
   could be used to add additional port-forwards at runtime.

   This option defaults to "no", disabling the ~C command-line that
   was previously enabled by default. Turning off the command-line
   allows platforms that support sandboxing of the ssh(1) client
   (currently only OpenBSD) to use a stricter default sandbox policy.

Potentially-incompatible changes in OpenSSH 9.3p1
================================

   Note that ssh-agent(8) depends on the SSH client to identify
   requests that are remote. The OpenSSH >=8.9 ssh(1) client does
   this, but forwarding access to an agent socket using other tools
   may circumvent this restriction.

Potentially incompatible changes in OpenSSH 9.4
================================

 * This release removes support for older versions of libcrypto.
   OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
   Note that these versions are already deprecated by their upstream
   vendors.


Potentially incompatible changes in OpenSSH 9.5
================================

 * ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys
   are very convenient due to their small size. Ed25519 keys are
   specified in RFC 8709 and OpenSSH has supported them since version 6.5
   (January 2014).
    
 * sshd(8): the Subsystem directive now accurately preserves quoting of
   subsystem commands and arguments. This may change behaviour for exotic
   configurations, but the most common subsystem configuration
   (sftp-server) is unlikely to be affected.

Potentially incompatible changes in OpenSSH 9.6
================================

 * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
   a TCP-like window mechanism that limits the amount of data that
   can be sent without acceptance from the peer. In cases where this
   limit was exceeded by a non-conforming peer SSH implementation,
   ssh(1)/sshd(8) previously discarded the extra data. From OpenSSH
   9.6, ssh(1)/sshd(8) will now terminate the connection if a peer
   exceeds the window limit by more than a small grace factor. This
   change should have no effect of SSH implementations that follow
   the specification.

Potentially-incompatible changes in OpenSSH 9.8
================================

 * all: the DSA signature algorithm is now disabled at compile time.

 * sshd(8): the server will now block client addresses that
   repeatedly fail authentication, repeatedly connect without ever
   completing authentication or that crash the server. See the
   discussion of PerSourcePenalties below for more information.
   Operators of servers that accept connections from many users, or
   servers that accept connections from addresses behind NAT or
   proxies may need to consider these settings.

 * sshd(8): the server has been split into a listener binary, sshd(8),
   and a per-session binary "sshd-session". This allows for a much
   smaller listener binary, as it no longer needs to support the SSH
   protocol. As part of this work, support for disabling privilege
   separation (which previously required code changes to disable) and
   disabling re-execution of sshd(8) has been removed. Further
   separation of sshd-session into additional, minimal binaries is
   planned for the future.

 * sshd(8): several log messages have changed. In particular, some
   log messages will be tagged with as originating from a process
   named "sshd-session" rather than "sshd".

 * ssh-keyscan(1): this tool previously emitted comment lines
   containing the hostname and SSH protocol banner to standard error.
   This release now emits them to standard output, but adds a new
   "-q" flag to silence them altogether.

 * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
   as the PAM service name. A new "PAMServiceName" sshd_config(5)
   directive allows selecting the service name at runtime. This
   defaults to "sshd". bz2101

 * (portable OpenSSH only) Automatically-generated files, such as
   configure, config.h.in, etc will now be checked in to the portable
   OpenSSH git release branch (e.g. V_9_8). This should ensure that
   the contents of the signed release branch exactly match the
   contents of the signed release tarball.

Potentially-incompatible changes in OpenSSH 9.9
================================

 * ssh(1): remove support for pre-authentication compression.
   OpenSSH has only supported post-authentication compression in
   the server for some years. Compression before authentication
   significantly increases the attack surface of SSH servers and risks
   creating oracles that reveal information about information sent
   during authentication.

 * ssh(1), sshd(8): processing of the arguments to the "Match"
   configuration directive now follows more shell-like rules for
   quoted strings, including allowing nested quotes and \-escaped
   characters. If configurations contained workarounds for the
   previous simplistic quote handling then they may need to be
   adjusted. If this is the case, it's most likely to be in the
   arguments to a "Match exec" confition. In this case, moving the
   command to be evaluated from the Match line to an external shell
   script is easiest way to preserve compatibility with both the old
   and new versions.


Changes in OpenSSH 7.4
======================

New Features
------------

 * ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
   version in PuTTY by Simon Tatham. This allows a multiplexing
   client to communicate with the master process using a subset of
   the SSH packet and channels protocol over a Unix-domain socket,
   with the main process acting as a proxy that translates channel
   IDs, etc.  This allows multiplexing mode to run on systems that
   lack file- descriptor passing (used by current multiplexing
   code) and potentially, in conjunction with Unix-domain socket
   forwarding, with the client and multiplexing master process on
   different machines. Multiplexing proxy mode may be invoked using
   "ssh -O proxy ..."

 * sshd(8): Add a sshd_config DisableForwaring option that disables
   X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
   as anything else we might implement in the future. Like the
   'restrict' authorized_keys flag, this is intended to be a simple
   and future-proof way of restricting an account.

 * sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
   method. This is identical to the currently-supported method named
   "curve25519-sha256@libssh.org".

 * sshd(8): Improve handling of SIGHUP by checking to see if sshd is
   already daemonised at startup and skipping the call to daemon(3)
   if it is. This ensures that a SIGHUP restart of sshd(8) will
   retain the same process-ID as the initial execution. sshd(8) will
   also now unlink the PidFile prior to SIGHUP restart and re-create
   it after a successful restart, rather than leaving a stale file in
   the case of a configuration error. bz#2641

 * sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
   directives to appear in sshd_config Match blocks.

 * sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
   those supported by AuthorizedKeysCommand (key, key type,
   fingerprint, etc.) and a few more to provide access to the
   contents of the certificate being offered.

 * Added regression tests for string matching, address matching and
   string sanitisation functions.

 * Improved the key exchange fuzzer harness.
 
Bugfixes
--------

 * ssh(1): Allow IdentityFile to successfully load and use
   certificates that have no corresponding bare public key. bz#2617
   certificate id_rsa-cert.pub (and no id_rsa.pub).

 * ssh(1): Fix public key authentication when multiple
   authentication is in use and publickey is not just the first
   method attempted. bz#2642

 * regress: Allow the PuTTY interop tests to run unattended. bz#2639
 
 * ssh(1): When tearing down ControlMaster connections, don't
   pollute stderr when LogLevel=quiet.

 * sftp(1): On ^Z wait for underlying ssh(1) to suspend before
   suspending sftp(1) to ensure that ssh(1) restores the terminal mode
   correctly if suspended during a password prompt.

 * ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
   prompt.

 * ssh(1), sshd(8): Correctly report errors during sending of ext-
   info messages.

 * sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
   sequence NEWKEYS message.

 * sshd(8): Correct list of supported signature algorithms sent in
   the server-sig-algs extension. bz#2547

 * sshd(8): Fix sending ext_info message if privsep is disabled.

 * sshd(8): more strictly enforce the expected ordering of privilege
   separation monitor calls used for authentication and allow them
   only when their respective authentication methods are enabled
   in the configuration

 * sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
   on Unix/BSD but potentially crashy on Cygwin.

 * Fix false positive reports caused by explicit_bzero(3) not being
   recognised as a memory initialiser when compiled with
   -fsanitize-memory.
    
 * sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
   configuration examples.

Portability
-----------

 * On environments configured with Turkish locales, fall back to the
   C/POSIX locale to avoid errors in configuration parsing caused by
   that locale's unique handling of the letters 'i' and 'I'. bz#2643

 * ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.

 * Fix compilation for libcrypto compiled without RIPEMD160 support.

 * sshd(8): Improve PRNG reseeding across privilege separation and
   force libcrypto to obtain a high-quality seed before chroot or
   sandboxing.

 * All: Explicitly test for broken strnvis. NetBSD added an strnvis
   and unfortunately made it incompatible with the existing one in
   OpenBSD and Linux's libbsd (the former having existed for over ten
   years). Try to detect this mess, and assume the only safe option
   if we're cross compiling.

Changes in OpenSSH 7.5
======================

New Features
------------

 * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
   algorithm lists, e.g. Ciphers=-*cbc. bz#2671

Bugfixes
--------

 * sshd(1): Fix NULL dereference crash when key exchange start
   messages are sent out of sequence.

 * ssh(1), sshd(8): Allow form-feed characters to appear in
   configuration files.
 
 * sshd(8): Fix regression in OpenSSH 7.4 support for the
   server-sig-algs extension, where SHA2 RSA signature methods were
   not being correctly advertised. bz#2680

 * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
   known_hosts processing. bz#2591 bz#2685

 * ssh(1): Allow ssh to use certificates accompanied by a private key
   file but no corresponding plain *.pub public key. bz#2617

 * ssh(1): When updating hostkeys using the UpdateHostKeys option,
   accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
   Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
   methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
   method. bz#2650
    
 * ssh(1): Detect and report excessively long configuration file
   lines. bz#2651

 * Merge a number of fixes found by Coverity and reported via Redhat
   and FreeBSD. Includes fixes for some memory and file descriptor
   leaks in error paths. bz#2687
    
 * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692

 * ssh(1), sshd(8): When logging long messages to stderr, don't truncate
   "\r\n" if the length of the message exceeds the buffer. bz#2688

 * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
   line; avoid confusion over IPv6 addresses and shells that treat
   square bracket characters specially.
    
 * ssh-keygen(1): Fix corruption of known_hosts when running
   "ssh-keygen -H" on a known_hosts containing already-hashed entries.

 * Fix various fallout and sharp edges caused by removing SSH protocol
   1 support from the server, including the server banner string being
   incorrectly terminated with only \n (instead of \r\n), confusing
   error messages from ssh-keyscan bz#2583 and a segfault in sshd
   if protocol v.1 was enabled for the client and sshd_config
   contained references to legacy keys bz#2686.

 * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683

 * sshd(8): Fix Unix domain socket forwarding for root (regression in
   OpenSSH 7.4).
    
 * sftp(1): Fix division by zero crash in "df" output when server
   returns zero total filesystem blocks/inodes.
 
 * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
   encountered during key loading to more meaningful error codes.
   bz#2522 bz#2523

 * ssh-keygen(1): Sanitise escape sequences in key comments sent to
   printf but preserve valid UTF-8 when the locale supports it;
   bz#2520

 * ssh(1), sshd(8): Return reason for port forwarding failures where
   feasible rather than always "administratively prohibited". bz#2674

 * sshd(8): Fix deadlock when AuthorizedKeysCommand or
   AuthorizedPrincipalsCommand produces a lot of output and a key is
   matched early. bz#2655

 * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
    
 * ssh(1): Fix typo in ~C error message for bad port forward
   cancellation. bz#2672

 * ssh(1): Show a useful error message when included config files
   can't be opened; bz#2653

 * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
   (previously incorrectly) advertised. bz#2637

 * sshd_config(5): Repair accidentally-deleted mention of %k token
   in AuthorizedKeysCommand; bz#2656

 * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665

 * sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
   response handling.

Portability
-----------

 * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
   inspection.

 * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
   contain non-printable characters where the codeset in use is ASCII.

 * build: Fix builds that attempt to link a kerberised libldns. bz#2603

 * build: Fix compilation problems caused by unconditionally defining
   _XOPEN_SOURCE in wide character detection.

Changes in OpenSSH 7.6
======================

New Features
------------

 * ssh(1): add RemoteCommand option to specify a command in the ssh
   config file instead of giving it on the client's command line. This
   allows the configuration file to specify the command that will be
   executed on the remote host.

 * sshd(8): add ExposeAuthInfo option that enables writing details of
   the authentication methods used (including public keys where
   applicable) to a file that is exposed via a $SSH_USER_AUTH
   environment variable in the subsequent session.

 * ssh(1): add support for reverse dynamic forwarding. In this mode,
   ssh will act as a SOCKS4/5 proxy and forward connections
   to destinations requested by the remote SOCKS client. This mode
   is requested using extended syntax for the -R and RemoteForward
   options and, because it is implemented solely at the client,
   does not require the server be updated to be supported.

 * sshd(8): allow LogLevel directive in sshd_config Match blocks;
   bz#2717

 * ssh-keygen(1): allow inclusion of arbitrary string or flag
   certificate extensions and critical options.

 * ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as
   a CA when signing certificates. bz#2377

 * ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit
   ToS/DSCP value and just use the operating system default.

 * ssh-add(1): added -q option to make ssh-add quiet on success.

 * ssh(1): expand the StrictHostKeyChecking option with two new
   settings. The first "accept-new" will automatically accept
   hitherto-unseen keys but will refuse connections for changed or
   invalid hostkeys. This is a safer subset of the current behaviour
   of StrictHostKeyChecking=no. The second setting "off", is a synonym
   for the current behaviour of StrictHostKeyChecking=no: accept new
   host keys, and continue connection for hosts with incorrect
   hostkeys. A future release will change the meaning of
   StrictHostKeyChecking=no to the behaviour of "accept-new". bz#2400

 * ssh(1): add SyslogFacility option to ssh(1) matching the equivalent
   option in sshd(8). bz#2705

Bugfixes
--------

 * ssh(1): use HostKeyAlias if specified instead of hostname for
   matching host certificate principal names; bz#2728

 * sftp(1): implement sorting for globbed ls; bz#2649

 * ssh(1): add a user@host prefix to client's "Permission denied"
   messages, useful in particular when using "stacked" connections
   (e.g. ssh -J) where it's not clear which host is denying. bz#2720

 * ssh(1): accept unknown EXT_INFO extension values that contain \0
   characters. These are legal, but would previously cause fatal
   connection errors if received.

 * ssh(1)/sshd(8): repair compression statistics printed at
   connection exit

 * sftp(1): print '?' instead of incorrect link count (that the
   protocol doesn't provide) for remote listings. bz#2710

 * ssh(1): return failure rather than fatal() for more cases during
   session multiplexing negotiations. Causes the session to fall back
   to a non-mux connection if they occur. bz#2707

 * ssh(1): mention that the server may send debug messages to explain
   public key authentication problems under some circumstances; bz#2709

 * Translate OpenSSL error codes to better report incorrect passphrase
   errors when loading private keys; bz#2699

 * sshd(8): adjust compatibility patterns for WinSCP to correctly
   identify versions that implement only the legacy DH group exchange
   scheme. bz#2748

 * ssh(1): print the "Killed by signal 1" message only at LogLevel
   verbose so that it is not shown at the default level; prevents it
   from appearing during ssh -J and equivalent ProxyCommand configs.
   bz#1906, bz#2744

 * ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber
   existing keys if they exist but are zero length. zero-length keys
   could previously be made if ssh-keygen failed or was interrupted part
   way through generating them. bz#2561

 * ssh(1): fix pledge(2) violation in the escape sequence "~&" used to
   place the current session in the background.

 * ssh-keyscan(1): avoid double-close() on file descriptors; bz#2734

 * sshd(8): avoid reliance on shared use of pointers shared between
   monitor and child sshd processes. bz#2704

 * sshd_config(8): document available AuthenticationMethods; bz#2453

 * ssh(1): avoid truncation in some login prompts; bz#2768

 * sshd(8): Fix various compilations failures, inc bz#2767

 * ssh(1): make "--" before the hostname terminate argument processing
   after the hostname too.

 * ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting
   new-style private keys. Fixes problems related to private key
   handling for no-OpenSSL builds. bz#2754

 * ssh(1): warn and do not attempt to use keys when the public and
   private halves do not match. bz#2737

 * sftp(1): don't print verbose error message when ssh disconnects
   from under sftp. bz#2750

 * sshd(8): fix keepalive scheduling problem: activity on a forwarded
   port from preventing the keepalive from being sent; bz#2756

 * sshd(8): when started without root privileges, don't require the
   privilege separation user or path to exist. Makes running the
   regression tests easier without touching the filesystem.

 * Make integrity.sh regression tests more robust against timeouts.
   bz#2658

 * ssh(1)/sshd(8): correctness fix for channels implementation: accept
   channel IDs greater than 0x7FFFFFFF.

Portability
-----------

 * sshd(8): expose list of completed authentication methods to PAM
   via the SSH_AUTH_INFO_0 PAM environment variable. bz#2408

 * ssh(1)/sshd(8): fix several problems in the tun/tap forwarding code,
   mostly to do with host/network byte order confusion. bz#2735

 * Add --with-cflags-after and --with-ldflags-after configure flags to
   allow setting CFLAGS/LDFLAGS after configure has completed. These
   are useful for setting sanitiser/fuzzing options that may interfere
   with configure's operation.

 * Add clang libFuzzer harnesses for public key parsing and signature
   verification.

Changes in OpenSSH 7.7
======================

New Features
------------

 * All: Add experimental support for PQC XMSS keys (Extended Hash-
   Based Signatures) based on the algorithm described in
   https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
   The XMSS signature code is experimental and not compiled in by
   default.

 * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
   to allow conditional configuration that depends on which routing
   domain a connection was received on (currently supported on OpenBSD
   and Linux).

 * sshd_config(5): Add an optional rdomain qualifier to the
   ListenAddress directive to allow listening on different routing
   domains. This is supported only on OpenBSD and Linux at present.

 * sshd_config(5): Add RDomain directive to allow the authenticated
   session to be placed in an explicit routing domain. This is only
   supported on OpenBSD at present.

 * sshd(8): Add "expiry-time" option for authorized_keys files to
   allow for expiring keys.

 * ssh(1): Add a BindInterface option to allow binding the outgoing
   connection to an interface's address (basically a more usable
   BindAddress)

 * ssh(1): Expose device allocated for tun/tap forwarding via a new
   %T expansion for LocalCommand. This allows LocalCommand to be used
   to prepare the interface.

 * sshd(8): Expose the device allocated for tun/tap forwarding via a
   new SSH_TUNNEL environment variable. This allows automatic setup of
   the interface and surrounding network configuration automatically on
   the server.

 * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
   ssh://user@host or sftp://user@host/path.  Additional connection
   parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
   implemented since the ssh fingerprint format in the draft uses the
   deprecated MD5 hash with no way to specify the any other algorithm.

 * ssh-keygen(1): Allow certificate validity intervals that specify
   only a start or stop time (instead of both or neither).

 * sftp(1): Allow "cd" and "lcd" commands with no explicit path
   argument. lcd will change to the local user's home directory as
   usual. cd will change to the starting directory for session (because
   the protocol offers no way to obtain the remote user's home
   directory). bz#2760

 * sshd(8): When doing a config test with sshd -T, only require the
   attributes that are actually used in Match criteria rather than (an
   incomplete list of) all criteria.

Bugfixes
--------

 * ssh(1)/sshd(8): More strictly check signature types during key
   exchange against what was negotiated. Prevents downgrade of RSA
   signatures made with SHA-256/512 to SHA-1.

 * sshd(8): Fix support for client that advertise a protocol version
   of "1.99" (indicating that they are prepared to accept both SSHv1 and
   SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
   support. bz#2810

 * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
   a rsa-sha2-256/512 signature was requested. This condition is possible
   when an old or non-OpenSSH agent is in use. bz#2799

 * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
   to fatally exit if presented an invalid signature request message.

 * sshd_config(5): Accept yes/no flag options case-insensitively, as
   has been the case in ssh_config(5) for a long time. bz#2664

 * ssh(1): Improve error reporting for failures during connection.
   Under some circumstances misleading errors were being shown. bz#2814

 * ssh-keyscan(1): Add -D option to allow printing of results directly
   in SSHFP format. bz#2821

 * regress tests: fix PuTTY interop test broken in last release's SSHv1
   removal. bz#2823

 * ssh(1): Compatibility fix for some servers that erroneously drop the
   connection when the IUTF8 (RFC8160) option is sent.

 * scp(1): Disable RemoteCommand and RequestTTY in the ssh session
   started by scp (sftp was already doing this.)

 * ssh-keygen(1): Refuse to create a certificate with an unusable
   number of principals.

 * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
   public key during key generation. Previously it would silently
   ignore errors writing the comment and terminating newline.

 * ssh(1): Do not modify hostname arguments that are addresses by
   automatically forcing them to lower-case. Instead canonicalise them
   to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
   against known_hosts. bz#2763

 * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
   prompts. bz#2803

 * sftp(1): Have sftp print a warning about shell cleanliness when
   decoding the first packet fails, which is usually caused by shells
   polluting stdout of non-interactive startups. bz#2800

 * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
   time to monotonic time, allowing the packet layer to better function
   over a clock step and avoiding possible integer overflows during
   steps.

 * Numerous manual page fixes and improvements.

Portability
-----------

 * All: Build and link with "retpoline" flags when available to mitigate
   the "branch target injection" style (variant 2) of the Spectre
   branch-prediction vulnerability.

 * All: Add auto-generated dependency information to Makefile.

Changes in OpenSSH 7.8
======================

New Features
------------

 * ssh(1)/sshd(8): add new signature algorithms "rsa-sha2-256-cert-
   v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to
   explicitly force use of RSA/SHA2 signatures in authentication.

 * sshd(8): extend the PermitUserEnvironment option to accept a
   whitelist of environment variable names in addition to global
   "yes" or "no" settings.

 * sshd(8): add a PermitListen directive to sshd_config(5) and a 
   corresponding permitlisten= authorized_keys option that control
   which listen addresses and port numbers may be used by remote
   forwarding (ssh -R ...).

 * sshd(8): add some countermeasures against timing attacks used for
   account validation/enumeration. sshd will enforce a minimum time
   or each failed authentication attempt consisting of a global 5ms
   minimum plus an additional per-user 0-4ms delay derived from a
   host secret.

 * sshd(8): add a SetEnv directive to allow an administrator to
   explicitly specify environment variables in sshd_config.
   Variables set by SetEnv override the default and client-specified
   environment.

 * ssh(1): add a SetEnv directive to request that the server sets
   an environment variable in the session. Similar to the existing
   SendEnv option, these variables are set subject to server
   configuration.

 * ssh(1): allow "SendEnv -PATTERN" to clear environment variables
   previously marked for sending to the server. bz#1285

 * ssh(1)/sshd(8): make UID available as a %-expansion everywhere
   that the username is available currently. bz#2870

 * ssh(1): allow setting ProxyJump=none to disable ProxyJump
   functionality. bz#2869

Bugfixes
--------

 * sshd(8): avoid observable differences in request parsing that could
   be used to determine whether a target user is valid.

 * all: substantial internal refactoring

 * ssh(1)/sshd(8): fix some memory leaks; bz#2366

 * ssh(1): fix a pwent clobber (introduced in openssh-7.7) that could
   occur during key loading, manifesting as crash on some platforms.

 * sshd_config(5): clarify documentation for AuthenticationMethods
   option; bz#2663

 * ssh(1): ensure that the public key algorithm sent in a
   public key SSH_MSG_USERAUTH_REQUEST matches the content of the
   signature blob. Previously, these could be inconsistent when a
   legacy or non-OpenSSH ssh-agent returned a RSA/SHA1 signature
   when asked to make a RSA/SHA2 signature.

 * sshd(8): fix failures to read authorized_keys caused by faulty
   supplemental group caching. bz#2873

 * scp(1): apply umask to directories, fixing potential mkdir/chmod
   race when copying directory trees bz#2839

 * ssh-keygen(1): return correct exit code when searching for and
   hashing known_hosts entries in a single operation; bz#2772

 * ssh(1): prefer the ssh binary pointed to via argv[0] to $PATH when
   re-executing ssh for ProxyJump. bz#2831

 * sshd(8): do not ban PTY allocation when a sshd session is
   restricted because the user password is expired as it breaks
   password change dialog. (regression in openssh-7.7).

 * ssh(1)/sshd(8): fix error reporting from select() failures. 

 * ssh(1): improve documentation for -w (tunnel) flag, emphasising
   that -w implicitly sets Tunnel=point-to-point. bz#2365

 * ssh-agent(1): implement EMFILE mitigation for ssh-agent. ssh-agent
   will no longer spin when its file descriptor limit is exceeded.
   bz#2576

 * ssh(1)/sshd(8): disable SSH2_MSG_DEBUG messages for Twisted Conch
   clients. Twisted Conch versions that lack a version number in
   their identification strings will mishandle these messages when
   running on Python 2.x (https://twistedmatrix.com/trac/ticket/9422)

 * sftp(1): notify user immediately when underlying ssh process dies
   expectedly. bz#2719

 * ssh(1)/sshd(8): fix tunnel forwarding; regression in 7.7 release.
   bz#2855

 * ssh-agent(1): don't kill ssh-agent's listening socket entirely if
   it fails to accept(2) a connection. bz#2837

 * sshd(8): relax checking of authorized_keys environment="..."
   options to allow underscores in variable names (regression
   introduced in 7.7). bz#2851

 * ssh(1): add some missing options in the configuration dump output
   (ssh -G). bz#2835

Portability
-----------

 * sshd(8): Expose details of completed authentication to PAM auth
   modules via SSH_AUTH_INFO_0 in the PAM environment. bz#2408

 * Fix compilation problems caused by fights between zlib and OpenSSL
   colliding uses of "free_func"

 * Improve detection of unsupported compiler options. Recently these
   may have manifested as "unsupported -Wl,-z,retpoline" warnings
   during linking.

 * regress tests: unbreak key-options.sh test on platforms without
   openpty(3). bz#2856

 * use getrandom(2) for PRNG seeding when built without OpenSSL.

Changes in OpenSSH 7.9
======================

New Features
------------

 * ssh(1), sshd(8): allow most port numbers to be specified using
   service names from getservbyname(3) (typically /etc/services).

 * ssh(1): allow the IdentityAgent configuration directive to accept
   environment variable names. This supports the use of multiple
   agent sockets without needing to use fixed paths.

 * sshd(8): support signalling sessions via the SSH protocol.
   A limited subset of signals is supported and only for login or
   command sessions (i.e. not subsystems) that were not subject to
   a forced command via authorized_keys or sshd_config. bz#1424

 * ssh(1): support "ssh -Q sig" to list supported signature options.
   Also "ssh -Q help" to show the full set of supported queries.

 * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
   client and server configs to allow control over which signature
   formats are allowed for CAs to sign certificates. For example,
   this allows banning CAs that sign certificates using the RSA-SHA1
   signature algorithm.

 * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
   revoke keys specified by SHA256 hash.

 * ssh-keygen(1): allow creation of key revocation lists directly
   from base64-encoded SHA256 fingerprints. This supports revoking
   keys using only the information contained in sshd(8)
   authentication log messages.

Bugfixes
--------

 * ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
   attempting to load PEM private keys while using an incorrect
   passphrase. bz#2901

 * sshd(8): when a channel closed message is received from a client,
   close the stderr file descriptor at the same time stdout is
   closed. This avoids stuck processes if they were waiting for
   stderr to close and were insensitive to stdin/out closing. bz#2863

 * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
   forwarding timeout and support X11 forwarding indefinitely.
   Previously the behaviour of ForwardX11Timeout=0 was undefined.

 * sshd(8): when compiled with GSSAPI support, cache supported method
   OIDs regardless of whether GSSAPI authentication is enabled in the
   main section of sshd_config. This avoids sandbox violations if
   GSSAPI authentication was later enabled in a Match block. bz#2107

 * sshd(8): do not fail closed when configured with a text key
   revocation list that contains a too-short key. bz#2897

 * ssh(1): treat connections with ProxyJump specified the same as
   ones with a ProxyCommand set with regards to hostname
   canonicalisation (i.e. don't try to canonicalise the hostname
   unless CanonicalizeHostname is set to 'always'). bz#2896

 * ssh(1): fix regression in OpenSSH 7.8 that could prevent public-
   key authentication using certificates hosted in a ssh-agent(1)
   or against sshd(8) from OpenSSH <7.8.

Portability
-----------

 * All: support building against the openssl-1.1 API (releases 1.1.0g
   and later). The openssl-1.0 API will remain supported at least
   until OpenSSL terminates security patch support for that API version.

 * sshd(8): handle getgrouplist(3) returning more than
   _SC_NGROUPS_MAX groups. Some platforms consider this limit more
   as a guideline.

Changes in OpenSSH 8.0
======================

New Features
------------

 * ssh(1), sshd(8): Add experimental quantum-computing resistant
   key exchange method, based on a combination of Streamlined NTRU
   Prime 4591^761 and X25519.

 * ssh-keygen(1): Increase the default RSA key size to 3072 bits,
   following NIST Special Publication 800-57's guidance for a
   128-bit equivalent symmetric security level.

 * sshd(8): Add a log message for situations where a connection is
   dropped for attempting to run a command but a sshd_config
   ForceCommand=internal-sftp restriction is in effect; bz#2960

 * ssh(1): When prompting whether to record a new host key, accept
   the key fingerprint as a synonym for "yes". This allows the user
   to paste a fingerprint obtained out of band at the prompt and
   have the client do the comparison for you.

 * ssh-keygen(1): When signing multiple certificates on a single
   command-line invocation, allow automatically incrementing the
   certificate serial number.

 * scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
   the scp and sftp command-lines.

 * ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
   command-line flags to increase the verbosity of output; pass
   verbose flags though to subprocesses, such as ssh-pkcs11-helper
   started from ssh-agent.

 * ssh-add(1): Add a "-T" option to allowing testing whether keys in
   an agent are usable by performing a signature and a verification.

 * sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
   that replicates the functionality of the existing SSH2_FXP_SETSTAT
   operation but does not follow symlinks. bz#2067

 * sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
   they do not follow symlinks.

 * sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
   the connection 4-tuple available to PAM modules that wish to use
   it in decision-making. bz#2741

 * sshd(8): Add a ssh_config "Match final" predicate Matches in same
   pass as "Match canonical" but doesn't require hostname
   canonicalisation be enabled. bz#2906

 * sftp(1): Support a prefix of '@' to suppress echo of sftp batch
   commands; bz#2926

 * ssh-keygen(1): When printing certificate contents using
   "ssh-keygen -Lf /path/certificate", include the algorithm that
   the CA used to sign the cert.

Bugfixes
--------

 * sshd(8): Fix authentication failures when sshd_config contains
   "AuthenticationMethods any" inside a Match block that overrides
   a more restrictive default.

 * sshd(8): Avoid sending duplicate keepalives when ClientAliveCount
   is enabled.

 * sshd(8): Fix two race conditions related to SIGHUP daemon restart.
   Remnant file descriptors in recently-forked child processes could
   block the parent sshd's attempt to listen(2) to the configured
   addresses. Also, the restarting parent sshd could exit before any
   child processes that were awaiting their re-execution state had
   completed reading it, leaving them in a fallback path.

 * ssh(1): Fix stdout potentially being redirected to /dev/null when
   ProxyCommand=- was in use.

 * sshd(8): Avoid sending SIGPIPE to child processes if they attempt
   to write to stderr after their parent processes have exited;
   bz#2071

 * ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
   and ConnectionAttempts directives - connection attempts after the
   first were ignoring the requested timeout; bz#2918

 * ssh-keyscan(1): Return a non-zero exit status if no keys were
   found; bz#2903

 * scp(1): Sanitize scp filenames to allow UTF-8 characters without
   terminal control sequences;  bz#2434

 * sshd(8): Fix confusion between ClientAliveInterval and time-based
   RekeyLimit that could cause connections to be incorrectly closed.
   bz#2757

 * ssh(1): Improve documentation for ProxyJump/-J, clarifying that
   local configuration does not apply to jump hosts.

 * ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
   public keys, not private.

 * ssh(1), sshd(8): be more strict in processing protocol banners,
   allowing \r characters only immediately before \n.

 * Various: fix a number of memory leaks, including bz#2942 and
   bz#2938

 * scp(1), sftp(1): fix calculation of initial bandwidth limits.
   Account for bytes written before the timer starts and adjust the
   schedule on which recalculations are performed. Avoids an initial
   burst of traffic and yields more accurate bandwidth limits;
   bz#2927

 * sshd(8): Only consider the ext-info-c extension during the initial
   key eschange. It shouldn't be sent in subsequent ones, but if it
   is present we should ignore it. This prevents sshd from sending a
   SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929

 * ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in 
   authorized_keys) and -R (remove host from authorized_keys) options
   may accept either a bare hostname or a [hostname]:port combo.
   bz#2935

 * ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936

 * sshd(8): Silence error messages when sshd fails to load some of
   the default host keys. Failure to load an explicitly-configured
   hostkey is still an error, and failure to load any host key is
   still fatal. pr/103

 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
   started with ControlPersist; prevents random ProxyCommand output
   from interfering with session output.

 * ssh(1): The ssh client was keeping a redundant ssh-agent socket
   (leftover from authentication) around for the life of the
   connection; bz#2912

 * sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
   PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types
   were specified, then authentication would always fail for RSA keys
   as the monitor checks only the base key (not the signature
   algorithm) type against *AcceptedKeyTypes. bz#2746

 * ssh(1): Request correct signature types from ssh-agent when
   certificate keys and RSA-SHA2 signatures are in use.

Portability
-----------

 * sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies
   the user environment if it's enabled; bz#2937

 * Allow building against OpenSSL -dev (3.x)

 * Fix a number of build problems against version configurations and
   versions of OpenSSL. Including bz#2931 and bz#2921

 * Improve warnings in cygwin service setup. bz#2922

Changes in OpenSSH 8.1
======================

New Features
------------

 * ssh(1): Allow %n to be expanded in ProxyCommand strings

 * ssh(1), sshd(8): Allow prepending a list of algorithms to the
   default set by starting the list with the '^' character, E.g.
   "HostKeyAlgorithms ^ssh-ed25519"

 * ssh-keygen(1): add an experimental lightweight signature and
   verification ability. Signatures may be made using regular ssh keys
   held on disk or stored in a ssh-agent and verified against an
   authorized_keys-like list of allowed keys. Signatures embed a
   namespace that prevents confusion and attacks between different
   usage domains (e.g. files vs email).

 * ssh-keygen(1): print key comment when extracting public key from a
   private key.  bz#3052

 * ssh-keygen(1): accept the verbose flag when searching for host keys
   in known hosts (i.e. "ssh-keygen -vF host") to print the matching
   host's random-art signature too. bz#3003

Bugfixes
--------

 * ssh(1): produce a useful error message if the user's shell is set
   incorrectly during "match exec" processing. bz#2791

 * sftp(1): allow the maximum uint32 value for the argument passed
   to -b which allows better error messages from later validation.
   bz#3050

 * ssh(1): avoid pledge sandbox violations in some combinations of
   remote forwarding, connection multiplexing and ControlMaster.

 * ssh-keyscan(1): include SHA2-variant RSA key algorithms in KEX
   proposal; allows ssh-keyscan to harvest keys from servers that
   disable old SHA1 ssh-rsa. bz#3029

 * sftp(1): print explicit "not modified" message if a file was
   requested for resumed download but was considered already complete.
   bz#2978

 * sftp(1): fix a typo and make <esc><right> move right to the
   closest end of a word just like <esc><left> moves left to the
   closest beginning of a word.

 * sshd(8): cap the number of permitopen/permitlisten directives
   allowed to appear on a single authorized_keys line.

 * All: fix a number of memory leaks (one-off or on exit paths).

 * Regression tests: a number of fixes and improvements, including
   fixes to the interop tests, adding the ability to run most tests
   on builds that disable OpenSSL support, better support for running
   tests under Valgrind and a number of bug-fixes.

 * ssh(1), sshd(8): check for convtime() refusing to accept times that
   resolve to LONG_MAX Reported by Kirk Wolf bz2977

 * ssh(1): slightly more instructive error message when the user
   specifies multiple -J options on the command-line. bz3015

 * ssh-agent(1): process agent requests for RSA certificate private
   keys using correct signature algorithm when requested. bz3016

 * sftp(1): check for user@host when parsing sftp target. This
   allows user@[1.2.3.4] to work without a path.  bz#2999

 * sshd(8): enlarge format buffer size for certificate serial
   number so the log message can record any 64-bit integer without
   truncation. bz#3012

 * sshd(8): for PermitOpen violations add the remote host and port to
   be able to more easily ascertain the source of the request. Add the
   same logging for PermitListen violations which where not previously
   logged at all.

 * scp(1), sftp(1): use the correct POSIX format style for left
   justification for the transfer progress meter. bz#3002

 * sshd(8) when examining a configuration using sshd -T, assume any
   attribute not provided by -C does not match, which allows it to work
   when sshd_config contains a Match directive with or without -C.
   bz#2858

Portability
-----------

 * sshd(8): add no-op implementation of pam_putenv to avoid build
   breakage on platforms where the PAM implementation lacks this
   function (e.g. HP-UX). bz#3008

 * All: use "doc" man page format if the mandoc(1) tool is present on
   the system. Previously configure would not select the "doc" man
   page format if mandoc was present but nroff was not.

 * sshd(8): don't install duplicate STREAMS modules on Solaris; check
   if STREAMS modules are already installed on a pty before installing
   since when compiling with XPG>=4 they will likely be installed
   already. Prevents hangs and duplicate lines on the terminal.
   bz#2945 and bz#2998,

Changes in OpenSSH 8.2
======================

 * Added FIDO2 support to some platforms

 * sshd(8): add an Include sshd_config keyword that allows including
   additional configuration files via glob(3) patterns. bz2468

 * ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
   via the IPQoS directive; bz2986,

 * ssh(1): when AddKeysToAgent=yes is set and the key contains no
   comment, add the key to the agent with the key's path as the
   comment. bz2564
    
 * ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091

 * ssh(1), sshd(8): make zlib compile-time optional, available via the
   Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
   option for OpenSSH portable.

 * sshd(8): when clients get denied by MaxStartups, send a
   notification prior to the SSH2 protocol banner according to
   RFC4253 section 4.2.

 * ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
   program, pass a hint to the program to describe the type of
   desired prompt.  The possible values are "confirm" (indicating
   that a yes/no confirmation dialog with no text entry should be
   shown), "none" (to indicate an informational message only), or
   blank for the original ssh-askpass behaviour of requesting a
   password/phrase.

 * ssh(1): allow forwarding a different agent socket to the path
   specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
   option to accepting an explicit path or the name of an environment
   variable in addition to yes/no.
   
 * ssh-keygen(1): add a new signature operations "find-principals" to
   look up the principal associated with a signature from an allowed-
   signers file.
    
 * sshd(8): expose the number of currently-authenticating connections
   along with the MaxStartups limit in the process title visible to
   "ps".

Bugfixes
--------

 * sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
   will now disable connection killing entirely rather than the
   current behaviour of instantly killing the connection after the
   first liveness test regardless of success. bz2627
    
 * sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups /
   DenyGroups in the sshd(8) manual page. bz1690

 * sshd(8): better describe HashKnownHosts in the manual page. bz2560

 * sshd(8): clarify that that permitopen=/PermitOpen do no name or
   address translation in the manual page. bz3099

 * sshd(8): allow the UpdateHostKeys feature to function when
   multiple known_hosts files are in use. When updating host keys,
   ssh will now search subsequent known_hosts files, but will add
   updated host keys to the first specified file only. bz2738
    
 * All: replace all calls to signal(2) with a wrapper around
   sigaction(2). This wrapper blocks all other signals during the
   handler preventing races between handlers, and sets SA_RESTART
   which should reduce the potential for short read/write operations.
    
 * sftp(1): fix a race condition in the SIGCHILD handler that could
   turn in to a kill(-1); bz3084

 * sshd(8): fix a case where valid (but extremely large) SSH channel
   IDs were being incorrectly rejected. bz3098

 * ssh(1): when checking host key fingerprints as answers to new
   hostkey prompts, ignore whitespace surrounding the fingerprint
   itself.

 * All: wait for file descriptors to be readable or writeable during
   non-blocking connect, not just readable. Prevents a timeout when
   the server doesn't immediately send a banner (e.g. multiplexers
   like sslh)
 
 * sshd_config(5): document the sntrup4591761x25519-sha512@tinyssh.org
   key exchange algorithm. PR#151

Portability
-----------

 * Explicit check for memmem declaration and fix up declaration if the
   system headers lack it. bz3102
 
Changes in OpenSSH 8.3
======================

New Features
------------

 * sshd(8): make IgnoreRhosts a tri-state option: "yes" to ignore
   rhosts/shosts, "no" allow rhosts/shosts or (new) "shosts-only"
   to allow .shosts files but not .rhosts.

 * sshd(8): allow the IgnoreRhosts directive to appear anywhere in a
   sshd_config, not just before any Match blocks; bz3148

 * ssh(1): add %TOKEN percent expansion for the LocalFoward and
   RemoteForward keywords when used for Unix domain socket forwarding.
   bz#3014

 * all: allow loading public keys from the unencrypted envelope of a
   private key file if no corresponding public key file is present.
    
 * ssh(1), sshd(8): prefer to use chacha20 from libcrypto where
   possible instead of the (slower) portable C implementation included
   in OpenSSH.

 * ssh-keygen(1): add ability to dump the contents of a binary key
   revocation list via "ssh-keygen -lQf /path" bz#3132

Bugfixes
--------

 * ssh-keygen(1): avoid NULL dereference when trying to convert an
   invalid RFC4716 private key.

 * scp(1): when performing remote-to-remote copies using "scp -3",
   start the second ssh(1) channel with BatchMode=yes enabled to
   avoid confusing and non-deterministic ordering of prompts.

 * ssh(1): fix incorrect error message for "too many known hosts
   files." bz#3149

 * ssh(1): make failures when establishing "Tunnel" forwarding
   terminate the connection when ExitOnForwardFailure is enabled;
   bz#3116

 * ssh-keygen(1): fix printing of fingerprints on private keys and add
   a regression test for same.

 * sshd(8): document order of checking AuthorizedKeysFile (first) and
   AuthorizedKeysCommand (subsequently, if the file doesn't match);
   bz#3134

 * sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
   not considered for HostbasedAuthentication when the target user is
   root; bz#3148
 
 * ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
   key parsing (oss-fuzz #20074).

 * ssh(1), sshd(8): more consistency between sets of %TOKENS are
   accepted in various configuration options.

 * ssh(1), sshd(8): make error messages for problems during SSH banner
   exchange consistent with other SSH transport-layer error messages
   and ensure they include the relevant IP addresses bz#3129

 * various: fix a number of spelling errors in comments and debug/error
   messages

 * ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
   the values allowed by the wire format (u32). Prevents integer
   wraparound of the timeout values. bz#3119

 * ssh(1): detect and prevent trivial configuration loops when using
    ProxyJump. bz#3057.
    
Portability
-----------

 * Detect systems where signals flagged with SA_RESTART will interrupt
   select(2). POSIX permits implementations to choose whether
   select(2) will return when interrupted with a SA_RESTART-flagged
   signal, but OpenSSH requires interrupting behaviour.

 * On platforms that do not support setting process-wide routing
   domains (all excepting OpenBSD at present), fail to accept a
   configuration attempts to set one at process start time rather than
   fatally erroring at run time. bz#3126

 * Improve detection of egrep (used in regression tests) on platforms
   that offer a poor default one (e.g. Solaris).

 * A number of shell portability fixes for the regression tests.

 * Fix theoretical infinite loop in the glob(3) replacement
   implementation.


Changes in OpenSSH 8.4
======================

New features
------------

 * ssh(1): allow some keywords to expand shell-style ${ENV}
   environment variables. The supported keywords are CertificateFile,
   ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
   RemoteForward when used for Unix domain socket paths. bz#3140

 * ssh(1), ssh-agent(1): allow some additional control over the use of
   ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
   including forcibly enabling and disabling its use. bz#69

 * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
   limit for keys in addition to its current flag options. Time-
   limited keys will automatically be removed from ssh-agent after
   their expiry time has passed.

 * scp(1), sftp(1): allow the -A flag to explicitly enable agent
   forwarding in scp and sftp. The default remains to not forward an
   agent, even when ssh_config enables it.

 * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of
   the destination. This allows, e.g., keeping host keys in individual
   files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654

 * ssh(1): add %-TOKEN, environment variable and tilde expansion to
   the UserKnownHostsFile directive, allowing the path to be
   completed by the configuration (e.g. bz#1654)

 * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted
   from stdin. bz#3180

 * sshd(8): improve logging for MaxStartups connection throttling.
   sshd will now log when it starts and stops throttling and periodically
   while in this state. bz#3055

Bugfixes
--------

 * sshd(8): fix Include before Match in sshd_config; bz#3122

 * ssh(1): close stdin/out/error when forking after authentication
   completes ("ssh -f ...") bz#3137

 * ssh(1), sshd(8): limit the amount of channel input data buffered,
   avoiding peers that advertise large windows but are slow to read
   from causing high memory consumption.

 * ssh-agent(1): handle multiple requests sent in a single write() to
   the agent.

 * sshd(8): allow sshd_config longer than 256k

 * sshd(8): avoid spurious "Unable to load host key" message when sshd
   load a private key but no public counterpart

 * ssh(1): prefer the default hostkey algorithm list whenever we have
   a hostkey that matches its best-preference algorithm.

 * sshd(1): when ordering the hostkey algorithms to request from a
   server, prefer certificate types if the known_hosts files contain a key
   marked as a @cert-authority; bz#3157

 * ssh(1): perform host key fingerprint comparisons for the "Are you
   sure you want to continue connecting (yes/no/[fingerprint])?"
   prompt with case sensitivity.

 * sshd(8): ensure that address/masklen mismatches in sshd_config
   yield fatal errors at daemon start time rather than later when
   they are evaluated.

 * ssh-keygen(1): ensure that certificate extensions are lexically
   sorted. Previously if the user specified a custom extension then
   the everything would be in order except the custom ones. bz#3198

 * ssh(1): also compare username when checking for JumpHost loops.
   bz#3057

 * ssh-keygen(1): preserve group/world read permission on known_hosts
   files across runs of "ssh-keygen -Rf /path". The old behaviour was
   to remove all rights for group/other. bz#3146

 * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
   manual page and usage().

 * sshd(8): explicitly construct path to ~/.ssh/rc rather than
   relying on it being relative to the current directory, so that it
   can still be found if the shell startup changes its directory.
   bz#3185

 * sshd(8): when redirecting sshd's log output to a file, undo this
   redirection after the session child process is forked(). Fixes
   missing log messages when using this feature under some
   circumstances.

 * sshd(8): start ClientAliveInterval bookkeeping before first pass
   through select() loop; fixed theoretical case where busy sshd may
   ignore timeouts from client.

 * ssh(1): only reset the ServerAliveInterval check when we receive
   traffic from the server and ignore traffic from a port forwarding
   client, preventing a client from keeping a connection alive when
   it should be terminated. bz#2265

 * ssh-keygen(1): avoid spurious error message when ssh-keygen
   creates files outside ~/.ssh

 * sftp-client(1): fix off-by-one error that caused sftp downloads to
   make one more concurrent request that desired. This prevented using
   sftp(1) in unpipelined request/response mode, which is useful when
   debugging. bz#3054

 * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
   helpers. bz#3071

 * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
   write to it so we don't leave an empty .ssh directory when it's not
   needed. bz#3156

 * ssh(1), sshd(8): fix multiplier when parsing time specifications
   when handling seconds after other units. bz#3171

Portability
-----------

 * sshd(8): always send any PAM account messages. If the PAM account
   stack returns any messages, always send them to the user and not
   just if the check succeeds. bz#2049

 * Implement some backwards compatibility for libfido2 libraries
   older than 1.5.0. Note that use of an older library will result
   in the loss of certain features including resident key support,
   PIN support and support for multiple attached tokens.

 * gnome-ssh-askpass3: allow some control over textarea colour via
   $GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR
   environment variables.

 * sshd(8): document another PAM spec problem in a frustrated comment

Changes in OpenSSH 8.5
======================

New features
------------

 * ssh(1): this release enables UpdateHostkeys by default subject to
   some conservative preconditions:
    - The key was matched in the UserKnownHostsFile (and not in the
      GlobalKnownHostsFile).
    - The same key does not exist under another name.
    - A certificate host key is not in use.
    - known_hosts contains no matching wildcard hostname pattern.
    - VerifyHostKeyDNS is not enabled.
    - The default UserKnownHostsFile is in use.

   We expect some of these conditions will be modified or relaxed in
   future.

 * ssh(1), sshd(8): add a new LogVerbose configuration directive for
   that allows forcing maximum debug logging by file/function/line
   pattern-lists.

 * ssh(1): when prompting the user to accept a new hostkey, display
   any other host names/addresses already associated with the key.

 * ssh(1): allow UserKnownHostsFile=none to indicate that no
   known_hosts file should be used to identify host keys.

 * ssh(1): add a ssh_config KnownHostsCommand option that allows the
   client to obtain known_hosts data from a command in addition to
   the usual files.

 * ssh(1): add a ssh_config PermitRemoteOpen option that allows the
   client to restrict the destination when RemoteForward is used
   with SOCKS.

 * sshd(8): implement client address-based rate-limiting via new
   sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
   directives that provide more fine-grained control on a per-origin
   address basis than the global MaxStartups limit.

Bugfixes
--------

 * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
   make it easier to determine which connection they are associated
   with in cases like scp -3, ProxyJump, etc. bz#3224

 * sshd(8): fix sshd_config SetEnv directives located inside Match
   blocks. GHPR#201

 * ssh(1): prevent integer overflow when ridiculously large
   ConnectTimeout values are specified, capping the effective value
   (for most platforms) at 24 days. bz#3229

 * ssh(1): consider the ECDSA key subtype when ordering host key
   algorithms in the client.

 * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
   PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
   that it control allowed key algorithms, when this option actually
   specifies the signature algorithms that are accepted. The previous
   name remains available as an alias. bz#3253

 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
   HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.

 * sftp-server(8): add missing lsetstat@openssh.com documentation
   and advertisement in the server's SSH2_FXP_VERSION hello packet.

 * ssh(1), sshd(8): more strictly enforce KEX state-machine by
   banning packet types once they are received. Fixes memleak caused
   by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).

 * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
   platforms instead of being limited by LONG_MAX. bz#3206

 * Minor man page fixes (capitalization, commas, etc.) bz#3223

 * sftp(1): when doing an sftp recursive upload or download of a
   read-only directory, ensure that the directory is created with
   write and execute permissions in the interim so that the transfer
   can actually complete, then set the directory permission as the
   final step. bz#3222

 * ssh-keygen(1): document the -Z, check the validity of its argument
   earlier and provide a better error message if it's not correct.
   bz#2879

 * ssh(1): ignore comments at the end of config lines in ssh_config,
   similar to what we already do for sshd_config. bz#2320

 * sshd_config(5): mention that DisableForwarding is valid in a
   sshd_config Match block. bz3239

 * sftp(1): fix incorrect sorting of "ls -ltr" under some
   circumstances. bz3248.

 * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
   timeout values. bz#3250

 * ssh(1): make hostbased authentication send the signature algorithm
   in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
   This make HostbasedAcceptedAlgorithms do what it is supposed to -
   filter on signature algorithm and not key type.

Portability
-----------

 * sshd(8): add a number of platform-specific syscalls to the Linux
   seccomp-bpf sandbox. bz#3232 bz#3260

 * sshd(8): remove debug message from sigchld handler that could cause
   deadlock on some platforms. bz#3259

 * Sync contrib/ssh-copy-id with upstream.

 * unittests: add a hostname function for systems that don't have it.
   Some systems don't have a hostname command (it's not required by
   POSIX). The do have uname -n (which is), but not all of those have
   it report the FQDN.

Changes in OpenSSH 8.6
======================

New features
------------

 * sftp-server(8): add a new limits@openssh.com protocol extension
   that allows a client to discover various server limits, including
   maximum packet size and maximum read/write length.

 * sftp(1): use the new limits@openssh.com extension (when available)
   to select better transfer lengths in the client.

 * sshd(8): Add ModuliFile keyword to sshd_config to specify the
   location of the "moduli" file containing the groups for DH-GEX.

 * unit tests: Add a TEST_SSH_ELAPSED_TIMES environment variable to
   enable printing of the elapsed time in seconds of each test.

Bugfixes
--------

 * ssh_config(5), sshd_config(5): sync CASignatureAlgorithms lists in
   manual pages with the current default. GHPR#174

 * ssh(1): ensure that pkcs11_del_provider() is called before exit.
   GHPR#234

 * ssh(1), sshd(8): fix problems in string->argv conversion. Multiple
   backslashes were not being dequoted correctly and quoted space in
   the middle of a string was being incorrectly split. GHPR#223

 * ssh(1): return non-zero exit status when killed by signal; bz#3281

 * sftp-server(8): increase maximum SSH2_FXP_READ to match the maximum
   packet size. Also handle zero-length reads that are not explicitly
   banned by the spec.

Portability
-----------

 * sshd(8): don't mistakenly exit on transient read errors on the
   network socket (e.g. EINTR, EAGAIN); bz3297

 * Fix portability build errors bz3293 bz3292 bz3291 bz3278

 * sshd(8): soft-disallow the fstatat64 syscall in the Linux
   seccomp-bpf sandbox. bz3276

 * unit tests: enable autoopt and misc unit tests that were
   previously skipped

Changes in OpenSSH 8.7
======================

New features
------------

 - scp(1): experimental support for transfers using the SFTP protocol
   as a replacement for the venerable SCP/RCP protocol that it has
   traditionally used. SFTP offers more predictable filename handling
   and does not require expansion of glob(3) patterns via the shell
   on the remote side.

   SFTP support may be enabled via a temporary scp -s flag. It is
   intended for SFTP to become the default transfer mode in the
   near future, at which time the -s flag will be removed. The -O
   flag exists to force use of the original SCP/RCP protocol for
   cases where SFTP may be unavailable or incompatible.

 - sftp-server(8): add a protocol extension to support expansion of
   ~/ and ~user/ prefixed paths. This was added to support these
   paths when used by scp(1) while in SFTP mode.

 - ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to
   the ssh(1) -f flag. GHPR#231

 - ssh(1): add a StdinNull directive to ssh_config(5) that allows the
   config file to do the same thing as -n does on the ssh(1) command-
   line. GHPR#231

 - ssh(1): add a SessionType directive to ssh_config, allowing the
    configuration file to offer equivalent control to the -N (no
    session) and -s (subsystem) command-line flags. GHPR#231

 - ssh-keygen(1): allowed signers files used by ssh-keygen(1)
   signatures now support listing key validity intervals alongside
   they key, and ssh-keygen(1) can optionally check during signature
   verification whether a specified time falls inside this interval.
   This feature is intended for use by git to support signing and
   verifying objects using ssh keys.

 - ssh-keygen(8): support printing of the full public key in a sshsig
   signature via a -Oprint-pubkey flag.

Bugfixes
--------

 * ssh(1)/sshd(8): start time-based re-keying exactly on schedule in
   the client and server mainloops. Previously the re-key timeout
   could expire but re-keying would not start until a packet was sent
   or received, causing a spin in select() if the connection was
   quiescent.

 * ssh-keygen(1): avoid Y2038 problem in printing certificate
   validity lifetimes. Dates past 2^31-1 seconds since epoch were
   displayed incorrectly on some platforms. bz#3329

 * scp(1): allow spaces to appear in usernames for local to remote
   and scp -3 remote to remote copies. bz#1164

 * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
   in favour of KbdInteractiveAuthentication. The former is what was in
   SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
   treated as somewhat but not entirely equivalent. We retain the old
   name as a deprecated alias so configuration files continue to work
   as well as a reference in the man page for people looking for it.
   bz#3303

 * ssh(1): restore blocking status on stdio fds before close. ssh(1)
   needs file descriptors in non-blocking mode to operate but it was
   not restoring the original state on exit. This could cause
   problems with fds shared with other programs via the shell,
   bz#3280 and GHPR#246

 * ssh(1)/sshd(8): switch both client and server mainloops from
   select(3) to pselect(3). Avoids race conditions where a signal
   may arrive immediately before select(3) and not be processed until
   an event fires. bz#2158

 * ssh(1): sessions started with ControlPersist were incorrectly
   executing a shell when the -N (no shell) option was specified.
   bz#3290

 * ssh(1): check if IPQoS or TunnelDevice are already set before
   overriding. Prevents values in config files from overriding values
   supplied on the command line. bz#3319

 * ssh(1): fix debug message when finding a private key to match a
   certificate being attempted for user authentication. Previously it
   would print the certificate's path, whereas it was supposed to be
   showing the private key's path. GHPR#247

 * sshd(8): match host certificates against host public keys, not
   private keys. Allows use of certificates with private keys held in
   a ssh-agent.  bz#3524

 * ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which
   allows RSA/SHA2 signatures for public key authentication but fails
   to advertise this correctly via SSH2_MSG_EXT_INFO. This causes
   clients of these server to incorrectly match
   PubkeyAcceptedAlgorithmse and potentially refuse to offer valid
   keys. bz#3213

 * sftp(1)/scp(1): degrade gracefully if a sftp-server offers the
   limits@openssh.com extension but fails when the client tries to
   invoke it. bz#3318

 * ssh(1): allow ssh_config SetEnv to override $TERM, which is
   otherwise handled specially by the protocol. Useful in ~/.ssh/config
   to set TERM to something generic (e.g. "xterm" instead of
   "xterm-256color") for destinations that lack terminfo entries.

 * sftp-server(8): the limits@openssh.com extension was incorrectly
   marked as an operation that writes to the filesystem, which made it
   unavailable in sftp-server read-only mode. bz#3318

 * ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when
   the update removed more host keys than remain present.

 * many manual page fixes.

Portability
-----------

 * ssh(1): move closefrom() to before first malloc. When built against
   tcmalloc, the closefrom() would stomp on file descriptors created
   for tcmalloc's internal use. bz#3321

 * sshd(8): handle GIDs > 2^31 in getgrouplist. When compiled in 32bit
   mode, the getgrouplist implementation may fail for GIDs greater than
   LONG_MAX.

 * ssh(1): xstrdup environment variable used by ForwardAgent. bz#3328

 * sshd(8): don't sigdie() in signal handler in privsep child process;
   this can end up causing sandbox violations per bz3286

Changes in OpenSSH 8.8
======================

New features
------------
 * ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
   directive to accept a "none" argument to specify the default
   behaviour.

Bugfixes
--------

 * scp(1): when using the SFTP protocol, continue transferring files
   after a transfer error occurs, better matching original scp/rcp
   behaviour.
    
 * ssh(1): fixed a number of memory leaks in multiplexing,

 * ssh-keygen(1): avoid crash when using the -Y find-principals
   command.

 * A number of documentation and manual improvements, including
   bz#3340, PR#139, PR#215, PR#241, PR#257

Portability
-----------

 * ssh(1)/sshd(8): some fixes to the pselect(2) replacement
   compatibility code. bz#3345

Changes in OpenSSH 8.9
======================

This release includes a number of new features.

New features
------------

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)
   A detailed description of the feature is available at
   https://www.openssh.com/agent-restrict.html and the protocol
   extensions are documented in the PROTOCOL and PROTOCOL.agent
   files in the source release.

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.
    
 * ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
   perform matching of principals names against an allowed signers
   file. To be used towards a TOFU model for SSH signatures in git.

 * ssh-keygen(1): allow selection of hash at sshsig signing time
   (either sha512 (default) or sha256).

 * ssh(1), sshd(8): read network data directly to the packet input
   buffer instead indirectly via a small stack buffer. Provides a
   modest performance improvement.

 * ssh(1), sshd(8): read data directly to the channel input buffer,
   providing a similar modest performance improvement.

 * ssh(1): extend the PubkeyAuthentication configuration directive to
   accept yes|no|unbound|host-bound to allow control over one of the
   protocol extensions used to implement agent-restricted keys.

Bugfixes
--------

 * sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
   PubkeyAuthOptions can be used in a Match block. PR#277.

 * sshd(8): fix possible string truncation when constructing paths to
   .rhosts/.shosts files with very long user home directory names.

 * ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
   exchange hashes
    
 * ssh(1): don't put the TTY into raw mode when SessionType=none,
   avoids ^C being unable to kill such a session. bz3360

 * scp(1): fix some corner-case bugs in SFTP-mode handling of
   ~-prefixed paths.

 * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
   select RSA keys when only RSA/SHA2 signature algorithms are
   configured (this is the default case). Previously RSA keys were
   not being considered in the default case.

 * ssh-keysign(1): make ssh-keysign use the requested signature
   algorithm and not the default for the key type. Part of unbreaking
   hostbased auth for RSA/SHA2 keys.

 * ssh(1): stricter UpdateHostkey signature verification logic on
   the client- side. Require RSA/SHA2 signatures for RSA hostkeys
   except when RSA/SHA1 was explicitly negotiated during initial
   KEX; bz3375

 * ssh(1), sshd(8): fix signature algorithm selection logic for
   UpdateHostkeys on the server side. The previous code tried to
   prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
   cases. This will use RSA/SHA2 signatures for RSA keys if the
   client proposed these algorithms in initial KEX. bz3375

 * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
   This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
   and sftp-server(8), as well as the sshd(8) listen loop and all
   other FD read/writability checks. On platforms with missing or
   broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is
   available.
    
 * ssh-keygen(1): the "-Y find-principals" command was verifying key
   validity when using ca certs but not with simple key lifetimes
   within the allowed signers file.
    
 * ssh-keygen(1): make sshsig verify-time argument parsing optional

 * sshd(8): fix truncation in rhosts/shosts path construction.

 * ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
   allow for the preceding two ECN bits. bz#3373

 * ssh-keygen(1): add missing -O option to usage() for the "-Y sign"
   option.

 * ssh-keygen(1): fix a NULL deref when using the find-principals
   function, when matching an allowed_signers line that contains a
   namespace restriction, but no restriction specified on the
   command-line

 * ssh-agent(1): fix memleak in process_extension(); oss-fuzz
   issue #42719

 * ssh(1): suppress "Connection to xxx closed" messages when LogLevel
   is set to "error" or above. bz3378

 * ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
   compressed packet data. bz3372
 
 * scp(1): when recursively transferring files in SFTP mode, create the
   destination directory if it doesn't already exist to match scp(1) in
   legacy RCP mode behaviour.
    
 * scp(1): many improvements in error message consistency between scp(1)
   in SFTP mode vs legacy RCP mode.

 * sshd(8): fix potential race in SIGTERM handling PR#289

 * ssh(1), ssh(8): since DSA keys are deprecated, move them to the
   end of the default list of public keys so that they will be tried
   last. PR#295

 * ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
   wildcard principals in allowed_signers files
    
Portability
-----------

 * ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's
   implementation does not work in a chroot when the kernel does not
   have close_range(2). It tries to read from /proc/self/fd and when
   that fails dies with an assertion of sorts. Instead, call
   close_range(2) directly from our compat code and fall back if
   that fails.  bz#3349,

 * Correct handling of exceptfds/POLLPRI in our select(2)-based
   poll(2)/ppoll(2) compat implementation.

 * Cygwin: correct checking of mbstowcs() return value.

 * Add a basic SECURITY.md that refers people to the openssh.com
   website.

 * Enable additional compiler warnings and toolchain hardening flags,
   including -Wbitwise-instead-of-logical, -Wmisleading-indentation,
   -fzero-call-used-regs and -ftrivial-auto-var-init.

Changes in OpenSSH 9.0
======================

New features
------------

 * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
   exchange method by default ("sntrup761x25519-sha512@openssh.com").
   The NTRU algorithm is believed to resist attacks enabled by future
   quantum computers and is paired with the X25519 ECDH key exchange
   (the previous default) as a backstop against any weaknesses in
   NTRU Prime that may be discovered in the future. The combination
   ensures that the hybrid exchange offers at least as good security
   as the status quo.

   We are making this change now (i.e. ahead of cryptographically-
   relevant quantum computers) to prevent "capture now, decrypt
   later" attacks where an adversary who can record and store SSH
   session ciphertext would be able to decrypt it once a sufficiently
   advanced quantum computer is available.

 * sftp-server(8): support the "copy-data" extension to allow server-
   side copying of files/data, following the design in
   draft-ietf-secsh-filexfer-extensions-00. bz2948

 * sftp(1): add a "cp" command to allow the sftp client to perform
   server-side file copies.

Bugfixes
--------

 * ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output
   fd closes without data in the channel buffer. bz3405 and bz3411

 * sshd(8): pack pollfd array in server listen/accept loop. Could
   cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE

 * ssh-keygen(1): avoid NULL deref via the find-principals and
   check-novalidate operations. bz3409 and GHPR#307 respectively.

 * scp(1): fix a memory leak in argument processing. bz3404

 * sshd(8): don't try to resolve ListenAddress directives in the sshd
   re-exec path. They are unused after re-exec and parsing errors
   (possible for example if the host's network configuration changed)
   could prevent connections from being accepted.
    
 * sshd(8): when refusing a public key authentication request from a
   client for using an unapproved or unsupported signature algorithm
   include the algorithm name in the log message to make debugging
   easier.
    
Portability
-----------

 * sshd(8): refactor platform-specific locked account check, fixing
   an incorrect free() on platforms with both libiaf and shadow
   passwords (probably only Unixware) GHPR#284,

 * ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
   parsing of K/M/G/etc quantities. bz#3401.

 * Check for missing ftruncate prototype. GHPR#301

 * sshd(8): default to not using sandbox when cross compiling. On most
   systems poll(2) does not work when the number of FDs is reduced
   with setrlimit, so assume it doesn't when cross compiling and we
   can't run the test.  bz#3398.

 * Improve detection of -fzero-call-used-regs=all support in
   configure script.


Changes in OpenSSH 9.1
======================

New features
------------

 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8). 

   ssh(1) will terminate a connection if the server offers an RSA key
   that falls below this limit, as the SSH protocol does not include
   the ability to retry a failed key exchange.

 * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
   request that allows the client to obtain user/group names that
   correspond to a set of uids/gids.

 * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
   extension (when available) to fill in user/group names for
   directory listings.

 * sftp-server(8): support the "home-directory" extension request
   defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
   a bit with the existing "expand-path@openssh.com", but some other
   clients support it.

 * ssh-keygen(1), sshd(8): allow certificate validity intervals,
   sshsig verification times and authorized_keys expiry-time options
   to accept dates in the UTC time zone in addition to the default
   of interpreting them in the system time zone. YYYYMMDD and
   YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
   with a 'Z' character.

   Also allow certificate validity intervals to be specified in raw
   seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
   is intended for use by regress tests and other tools that call
   ssh-keygen as part of a CA workflow. bz3468

 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
   "/usr/libexec/sftp-server -el debug3"

 * ssh-keygen(1): allow the existing -U (use agent) flag to work
   with "-Y sign" operations, where it will be interpreted to require
   that the private keys is hosted in an agent; bz3429

Bugfixes
--------

 * ssh-agent(1): hook up the restrict_websafe command-line flag;
   previously the flag was accepted but never actually used.

 * sftp(1): improve filename tab completions: never try to complete
   names to non-existent commands, and better match the completion
   type (local or remote filename) against the argument position
   being completed.

 * sshd(8): improve logging of errors when opening authorized_keys
   files. bz2042

 * ssh(1): avoid multiplexing operations that could cause SIGPIPE from
   causing the client to exit early. bz3454

 * ssh_config(5), sshd_config(5): clarify that the RekeyLimit
   directive applies to both transmitted and received data. GHPR328

 * ssh-keygen(1): avoid double fclose() in error path.

 * sshd(8): log an error if pipe() fails while accepting a
   connection. bz3447

 * ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
   GHPR294.

 * sshd(8): ensure that authentication passwords are cleared from
   memory in error paths. GHPR286

 * ssh(1), ssh-agent(1): avoid possibility of notifier code executing
   kill(-1). GHPR286

 * ssh_config(5): note that the ProxyJump directive also accepts the
   same tokens as ProxyCommand. GHPR305.

 * scp(1): do not not ftruncate(3) files early when in sftp mode. The
   previous behaviour of unconditionally truncating the destination
   file would cause "scp ~/foo localhost:foo" and the reverse
   "scp localhost:foo ~/foo" to delete all the contents of their
   destination. bz3431

 * ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is
   unable to load a private key; bz3429

 * sftp(1), scp(1): when performing operations that glob(3) a remote
   path, ensure that the implicit working directory used to construct
   that path escapes glob(3) characters. This prevents glob characters
   from being processed in places they shouldn't, e.g. "cd /tmp/a*/",
   "get *.txt" should have the get operation treat the path "/tmp/a*"
   literally and not attempt to expand it.

 * ssh(1), sshd(8): be stricter in which characters will be accepted
   in specifying a mask length; allow only 0-9. GHPR278

 * ssh-keygen(1): avoid printing hash algorithm twice when dumping a
   KRL

 * ssh(1), sshd(8): continue running local I/O for open channels
   during SSH transport rekeying. This should make ~-escapes work in
   the client (e.g. to exit) if the connection happened to have
   stalled during a rekey event.

 * ssh(1), sshd(8): avoid potential poll() spin during rekeying

 * Further hardening for sshbuf internals: disallow "reparenting" a
   hierarchical sshbuf and zero the entire buffer if reallocation
   fails. GHPR287

Portability
-----------

 * Portable OpenSSH: remove workarounds for obsolete and unsupported
   versions of OpenSSL libcrypto. In particular, this release removes
   fallback support for OpenSSL that lacks AES-CTR or AES-GCM.

   Those AES cipher modes were added to OpenSSL prior to the minimum
   version currently supported by OpenSSH, so this is not expected to
   impact any currently supported configurations.

 * All: resync and clean up internal CSPRNG code.

 * scp(1), sftp(1), sftp-server(8): avoid linking these programs with
   unnecessary libraries. They are no longer linked against libz and
   libcrypto. This may be of benefit to space constrained systems
   using any of those components in isolation.

 * sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
   architectures.

 * configure: remove special casing of crypt(). configure will no
   longer search for crypt() in libcrypto, as it was removed from
   there years ago. configure will now only search libc and libcrypt.

 * configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its
   RSA implementation (CVE-2022-2274) on x86_64.

 * All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322

 * ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes
   required by the XMSS code on some platforms.


Changes in OpenSSH 9.2
======================

New features
------------

 * sshd(8): add support for channel inactivity timeouts via a new
   sshd_config(5) ChannelTimeout directive. This allows channels that
   have not seen traffic in a configurable interval to be
   automatically closed. Different timeouts may be applied to session,
   X11, agent and TCP forwarding channels.

 * sshd(8): add a sshd_config UnusedConnectionTimeout option to
   terminate client connections that have no open channels for a
   length of time. This complements the ChannelTimeout option above.
    
 * sshd(8): add a -V (version) option to sshd like the ssh client has.

 * ssh(1): add a "Host" line to the output of ssh -G showing the
   original hostname argument. bz3343
    
 * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
   allow control over some SFTP protocol parameters: the copy buffer
   length and the number of in-flight requests, both of which are used
   during upload/download. Previously these could be controlled in
   sftp(1) only. This makes them available in both SFTP protocol
   clients using the same option character sequence.
    
 * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
   e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
   it will be expanded to all possible addresses in the range
   including the all-0s and all-1s addresses. bz#976

 * ssh(1): support dynamic remote port forwarding in escape
   command-line's -R processing. bz#3499

Bugfixes
--------

 * ssh(1): when restoring non-blocking mode to stdio fds, restore
   exactly the flags that ssh started with and don't just clobber them
   with zero, as this could also remove the append flag from the set.
   bz3523
    
 * ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none
   and a hostkey in one of the system known hosts file changes.
    
 * scp(1): switch scp from using pipes to a socket-pair for
   communication with its ssh sub-processes, matching how sftp(1)
   operates.

 * sshd(8): clear signal mask early in main(); sshd may have been
   started with one or more signals masked (sigprocmask(2) is not
   cleared on fork/exec) and this could interfere with various things,
   e.g. the login grace timer. Execution environments that fail to
   clear the signal mask before running sshd are clearly broken, but
   apparently they do exist.
    
 * ssh(1): warn if no host keys for hostbased auth can be loaded.
    
 * sshd(8): Add server debugging for hostbased auth that is queued and
   sent to the client after successful authentication, but also logged
   to assist in diagnosis of HostbasedAuthentication problems. bz3507

 * ssh(1): document use of the IdentityFile option as being usable to
   list public keys as well as private keys. GHPR352
    
 * sshd(8): check for and disallow MaxStartups values less than or
   equal to zero during config parsing, rather than failing later at
   runtime.  bz3489
    
 * ssh-keygen(1): fix parsing of hex cert expiry times specified on
   the command-line when acting as a CA.
 
 * scp(1): when scp(1) is using the SFTP protocol for transport (the
   default), better match scp/rcp's handling of globs that don't match
   the globbed characters but do match literally (e.g. trying to
   transfer a file named "foo.[1]"). Previously scp(1) in SFTP mode
   would not match these pathnames but legacy scp/rcp mode would.
   bz3488
    
 * ssh-agent(1): document the "-O no-restrict-websafe" command-line
   option.

 * ssh(1): honour user's umask(2) if it is more restrictive then the
   ssh default (022).

Portability
-----------

 * sshd(8): simply handling of SSH_CONNECTION PAM env var, removing
   global variable and checking the return value from pam_putenv.
   bz3508

 * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was mistakenly
   enabled during the OpenSSH 9.1 release cycle.

 * misc: update autotools and regenerate the config files using the
   latest autotools

 * all: use -fzero-call-used-regs=used on clang 15 instead of
   -fzero-call-used-reg=all, as some versions of clang 15 have
   miscompile code when it was enabled. bz3475

 * sshd(8): defer PRNG seeding until after the initial closefrom(2)
   call. PRNG seeding will initialize OpenSSL, and some engine
   providers (e.g. Intel's QAT) will open descriptors for their own
   use that closefrom(2) could clobber. bz3483

 * misc: in the poll(2)/ppoll(2) compatibility code, avoid assuming
   the layout of fd_set.

 * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
   FreeBSD kernels. Some versions do not support using id 0 to refer
   to the current PID for procctl, so try again with getpid()
   explicitly before failing.


Changes in OpenSSH 9.3
======================

New features
------------

 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
   outputting SSHFP fingerprints to allow algorithm selection. bz3493
    
 * sshd(8): add a `sshd -G` option that parses and prints the
   effective configuration without attempting to load private keys
   and perform other checks. This allows usage of the option before
   keys have been generated and for configuration evaluation and
   verification by unprivileged users.

Bugfixes
--------

 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
   bz3534

 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
   of private keys as some systems are starting to disable RSA/SHA1
   in libcrypto.

 * sftp-server(8): fix a memory leak. GHPR363

 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
   compatibility code and simplify what's left.

 * Fix a number of low-impact Coverity static analysis findings.
   These include several reported via bz2687

 * ssh_config(5), sshd_config(5): mention that some options are not
   first-match-wins.

 * Rework logging for the regression tests. Regression tests will now
   capture separate logs for each ssh and sshd invocation in a test.

 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
   says it should; bz3532.

 * ssh(1): ensure that there is a terminating newline when adding a
   new entry to known_hosts; bz3529

Changes in OpenSSH 9.4
======================

New features
------------

 * ssh(1): allow forwarding Unix Domain sockets via ssh -W.

 * ssh(1): add support for configuration tags to ssh(1).
   This adds a ssh_config(5) "Tag" directive and corresponding
   "Match tag" predicate that may be used to select blocks of
   configuration similar to the pf.conf(5) keywords of the same
   name.

 * ssh(1): add a "match localnetwork" predicate. This allows matching
   on the addresses of available network interfaces and may be used to
   vary the effective client configuration based on network location.

 * ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
   extensions.  This defines wire formats for optional KRL extensions
   and implements parsing of the new submessages. No actual extensions
   are supported at this point.

 * sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
   accept two additional %-expansion sequences: %D which expands to
   the routing domain of the connected session and %C which expands
   to the addresses and port numbers for the source and destination
   of the connection.

 * ssh-keygen(1): increase the default work factor (rounds) for the
   bcrypt KDF used to derive symmetric encryption keys for passphrase
   protected key files by 50%.

Bugfixes
--------

 * ssh(1): make -f (fork after authentication) work correctly with
   multiplexed connections, including ControlPersist. bz3589 bz3589

 * ssh(1): make ConnectTimeout apply to multiplexing sockets and not
   just to network connections.

 * sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
   appears before it in sshd_config. Since OpenSSH 8.7 the
   AuthorizedPrincipalsCommand directive was incorrectly ignored in
   this situation. bz3574

 * sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
   signatures When the KRL format was originally defined, it included
   support for signing of KRL objects. However, the code to sign KRLs
   and verify KRL signatues was never completed in OpenSSH. This
   release removes the partially-implemented code to verify KRLs.
   All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
   KRL files.

 * All: fix a number of memory leaks and unreachable/harmless integer
   overflows.

 * sshd(8), ssh(1): better validate CASignatureAlgorithms in
   ssh_config and sshd_config. Previously this directive would accept
   certificate algorithm names, but these were unusable in practice as
   OpenSSH does not support CA chains. bz3577

 * ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
   algorithms that are valid for CA signing. Previous behaviour was
   to list all signing algorithms, including certificate algorithms.

 * ssh-keyscan(1): gracefully handle systems where rlimits or the
   maximum number of open files is larger than INT_MAX; bz3581

 * ssh-keygen(1): fix "no comment" not showing on when running
   `ssh-keygen -l` on multiple keys where one has a comment and other
   following keys do not. bz3580

 * scp(1), sftp(1): adjust ftruncate() logic to handle servers that
   reorder requests. Previously, if the server reordered requests then
   the resultant file would be erroneously truncated.

 * ssh(1): don't incorrectly disable hostname canonicalization when
   CanonicalizeHostname=yes and ProxyJump was expicitly set to
   "none". bz3567

 * scp(1): when copying local->remote, check that the source file
   exists before opening an SFTP connection to the server. Based on
   GHPR#370

Portability
-----------

 * All: a number of build fixes for various platforms and
   configuration combinations.

 * All: relax libcrypto version checks for OpenSSL >=3. Beyond
   OpenSSL 3.0, the ABI compatibility guarantees are wider (only
   the library major must match instead of major and minor in
   earlier versions).  bz#3548.

Changes in OpenSSH 9.5
======================

New features
------------

 * ssh(1): add keystroke timing obfuscation to the client. This attempts
   to hide inter-keystroke timings by sending interactive traffic at
   fixed intervals (default: every 20ms) when there is only a small
   amount of data being sent. It also sends fake "chaff" keystrokes for
   a random interval after the last real keystroke. These are
   controlled by a new ssh_config ObscureKeystrokeTiming keyword.
    
 * ssh(1), sshd(8): Introduce a transport-level ping facility. This adds
   a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to
   implement a ping capability. These messages use numbers in the "local
   extensions" number space and are advertised using a "ping@openssh.com"
   ext-info message with a string version number of "0".
    
 * sshd(8): allow override of Sybsystem directives in sshd Match blocks.

Bugfixes
--------

 * scp(1): fix scp in SFTP mode recursive upload and download of
   directories that contain symlinks to other directories. In scp mode,
   the links would be followed, but in SFTP mode they were not. bz3611
    
 * ssh-keygen(1): handle cr+lf (instead of just cr) line endings in
   sshsig signature files.
    
 * ssh(1): interactive mode for ControlPersist sessions if they
   originally requested a tty.
    
 * sshd(8): make PerSourceMaxStartups first-match-wins
    
 * sshd(8): limit artificial login delay to a reasonable maximum (5s)
   and don't delay at all for the "none" authentication mechanism.cw
    bz3602
    
 * sshd(8): Log errors in kex_exchange_identification() with level
   verbose instead of error to reduce preauth log spam. All of those
   get logged with a more generic error message by sshpkt_fatal().
    
 * sshd(8): correct math for ClientAliveInterval that caused the probes
    to be sent less frequently than configured.
    
 * ssh(1): fix regression in OpenSSH 9.4 (mux.c r1.99) that caused
   multiplexed sessions to ignore SIGINT under some circumstances.

Portability
-----------

 * Fix configure test for zlib 1.3 and later/development versions. bz3604

Changes in OpenSSH 9.6
======================

New features
------------

 * ssh(1): add a %j token that expands to the configured ProxyJump
   hostname (or the empty string if this option is not being used)
   that can be used in a number of ssh_config(5) keywords. bz3610

 * ssh(1): add ChannelTimeout support to the client, mirroring the
   same option in the server and allowing ssh(1) to terminate
   quiescent channels.

 * ssh(1), sshd(8): introduce a protocol extension to allow
   renegotiation of acceptable signature algorithms for public key
   authentication after the server has learned the username being
   used for authentication. This allows varying sshd_config(5)
   PubkeyAcceptedAlgorithms in a "Match user" block.

Bugfixes
--------

 * ssh(1): when deciding whether to enable the keystroke timing
   obfuscation, enable it only if a channel with a TTY is active.

 * ssh(1): switch mainloop from poll(3) to ppoll(3) and mask signals
   before checking flags set in signal handler. Avoids potential
   race condition between signaling ssh to exit and polling. bz3531
 
 * ssh(1): when connecting to a destination with both the
   AddressFamily and CanonicalizeHostname directives in use,
   the AddressFamily directive could be ignored. bz5326

 * sftp(1): correct handling of the limits@openssh.com option when
   the server returned an unexpected message.

 * A number of fixes to the PuTTY and Dropbear regress/integration
   tests.

 * ssh(1): release GSS OIDs only at end of authentication, avoiding
   unnecessary init/cleanup cycles. bz2982

 * ssh_config(5): mention "none" is a valid argument to IdentityFile
   in the manual. bz3080

 * scp(1): improved debugging for paths from the server rejected for
   not matching the client's glob(3) pattern in old SCP/RCP protocol
   mode.

 * ssh-agent(1): refuse signing operations on destination-constrained
   keys if a previous session-bind operation has failed. This may
   prevent a fail-open situation in future if a user uses a mismatched
   ssh(1) client and ssh-agent(1) where the client supports a key type
   that the agent does not support.

Portability
-----------

 * Better identify unsupported and unstable compiler flags, such as
   -fzero-call-used-regs which has been unstable across a several
   clang releases.

 * A number of fixes to regression test reliability and log
   collection.

 * Update the OpenSSL dependency in the RPM specification.


Changes in OpenSSH 9.7
======================

New features
------------

 * ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
   all open channels and will close all open channels if there is no
   traffic on any of them for the specified interval. This is in
   addition to the existing per-channel timeouts added recently.

   This supports situations like having both session and x11
   forwarding channels open where one may be idle for an extended
   period but the other is actively used. The global timeout could
   close both channels when both have been idle for too long.

 * All: make DSA key support compile-time optional, defaulting to on.

Bugfixes
--------

 * sshd(8): don't append an unnecessary space to the end of subsystem
   arguments (bz3667)

 * ssh(1): fix the multiplexing "channel proxy" mode, broken when
   keystroke timing obfuscation was added. (GHPR#463)

 * ssh(1), sshd(8): fix spurious configuration parsing errors when
   options that accept array arguments are overridden (bz3657).

 * ssh-agent(1): fix potential spin in signal handler (bz3670)

 * Many fixes to manual pages and other documentation, including
   GHPR#462, GHPR#454, GHPR#442 and GHPR#441.

 * Greatly improve interop testing against PuTTY.

Portability
-----------

 * Improve the error message when the autoconf OpenSSL header check
   fails (bz#3668)

 * Improve detection of broken toolchain -fzero-call-used-regs support
   (bz3645).

Changes in OpenSSH 9.8
======================

New features
------------

 * sshd(8): as described above, sshd(8) will now penalise client
   addresses that, for various reasons, do not successfully complete
   authentication. This feature is controlled by a new sshd_config(5)
   PerSourcePenalties option and is on by default.

   sshd(8) will now identify situations where the session did not
   authenticate as expected. These conditions include when the client
   repeatedly attempted authentication unsucessfully (possibly
   indicating an attack against one or more accounts, e.g. password
   guessing), or when client behaviour caused sshd to crash (possibly
   indicating attempts to exploit bugs in sshd).

   When such a condition is observed, sshd will record a penalty of
   some duration (e.g. 30 seconds) against the client's address. If
   this time is above a minimum configurable threshold, then all
   connections from the client address will be refused (along with any
   others in the same PerSourceNetBlockSize CIDR range) until the
   penalty expire.

   Repeated offenses by the same client address will accrue greater
   penalties, up to a configurable maximum. Address ranges may be
   fully exempted from penalties, e.g. to guarantee access from a set
   of trusted management addresses, using the new sshd_config(5)
   PerSourcePenaltyExemptList option.

   We hope these options will make it significantly more difficult for
   attackers to find accounts with weak/guessable passwords or exploit
   bugs in sshd(8) itself. This option is enabled by default.

 * ssh(8): allow the HostkeyAlgorithms directive to disable the
   implicit fallback from certificate host key to plain host keys.

Bugfixes
--------

 * misc: fix a number of inaccuracies in the PROTOCOL.*
   documentation files. GHPR430 GHPR487

 * all: switch to strtonum(3) for more robust integer parsing in most
   places.

 * ssh(1), sshd(8): correctly restore sigprocmask around ppoll()

 * ssh-keysign(8): stricter validation of messaging socket fd GHPR492

 * sftp(1): flush stdout after writing "sftp>" prompt when not using
   editline. GHPR480

 * sftp-server(8): fix home-directory extension implementation, it
   previously always returned the current user's home directory
   contrary to the spec. GHPR477

 * ssh-keyscan(1): do not close stdin to prevent error messages when
   stdin is read multiple times. E.g.
   echo localhost | ssh-keyscan -f - -f -

 * regression tests: fix rekey test that was testing the same KEX
   algorithm repeatedly instead of testing all of them. bz3692

 * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive
   documentation, especially around what is supported vs available.
   bz3701.

Portability
-----------

 * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
   unconditionally. The previous behaviour was to expose it only when
   particular authentication methods were in use.

 * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
   environment variable to enable SSH_ASKPASS, similarly to the X11
   DISPLAY environment variable. GHPR479

 * build: improve detection of the -fzero-call-used-regs compiler
   flag. bz3673.

 * build: relax OpenSSL version check to accept all OpenSSL 3.x
   versions.

 * sshd(8): add support for notifying systemd on server listen and
   reload, using a standalone implementation that doesn't depend on
   libsystemd. bz2641


Changes in OpenSSH 9.9
======================

New features
------------

 * ssh(1), sshd(8): add support for a new hybrid post-quantum key
   exchange based on the FIPS 203 Module-Lattice Key Enapsulation
   mechanism (ML-KEM) combined with X25519 ECDH as described by
   https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
   This algorithm "mlkem768x25519-sha256" is available by default.

 * ssh(1): the ssh_config "Include" directive can now expand
   environment as well as the same set of %-tokens "Match Exec"
   supports.

 * sshd(8): add a sshd_config "RefuseConnection" option that, if set
   will terminate the connection at the first authentication request.

 * sshd(8): add a "refuseconnection" penalty class to sshd_config
   PerSourcePenalties that is applied when a connection is dropped by
   the new RefuseConnection keyword.

 * sshd(8): add a "Match invalid-user" predicate to sshd_config Match
   options that matches when the target username is not valid on the
   server.

 * ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
   substantially faster implementation.

 * ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
   exchange algorithm now has an IANA-assigned name in addition to
   the "@openssh.com" vendor extension name. This algorithm is now
   also available under this name "sntrup761x25519-sha512"

 * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
   included in core dump files for most of their lifespans. This is
   in addition to pre-existing controls in ssh-agent(1) and sshd(8)
   that prevented coredumps. This feature is supported on OpenBSD,
   Linux and FreeBSD.

 * All: convert key handling to use the libcrypto EVP_PKEY API, with
   the exception of DSA.

 * sshd(8): add a random amount of jitter (up to 4 seconds) to the
   grace login time to make its expiry unpredictable.

Bugfixes
--------

 * sshd(8): relax absolute path requirement back to what it was prior
   to OpenSSH 9.8, which incorrectly required that sshd was started
   with an absolute path in inetd mode. bz3717

 * sshd(8): fix regression introduced in openssh-9.8 that swapped the
   order of source and destination addresses in some sshd log messages.

 * sshd(8): do not apply authorized_keys options when signature
   verification fails. Prevents more restrictive key options being
   incorrectly applied to subsequent keys in authorized_keys. bz3733

 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
   prompts. Helps the user know what's going on when ssh-keygen is
   invoked via other tools. Requested in GHPR503

 * ssh(1), ssh-add(1): make parsing user@host consistently look for
   the last '@' in the string rather than the first. This makes it
   possible to more consistently use usernames that contain '@'
   characters.

 * ssh(1), sshd(8): be more strict in parsing key type names. Only
   allow short names (e.g "rsa") in user-interface code and require
   full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725

 * regress: many performance and correctness improvements to the
   re-keying regression test.

 * ssh-keygen(1): clarify that ed25519 is the default key type
   generated and clarify that rsa-sha2-512 is the default signature
   scheme when RSA is in use. GHPR505

 * sshd(8): fix minor memory leak in Subsystem option parsing; GHPR515

 * All: additional hardening and consistency checks for the sshbuf
   code.

 * sshd(8): reduce default logingrace penalty to ensure that a single
   forgotton login that times out will be below the penalty threshold.

 * ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started with
   ControlPersist then later has a forwarding added using mux proxy
   connection and the forwarding was used, then when the mux proxy
   session terminated, the mux master process would issue a bad message
   that terminated the connection.

Portability
-----------

 * sync contrib/ssh-copy-id to the latest upstream version.

 * regress: improve portablility for some awk(1) usage (e.g. Solaris)

 * In the contrib/redhat RPM spec file, without_openssl was previously
   incorrectly enabled unconditionally.

 * sshd(8) restore audit call before exit that regressed in openssh-9.8
   Fixes an issue where the SSH_CONNECTION_ABANDON event was not
   recorded.

       Add comments in ssh_config for connecting to old (pre 6.6) systems.

       The ssh client has been enhanced to provide on first connect the
       host key fingerprints in md5 and sha256.

       For backward compatibility with old devices that only support SSH1,
       we have included this SSH1 only implementation.
       Note: The SSH1 protocol is insecure.
       Files: /etc/ssh/ssh1_config /usr/bin/scp1 /usr/bin/ssh1
              /usr/bin/ssh-keygen1
              /usr/man/cat1/scp1.1 /usr/man/man1/scp1.1
	      /usr/man/cat1/ssh1.1 /usr/man/man1/ssh1.1
              /usr/man/cat1/ssh-keygen1.1 /usr/man/man1/ssh-keygen1.1
              /usr/man/cat5/ssh1_config.5 /usr/man/man5/ssh1_config.5