Announce: OpenSSH 6.2 released

Iain Morgan imorgan at
Sat Mar 23 12:20:20 EST 2013

There are some _really_ nice features in this release. Thanks to the
OpenSSH developers for all their effort!

Iain Morgan

On Thu, Mar 21, 2013 at 19:38:43 -0500, Damien Miller wrote:
> Changes since OpenSSH 6.1
> =========================
> This release introduces a number of new features:
> Features:
>  * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
>    SSH protocol 2. The new cipher is available as aes128-gcm at
>    and aes256-gcm at It uses an identical packet format to the
>    AES-GCM mode specified in RFC 5647, but uses simpler and different
>    selection rules during key exchange.
>  * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
>    for SSH protocol 2. These modes alter the packet format and compute
>    the MAC over the packet length and encrypted packet rather than over
>    the plaintext data. These modes are considered more secure and are
>    used by default when available.
>  * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
>    "umac-128 at" and "umac-128-etm at". The latter
>    being an encrypt-then-mac mode.
>  * sshd(8): Added support for multiple required authentication in SSH
>    protocol 2 via an AuthenticationMethods option. This option lists
>    one or more comma-separated lists of authentication method names.
>    Successful completion of all the methods in any list is required for
>    authentication to complete. This allows, for example, requiring a
>    user having to authenticate via public key or GSSAPI before they
>    are offered password authentication.
>  * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
>    (KRLs), a compact binary format to represent lists of revoked keys
>    and certificates that take as little as one bit per certificate when
>    revoking by serial number. KRLs may be generated using ssh-keygen(1)
>    and are loaded into sshd(8) via the existing RevokedKeys sshd_config
>    option.
>  * ssh(1): IdentitiesOnly now applies to keys obtained from a
>    PKCS11Provider. This allows control of which keys are offered from
>    tokens using IdentityFile.
>  * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
>    and "remote" in addition to its previous "yes"/"no" keywords to allow
>    the server to specify whether just local or remote TCP forwarding is
>    enabled.
>  * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
>    support fetching authorized_keys from a command in addition to (or
>    instead of) from the filesystem. The command is run under an account
>    specified by an AuthorizedKeysCommandUser sshd_config(5) option.
>  * sftp-server(8): Now supports a -d option to allow the starting
>    directory to be something other than the user's home directory.
>  * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
>    tokens using "ssh-keygen -lD pkcs11_provider".
>  * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
>    now immediately sends its SSH protocol banner to the server without
>    waiting to receive the server's banner, saving time when connecting.
>  * ssh(1): Added ~v and ~V escape sequences to raise and lower the
>    logging level respectively.
>  * ssh(1): Made the escape command help (~?) context sensitive so that
>    only commands that will work in the current session are shown.
>  * ssh-keygen(1): When deleting host lines from known_hosts using
>    "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
>    were removed.
> Bugfixes:
>  * ssh(1): Force a clean shutdown of ControlMaster client sessions when
>    the ~. escape sequence is used. This means that ~. should now work in
>    mux clients even if the server is no longer responding.
>  * ssh(1): Correctly detect errors during local TCP forward setup in
>    multiplexed clients. bz#2055
>  * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
>    adding keys with respect to certificates. It now tries to delete the
>    corresponding certificate and respects the -k option to allow deleting
>    of the key only.
>  * sftp(1): Fix a number of parsing and command-editing bugs, including
>    bz#1956
>  * ssh(1): When muxmaster is run with -N, ensured that it shuts down
>    gracefully when a client sends it "-O stop" rather than hanging around.
>    bz#1985
>  * ssh-keygen(1): When screening moduli candidates, append to the file
>    rather than overwriting to allow resumption. bz#1957
>  * ssh(1): Record "Received disconnect" messages at ERROR rather than
>    INFO priority. bz#2057.
>  * ssh(1): Loudly warn if explicitly-provided private key is unreadable.
>    bz#1981
> Portable OpenSSH:
>  * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
>    platforms where the kernel supports it.
>  * sshd(8): The seccomp-filter sandbox will not be enabled if the system
>    headers support it at compile time, regardless of whether it can be
>    enabled then. If the run-time system does not support seccomp-filter,
>    sshd will fall back to the rlimit pseudo-sandbox.
>  * ssh(1): Don't link in the Kerberos libraries. They aren't necessary
>    on the client, just on sshd(8). bz#2072
>  * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
>    library. bz#2073
>  * Fix compilation on systems with openssl-1.0.0-fips.
>  * Fix a number of errors in the RPM spec files.
> Checksums:
> ==========
>  - SHA1 (openssh-6.2.tar.gz) = b3f6cd774d345f22f6d0038cc9464cce131a0676
>  - SHA1 (openssh-6.2p1.tar.gz) = 8824708c617cc781b2bb29fa20bd905fd3d2a43d
> Reporting Bugs:
> ===============
> - Please read
>   Security bugs should be reported directly to openssh at
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

Iain Morgan

More information about the openssh-unix-dev mailing list