Call for testing: OpenSSH 8.7

Dmitry Belyavskiy dbelyavs at
Sat Aug 14 05:48:49 AEST 2021

Dear Damien,

Are there any chances that something from

will be added to release?

On Fri, Aug 13, 2021 at 2:12 AM Damien Miller <djm at> wrote:

> Hi,
> OpenSSH 8.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release has a mix of
> bugfixes and new features.
> Snapshot releases for portable OpenSSH are available from
> The OpenBSD version is available in CVS HEAD:
> Portable OpenSSH is also available via git using the
> instructions at
> At or via a mirror at Github:
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
> $ ./configure && make tests
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at Security bugs should be reported
> directly to openssh at
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
> Thanks to the many people who contributed to this release.
> Potentially-incompatible changes
> ================================
> This release includes a number of changes that may affect existing
> configurations:
>  * scp(1): this release changes the behaviour of remote to remote
>    copies (e.g. "scp host-a:/path host-b:") to transfer through the
>    local host by default. This was previously available via the -3
>    flag. This mode avoids the need to expose credentials on the
>    origin hop, avoids triplicate interpretation of filenames by the
>    shell (by the local system, the copy origin and the destination)
>    and, in conjunction with the SFTP support for scp(1) mentioned
>    below, allows use of all authentication methods to the remote
>    hosts (previously, only non-interactive methods could be used).
>    A -R flag has been added to select the old behaviour.
>  * ssh(1)/sshd(8): both the client and server are now using a more
>    strict configuration file parser. The new parser uses more
>    shell-like rules for quotes, space and escape characters. It is
>    also more strict in rejecting configurations that include options
>    lacking arguments. Previously some options (e.g. DenyUsers) to
>    appear on a line with no subsequent arguments. This release will
>    reject such configurations. The new parser will also reject
>    configurations with unterminated quotes and multiple '='
>    characters after the option name.
>  * ssh(1): when using SSHFP DNS records for host key verification,
>    ssh(1) will verify all matching records instead of just those
>    with the specific signature type requested. This may cause host
>    key verification problems if stale SSHFP records of a different
>    or legacy signature type exist alongside other records for a
>    particular host. bz#3322
>  * ssh-keygen(1): when generating a FIDO key and specifying an
>    explicit attestation challenge (using -Ochallenge), the challenge
>    will now be hashed by the builtin security key middleware. This
>    removes the (undocumented) requirement that challenges be exactly
>    32 bytes in length and matches the expectations of libfido2.
>  * sshd(8): environment="..." directives in authorized_keys files are
>    now first-match-wins and limited to 1024 discrete environment
>    variable names.
> Changes since OpenSSH 8.6
> =========================
> This release contains a mix of new features and bug-fixes.
> New features
> ------------
>  - scp(1): experimental support for transfers using the SFTP protocol
>    as a replacement for the venerable SCP/RCP protocol that it has
>    traditionally used. SFTP offers more predictable filename handling
>    and does not require expansion of glob(3) patterns via the shell
>    on the remote side.
>    SFTP support may be enabled via a temporary scp -s flag. It is
>    intended for SFTP to become the default transfer mode in the
>    near future, at which time the -s flag will be removed. The -O
>    flag exists to force use of the original SCP/RCP protocol for
>    cases where SFTP may be unavailable or incompatible.
>  - sftp-server(8): add a protocol extension to support expansion of
>    ~/ and ~user/ prefixed paths. This was added to support these
>    paths when used by scp(1) while in SFTP mode.
>  - ssh(1): add a ForkAfterAuthentication ssh_config(5) counterpart to
>    the ssh(1) -f flag. GHPR#231
>  - ssh(1): add a StdinNull directive to ssh_config(5) that allows the
>    config file to do the same thing as -n does on the ssh(1) command-
>    line. GHPR#231
>  - ssh(1): add a SessionType directive to ssh_config, allowing the
>     configuration file to offer equivalent control to the -N (no
>     session) and -s (subsystem) command-line flags. GHPR#231
>  - ssh-keygen(1): let allowed signers files used by ssh-keygen(1)
>    signatures support key lifetimes, and allow the verification mode to
>    specify a signature time to check at. This is intended for use by
>    git to support signing objects using ssh keys.
>  - ssh-keygen(8): support printing of the full public key in a sshsig
>    signature via a -Oprint-pubkey flag.
> Bugfixes
> --------
>  * ssh(1)/sshd(8): start time-based re-keying exactly on schedule in
>    the client and server mainloops. Previously the re-key timeout
>    could expire but re-keying would not start until a packet was sent
>    or received, causing a spin in select() if the connection was
>    quiescent.
>  * ssh-keygen(1): avoid Y2038 problem in printing certificate
>    validity lifetimes. Dates past 2^31-1 seconds since epoch were
>    displayed incorrectly on some platforms. bz#3329
>  * scp(1): allow spaces to appear in usernames for local to remote
>    and scp -3 remote to remote copies. bz#1164
>  * ssh(1)/sshd(8): remove references to ChallengeResponseAuthentication
>    in favour of KbdInteractiveAuthentication. The former is what was in
>    SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
>    treated as somewhat but not entirely equivalent. We retain the old
>    name as a deprecated alias so configuration files continue to work
>    as well as a reference in the man page for people looking for it.
>    bz#3303
>  * ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509 subject name
>    when extracting a key from a PKCS#11 certificate. bz#3327
>  * ssh(1): restore blocking status on stdio fds before close. ssh(1)
>    needs file descriptors in non-blocking mode to operate but it was
>    not restoring the original state on exit. This could cause
>    problems with fds shared with other programs via the shell,
>    bz#3280 and GHPR#246
>  * ssh(1)/sshd(8): switch both client and server mainloops from
>    select(3) to pselect(3). Avoids race conditions where a signal
>    may arrive immediately before select(3) and not be processed until
>    an event fires. bz#2158
>  * ssh(1): sessions started with ControlPersist were incorrectly
>    executing a shell when the -N (no shell) option was specified.
>    bz#3290
>  * ssh(1): check if IPQoS or TunnelDevice are already set before
>    overriding. Prevents values in config files from overriding values
>    supplied on the command line. bz#3319
>  * ssh(1): fix debug message when finding a private key to match a
>    certificate being attempted for user authentication. Previously it
>    would print the certificate's path, whereas it was supposed to be
>    showing the private key's path. GHPR#247
>  * sshd(8): match host certificates against host public keys, not
>    private keys. Allows use of certificates with private keys held in
>    a ssh-agent.  bz#3524
>  * ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8), which
>    allows RSA/SHA2 signatures for public key authentication but fails
>    to advertise this correctly via SSH2_MSG_EXT_INFO. This causes
>    clients of these server to incorrectly match
>    PubkeyAcceptedAlgorithmse and potentially refuse to offer valid
>    keys. bz#3213
>  * sftp(1)/scp(1): degrade gracefully if a sftp-server offers the
>    limits at extension but fails when the client tries to
>    invoke it. bz#3318
>  * ssh(1): allow ssh_config SetEnv to override $TERM, which is
>    otherwise handled specially by the protocol. Useful in ~/.ssh/config
>    to set TERM to something generic (e.g. "xterm" instead of
>    "xterm-256color") for destinations that lack terminfo entries.
>  * sftp-server(8): the limits at extension was incorrectly
>    marked as an operation that writes to the filesystem, which made it
>    unavailable in sftp-server read-only mode. bz#3318
>  * ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered when
>    the update removed more host keys than remain present.
>  * many manual page fixes.
> Portability
> -----------
>  * ssh(1): move closefrom() to before first malloc. When built against
>    tcmalloc, the closefrom() would stomp on file descriptors created
>    for tcmalloc's internal use. bz#3321
>  * sshd(8): handle GIDs > 2^31 in getgrouplist. When compiled in 32bit
>    mode, the getgrouplist implementation may fail for GIDs greater than
>    LONG_MAX.
>  * ssh(1): xstrdup environment variable used by ForwardAgent. bz#3328
>  * sshd(8): don't sigdie() in signal handler in privsep child process;
>    this can end up causing sandbox violations per bz3286
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

Dmitry Belyavskiy

More information about the openssh-unix-dev mailing list