Call for testing: OpenSSH 10.0

Damien Miller djm at mindrot.org
Thu Apr 3 09:11:20 AEDT 2025


applied - thanks!

On Wed, 2 Apr 2025, Antonio Larrosa wrote:

> I tested building the openSUSE Tumbleweed package locally with the 20250403
> snapshot and doing a live test and it works fine.
> 
> I then also did try "make tests" on the vanilla snapshot sources and at
> first they failed to even build but after a quick fix that I've submitted
> at https://bugzilla.mindrot.org/show_bug.cgi?id=3806 the tests run fine too.
> 
> Thanks!
> 
> El mié, 2 abr 2025 a las 0:22, Darren Tucker (<dtucker at dtucker.net>)
> escribió:
> 
> > Hi all.
> >
> > OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is primarily a bugfix
> > release, although one notable change is the introduction of the sshd-auth
> > binary (see below).
> >
> > Snapshot releases for portable OpenSSH are available from
> > http://www.mindrot.org/openssh_snap/
> >
> > The OpenBSD version is available in CVS HEAD:
> > http://www.openbsd.org/anoncvs.html
> >
> > Portable OpenSSH is also available via git using the
> > instructions at http://www.openssh.com/portable.html#cvs
> > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> > https://github.com/openssh/openssh-portable
> >
> > Running the regression tests supplied with Portable OpenSSH does not
> > require installation and is a simply:
> >
> > $ ./configure && make tests
> >
> > Live testing on suitable non-production systems is also appreciated.
> > Please send reports of success or failure to
> > openssh-unix-dev at mindrot.org. Security bugs should be reported
> > directly to openssh at openssh.com.
> >
> > Below is a summary of changes. More detail may be found in the ChangeLog
> > in the portable OpenSSH tarballs.
> >
> > Thanks to the many people who contributed to this release.
> >
> > Potentially-incompatible changes
> > --------------------------------
> >
> >  * This release removes support for the weak DSA signature
> >    algorithm, completing the deprecation process that began in
> >    2015 (when DSA was disabled by default) and repeatedly warned
> >    over the the last 12 months.
> >
> >  * This release has the version number 10.0 and announces itself
> >    as "SSH-2.0-OpenSSH_10.0". Software that naively matches
> >    versions using patterns like "OpenSSH_1*" may be confused by
> >    this.
> >
> >  * sshd(8): this release removes the code responsible for the
> >    user authentication phase of the protocol from the per-
> >    connection sshd-session binary to a new sshd-auth binary.
> >    Splitting this code into a separate binary ensures that the
> >    crucial pre-authentication attack surface has an entirely
> >    disjoint address space from the code used for the rest of the
> >    connection. It also yields a small runtime memory saving as the
> >    authentication code will be unloaded after the authentication
> >    phase completes. This change should be largely invisible to
> >    users, though some log messages may now come from "sshd-auth"
> >    instead of "sshd-session". Downstream distributors of OpenSSH
> >    will need to package the sshd-auth binary.
> >
> >  * sshd(8): this release disables finite field (a.k.a modp)
> >    Diffie-Hellman key exchange in sshd by default. Specifically,
> >    this removes the "diffie-hellman-group*" and
> >    "diffie-hellman-group-exchange-*" methods from the default
> >    KEXAlgorithms list. The client is unchanged and continues to
> >    support these methods by default. Finite field Diffie Hellman
> >    is slow and computationally expensive for the same security
> >    level as Elliptic Curve DH or PQ key agreement while offering
> >    no redeeming advantages. ECDH has been specified for the SSH
> >    protocol for 15 years and some form of ECDH has been the default
> >    key exchange in OpenSSH for the last 14 years.
> >
> >  * sshd(8): this release removes the implicit fallback to compiled-
> >    in groups for Diffie-Hellman Group Exchange KEX when the moduli
> >    file exists but does not contain moduli within the client-
> >    requested range.  The fallback behaviour remains for the case
> >    where the moduli file does not exist at all. This allows
> >    administrators more explicit control over which DH groups will
> >    be selected, but can lead to connection failures if the moduli
> >    file is edited incorrectly. bz#2793
> >
> >  * sftp(1) and scp(1) will now explicitly not create a ControlMaster mux
> >    connection, since doing so would potentially create one with
> >    options more restrictive than those specified in the config file.
> >    This could lead to later confusion, particularly when used with
> >    ControlMaster=auto.  sftp(1) and scp(1) can still use a mux connection,
> >    so ssh(1) can be used to establish one, after which they can use it
> >    as per usual.
> >
> > Changes since OpenSSH 9.9
> > =========================
> >
> > New features
> > ------------
> >
> >  * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
> >    is now used by default for key agreement. This algorithm is
> >    considered to be safe against attack by quantum computers,
> >    is guaranteed to be no less strong than the popular
> >    curve25519-sha256 algorithm, has been standardised by NIST
> >    and is considerably faster than the previous default.
> >
> >  * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
> >    for the connection. The default cipher preference list is now
> >    Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
> >    (128/192/256).
> >
> >  * ssh(1): add %-token and environment variable expansion to the
> >    ssh_config SetEnv directive.
> >
> >  * ssh(1): allow %-token and environment variable expansion in
> >    the ssh_config User directive, with the exception of %r and %C
> >    which would be self-referential. bz#3477
> >
> >  * ssh(1), sshd(8): add "Match version" support to ssh_config and
> >    sshd_config. Allows matching on the local version of OpenSSH,
> >    e.g. "Match version OpenSSH_10.*".
> >
> >  * ssh(1): add support for "Match sessiontype" to ssh_config.
> >    Allows matching on the type of session initially requested,
> >    either "shell" for interactive sessions, "exec" for command
> >    execution sessions, "subsystem" for subsystem requests, such as
> >    sftp, or "none" for transport/forwarding-only sessions.
> >
> >  * ssh(1): add support for "Match command ..." support to
> >    ssh_config, allowing matching on the remote command as specified
> >    on the command-line.
> >
> >  * ssh(1): allow 'Match tagged ""' and 'Match command ""' to match
> >    empty tag and command values respectively.
> >
> >  * sshd(8): allow glob(3) patterns to be used in sshd_config
> >    AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
> >    bz2755
> >
> >  * sshd(1): support the VersionAddendum in the client, mirroring
> >    the option of the same name in the server; bz2745
> >
> >  * ssh-agent(1): the agent will now delete all loaded keys when
> >    signaled with SIGUSR1. This allows deletion of keys without
> >    having access to $SSH_AUTH_SOCK.
> >
> >  * Portable OpenSSH, ssh-agent(1): support systemd-style socket
> >    activation in ssh-agent using the LISTEN_PID/LISTEN_FDS
> >    mechanism. Activated when these environment variables are set,
> >    the agent is started with the -d or -D option and no socket path
> >    is set. GHPR502
> >
> >  * ssh-keygen(1): support FIDO tokens that return no attestation
> >    data, e.g. recent WinHello. GHPR542
> >
> >  * ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the
> >    default FIDO application ID allow-list to be overridden.
> >
> >  * Add a work-in-progress tool to verify FIDO attestation blobs
> >    that ssh-keygen can optionally write when enrolling FIDO keys.
> >    This tool is available under regress/misc/ssh-verify-attestation
> >    for experimentation but is not installed by "make install".
> >
> >  * ssh-keygen(1): allow "-" as output file for moduli screening.
> >    GHPR393
> >
> > Bugfixes
> > --------
> >
> >  * sshd(8): remove assumption that the sshd_config and any configs
> >    it includes can fit in a (possibly enlarged) socket buffer.
> >    Previously it was possible to create a sufficiently large
> >    configuration that could cause sshd to fail to accept any
> >    connection. sshd(8) will now actively manage sending its config
> >    to the sshd-session sub-process.
> >
> >  * ssh(1): don't start the ObscureKeystrokeTiming mitigations if
> >    there has been traffic on a X11 forwarding channel recently.
> >    Should fix X11 forwarding performance problems when this setting
> >    is enabled. bz3655
> >
> >  * ssh(1): prohibit the comma character in hostnames accepted, but
> >    allow an underscore as the first character in a hostname.
> >
> >  * sftp(1): set high-water when resuming a "put". Prevents bogus
> >    "server reordered acks" debug message.
> >
> >  * ssh(1), sshd(8): fix regression in openssh-9.8, which would fail
> >    to accept "Match criteria=argument" as well as the documented
> >    "Match criteria argument" syntax in ssh_config and sshd_config.
> >    bz3739
> >
> >  * scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
> >    scp & sftp. This disables implicit session creation by these
> >    tools when ControlMaster was set to yes/auto by configuration,
> >    which some users found surprising. This change will not prevent
> >    scp/sftp from using an existing multiplexing session if one had
> >    already been created. GHPR557
> >
> >  * sftp(1), ssh(1): fix a number possible NULL dereference bugs,
> >    including Coverity CIDs 405019 and 477813.
> >
> >  * sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty
> >    when LoginGraceTime was exceeded. bz3797
> >
> >  * sshd(8): fix "Match invalid-user" from incorrectly being
> >    activated in initial configuration pass when no other predicates
> >    were present on the match line
> >
> >  * sshd(8): fix debug logging of user specific delay. GHPR#552
> >
> >  * sshd(8): improve debug logging across sub-process boundaries.
> >    Previously some log messages were lost early in the sshd-auth and
> >    sshd-session processes' life.
> >
> >  * ssh(1): require control-escape character sequences passed via
> >    the '-e ^x' command-line to be exactly two characters long. Avoids
> >    one byte out-of-bounds read if ssh is invoked as "ssh -e^ ..."
> >    GHPR368
> >
> >  * ssh(1), sshd(8): prevent integer overflow in x11 port handling.
> >    These are theoretically possible if the admin misconfigured
> >    X11DisplayOffset or the user misconfigures their own $DISPLAY,
> >    but don't happen in normal operation. bz#3730
> >
> >  * ssh-keygen(1): don't mess up ssh-keygen -l output when the file
> >    contains CR characters; GHPR236 bz3385.
> >
> >  * sshd(8): add rate limits to logging of connections dropped by
> >    PerSourcePenalties. Previously these could be noisy in logs.
> >
> >  * ssh(1): fix argument of "Compression" directive in ssh -G config
> >    dump, which regressed in openssh-9.8.
> >
> >  * sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd
> >    refuses to accept the signature returned by an agent holding host
> >    keys during the hostkey rotation sub-protocol. This situation
> >    could occur in situations where a PKCS#11 smartcard that lacked
> >    support for particular signature algorithms was used to store
> >    host keys.
> >
> >  * ssh-keygen(1): when using RSA keys to sign messages with
> >    "ssh-keygen -Y", select the signature algorithm based on the
> >    requested hash algorithm ("-Ohashalg=xxx"). This allows using
> >    something other than the default of rsa-sha2-512, which may not
> >    be supported on all signing backends, e.g. some smartcards only
> >    support SHA256.
> >
> >  * ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on
> >    big-endian systems.
> >
> >  * Many regression and interop test improvements.
> >
> > Portability
> > -----------
> >
> >  * All: add support for AWS-LC (AWS libcrypto). bz3784
> >
> >  * sshd(8): add wtmpdb support as a Y2038 safe wtmp replacement.
> >
> >  * sshd(8): add support for locking sshd into memory, enabled with
> >    the --with-linux-memlock-onfault configure flag.
> >
> >  * Add support for building a standalone sk-libfido2 library,
> >    enabled by --with-security-key-standalone
> >
> >  * ssh(1), sshd(8), ssh-keyscan(1): include __builtin_popcount
> >    replacement function. for compilers that lack it.
> >
> >  * All: Check for and replace le32toh, le64toh, htole64 separately.
> >    It appears that at least some versions of endian.h in glibc do
> >    not have the latter two. bz#3794
> >
> >  * Remove ancient RHL 6.x config in RPM spec.
> >
> > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> > Tim Rice and Ben Lindstrom.
> >
> > --
> > Darren Tucker (dtucker at dtucker.net)
> > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
> >     Good judgement comes with experience. Unfortunately, the experience
> > usually comes from bad judgement.
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 


More information about the openssh-unix-dev mailing list