OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. It encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks.
Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
- Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity.
- Hostbased authentication may now use certificate host keys. CA keys must be specified in a known_hosts file using the @cert-authority marker as described in sshd(8).
- ssh-keygen(1) now supports signing certificates using a CA key that has been stored in a PKCS#11 token.
- ssh(1) will now log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate “phishing” attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts. Note that, for such an attack to be successful, the user must have disabled StrictHostKeyChecking (enabled by default) or an attacker must have access to a trusted host key for the destination server.
- Expand %h to the hostname in ssh_config Hostname options. While this sounds useless, it is actually handy for working with unqualified hostnames.
- Allow ssh-keygen(1) to import (-i) and export (-e) PEM and PKCS#8 keys in addition to RFC4716 (SSH.COM) encodings via a new -m option.
- sshd(8) will now queue debug messages for bad ownership or permissions on the user’s keyfiles encountered during authentication and will send them after authentication has successfully completed. These messages may be viewed in ssh(1) at LogLevel=debug or higher.
- ssh(1) connection multiplexing now supports remote forwarding with dynamic port allocation and can report the allocated port back to the user: `LPORT=$(ssh -S muxsocket -R0:localhost:25 -O forward somehost)`
- sshd(8) now supports indirection in matching of principal names listed in certificates. By default, if a certificate has an embedded principals list then the username on the server must match one of the names in the list for it to be accepted for authentication. sshd(8) now has a new AuthorizedPrincipalsFile option to specify a file containing a list of names that may be accepted in place of the username when authorizing a certificate trusted via the sshd_config(5) TrustedCAKeys option. Similarly, authentication using a CA trusted in ~/.ssh/authorized_keys now accepts a `principals="name1[,name2,...]"` option to specify a list of permitted names. If either option is absent, the current behavior of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and “user@realm”-style naming policies in certificates.
- Additional sshd_config(5) options are now valid inside Match blocks.
- Revised the format of certificate keys.
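The following script is an added example, not part of the OpenSSH release notes or the OpenSSH code base. It ties together two of the items above: the ControlPersist multiplexing configuration on the client, and the certificate principal indirection on the server (AuthorizedPrincipalsFile, plus the `principals=` option in authorized_keys). It writes the relevant configuration fragments to a scratch directory and then emulates, in plain POSIX shell, the acceptance rule the notes describe: without a principals file the server username must appear in the certificate's principal list; with one, it is enough that any name listed in the file appears in the certificate. All hostnames, paths, principal names and the CA public key below are constructed placeholders; the sshd_config(5) keyword used for the trusted CA is TrustedUserCAKeys, and the `%u` token in AuthorizedPrincipalsFile expands to the username being authenticated.

```shell
#!/bin/sh
# Added example (not from the OpenSSH release notes). Builds client and server
# configuration fragments for ControlPersist and certificate principal
# indirection, then emulates the principal matching rule described in the notes.
# Every host, path, key and principal name here is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Client side: start a background multiplex master automatically and keep it
# alive for 10 minutes after the last session on it exits.
write_client_config() {
    cat > "$WORK/ssh_config" <<'EOF'
Host *.example.com
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
EOF
    printf '%s\n' "$WORK/ssh_config"
}

# Server side: trust a user CA globally and let the per-user principals file
# decide which certificate principals may log in as the role account "deploy".
write_server_config() {
    cat > "$WORK/sshd_config.certs" <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
    # /etc/ssh/auth_principals/deploy (constructed): names accepted instead of "deploy".
    cat > "$WORK/auth_principals_deploy" <<'EOF'
alice@corp.example
bob@corp.example
EOF
    # Per-user alternative: the same restriction expressed in ~/.ssh/authorized_keys.
    # The key material is a placeholder, not a real CA key.
    cat > "$WORK/authorized_keys" <<'EOF'
cert-authority,principals="alice@corp.example,bob@corp.example" ssh-rsa AAAA...PLACEHOLDER user_ca
EOF
    printf '%s\n' "$WORK/auth_principals_deploy"
}

# list_has LIST NAME: true if NAME is one of the comma-separated entries in LIST.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF -- "$2"
}

# principal_accepted USERNAME CERT_PRINCIPALS [PRINCIPALS_FILE]
# CERT_PRINCIPALS is the comma-separated list embedded in the certificate
# (this emulation assumes the certificate carries a non-empty list).
# Returns 0 when sshd would accept the certificate for USERNAME, 1 otherwise.
principal_accepted() {
    username=$1
    cert_principals=$2
    pfile=${3:-}
    if [ -z "$pfile" ]; then
        # Default rule: the server username itself must be a listed principal.
        if list_has "$cert_principals" "$username"; then return 0; else return 1; fi
    fi
    # Indirection: any name from the principals file that the certificate
    # carries is sufficient; the username need not appear at all.
    while IFS= read -r allowed; do
        [ -n "$allowed" ] || continue
        if list_has "$cert_principals" "$allowed"; then return 0; fi
    done < "$pfile"
    return 1
}

# Stand-alone demonstration.
write_client_config >/dev/null
pfile=$(write_server_config)
if principal_accepted deploy "alice@corp.example,ops" "$pfile"; then
    echo "deploy: accepted via principals file"
else
    echo "deploy: rejected"
fi
if principal_accepted deploy "alice@corp.example,ops"; then
    echo "deploy: accepted by default rule"
else
    echo "deploy: rejected by default rule (username not a listed principal)"
fi
```

The `ControlPath` pattern includes the remote user, host and port so that sessions to different accounts or ports never share a master socket; the persistence window is the trade-off to consider, since any process that can reach the socket while the master is alive can open further sessions without re-authenticating.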