merge conflicts between OpenSSH-9.8 and 9.9

resolve conflicts between 9.7 and 9.8

Merge conflicts between 9.3 and 9.5

Merge changes between OpenSSH-9.1 and OpenSSH-9.3

merge conflicts between 9.0 and 9.1

Merge differences between openssh-8.8 and openssh-8.9

Merge our changes from OpenSSH-8.6 to OpenSSH-8.7

merge local changes between openssh 8.4 and 8.5

Merge conflicts

Merge conflicts

Merge conflicts

merge openssh-8.1

merge conflicts.

merge conflicts

merge conflicts

merge conflicts.

merge conflicts

merge conflicts

merge conflicts.

fix pam build.

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in a near-future
release, specifically:

* Refusing all RSA keys smaller than 1024 bits (the current

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in a near-future
release, specifically:

* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)

This list reflects our current intentions, but please check the final
release notes for future releases.

Potentially-incompatible changes
================================

This release disables a number of legacy cryptographic algorithms
by default in ssh:

* Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants
and the rijndael-cbc aliases for AES.

* MD5-based and truncated HMAC algorithms.

These algorithms are already disabled by default in sshd.

Changes since OpenSSH 7.1p2
===========================

This is primarily a bugfix release.

Security
--------

* ssh(1), sshd(8): remove unfinished and unused roaming code (was
already forcibly disabled in OpenSSH 7.1p2).

* ssh(1): eliminate fallback from untrusted X11 forwarding to
trusted forwarding when the X server disables the SECURITY
extension.

* ssh(1), sshd(8): increase the minimum modulus size supported for
diffie-hellman-group-exchange to 2048 bits.

* sshd(8): pre-auth sandboxing is now enabled by default (previous
releases enabled it for new installations via sshd_config).

New Features
------------

* all: add support for RSA signatures using SHA-256/512 hash
algorithms based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt.

* ssh(1): Add an AddKeysToAgent client option which can be set to
'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When
enabled, a private key that is used during authentication will be
added to ssh-agent if it is running (with confirmation enabled if
set to 'confirm').

* sshd(8): add a new authorized_keys option "restrict" that includes
all current and future key restrictions (no-*-forwarding, etc.).
Also add permissive versions of the existing restrictions, e.g.
"no-pty" -> "pty". This simplifies the task of setting up
restricted keys and ensures they are maximally-restricted,
regardless of any permissions we might implement in the future.

* ssh(1): add ssh_config CertificateFile option to explicitly list
certificates. bz#2436

* ssh-keygen(1): allow ssh-keygen to change the key comment for all
supported formats.

* ssh-keygen(1): allow fingerprinting from standard input, e.g.
"ssh-keygen -lf -"

* ssh-keygen(1): allow fingerprinting multiple public keys in a
file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319

* sshd(8): support "none" as an argument for sshd_config
Foreground and ChrootDirectory. Useful inside Match blocks to
override a global default. bz#2486

* ssh-keygen(1): support multiple certificates (one per line) and
reading from standard input (using "-f -") for "ssh-keygen -L"

* ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching
certificates instead of plain keys.

* ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in
hostname canonicalisation - treat them as already canonical and
remove the trailing '.' before matching ssh_config.

Bugfixes
--------

* sftp(1): existing destination directories should not terminate
recursive uploads (regression in openssh 6.8) bz#2528

* ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
replies to unexpected messages during key exchange. bz#2949

* ssh(1): refuse attempts to set ConnectionAttempts=0, which does
not make sense and would cause ssh to print an uninitialised stack
variable. bz#2500

* ssh(1): fix errors when attempting to connect to scoped IPv6
addresses with hostname canonicalisation enabled.

* sshd_config(5): list a couple more options usable in Match blocks.
bz#2489

* sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block.

* ssh(1): expand tilde characters in filenames passed to -i options
before checking whether or not the identity file exists. Avoids
confusion for cases where shell doesn't expand (e.g. "-i ~/file"
vs. "-i~/file"). bz#2481

* ssh(1): do not prepend "exec" to the shell command run by "Match
exec" in a config file, which could cause some commands to fail
in certain environments. bz#2471

* ssh-keyscan(1): fix output for multiple hosts/addrs on one line
when host hashing or a non standard port is in use bz#2479

* sshd(8): skip "Could not chdir to home directory" message when
ChrootDirectory is active. bz#2485

* ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.

* sshd(8): avoid changing TunnelForwarding device flags if they are
already what is needed; makes it possible to use tun/tap
networking as non-root user if device permissions and interface
flags are pre-established

* ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
bz#2521

* ssh(1): fix multiplexing master failure to notice client exit.

* ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present
empty key IDs. bz#1773

* sshd(8): avoid printf of NULL argument. bz#2535

* ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521

* ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature
support.

* ssh(1), sshd(8): fix connections with peers that use the key
exchange guess feature of the protocol. bz#2515

* sshd(8): include remote port number in log messages. bz#2503

* ssh(1): don't try to load SSHv1 private key when compiled without
SSHv1 support. bz#2505

* ssh-agent(1), ssh(1): fix incorrect error messages during key
loading and signing errors. bz#2507

* ssh-keygen(1): don't leave empty temporary files when performing
known_hosts file edits when known_hosts doesn't exist.

* sshd(8): correct packet format for tcpip-forward replies for
requests that don't allocate a port bz#2509

* ssh(1), sshd(8): fix possible hang on closed output. bz#2469

* ssh(1): expand %i in ControlPath to UID. bz#2449

* ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460

* ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182

* ssh(1): add a some debug output before DNS resolution; it's a
place where ssh could previously silently stall in cases of
unresponsive DNS servers. bz#2433

* ssh(1): remove spurious newline in visual hostkey. bz#2686

* ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...

* ssh(1): fix expansion of HostkeyAlgorithms=+...

Documentation
-------------

* ssh_config(5), sshd_config(5): update default algorithm lists to
match current reality. bz#2527

* ssh(1): mention -Q key-plain and -Q key-cert query options.
bz#2455

* sshd_config(8): more clearly describe what AuthorizedKeysFile=none
does.

* ssh_config(5): better document ExitOnForwardFailure. bz#2444

* sshd(5): mention internal DH-GEX fallback groups in manual.
bz#2302

* sshd_config(5): better description for MaxSessions option.
bz#2531

Portability
-----------

* ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/
Solaris fine-grained privileges. Including a pre-auth privsep
sandbox and several pledge() emulations. bz#2511

* Renovate redhat/openssh.spec, removing deprecated options and
syntax.

* configure: allow --without-ssl-engine with --without-openssl

* sshd(8): fix multiple authentication using S/Key. bz#2502

* sshd(8): read back from libcrypto RAND_* before dropping
privileges. Avoids sandboxing violations with BoringSSL.

* Fix name collision with system-provided glob(3) functions.
bz#2463

* Adapt Makefile to use ssh-keygen -A when generating host keys.
bz#2459

* configure: correct default value for --with-ssh1 bz#2457

* configure: better detection of _res symbol bz#2259

* support getrandom() syscall on Linux

show more ...

import openssh-7.0

Changes since OpenSSH 6.9
=========================

This focus of this release is primarily to deprecate weak, legacy
and/or unsafe cryptography.

Security
--------

* sshd(8):

import openssh-7.0

Changes since OpenSSH 6.9
=========================

This focus of this release is primarily to deprecate weak, legacy
and/or unsafe cryptography.

Security
--------

* sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
writable. Local attackers may be able to write arbitrary messages
to logged-in users, including terminal escape sequences.
Reported by Nikolay Edigaryev.

* sshd(8): Portable OpenSSH only: Fixed a privilege separation
weakness related to PAM support. Attackers who could successfully
compromise the pre-authentication process for remote code
execution and who had valid credentials on the host could
impersonate other users. Reported by Moritz Jodeit.

* sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
related to PAM support that was reachable by attackers who could
compromise the pre-authentication process for remote code
execution. Also reported by Moritz Jodeit.

* sshd(8): fix circumvention of MaxAuthTries using keyboard-
interactive authentication. By specifying a long, repeating
keyboard-interactive "devices" string, an attacker could request
the same authentication method be tried thousands of times in
a single pass. The LoginGraceTime timeout in sshd(8) and any
authentication failure delays implemented by the authentication
mechanism itself were still applied. Found by Kingcope.

Potentially-incompatible Changes
--------------------------------

* Support for the legacy SSH version 1 protocol is disabled by
default at compile time.

* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html

* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html

* Support for the legacy v00 cert format has been removed.

* The default for the sshd_config(5) PermitRootLogin option has
changed from "yes" to "prohibit-password".

* PermitRootLogin=without-password/prohibit-password now bans all
interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).

New Features
------------

* ssh_config(5): add PubkeyAcceptedKeyTypes option to control which
public key types are available for user authentication.

* sshd_config(5): add HostKeyAlgorithms option to control which
public key types are offered for host authentications.

* ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
options to allow appending to the default set of algorithms
instead of replacing it. Options may now be prefixed with a '+'
to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".

* sshd_config(5): PermitRootLogin now accepts an argument of
'prohibit-password' as a less-ambiguous synonym of 'without-
password'.

Bugfixes
--------

* ssh(1), sshd(8): add compatability workarounds for Cisco and more
PuTTY versions. bz#2424

* Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
documentation relating to Unix domain socket forwarding;
bz#2421 bz#2422

* ssh(1): Improve the ssh(1) manual page to include a better
description of Unix domain socket forwarding; bz#2423

* ssh(1), ssh-agent(1): skip uninitialised PKCS#11 slots, fixing
failures to load keys when they are present. bz#2427

* ssh(1), ssh-agent(1): do not ignore PKCS#11 hosted keys that wth
empty CKA_ID; bz#2429

* sshd(8): clarify documentation for UseDNS option; bz#2045

show more ...

Changes since OpenSSH 6.8
=========================

This is primarily a bugfix release.

Security
--------

* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
connections made

Changes since OpenSSH 6.8
=========================

This is primarily a bugfix release.

Security
--------

* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be permitted
and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh(1) coupled with "fail open"
behaviour in the X11 server when clients attempted connections with
expired credentials. This problem was reported by Jann Horn.

* ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.

New Features
------------

* ssh(1), sshd(8): promote chacha20-poly1305@openssh.com to be the
default cipher

* sshd(8): support admin-specified arguments to AuthorizedKeysCommand;
bz#2081

* sshd(8): add AuthorizedPrincipalsCommand that allows retrieving
authorized principals information from a subprocess rather than
a file.

* ssh(1), ssh-add(1): support PKCS#11 devices with external PIN
entry devices bz#2240

* sshd(8): allow GSSAPI host credential check to be relaxed for
multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928

* ssh-keygen(1): support "ssh-keygen -lF hostname" to search
known_hosts and print key hashes rather than full keys.

* ssh-agent(1): add -D flag to leave ssh-agent in foreground without
enabling debug mode; bz#2381

Bugfixes
--------

* ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
message and do not try to use it against some 3rd-party SSH
implementations that use it (older PuTTY, WinSCP).

* Many fixes for problems caused by compile-time deactivation of
SSH1 support (including bz#2369)

* ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco
implementations as some would fail when attempting to use group
sizes >4K; bz#2209

* ssh(1): fix out-of-bound read in EscapeChar configuration option
parsing; bz#2396

* sshd(8): fix application of PermitTunnel, LoginGraceTime,
AuthenticationMethods and StreamLocalBindMask options in Match
blocks

* ssh(1), sshd(8): improve disconnection message on TCP reset;
bz#2257

* ssh(1): remove failed remote forwards established by muliplexing
from the list of active forwards; bz#2363

* sshd(8): make parsing of authorized_keys "environment=" options
independent of PermitUserEnv being enabled; bz#2329

* sshd(8): fix post-auth crash with permitopen=none; bz#2355

* ssh(1), ssh-add(1), ssh-keygen(1): allow new-format private keys
to be encrypted with AEAD ciphers; bz#2366

* ssh(1): allow ListenAddress, Port and AddressFamily configuration
options to appear in any order; bz#86

* sshd(8): check for and reject missing arguments for VersionAddendum
and ForceCommand; bz#2281

* ssh(1), sshd(8): don't treat unknown certificate extensions as
fatal; bz#2387

* ssh-keygen(1): make stdout and stderr output consistent; bz#2325

* ssh(1): mention missing DISPLAY environment in debug log when X11
forwarding requested; bz#1682

* sshd(8): correctly record login when UseLogin is set; bz#378

* sshd(8): Add some missing options to sshd -T output and fix output
of VersionAddendum and HostCertificate. bz#2346

* Document and improve consistency of options that accept a "none"
argument" TrustedUserCAKeys, RevokedKeys (bz#2382),
AuthorizedPrincipalsFile (bz#2288)

* ssh(1): include remote username in debug output; bz#2368

* sshd(8): avoid compatibility problem with some versions of Tera
Term, which would crash when they received the hostkeys notification
message (hostkeys-00@openssh.com)

* sshd(8): mention ssh-keygen -E as useful when comparing legacy MD5
host key fingerprints; bz#2332

* ssh(1): clarify pseudo-terminal request behaviour and use make
manual language consistent; bz#1716

* ssh(1): document that the TERM environment variable is not subject
to SendEnv and AcceptEnv; bz#2386

show more ...

Changes since OpenSSH 6.7
=========================

This is a major release, containing a number of new features as
well as a large internal re-factoring.

Potentially-incompatible changes
---------

Changes since OpenSSH 6.7
=========================

This is a major release, containing a number of new features as
well as a large internal re-factoring.

Potentially-incompatible changes
--------------------------------

* sshd(8): UseDNS now defaults to 'no'. Configurations that match
against the client host name (via sshd_config or authorized_keys)
may need to re-enable it or convert to matching against addresses.

New Features
------------

* Much of OpenSSH's internal code has been re-factored to be more
library-like. These changes are mostly not user-visible, but
have greatly improved OpenSSH's testability and internal layout.

* Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
command-line flags to the other tools to control algorithm used
for key fingerprints. The default changes from MD5 to SHA256 and
format from hex to base64.

Fingerprints now have the hash algorithm prepended. An example of
the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
Please note that visual host keys will also be different.

* ssh(1), sshd(8): Experimental host key rotation support. Add a
protocol extension for a server to inform a client of all its
available host keys after authentication has completed. The client
may record the keys in known_hosts, allowing it to upgrade to better
host key algorithms and a server to gracefully rotate its keys.

The client side of this is controlled by a UpdateHostkeys config
option (default off).

* ssh(1): Add a ssh_config HostbasedKeyType option to control which
host public key types are tried during host-based authentication.

* ssh(1), sshd(8): fix connection-killing host key mismatch errors
when sshd offers multiple ECDSA keys of different lengths.

* ssh(1): when host name canonicalisation is enabled, try to
parse host names as addresses before looking them up for
canonicalisation. fixes bz#2074 and avoiding needless DNS
lookups in some cases.

* ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
require OpenSSH to be compiled with OpenSSL support.

* ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
authentication.

* sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
Bleichenbacher Side Channel Attack. Fake up a bignum key before
RSA decryption.

* sshd(8): Remember which public keys have been used for
authentication and refuse to accept previously-used keys.
This allows AuthenticationMethods=publickey,publickey to require
that users authenticate using two _different_ public keys.

* sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options to allow sshd to control what
public key types will be accepted. Currently defaults to all.

* sshd(8): Don't count partial authentication success as a failure
against MaxAuthTries.

* ssh(1): Add RevokedHostKeys option for the client to allow
text-file or KRL-based revocation of host keys.

* ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
serial number or key ID without scoping to a particular CA.

* ssh(1): Add a "Match canonical" criteria that allows ssh_config
Match blocks to trigger only in the second config pass.

* ssh(1): Add a -G option to ssh that causes it to parse its
configuration and dump the result to stdout, similar to "sshd -T".

* ssh(1): Allow Match criteria to be negated. E.g. "Match !host".

* The regression test suite has been extended to cover more OpenSSH
features. The unit tests have been expanded and now cover key
exchange.

Bugfixes

* ssh-keyscan(1): ssh-keyscan has been made much more robust again
servers that hang or violate the SSH protocol.

* ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
being lost as comment fields.

* ssh(1): Allow ssh_config Port options set in the second config
parse phase to be applied (they were being ignored). bz#2286

* ssh(1): Tweak config re-parsing with host canonicalisation - make
the second pass through the config files always run when host name
canonicalisation is enabled (and not whenever the host name
changes) bz#2267

* ssh(1): Fix passing of wildcard forward bind addresses when
connection multiplexing is in use; bz#2324;

* ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
formats; bz#2345.

* ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
use.

* Various fixes to manual pages: bz#2288, bz#2316, bz#2273

Portable OpenSSH

* Support --without-openssl at configure time

Disables and removes dependency on OpenSSL. Many features,
including SSH protocol 1 are not supported and the set of crypto
options is greatly restricted. This will only work on systems
with native arc4random or /dev/urandom.

Considered highly experimental for now.

* Support --without-ssh1 option at configure time

Allows disabling support for SSH protocol 1.

* sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296

* Allow custom service name for sshd on Cygwin. Permits the use of
multiple sshd running with different service names.

Checksums:
==========

- SHA1 (openssh-6.8.tar.gz) = 99903c6ca76e0a2c044711017f81127e12459d37
- SHA256 (openssh-6.8.tar.gz) = N1uzVarFbrm2CzAwuDu3sRoszmqpK+5phAChP/QNyuw=

- SHA1 (openssh-6.8p1.tar.gz) = cdbc51e46a902b30d263b05fdc71340920e91c92
- SHA256 (openssh-6.8p1.tar.gz) = P/ZM5z7hJEgLW/dnuYMNfTwDu8tqvnFrePAZLDfOFg4=

Please note that the PGP key used to sign releases was recently rotated.
The new key has been signed by the old key to provide continuity. It is
available from the mirror sites as RELEASE_KEY.asc.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

show more ...

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular,

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.

The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.

* sshd(8): Support for tcpwrappers/libwrap has been removed.

* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
using the curve25519-sha256@libssh.org KEX exchange method to fail
when connecting with something that implements the specification
correctly. OpenSSH 6.7 disables this KEX method when speaking to
one of the affected versions.

New Features

* Major internal refactoring to begin to make part of OpenSSH usable
as a library. So far the wire parsing, key handling and KRL code
has been refactored. Please note that we do not consider the API
stable yet, nor do we offer the library in separable form.

* ssh(1), sshd(8): Add support for Unix domain socket forwarding.
A remote TCP port may be forwarded to a local Unix domain socket
and vice versa or both ends may be a Unix domain socket.

* ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for
ED25519 key types.

* sftp(1): Allow resumption of interrupted uploads.

* ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it
is the same as the one sent during initial key exchange; bz#2154

* sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind
addresses when GatewayPorts=no; allows client to choose address
family; bz#2222

* sshd(8): Add a sshd_config PermitUserRC option to control whether
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
option; bz#2160

* ssh(1): Add a %C escape sequence for LocalCommand and ControlPath
that expands to a unique identifer based on a hash of the tuple of
(local host, remote user, hostname, port). Helps avoid exceeding
miserly pathname limits for Unix domain sockets in multiplexing
control paths; bz#2220

* sshd(8): Make the "Too many authentication failures" message
include the user, source address, port and protocol in a format
similar to the authentication success / failure messages; bz#2199

* Added unit and fuzz tests for refactored code. These are run
automatically in portable OpenSSH via the "make tests" target.

Bugfixes

* sshd(8): Fix remote forwarding with the same listen port but
different listen address.

* ssh(1): Fix inverted test that caused PKCS#11 keys that were
explicitly listed in ssh_config or on the commandline not to be
preferred.

* ssh-keygen(1): Fix bug in KRL generation: multiple consecutive
revoked certificate serial number ranges could be serialised to an
invalid format. Readers of a broken KRL caused by this bug will
fail closed, so no should-have-been-revoked key will be accepted.

* ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in
exit status. Previously we were always returning 0; bz#2255

* ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the
randomart border; bz#2247

* ssh-agent(1): Only cleanup agent socket in the main agent process
and not in any subprocesses it may have started (e.g. forked
askpass). Fixes agent sockets being zapped when askpass processes
fatal(); bz#2236

* ssh-add(1): Make stdout line-buffered; saves partial output getting
lost when ssh-add fatal()s part-way through (e.g. when listing keys
from an agent that supports key types that ssh-add doesn't);
bz#2234

* ssh-keygen(1): When hashing or removing hosts, don't choke on
@revoked markers and don't remove @cert-authority markers; bz#2241

* ssh(1): Don't fatal when hostname canonicalisation fails and a
ProxyCommand is in use; continue and allow the ProxyCommand to
connect anyway (e.g. to a host with a name outside the DNS behind
a bastion)

* scp(1): When copying local->remote fails during read, don't send
uninitialised heap to the remote end.

* sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing
filenames with a single quote char somewhere in the string;
bz#2238

* ssh-keyscan(1): Scan for Ed25519 keys by default.

* ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-
convert any certificate keys to plain keys and attempt SSHFP
resolution. Prevents a server from skipping SSHFP lookup and
forcing a new-hostkey dialog by offering only certificate keys.

* sshd(8): Avoid crash at exit via NULL pointer reference; bz#2225

* Fix some strict-alignment errors.

Portable OpenSSH

* Portable OpenSSH now supports building against libressl-portable.

* Portable OpenSSH now requires openssl 0.9.8f or greater. Older
versions are no longer supported.

* In the OpenSSL version check, allow fix version upgrades (but not
downgrades. Debian bug #748150.

* sshd(8): On Cygwin, determine privilege separation user at runtime,
since it may need to be a domain account.

* sshd(8): Don't attempt to use vhangup on Linux. It doesn't work for
non-root users, and for them it just messes up the tty settings.

* Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
available. It considers time spent suspended, thereby ensuring
timeouts (e.g. for expiring agent keys) fire correctly. bz#2228

* Add support for ed25519 to opensshd.init init script.

* sftp-server(8): On platforms that support it, use prctl() to
prevent sftp-server from accessing /proc/self/{mem,maps}

Changes since OpenSSH 6.5
=========================

This is primarily a bugfix release.

Security:

* sshd(8): when using environment passing with a sshd_config(5)
AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be
tricked into accepting any enviornment variable that contains the
characters before the wildcard character.

New / changed features:

* ssh(1), sshd(8): this release removes the J-PAKE authentication code.
This code was experimental, never enabled and had been unmaintained
for some time.

* ssh(1): when processing Match blocks, skip 'exec' clauses other clauses
predicates failed to match.

* ssh(1): if hostname canonicalisation is enabled and results in the
destination hostname being changed, then re-parse ssh_config(5) files
using the new destination hostname. This gives 'Host' and 'Match'
directives that use the expanded hostname a chance to be applied.

Bugfixes:

* ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in
ssh -W. bz#2200, debian#738692

* sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace
sandbox modes, as it is reachable if the connection is terminated
during the pre-auth phase.

* ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum
parsing. Minimum key length checks render this bug unexploitable to
compromise SSH 1 sessions.

* sshd_config(5): clarify behaviour of a keyword that appears in
multiple matching Match blocks. bz#2184

* ssh(1): avoid unnecessary hostname lookups when canonicalisation is
disabled. bz#2205

* sshd(8): avoid sandbox violation crashes in GSSAPI code by caching
the supported list of GSSAPI mechanism OIDs before entering the
sandbox. bz#2107

* ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption
that the SOCKS username is nul-terminated.

* ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is
not specified.

* ssh(1), sshd(8): fix memory leak in ECDSA signature verification.

* ssh(1): fix matching of 'Host' directives in ssh_config(5) files
to be case-insensitive again (regression in 6.5).

Portable OpenSSH:

* sshd(8): don't fatal if the FreeBSD Capsicum is offered by the
system headers and libc but is not supported by the kernel.
* Fix build using the HP-UX compiler.

Changes since OpenSSH 6.4
=========================

This is a feature-focused release.

New features:

* ssh(1), sshd(8): Add support for key exchange using elliptic-curve
Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
method is the default when both the client and server support it.

* ssh(1), sshd(8): Add support for Ed25519 as a public key type.
Ed25519 is a elliptic curve signature scheme that offers
better security than ECDSA and DSA and good performance. It may be
used for both user and host keys.

* Add a new private key format that uses a bcrypt KDF to better
protect keys at rest. This format is used unconditionally for
Ed25519 keys, but may be requested when generating or saving
existing keys of other types via the -o ssh-keygen(1) option.
We intend to make the new format the default in the near future.
Details of the new format are in the PROTOCOL.key file.

* ssh(1), sshd(8): Add a new transport cipher
"chacha20-poly1305@openssh.com" that combines Daniel Bernstein's
ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.

* ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and
servers that use the obsolete RSA+MD5 signature scheme. It will
still be possible to connect with these clients/servers but only
DSA keys will be accepted, and OpenSSH will refuse connection
entirely in a future release.

* ssh(1), sshd(8): Refuse old proprietary clients and servers that
use a weaker key exchange hash calculation.

* ssh(1): Increase the size of the Diffie-Hellman groups requested
for each symmetric key size. New values from NIST Special
Publication 800-57 with the upper limit specified by RFC4419.

* ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide
X.509 certs instead of raw public keys (requested as bz#1908).

* ssh(1): Add a ssh_config(5) "Match" keyword that allows
conditional configuration to be applied by matching on hostname,
user and result of arbitrary commands.

* ssh(1): Add support for client-side hostname canonicalisation
using a set of DNS suffixes and rules in ssh_config(5). This
allows unqualified names to be canonicalised to fully-qualified
domain names to eliminate ambiguity when looking up keys in
known_hosts or checking host certificate names.

* sftp-server(8): Add the ability to whitelist and/or blacklist sftp
protocol requests by name.

* sftp-server(8): Add a sftp "fsync@openssh.com" to support calling
fsync(2) on an open file handle.

* sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation,
mirroring the longstanding no-pty authorized_keys option.

* ssh(1): Add a ssh_config ProxyUseFDPass option that supports the
use of ProxyCommands that establish a connection and then pass a
connected file descriptor back to ssh(1). This allows the
ProxyCommand to exit rather than staying around to transfer data.

Bugfixes:

* ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
certificates.

* ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.

* sftp(1): bz#2137: fix the progress meter for resumed transfer.

* ssh-add(1): bz#2187: do not request smartcard PIN when removing
keys from ssh-agent.

* sshd(8): bz#2139: fix re-exec fallback when original sshd binary
cannot be executed.

* ssh-keygen(1): Make relative-specified certificate expiry times
relative to current time and not the validity start time.

* sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.

* sftp(1): bz#2129: symlinking a file would incorrectly canonicalise
the target path.

* ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent
helper executable.

* sshd(8): Improve logging of sessions to include the user name,
remote host and port, the session type (shell, command, etc.) and
allocated TTY (if any).

* sshd(8): bz#1297: tell the client (via a debug message) when
their preferred listen address has been overridden by the
server's GatewayPorts setting.

* sshd(8): bz#2162: include report port in bad protocol banner
message.

* sftp(1): bz#2163: fix memory leak in error path in do_readdir().

* sftp(1): bz#2171: don't leak file descriptor on error.

* sshd(8): Include the local address and port in "Connection from
..." message (only shown at loglevel>=verbose).

Portable OpenSSH:

* Please note that this is the last version of Portable OpenSSH that
will support versions of OpenSSL prior to 0.9.6. Support (i.e.
SSH_OLD_EVP) will be removed following the 6.5p1 release.

* Portable OpenSSH will attempt compile and link as a Position
Independent Executable on Linux, OS X and OpenBSD on recent gcc-
like compilers. Other platforms and older/other compilers may
request this using the --with-pie configure flag.

* A number of other toolchain-related hardening options are used
automatically if available, including -ftrapv to abort on signed
integer overflow and options to write-protect dynamic linking
information. The use of these options may be disabled using the
--without-hardening configure flag.

* If the toolchain supports it, one of the -fstack-protector-strong,
-fstack-protector-all or -fstack-protector compilation flag are
used to add guards to mitigate attacks based on stack overflows.
The use of these options may be disabled using the
--without-stackprotect configure option.

* sshd(8): Add support for pre-authentication sandboxing using the
Capsicum API introduced in FreeBSD 10.

* Switch to a ChaCha20-based arc4random() PRNG for platforms that do
not provide their own.

* sshd(8): bz#2156: restore Linux oom_adj setting when handling
SIGHUP to maintain behaviour over retart.

* sshd(8): bz#2032: use local username in krb5_kuserok check rather
than full client name which may be of form user@REALM.

* ssh(1), sshd(8): Test for both the presence of ECC NID numbers in
OpenSSL and that they actually work. Fedora (at least) has
NID_secp521r1 that doesn't work.

* bz#2173: use pkg-config --libs to include correct -L location for
libedit.

show more ...