OpenSSH/OpenSSH versions Release Notes

Reading Release Notes is one of the best way to be updated and learn about a software. So you can read complete Release Notes or this filtered summary.

OpenSSH Versions

 * OpenSSH 8.2
 * FEATURE: Add FIDO/U2F Support
 * OpenSSH 8.1, released in October 2019
 * ssh, sshd, ssh-agent: add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed.
 * OpenSSH 8.0, released in April 2019
 * SECURITY: CVE-2019-6111 related to scp tool and protocol allowing to overwrite arbitrary files in the scp client target directory
 * OpenSSH 7.9, released in October 2018
 * allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash
 * OpenSSH 7.8, released in August 2018
 * Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using OpenSSL's PEM format.
 * OpenSSH 7.7, released in February 2018
 * FEATURE: Add " " option in sshd for authorized_keys files to allow for expiring keys.
 * OpenSSH 7.6, released in October 2017
 * FEATURE: Add  option
 * FEATURE: Add  option to ssh matching the equivalent option in sshd
 * FEATURE: ssh client reverse dynamic forwarding
 * OpenSSH 7.5, released in March 2017
 * BUGFIX: This is a mainly a bugfix release.
 * OpenSSH 7.4, released
 * sshd(8): Add a sshd_config  option
 * OpenSSH 7.3, released August 01, 2016
 * FEATURE: Adds  option (-J)
 * FEATURE: Add an  directive for ssh_config(5) files
 * OpenSSH 7.1: August 20, 2015
 * This is a bugfix release.
 * OpenSSH 7.0: August 11, 2015
 * The focus of this release is primarily to deprecate weak, legacy and unsafe cryptography.
 * OpenSSH 6.9: July 1, 2015
 * BUGFIX: This is primarily a bugfix release.
 * OpenSSH 6.8: March 18, 2015
 * Added new hostkeys@openssh.com extension to facilitate public key discovery and rotation for trusted hosts (for transition from DSA to Ed25519 public host keys)
 * to require that users authenticate using two different public keys
 * OpenSSH 6.7: October 6, 2014
 * The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
 * Compile-time option to not depend on OpenSSL
 * Add support for Unix domain socket forwarding


 * OpenSSH 6.6: March 16, 2014
 * This is primarily a bugfix release.


 * OpenSSH 6.5 : January 30, 2014
 * Added new ssh-ed25519 and ssh-ed25519-cert-v01@openssh.com public key types (available since 2005 but more popular since some suspicious that NSA had chosen values that gave them an advantage in factoring public-keys)


 * Added new chacha20-poly1305@openssh.com transport cipher
 * Added curve25519-sha256@libssh.org key exchange
 * FEATURE: ssh, added Match keyword for ssh_config that allows conditional configuration to be applied
 * FEATURE: client-side hostname canonicalisation:.
 * Add a new private key format that uses a bcrypt KDF


 * OpenSSH 6.4: November 8, 2013
 * This release fixes a security bug with AES-GCM


 * OpenSSH 6.3: September 13, 2013
 * This release is predominantly a bugfix release


 * OpenSSH 6.2: March 22, 2013
 * Add a GCM-mode for the AES cipher, similar to
 * Added support for encrypt-then-mac MAC modes
 * Added support for multiple required authentication methods
 * Added support for Key Revocation Lists (KRL)


 * OpenSSH 6.1: August 29, 2012
 * This is primarily a bugfix release.
 * Enables pre-auth sandboxing by default
 * Finds ECDSA keys in  and SSHFP DNS records by default now


 * OpenSSH 6.0: April 22, 2012
 * This is primarily a bugfix release.


 * OpenSSH 5.9: September 6, 2011
 * Introduce sandboxing of the pre-auth privilege separated child
 * OpenSSH 5.8: February 4, 2011
 * OpenSSH 5.7: January 24, 2011
 * Added support for elliptic curve cryptography for key exchange as well as host/user keys, per
 * OpenSSH 5.6: August 23, 2010
 * Added a option to ssh_config
 * OpenSSH 5.5: April 16, 2010
 * OpenSSH 5.4: March 8, 2010
 * Disabled SSH protocol 1 default support. Clients and servers must now explicitly enable it.
 * Added PKCS11 authentication support for ssh(1) (-I pkcs11)
 * Added Certificate based authentication
 * Added "Netcat mode" for ssh(1) (-W host:port). Similar to "-L tunnel", but forwards instead stdin and stdout. This allows, for example, using ssh(1) itself as a ssh(1)  to route connections via intermediate servers, without the need for nc(1) on the server machine.
 * Added the ability to revoke public keys in sshd(8) and ssh(1). While it was already possible to remove the keys from authorised lists, revoked keys will now trigger a warning if used.
 * OpenSSH 5.3: October 1, 2009
 * OpenSSH 5.2: February 23, 2009
 * OpenSSH 5.1: July 21, 2008
 * Added a  option to sshd_config
 * OpenSSH 5.0: April 3, 2008
 * OpenSSH 4.9: March 30, 2008
 * Added chroot support for sshd(8)
 * Create an internal SFTP server for easier use of the chroot functionality
 * OpenSSH 4.7: September 4, 2007
 * OpenSSH 4.6: March 9, 2007
 * OpenSSH 4.5: November 7, 2006
 * OpenSSH 4.4: September 27, 2006
 * OpenSSH 4.3: February 1, 2006
 * Added OSI layer 2/3 tun-based VPN (-w option on ssh(1))
 * OpenSSH 4.2: September 1, 2005
 * OpenSSH 4.1: May 26, 2005
 * OpenSSH 4.0: March 9, 2005
 * OpenSSH 3.9 : August 18, 2004
 * Implement session multiplexing.  option
 * Added a  option to sshd, allowing control over the maximum number of authentication attempts permitted per connection
 * Added  option to   which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent
 * Re-introduce support for PAM password authentication
 * OpenSSH 3.8: February 24, 2004
 * OpenSSH 3.7.1: September 16, 2003
 * OpenSSH 3.7: September 16, 2003
 * rhosts authentication has been removed in ssh(1) and sshd(8).
 * OpenSSH 3.6.1: April 1, 2003
 * OpenSSH 3.6: March 31, 2003
 * OpenSSH 3.5: October 14, 2002
 * OpenSSH 3.4: June 26, 2002
 * OpenSSH 3.1: April 9, 2004
 * OpenSSH 3.0: November 6, 2001
 * Improved Kerberos support in protocol v1 (KerbIV and KerbV)
 * OpenSSH 2.9.9:
 * OpenSSH 2.5.1p1: February 19, 2001
 * SkeyAuthentication absoleted, use ChallengeResponseAuthentication instead.


 * OpenSSH 1.2.2p1 : March 5, 2000