2 min read

OpenSSH 7.9 has been released with some new features and bug fixes. There are new features like support for signalling sessions and client and server configs. In bug fixes, invalid format errors and bugs in closing connections are solved.

New features in OpenSSH 7.9

Most port numbers are now allowed to be specified using service names from getservbyname(3). This is typically /etc/services.

The IdentityAgent configuration directive is allowed to accept environment variable names. This adds the support to use multiple agent sockets without having to use fixed paths.

Support is added for signalling sessions via the SSH protocol. However, only a limited subset of signals is supported. The support is only for login or command sessions and not subsystems that were exempt from a forced command via authorized_keys or sshd_config.

Support for “ssh -Q sig” to list supported signature options is added. There is also “ssh -Q help” that will show the full set of supported queries.

A CASignatureAlgorithms option is added for the client and server configs. It allows control over which signature formats are allowed for CAs to sign certificates. As an example, this allows to ban CAs that sign certificates using the RSA-SHA1 signature algorithm.

Key revocation lists (KRLs) are allowed to revoke keys specified by SHA256 hash.

Allowing creation of key revocation lists straight from base64-encoded SHA256 fingerprints. This supports removing keys using only the information contained in sshd(8) authentication log messages.

Bug fixes in OpenSSH 7.9

ssh(1), ssh-keygen(1): Avoiding Spurious “invalid format” errors while attempting to load PEM private keys when using an incorrect passphrase.

sshd(8): On receiving a channel closed message from a client, the stderr file descriptor and stdout are closed at the same time. Processes don’t stop anymore if they were waiting for stderr to close and were indifferent to the closing of stdin/out.

ssh(1): You can now set ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding endlessly. In previous versions, ForwardX11Timeout=0 was undefined.

sshd(8): On compiling with GSSAPI support, cache supported method OIDs regardless of whether GSSAPI authentication is enabled in the main section of sshd_config. This behaviour avoids sandbox violations when GSSAPI authentication was enabled later in a Match block.

sshd(8): Closing a connection does not failed when configuration is done with a text key revocation list that contains a very short key.

ssh(1): Connections with specified ProxyJump are treated the same as ones with a ProxyCommand set with regards to hostname canonicalisation. This means that unless CanonicalizeHostname is set to ‘always’ the hostname should not be canonicalised.

ssh(1): Fixed a regression in OpenSSH 7.8 that could prevent public- key authentication using certificates hosted in an ssh-agent(1) or against sshd(8) from OpenSSH 7.8 or newer.

For more details, visit the OpenSSH website.

Read next

How the Titan M chip will improve Android security

IBM launches Industry’s first ‘Cybersecurity Operations Center on Wheels’ for on-demand cybersecurity support

low.js, a Node.js port for embedded systems