OpenSSH 10.1 released


OpenSSH 10.1 has been released with a set of security, performance and usability changes. The most visible security change for clients is the deprecation of SHA1 SSHFP records: SHA1 is no longer considered strong enough for binding a host key to a DNS name, so ssh(1) now relies on SHA256 records, which OpenSSH has supported since version 6.1 (2012). Any client that performs SSHFP lookups at all should therefore already handle SHA256 records; operators who only ever published SHA1 records need to add SHA256 ones (ssh-keygen -r generates them) before upgrading clients, or VerifyHostKeyDNS silently stops covering those hosts. The release also adds a warning whenever a key agreement algorithm that is not post-quantum is negotiated, to make "store now, decrypt later" exposure visible: traffic recorded today could be decrypted once a sufficiently large quantum computer exists. The warning is controlled by the new WarnWeakCrypto option in ssh_config.
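Two checks a client administrator can run before rolling out 10.1, written for this article as an added example (not code from the OpenSSH project): an audit of SSHFP records that flags the SHA1 fingerprints the release deprecates, and a re-implementation of the SSH key exchange selection rule that shows which negotiated algorithm the new non-post-quantum warning would fire on. The sample records and algorithm lists at the bottom are constructed; the names of the post-quantum hybrids are taken from current OpenSSH and the RFC algorithm numbers from RFC 4255, 6594, 7479 and 8709.

```shell
#!/bin/sh
# Added example (not part of the OpenSSH release notes or this article).
# Two offline checks for the client-side changes in OpenSSH 10.1.
#
# sshfp_audit   - reads SSHFP records in zone-file form on stdin (the form
#                 `ssh-keygen -r <host>` prints and `dig SSHFP <host>` returns)
#                 and flags fingerprint type 1 (SHA1), which 10.1 deprecates.
#                 A host whose only SSHFP records are SHA1 loses VerifyHostKeyDNS.
# kex_negotiate - given the client's and the server's KexAlgorithms lists,
#                 computes what SSH will negotiate (RFC 4253 section 7.1: the
#                 first client-preferred algorithm the server also offers) and
#                 reports whether it is a post-quantum hybrid, i.e. whether
#                 WarnWeakCrypto would print its warning.

# Prints one line per record: OK|DEPRECATED|MALFORMED <owner> <key alg> <hash>.
# Returns 1 if any record is deprecated or malformed, else 0.
sshfp_audit() {
    awk '
    BEGIN {
        # key algorithm numbers (RFC 4255, 6594, 7479, 8709)
        alg[1] = "RSA"; alg[2] = "DSA"; alg[3] = "ECDSA"; alg[4] = "Ed25519"; alg[6] = "Ed448"
        # fingerprint types (RFC 4255, 6594); a SHA256 digest is 64 hex digits
        fpt[1] = "SHA1"; fpt[2] = "SHA256"
        sha256len = 64
        bad = 0
    }
    /^[[:space:]]*$/ || /^[[:space:]]*;/ { next }   # blank lines and zone comments
    {
        # locate the SSHFP keyword; TTL and class fields are optional in zone files
        for (i = 1; i <= NF; i++) if (toupper($i) == "SSHFP") break
        if (i > NF - 3) { printf "MALFORMED %s\n", $0; bad = 1; next }
        a = $(i + 1); t = $(i + 2); fp = $(i + 3)
        aname = (a in alg) ? alg[a] : "alg" a
        hname = (t in fpt) ? fpt[t] : "fptype" t
        if (t == 1)
            status = "DEPRECATED"
        else if (t == 2 && length(fp) == sha256len && fp ~ /^[0-9A-Fa-f]+$/)
            status = "OK"
        else
            status = "MALFORMED"
        if (status != "OK") bad = 1
        printf "%s %s %s %s\n", status, $1, aname, hname
    }
    END { exit bad }'
}

# Usage: kex_negotiate <client-list> <server-list>  (comma separated, the form
# used by the KexAlgorithms keyword and printed by `ssh -Q kex`).
# Prints "<algorithm> PQ" or "<algorithm> NOT-PQ"; returns 0 for a post-quantum
# result, 1 for a classical one, 2 when the two sides share no algorithm.
kex_negotiate() {
    client=$1
    server=$2
    # Hybrid post-quantum key agreements OpenSSH offers as of 10.x.
    pq="sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com mlkem768x25519-sha256"
    saved_ifs=$IFS
    IFS=,
    for c in $client; do
        # ext-info-c / kex-strict-c-v00@openssh.com are client-only markers and
        # never appear in a server list, so they simply fail to match here.
        for s in $server; do
            if [ "$c" = "$s" ]; then
                IFS=$saved_ifs
                for p in $pq; do
                    if [ "$c" = "$p" ]; then echo "$c PQ"; return 0; fi
                done
                echo "$c NOT-PQ"
                return 1
            fi
        done
    done
    IFS=$saved_ifs
    echo "no common key agreement algorithm"
    return 2
}

# Constructed sample input (not real DNS data), in the layout ssh-keygen -r uses:
# one SHA1 and one SHA256 record for the same Ed25519 host key.
sample='host.example. IN SSHFP 4 1 0123456789abcdef0123456789abcdef01234567
host.example. IN SSHFP 4 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
printf '%s\n' "$sample" | sshfp_audit || echo "=> publish SHA256 records before upgrading clients"

# Constructed algorithm lists: the client's preference order decides the outcome.
kex_negotiate "mlkem768x25519-sha256,curve25519-sha256,ext-info-c" "curve25519-sha256,mlkem768x25519-sha256" || true
kex_negotiate "curve25519-sha256,mlkem768x25519-sha256" "mlkem768x25519-sha256,curve25519-sha256" || true
```

The second kex_negotiate call is the case the new warning exists for: both sides support a post-quantum hybrid, but because the client lists the classical algorithm first it is the classical one that gets negotiated. Fixing that is a client-side KexAlgorithms ordering change, not a server problem.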

The default DSCP marking (a.k.a. IPQoS) has also changed to better prioritise interactive traffic: interactive sessions are now marked Expedited Forwarding (EF), while non-interactive (bulk) traffic is left at the operating system's default marking instead of a fixed DSCP class. Sites whose network policy depends on the previous marking can pin it explicitly with the IPQoS option in ssh_config and sshd_config.

Other notable changes: ssh-add(1) now automatically removes expired certificates, experimental support for XMSS keys has been removed, agent listener sockets have moved from the shared, world-writable /tmp to ~/.ssh/agent, and ssh-agent(1) gained a -U flag that disables the automatic cleanup of stale agent sockets at startup.

On the security side, ssh(1) now rejects control characters in usernames supplied on the command line or in configuration files, while relaxing other validity checks for literal usernames. New features include SIGINFO handlers that log the active channels and sessions, better logging in sshd(8) of denied certificate authentication attempts, support for ed25519 keys on PKCS#11 tokens, and a RefuseConnection option for ssh_config that makes ssh(1) stop with an error message when it is encountered, which is useful for blocking connections to hosts that should no longer be reached.
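An ssh_config(5) fragment, added here as an illustration rather than taken from the OpenSSH documentation, that sets the 10.1 behaviours discussed above explicitly instead of relying on the defaults. The hostnames and the message text are invented; the argument form of RefuseConnection (a message string) is assumed from the description above, so check ssh_config(5) from the release before relying on it.

```sshconfig
# Added example of an ssh_config(5) fragment for the OpenSSH 10.1 options above.
# Not from the OpenSSH project; hostnames and message text are invented.

# On by default in 10.1. Keep it so "store now, decrypt later" exposure is
# reported whenever a peer ends up with a classical key agreement; "no" silences it.
WarnWeakCrypto yes

# The client's preference order decides what gets negotiated. Put the hybrids
# first on clients whose config pinned an older KexAlgorithms list; "^" prepends.
KexAlgorithms ^mlkem768x25519-sha256,sntrup761x25519-sha512

# Use the (now SHA256-only) SSHFP records for host key verification.
VerifyHostKeyDNS yes

# Explicit form of the new 10.1 default: EF for interactive traffic, the OS
# default for bulk transfers. Sites that depend on the pre-10.1 marking
# (AF21 interactive, CS1 bulk) can pin those instead.
IPQoS ef none
# IPQoS af21 cs1

# Decommissioned host: make ssh exit with an error instead of reaching a stale
# address. (Argument taken to be the message text; assumed, see ssh_config(5).)
Host old-bastion old-bastion.example.com
    RefuseConnection "old-bastion was decommissioned; connect via new-bastion instead"
```

The Host stanza is the practical use of RefuseConnection: a site-wide ssh_config can stop users and scripts from reaching a retired bastion with a clear message, rather than letting them fall through to a DNS name that may later resolve to something else.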

Bug fixes include a MaxStartups process exit tracking problem in sshd(8), delays in X client startup when ObscureKeystrokeTiming is enabled, and an increase of the maximum supported sshd(8) configuration size to 4MB.

Portability fixes include using SSH_TUN_COMPAT_AF on FreeBSD to resolve IPv6 packet sending through tunnel interfaces, checking for the presence of the nlist function before using it, and adding missing common system header files on several platforms.

The source code for OpenSSH 10.1 is now available for download on the official OpenSSH website, where further information and bug reporting options can also be found.

In short, OpenSSH 10.1 retires SHA1 for SSHFP host key verification, makes the absence of post-quantum key agreement visible to users, moves agent sockets out of /tmp, and tightens username handling, alongside the usual round of bug and portability fixes.

OpenSSH 10.1 released @ Linux Compatible