v9.8.1.0p1-Preview

This is a preview-release (non-production ready)

This release includes:

• fix for MSI, otherwise equivalent to the v9.8.0.0p1-Preview release.

v9.8.0.0p1-Preview

This is a preview-release (non-production ready)

Note that the change from "beta" to "preview" is simply to align with release naming requirements.

This release includes:

• Upstream changes from OpenSSH 9.8p1.

• Security Fixes (all pertaining to Windows parity with pre-existing upstream behavior):

  • [ssh-agent] validate a PKCS11 library path based on allow-list configurable via -P, with default allow-list set to $env:ProgramFiles and $env:ProgramFiles(x86) - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38029.
  • [sftp] check for invalid character in filename to prevent recursive directory attack - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43581.
  • [scp] check for invalid character in filename to prevent recursive directory attack - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43615.

• Non-Security Fixes:

  • Upgrade to ZLib 1.3.1. Please refer to https://zlib.net/.
  • Upgrade to LibreSSL 3.9.2. Please refer to https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.9.2-relnotes.txt.
  • Upgrade to LibFido2 1.15.0. Please refer to https://developers.yubico.com/libfido2/Release_Notes.html.

v9.5.0.0p1-Beta

This is a beta-release (non-production ready)

This release includes:

• Upstream changes from OpenSSH 9.5p1 and a cherry-pick of the "strict KEX" protocol extension changes from OpenSSH 9.6p1.

• Breaking Changes:

  • Remove sha1-based MACs from default configuration options in https://github.com/PowerShell/openssh-portable/pull/706/files.

• Security Fixes:

  • Service paths for SSHD and SSH-Agent in contrib\win32\openssh\install-sshd.ps1 are encapsulated in double-quotes.

• Non-Security Fixes:

  • [SCP/SFTP] Permit data upload that originates from a named pipe in PowerShell/openssh-portable#704.
  • Upgrade to LibreSSL 3.8.2. Please refer to https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.2-relnotes.txt.
  • Upgrade to LibFido2 1.14.0. Please refer to https://developers.yubico.com/libfido2/Release_Notes.html.

v9.4.0.0p1-Beta

This is a beta-release (non-production ready)

This release includes:

• Upstream changes from OpenSSH 9.3p2 and OpenSSH 9.4.

• Breaking changes - see upstream release notes for more information:

  • the ssh-agent will now refuse requests to load PKCS#11 modules issued by remote clients by default. A flag has been added to restore the previous behavior "-Oallow-remote-pkcs11".

• Security Fixes:

  • the sshd service will check the $env:ProgramData\ssh folder permissions upon startup to ensure only SYSTEM and Administrator accounts have write access to the folder; similar to the existing check upon install in contrib\win32\openssh\install-sshd.ps1.

• Non-Security Fixes:

  • Upgrade to LibreSSL 3.7.3. Please refer to https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.3-relnotes.txt
  • Upgrade to ZLib 1.3. Please refer to http://zlib.net/
  • Fix #2125 - thanks @samhocevar!
  • Fix datatype mismatch - thanks @s911415!

v9.2.2.0p1-Beta

This is a beta-release (non-production ready)

This release includes:

• Security Fixes:

  • Upgrade to LibreSSL 3.7.2. Please refer to https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.2-relnotes.txt
  • MSI: change inbound firewall rule that opens port 22 to apply to Private networks only

• Non-Security Fixes:

  • Add U2F/Fido2 keys to the agent from other clients: #1961 - thanks @ddrown!
  • Fix output codepage after executing scp/sftp/ssh/ssh-keygen command: #2027 - thanks @kemaruya!
  • Fix early EOF termination when running git fetch over ssh: #2012 - thanks @cwgreene!
  • Revert mark-of-the-web for SCP/SFTP file downloads: #2029

v9.2.0.0p1-Beta

This is a beta-release (non-production ready)

This release includes:

• Upstream changes from OpenSSH 9.2, which fixes a number of security bugs.

• Breaking changes - see upstream release notes for more information:

  • adds EnableEscapeCommandline to ssh_config, a new option, that controls whether the client-side ~C escape sequence that provides a command-line is available. EnableEscapeCommandline defaults to "no", which disables the ~C escape sequence that was previously enabled by default.

• Security:

  • The sftp server will not attempt to add the Mark-of-the-Web (MOTW) for files uploaded from sftp clients, which reverts the behavior added in 9.1. This is on par with scp behavior for file uploads. File download behavior via scp and sftp remains the same as 9.1, with a best effort attempt to add the MOTW. This change was prompted by Community feedback, as discussed in #2029.

• Fixes for #2018 and #2019.

v9.1.0.0p1-Beta

This is a beta-release (non-production ready)

This release includes:

• Upstream changes from OpenSSH 9.0 & OpenSSH 9.1.

• Breaking changes - see upstream release notes for more information:

  • Switches scp from using the legacy scp/rcp protocol to using the sftp protocol by default.
  • SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used.
  • ssh-keygen -A (generate all default host key types) will no longer generate DSA keys.

• Security Fixes:

  • adds Mark of the Web (MOTW) to scp/sftp file transfers, when possible.

• Fixes for various reliability issues listed here.

• LibFido2 upgrade to version 1.12.0.

• LibreSSL upgrade to version 3.6.1.

• ZLib upgrade to version 1.2.13.

V8.9.1.0p1-Beta

This release includes

• Security fixes

  • Upgrade to LibreSSL 3.4.3. Please refer to #1917

• Non-security fixes

  • [FIDO] PIN is asked twice with keys generated with -O verify-required. #1918
  • SSH-Agent installed through MSI is missing required privileges. #1914
  • install-sshd.ps1 to allow silent installation #1916

V8.9.0.0p1-Beta

This release includes

• Upstream changes from OpenSSH 8.9. Please note this release doesn't have ssh-agent restriction feature. This is tracked as part of #1902.

• Breaking change

  • This release disables RSA signatures using the SHA-1 hash algorithm by default. For more information, refer to "Potentially-incompatible changes" here.

• Security fixes

  • Validate the ACLs of $env:programdata\ssh folder, it's contents. This is not applicable for windows 10+ / windows server 2019+. For more information, refer to #1900

• Non-security fixes

  • FIDO/U2F hardware authenticators support to Win32-OpenSSH. Thanks to @martelletto, @akshayku.
  • PKCS11 support to ssh-agent. Thanks to @yan4321.
  • MSI installation package. Thanks to @tmeckel, @heaths.
  • Fixes for various reliability issues listed here.

V8.6.0.0p1-Beta

This release includes

• Upstream changes from OpenSSH 8.6. Please note this release doesn't have FIDO support.

• Breaking change

  • SSH askpass requires SSH_ASKPASS_REQUIRE environment variable to be set as "prefer" (or) "force".

• Security fixes

  • For non en-us OS, enforce authorized keys for admin users are read from $env:programdata\ssh\administrators_authorized_keys (#1757)
  • Ensure only admin users have access to modify the registry entries like DefaultShell (#1754)
  • Use $env:programdata\ssh\ssh_config only if it has correct file permissions (non-admin users shouldn't have write permissions)
    (#1753)

• Non-security fixes

  • Allow authorizedKeysCommand to work with the System user. Thanks to @bkatyl, @NoMoreFood.
  • Add moduli support.
  • Allow support to configure the custom shell arguments.
  • Allow SSH connection when the machine name is the same as the user name. Thanks to @oldium.
  • For downlevel OS (win10 below), fix the scrolling issue after reaching the end of the screen.
  • Write non-English characters to ETW / logfile.
  • X11 related bugs . Thanks to @riverar.
  • Fixes for various reliability issues listed here.