Portable OpenSSH 2.5.1p1 has just been uploaded. It will be available from the mirrors listed at http://www.openssh.com/portable.html shortly. OpenSSH is a 100% complete SSH 1.3 & 1.5 protocol implementation and a 99% SSH 2 protocol implementation, including sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). OpenSSH 2.5.0p1 was skipped because of interoperability issues with ssh-1.2.18 => ssh-1.2.22. We would like to thank the OpenSSH community for their continued support and encouragement. Important Changes: ================== 1) Features added to the implementation of the SSH 2 protocol: * agent forwarding * support for -R forwarding * RSA host and userkeys * extended support for older SSH 2 protocol implementations OpenSSH still lacks support for rekeying, so you have to turn off rekeying if your server tries to force this feature. The next release of OpenSSH will probably support rekeying. 2) Damien Miller contributed an interactive sftp client. The sftp client works for both SSH protocol versions. 3) David Mazieres' ssh-keyscan has been added to the OpenSSH distribution. 4) Now there are three types of keys in OpenSSH: RSA1 is used by the SSH 1 protocol only, RSA and DSA keys are used by the SSH 2 protocol implementation. You can generate RSA keys for use with SSH 2 protocol with: $ ssh-keygen -t rsa -f /etc/ssh_host_rsa_key To use RSA or DSA keys in SSH 2 protocol, simply add the public keys to the .ssh/authorised_keys2 file. IdentityFile2, HostDsaKey and DSAAuthentication are obsolete: You can use multiple IdentityFile and HostKey options instead, e.g HostKey /etc/ssh_host_key HostKey /etc/ssh_host_dsa_key HostKey /etc/ssh_host_rsa_key in /etc/sshd_config The option DSAAuthentication has been replaced by PubkeyAuthentication. Fingerprinting works for all types of keys: $ ssh-keygen -l -f $HOME/.ssh/{authorized_keys,known_hosts}{,2} 5) Important changes in the implementation of SSH 1 protocol: The OpenSSH server does not require a privileged source port for RhostsRsaAuthentication, since it adds no additional security. Interoperation with SSH 1.4 protocol 6) New option HostKeyAlias This option allows the user to record the host key under a different name. This is useful for tunneling over forwarded connections or if you run multiple sshd's on different ports on the same machine. Alternatively you can use the UserKnownHostsFile or UserKnownHostsFile2 options to specify seperate host key files for the connection. 7) The ReverseMappingCheck is now optional in sshd_config. If you combine this with the 'sshd -u0' option the server will not do DNS lookups when a client connects. 8) Stricter Hostkey Checking 9) Option Change Summary: a) New or changed: ChallengeResponseAuthentication MACs PubkeyAuthentication HostkeyAlias (Client only) Banner (Server only) ReverseMappingCheck (Server only) PermitRootLogin {yes,without-password,forced-commands-only,no} {Allow,Deny}Groups now support supplementary groups sshd -D for monitoring scripts or inittab ssh -t multiple -t force tty allocation b) Obsolete: DsaAuthentication (use PubkeyAuthentication instead) HostDsaKey (use HostKey) Identityfile2 (use Identityfile or -i) SkeyAuthentication (use ChallengeResponseAuthentication) TisAuthentication (use ChallengeResponseAuthentication) OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.