Language Selection

English French German Italian Portuguese Spanish

OpenSSH 8.5

Filed under
OpenSSH 8.5 was released on 2021-03-03. It is available from the
mirrors listed at

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:

Future deprecation notice

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be

This release enables the UpdateHostKeys option by default to assist
the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T


 * ssh-agent(1): fixed a double-free memory corruption that was
   introduced in OpenSSH 8.2 . We treat all such memory faults as
   potentially exploitable. This bug could be reached by an attacker
   with access to the agent socket.

   On modern operating systems where the OS can provide information
   about the user identity connected to a socket, OpenSSH ssh-agent
   and sshd limit agent socket access only to the originating user
   and root. Additional mitigation may be afforded by the system's
   malloc(3)/free(3) implementation, if it detects double-free

   The most likely scenario for exploitation is a user forwarding an
   agent either to an account shared with a malicious user or to a
   host with an attacker holding root access.

 * Portable sshd(8): Prevent excessively long username going to PAM.
   This is a mitigation for a buffer overflow in Solaris' PAM username
   handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
   implementations.  This is not a problem in sshd itself, it only
   prevents sshd from being used as a vector to attack Solaris' PAM.
   It does not prevent the bug in PAM from being exploited via some
   other PAM application. GHPR#212

Potentially-incompatible changes

This release includes a number of changes that may affect existing

 * ssh(1), sshd(8): this release changes the first-preference signature
   algorithm from ECDSA to ED25519.

 * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
   for interactive use prior to TCP connect. The connection phase of
   the SSH session is time-sensitive and often explicitly interactive.
   The ultimate interactive/bulk TOS/DSCP will be set after
   authentication completes.

 * ssh(1), sshd(8): remove the pre-standardization cipher It is an alias for aes256-cbc before
   it was standardized in RFC4253 (2006), has been deprecated and
   disabled by default since OpenSSH 7.2 (2016) and was only briefly
   documented in ssh.1 in 2001.

 * ssh(1), sshd(8): update/replace the experimental post-quantum
   hybrid key exchange method based on Streamlined NTRU Prime coupled
   with X25519.

   The previous method is
   replaced with Per its
   designers, the sntrup4591761 algorithm was superseded almost two
   years ago by sntrup761.

   (note this both the updated method and the one that it replaced are
   disabled by default)

 * ssh(1): disable CheckHostIP by default. It provides insignificant
   benefits while making key rotation significantly more difficult,
   especially for hosts behind IP-based load-balancers.

Changes since OpenSSH 8.4

New features

 * ssh(1): this release enables UpdateHostkeys by default subject to
   some conservative preconditions:
    - The key was matched in the UserKnownHostsFile (and not in the
    - The same key does not exist under another name.
    - A certificate host key is not in use.
    - known_hosts contains no matching wildcard hostname pattern.
    - VerifyHostKeyDNS is not enabled.
    - The default UserKnownHostsFile is in use.

   We expect some of these conditions will be modified or relaxed in

 * ssh(1), sshd(8): add a new LogVerbose configuration directive for
   that allows forcing maximum debug logging by file/function/line

 * ssh(1): when prompting the user to accept a new hostkey, display
   any other host names/addresses already associated with the key.

 * ssh(1): allow UserKnownHostsFile=none to indicate that no
   known_hosts file should be used to identify host keys.

 * ssh(1): add a ssh_config KnownHostsCommand option that allows the
   client to obtain known_hosts data from a command in addition to
   the usual files.

 * ssh(1): add a ssh_config PermitRemoteOpen option that allows the
   client to restrict the destination when RemoteForward is used
   with SOCKS.

 * ssh(1): for FIDO keys, if a signature operation fails with a
   "incorrect PIN" reason and no PIN was initially requested from the
   user, then request a PIN and retry the operation. This supports
   some biometric devices that fall back to requiring PIN when reading
   of the biometric failed, and devices that require PINs for all
   hosted credentials.

 * sshd(8): implement client address-based rate-limiting via new
   sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
   directives that provide more fine-grained control on a per-origin
   address basis than the global MaxStartups limit.


 * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
   make it easier to determine which connection they are associated
   with in cases like scp -3, ProxyJump, etc. bz#3224

 * sshd(8): fix sshd_config SetEnv directives located inside Match
   blocks. GHPR#201

 * ssh(1): when requesting a FIDO token touch on stderr, inform the
   user once the touch has been recorded.

 * ssh(1): prevent integer overflow when ridiculously large
   ConnectTimeout values are specified, capping the effective value
   (for most platforms) at 24 days. bz#3229

 * ssh(1): consider the ECDSA key subtype when ordering host key
   algorithms in the client.

 * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
   PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
   that it control allowed key algorithms, when this option actually
   specifies the signature algorithms that are accepted. The previous
   name remains available as an alias. bz#3253

 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
   HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.

 * sftp-server(8): add missing documentation
   and advertisement in the server's SSH2_FXP_VERSION hello packet.

 * ssh(1), sshd(8): more strictly enforce KEX state-machine by
   banning packet types once they are received. Fixes memleak caused
   by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).

 * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
   platforms instead of being limited by LONG_MAX. bz#3206

 * Minor man page fixes (capitalization, commas, etc.) bz#3223

 * sftp(1): when doing an sftp recursive upload or download of a
   read-only directory, ensure that the directory is created with
   write and execute permissions in the interim so that the transfer
   can actually complete, then set the directory permission as the
   final step. bz#3222

 * ssh-keygen(1): document the -Z, check the validity of its argument
   earlier and provide a better error message if it's not correct.

 * ssh(1): ignore comments at the end of config lines in ssh_config,
   similar to what we already do for sshd_config. bz#2320

 * sshd_config(5): mention that DisableForwarding is valid in a
   sshd_config Match block. bz3239

 * sftp(1): fix incorrect sorting of "ls -ltr" under some
   circumstances. bz3248.

 * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
   timeout values. bz#3250

 * ssh(1): make hostbased authentication send the signature algorithm
   in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
   This make HostbasedAcceptedAlgorithms do what it is supposed to -
   filter on signature algorithm and not key type.


 * sshd(8): add a number of platform-specific syscalls to the Linux
   seccomp-bpf sandbox. bz#3232 bz#3260

 * sshd(8): remove debug message from sigchld handler that could cause
   deadlock on some platforms. bz#3259

 * Sync contrib/ssh-copy-id with upstream.

 * unittests: add a hostname function for systems that don't have it.
   Some systems don't have a hostname command (it's not required by
   POSIX). The do have uname -n (which is), but not all of those have
   it report the FQDN.


 - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e
 - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU=

 - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e
 - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:

Please note that the OpenPGP key used to sign releases has been
rotated for this release. The new key has been signed by the previous
key to provide continuity.

Reporting Bugs:

- Please read
  Security bugs should be reported directly to

Read more

OpenSSH 8.5 released

  • OpenSSH 8.5 released

    OpenSSH 8.5 has been released. It includes fixes for a couple of potential security problems (one of which only applies to Solaris hosts); it also enables UpdateHostKeys by default, allowing hosts with insecure keys to upgrade them without creating scary warnings for users. There are a lot of other small changes; see the announcement for details.

Announce: OpenSSH 8.5 released

  • Announce: OpenSSH 8.5 released

    OpenSSH 8.5 has just been released. It will be available from the mirrors listed at shortly.

    OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.

    Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at:

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Elephant and Its Ivory

Elephant and Its Ivory

LIVES at risk. This is a travesty. REPUBLIC OF NAMIBIA'S MINISTRY OF ENVIRONMENT, FORESTRY AND TOURISM: "We should manage elephants based on science and not emotions." By auctioning/selling off 170 live elephants? Give us a break. Oftentimes, animals were to make a sacrifice over humans because they are just "animals", so they can't speak to us, and can't protest. We're asked to assume they're just the least important, therefore we can eradicate (or "cull") them -- as simple as that. How I wish the the Animal Kingdom will become a force and burn this kind of society just to make a statement -- and then, maybe, humans will truly realise the value of animal rights. Shame on those African countries which don't give a shit about all those people who tirelessly devoted their time and life to protecting the wild animals, and specifically the elephants. Animals can't speak, but they can see you and they can feel you; just look into and gaze at their eyes, doesn't that give you a goosebumps? Burn.

today's howtos

  • Virtualization Performance on an Intel NUC 11 Enthusiast Phantom Canyon NUC11PHKi7C

    I've previously looked at Windows and Linux performance on the NUC11PHKi7C Enthusiast Phantom Canyon which is Intel’s latest NUC 11 flagship product specifically targeting gamers as it includes an NVIDIA RTX 2060 GPU. One usage aspect I didn't test was virtualization and this brief article looks at the performance running VirtualBox and WSL2 on the NUC11PHKi7C and comparing it to Intel’s previous NUC with a discrete GPU: the NUC 9 Extreme Ghost Canyon.

  • How To Install and Configure Apache SVN Server On Linux Desktop

    The Apache server is widely used for running servers and sites over the internet. If you own a distributed server where many administrators work together on the same project, you probably face problems keeping a record of who made the server changes. Here comes the Apache SVN server that you can install on your Linux machine to keep the log of your server’s activity and changes. It can maintain the login data, documentation data, source code, and other revisions. The Apache subversion system allows users and contributors to make changes, add features, revise and modify the repository with keeping the change records. You can also backup, revert, override, update your repository and delete revisions through the Apache SVN tool.

  • How to Create a Self-Signed SSL Certificate

    SSL certificates are used to facilitate authentication and encryption on the internet. Normally, these certificates are issued by trusted third-party certificate authorities such as Let’s Encrypt. A self-signed certificate is one that is obtained without going through any third-party certificate authority. TLS/SSL is a combination of a public certificate and a private key. The private key is stored securely on the server or on the load balancer, whereas the certificate is publicly accessible. In this tutorial, we explain how to create a self-signed SSL certificate by using the OpenSSL tool.

  • How to install and configure pCloud on Fedora | FOSS Linux

    You might have heard and used cloud services like DropBox, OneDrive, Google Drive, iCloud, and many others. These have already integrated into various applications as an additional cloud storage option. However, one more cloud service seems to be taking the market by a storm due to its amazing features and plans. That’s the pCloud Service. pCloud is a cloud storage service from Switzerland and first launched in 2013. It is a cross-platform application with a desktop client available for Windows, Linux, macOS, IOS, and Android. When you first sign-up on pCloud, you are given 10GB of storage completely free. One of their amazing and competitive features is the security implemented on their systems. They even went ahead to hold a pCloud Crypto challenge that brought hackers worldwide to try and break their client-side encryption, but none of them succeeded. To ensure reliability in the availability of data, pCloud uses a distributed system architecture. All users’ data are distributed across five (5) servers stored in different locations. Therefore, when one server goes down, you are still assured of data availability. To ensure data security in transit (data being transmitted from your device to pCloud servers and vice versa), pCloud uses SSL/TLS protocols (Secure Socket Layer and Transport layer security. Like most cloud services available, pCloud comes with both free and paid plans. As you would expect, the latter comes with a lot more amazing features, including a lifetime plan.

GNOME 41 Desktop Environment Slated for Release on September 22nd, 2021

While some of you out there are still waiting for the GNOME 40 desktop environment to arrive in the stable software repositories of your favorite GNU/Linux distribution, the GNOME Project is already working on the next major version, GNOME 41. Development on the GNOME 41 release will kick out soon and it will stick to the same routine as in the GNOME 40 development cycle, meaning that public testers will be able to test drive only an Alpha, a Beta, and a Release Candidate. Read more

This week in KDE: Activities on Wayland

This week the Wayland train continued barreling on, full speed ahead! We picked up a bunch of nice fixes and a big feature... The “Activities” feature now mostly works on Wayland! There are a few remaining things to implement to make it 100% comparable to the X11 version, but that should get done in time for the next Major Plasma release (Kevin Ottens, Plasma 5.22) Sticky Note widgets now have an option to change the font size (Shantanu Tushar, Plasma 5.22)... Read more