OpenSSH 9.4 Release
After five months of development, OpenSSH 9.4 has been published. OpenSSH is a client and server implementation of the SSH 2.0 and SFTP protocols.
The main changes in this release include:
- The ssh utility now allows forwarding Unix domain sockets with “ssh -W”.
- The ssh_config configuration file has a new “Tag” directive and a corresponding “Match Tag” predicate, which let users select blocks of configuration based on tags. An example of such configuration is:
    Match Address 192.168.0.*
        Tag Trusted
    Match Group Wheel
        Tag Trusted
    Match Tag Trusted
        AllowTcpForwarding yes
- The ssh utility now has a “Match localnetwork” predicate that matches against the addresses of the local network interfaces.
- In ssh, sshd, and ssh-keygen, support has been added for extensions to the KRL (Key Revocation List) format. The extensions themselves are not yet available at this stage of development.
- In sshd, the directives “AuthorizedPrincipalsCommand” and “AuthorizedKeysCommand” now support the “%D” and “%C” substitutions, which expand to the routing domain of the current session and to the addresses and port numbers of the local and remote sides of the connection.
- In the ssh-keygen utility, the default number of rounds of the bcrypt function is increased when deriving symmetric encryption keys for passphrase-protected key files.
- Support for old versions of the libcrypto library has been discontinued. The minimum required versions are now LibreSSL 3.1.0 or OpenSSL 1.1.1.
- To block the vulnerability associated with loading PKCS#11 modules in ssh-agent, specifying relative and incomplete paths to modules is now forbidden. Previously, the dlopen function could search for a module given only by name in the library directories.