Open SSH 5.9 Released

Sep 10, 2011

OpenSSH (or OpenBSD Secure Shell), the network communications security utility suite has been updated to version 5.9. Here’s the complete changelog since OpenSSH 5.8.


  • Sandboxing of the pre-authorized privilege separated child: An optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode has been introduced that enables mandatory restrictions on the syscalls the privsep child can perform. You can select from three concrete sandbox implementations at the time of configuration.
  • New SHA256-based HMAC transport integrity modes. You can add these modes from
  • No need to maintain /dev/log inside the chroot for the pre-authentication sshd(8) privilege separation slave process anymore. It now logs automatically via a socket shared with the master process.
  • Warning from ssh(1) when a server refuses X11 forwarding.
  • Multiple paths for sshd_config(5)'s AuthorizedKeysFile, UserKnownHostsFile and GlobalKnownHostsFile. AuthorizedKeysFile2, UserKnownHostsFile2 and GlobalKnownHostsFile2 are belittled.
  • Retention of key comments when loading v.2 keys, visible in "ssh-add -l".
  • Set IPv6 traffic class from IPQoS as well as IPv4 ToS/DSCP in ssh(1) and sshd(8).
  • Expanding ControlPath option for ssh_config(5).
  • Support for negated Host matching by ssh_config(5).
  • Introduction of a new RequestTTY option for ssh_config(5).
  • sshd(8) now allows GSSAPI authentication to detect a server failures.
  • Option to generate the host keys for each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist.
  • ssh(1) now allows shutdown of multiplexing without killing the existing documents.
  • ssh-add(1) now accepts keys through standard input.
  • Removed support for ssh-rand-helper. OpenSSH now obtains its random numbers directly from OpenSSL or from a PRNGd/EGD instance specified at configure time.
  • Updated .spec and init files for Linux.
  • Added ECDSA key generation to the Cygwin ssh-{host,user}-config scripts.

Bug Fixes

  • SELinux support code compilation error.
  • Fix build errors on platforms without dlopen().
  • Improved SELinux error messages in context change failures.
  • Improved suppress error messages when attempting to change from the "unconfined_t" type.
  • sshd(8) now resets the SELinux process execution context before executing passwd for password changes.
  • gcc 4 or higher now tests only the corresponding “-W-option”.

So this is a huge changelog and that means SSH has worked big time to improve network security. However, there always remains room for improvement and correspondingly, it is possible that there still remains some bugs in this latest bulid. OpenSSH welcomes constructive feedback and if you find any bugs, you can report them directly to OpenSSH.

Leave a Reply

Your email address will not be published.


About us

IoT Gadgets is dedicated to bring you all the Internet of Things IoT news that pertains to gadgets. Simple. We love for you to join us on this journey.

Contact us: [email protected]


linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram