Support for pre-authentication compression also removed

Dec 19, 2016 22:22 GMT  ·  By

OpenSSH 7.4 was released today, December 19, 2016, as the latest stable release of the open-source, portable, 100% complete implementation of the SSH 2.0 protocol used on Linux, BSD, and other Unix-like platforms.

OpenSSH 7.4 arrives four and a half months after OpenSSH 7.3 and is primarily a bugfix release that addresses many of the security issues discovered since then. It also includes several under-the-hood changes that may affect existing configurations.

For example, it removes support for the SSH version 1 protocol in favour of SSH2, the more secure, efficient, and portable version of the Secure Shell protocol that also underpins SSH-encrypted SFTP. It also removes 3des-cbc from the client's default cipher proposal and drops server-side support for pre-authentication compression.

"Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client," explained the devs in the release notes.

Here's what's new in OpenSSH 7.4

Prominent new features of OpenSSH 7.4 include a proxy multiplexing mode for the ssh command, inspired by the one in PuTTY, and a DisableForwarding option for sshd_config that disables TCP, X11, tunnel, agent, and Unix domain socket forwarding with a single directive.

Furthermore, OpenSSH 7.4 adds support for the "curve25519-sha256" key exchange method to the sshd and ssh commands, improves handling of SIGHUP, allows the ClientAliveCountMax and ClientAliveInterval directives to be present in sshd_config Match blocks, and adds %-escapes to AuthorizedPrincipalsCommand.
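As an added example (not from the release notes or this article), here is an sshd_config fragment that combines the 7.4 directives described above; the group name, paths, timeout values and the `lookup-principals` helper script are assumptions:

```sshd_config
# Added example: sshd_config fragment using directives introduced or extended
# in OpenSSH 7.4. Group name, paths and timeouts are assumed values, and
# "lookup-principals" is a hypothetical helper script, not an OpenSSH tool.

# Prefer the IANA-registered name added in 7.4; keep the older alias for
# clients that only recognise the @libssh.org form.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

# Global keepalive: disconnect after 2 unanswered probes sent 300 s apart.
ClientAliveInterval 300
ClientAliveCountMax 2

# Certificate-based logins: the helper receives the 7.4 %-escapes for the
# login name (%u), the certificate key ID (%i) and its serial number (%s).
AuthorizedPrincipalsCommand /usr/local/sbin/lookup-principals %u %i %s
AuthorizedPrincipalsCommandUser nobody

# File-transfer-only accounts: one directive disables every forwarding type
# (TCP, X11, tunnel, agent, Unix socket), and since 7.4 the keepalive
# directives may also be set per Match block, here tighter than the default.
Match Group sftponly
    DisableForwarding yes
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    ClientAliveInterval 60
    ClientAliveCountMax 3
```

Check the syntax with `sshd -t -f /path/to/sshd_config` before reloading the daemon, since an unknown directive prevents sshd from starting.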

Beyond that, OpenSSH 7.4 adds regression tests for the string matching, string sanitisation, and address matching functions, improves the key exchange fuzzer harness, and addresses many bugs reported by users since OpenSSH 7.3. The full changelog is attached below, and you can download OpenSSH 7.4 right now.

OpenSSH 7.4 Changelog