OpenSSH 8.5 Release Highlights and New Features
OpenSSH 8.5 introduces numerous security fixes, compatibility improvements, and new features such as default ED25519 signatures, updated post‑quantum key‑exchange methods, and enhanced logging and host‑key handling, while also addressing memory bugs and mitigating Solaris PAM vulnerabilities.
OpenSSH 8.5 has been released. OpenSSH is a 100% complete implementation of the SSH protocol 2.0, including SFTP client and server support, and serves as the primary tool for remote login. It encrypts all traffic to prevent eavesdropping, connection hijacking, and similar attacks, and provides a full suite of secure tunneling features, multiple authentication methods, and extensive configuration options.
Main updates
Security
ssh-agent(1): Fixed a double-free memory issue introduced in OpenSSH 8.2.
Portable sshd(8): Prevents overly long usernames from reaching PAM, mitigating a buffer-overflow vulnerability in Solaris PAM handling (CVE-2020-14871). This mitigation is enabled only for Sun-derived PAM implementations and does not fix the underlying PAM bug.
Compatibility related
ssh(1), sshd(8): The default first-preferred signature algorithm is changed from ECDSA to ED25519.
ssh(1), sshd(8): Sets the TOS/DSCP value specified in the configuration for interactive use before establishing the TCP connection; the final bulk TOS/DSCP is applied after authentication.
ssh(1), sshd(8): Updates/replaces experimental post-quantum hybrid key-exchange methods based on streamlined NTRU Prime and X25519.
ssh(1): Disables CheckHostIP by default, which offers minimal benefit but makes key rotation harder, especially behind IP-based load balancers.
New features
ssh(1): Enables UpdateHostkeys by default under conservative assumptions.
ssh(1), sshd(8): Introduces a new LogVerbose configuration directive, which forces maximum-level debug logging for code matching file/function/line pattern lists.
ssh(1): When prompting the user to accept a new host key, displays other hostnames/addresses associated with that key.
ssh(1): Allows UserKnownHostsFile=none to indicate that the known_hosts file should not be used for host-key identification.
ssh(1): Adds a KnownHostsCommand option to ssh_config, permitting the client to obtain known_hosts data from a command.
ssh(1): Adds a PermitRemoteOpen option to ssh_config, enabling the client to restrict destinations when RemoteForward is used together with SOCKS.
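KnownHostsCommand and UserKnownHostsFile=none can be combined so that the client takes host keys only from a managed source. The helper below is an added example, not code from the OpenSSH project or from this article; the install path, hostnames and key blobs are constructed placeholders, and %H is the ssh_config token for the host name or address being looked up.

```shell
#!/bin/sh
# Added example: a KnownHostsCommand helper. ssh runs the command and reads
# known_hosts-format lines from its standard output.
#
# ssh_config usage (the install path is hypothetical):
#   Host *.corp.example
#       UserKnownHostsFile none
#       KnownHostsCommand /usr/local/bin/kh-lookup %H
#
# INVENTORY is constructed sample data. The key blobs are placeholders, not
# real host keys; a deployment would read a managed, integrity-protected file.
INVENTORY='
git.corp.example,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYGIT
git.corp.example ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPLACEHOLDERGIT
db.corp.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDB
'

# kh_lookup HOST: print each inventory line whose comma-separated host field
# lists HOST exactly (no substring or wildcard matching). The name is passed
# through the environment so awk never interprets it as a pattern or escape.
# Prints nothing and still succeeds when the host is not in the inventory,
# which leaves the host unknown to ssh.
kh_lookup() {
    printf '%s\n' "$INVENTORY" | KH_HOST=$1 awk '
        NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] "" == ENVIRON["KH_HOST"] "") { print; break }
        }'
}

# Act as the helper command only when called with an argument.
if [ $# -gt 0 ]; then
    kh_lookup "$1"
fi
```

The address entry (10.0.0.5) is consulted only when CheckHostIP is switched back on, since 8.5 disables it by default.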