We are thrilled to announce libssh 0.11.0! This latest version brings exciting new features such as better async SFTP IO, PKCS#11 provider support for OpenSSL 3.0, testing for GSSAPI authentication, and proxy jump, along with many other enhancements and features detailed in the changelog.
A big thank you to all the contributors who made this release possible!
For those new to libssh, we recommend checking out our getting started tutorial. If you have any questions, feel free to join our mailing list or visit our Matrix channel.
You can download libssh-0.11.0 here.
Note: This release is using a new release key for signing tarballs. The public key can be downloaded here.
Changelog:
Deprecations and Removals:
- Dropped support for DSA
- Deprecated Blowfish cipher (will be removed in next release)
- Deprecated SSH_BIND_OPTIONS_{RSA,ECDSA}KEY in favor of generic HOSTKEY
- Removed the usage of deprecated OpenSSL APIs (Note: Minimum supported OpenSSL version is 1.1.1)
- Disabled preauth compression (zlib) by default
- Support for pkcs#11 engines are deprecated, pkcs11-provider is used instead
- Deprecation of old partial async SFTP API
- libgcrypt cryptographic backend is deprecated
- Deprecation of knownhosts hashing
SFTP Improvements:
- Added support for async SFTP IO
- Added support for sftp_limits() and applied capping to SFTP read/write operations accordingly
- Added sftp_home_directory() API support for sftp extension “home-directory”
- Added sftp_lsetstat() API for lsetstat extensions
- Added sftp_expand_path() to canonicalize path using expand-path@openssh.com extension
- Implemented stat and realpath in sftpserver
- Added sftp_readlink() API to support hardlink@openssh.com
- New extensible callback based SFTP server
- Introduced the posix-rename@openssh.com extension
New functions and features:
- Added support for PKCS #11 provider for OpenSSL 3.0
- Added testing for GSSAPI Authentication
- Implemented proxy jump using libssh
- Recategorized loglevels to show fatal errors and alignment with OpenSSH log levels
- Added ssh_channel_request_pty_size_modes() API to set terminal modes for PTYs
- Added function to check username syntax
- Added support to check all keys in authorized_keys instead of one in example server implementation
- Handled hostkey similar to OpenSSH
- Added ssh_session_socket_close() API in order to not close socket passed through options on error conditions
- Added option SSH_BIND_OPTIONS_IMPORT_KEY_STR to read user-supplied key string in ssh_bind_options_set()
- Improved log handling around ssh_set_callbacks
- Added ssh_set_error_invalid in ssh_options_set()
- Prevented signature blob to start with 1 bit in libgcrypt
- Added support to unbreak key comparison of Ed25519 keys imported from PEM or OpenSSH container
- Added support to calculate missing CRT parameters when building RSA key
- Added ssh_pki_export_privkey_base64_format() and ssh_pki_export_privkey_file_format() to support exporting keys in different formats (PEM, OpenSSH)
- Added support to compare certificates and handle automatic certificate authentication
- Added support to make compile-commands generation conditional
- Built fuzzers for normal testing
- Avoided passing other events to callbacks when called recursively
- Added control master and path options
- Refactored channel_rcv_data, check for errors and report more useful errors
- Added support to connect to other host addresses than just the first one
- Terminated the server properly when the MaxAuthTries is reached
- Added support for no-more-sessions@openssh.com request in both client and server
- Added callback to support forwarded-tcpip requests
- Bumped minimal CMake version to 3.12
- Added support for MBedTLS 3.6.x
- Added support for +,-,^ modifiers in front of algorithm lists in options
- Added callbacks for channel open response, and channel request response
- Replaced chroot() from chroot_wrapper internal library with chroot() from priv_wrapper package
- Added a placeholder for non-expanded identities
- Improved handling of channel transfer window sizes