Client Features: ssh, scp, and sftp

OpenSSH clients have new features pertaining to keyboard-interactive authentication, connection sharing, known-hosts handling, port forwarding, and command-line editing and history.

The KbdInteractiveDevices keyword was undocumented in OpenSSH 3.9, but now it's officially supported. It determines the devices that the client will try for keyboard-interactive authentication.

    KbdInteractiveDevices = pam,skey,bsdauth

If you're using the connection-sharing feature of ssh, you can now control the master process of that connection with the -O option. To check whether you're using connection sharing, run the following:

    $ ssh -O check server.example.com

To request the master process to exit, run the following:

    $ ssh -O exit server.example.com

In previous versions of OpenSSH, the known_hosts file lists, in the clear, the hostnames and IP addresses of the computers you've connected to via SSH. If you'd like to keep this information more private, use the new HashKnownHosts configuration keyword in your client configuration file:

    HashKnownHosts yes

SSH clients will now hash the hostnames so they look like random strings—for example:

    |1|Un5Q61BdVPCq65Yj3ec/HH6r+zI=|2pPQE/qjP7rrPLblvS1epjYbUOs=

This feature is experimental at the moment, so use it at your own risk.
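To make the hashed format concrete, here is an added example (not code from the book or from OpenSSH) that builds and checks hashed entries the way the client does: the host field is "|1|", the base64 salt, "|", and the base64 HMAC-SHA1 of the hostname keyed with that salt. Because the salt is stored alongside the hash, anyone holding the file can still test a guessed hostname against an entry; what hashing buys is that the file no longer reads as a list of hosts. The fixed salt, the two-line known_hosts text and the placeholder key blobs below are constructed for the demo; the one line marked as taken from the page is the example entry shown above.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"                        # marks a hashed host field; "1" is the hash type
DIGEST_SIZE = hashlib.sha1().digest_size  # salt and MAC are both 20 bytes


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Build the hashed host field for *hostname*:
    "|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))".
    The hostname is the exact string a plain entry would carry,
    e.g. "server.example.com" or "[server.example.com]:2222"."""
    if salt is None:
        salt = os.urandom(DIGEST_SIZE)  # ssh draws a fresh random salt per entry
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def parse_hashed_host(field: str) -> Tuple[bytes, bytes]:
    """Split a hashed host field into (salt, mac); ValueError if malformed."""
    if not field.startswith(HASH_MAGIC):
        raise ValueError("not a hashed host field")
    salt_b64, _, mac_b64 = field[len(HASH_MAGIC):].partition("|")
    if not salt_b64 or not mac_b64:
        raise ValueError("missing salt or hash part")
    salt = base64.b64decode(salt_b64, validate=True)
    mac = base64.b64decode(mac_b64, validate=True)
    if len(salt) != DIGEST_SIZE or len(mac) != DIGEST_SIZE:
        raise ValueError("salt and hash must each decode to 20 bytes")
    return salt, mac


def hashed_host_matches(field: str, hostname: str) -> bool:
    """True if *field* is the hash of *hostname* under the field's own salt."""
    salt, mac = parse_hashed_host(field)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def find_host(known_hosts_text: str, hostname: str) -> List[str]:
    """Return the known_hosts lines whose host field covers *hostname*.
    Plain entries may list several names separated by commas; a hashed entry
    holds exactly one name, so each hashed line is checked with its own salt.
    This is the lookup ssh-keygen -F performs, done on text instead of the real file."""
    hits = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # a leading @cert-authority / @revoked marker shifts the host field right by one
        host_field = parts[1] if parts[0].startswith("@") else parts[0]
        if host_field.startswith(HASH_MAGIC):
            try:
                if hashed_host_matches(host_field, hostname):
                    hits.append(line)
            except ValueError:
                continue  # malformed hashed entry: never a match
        elif hostname in host_field.split(","):
            hits.append(line)
    return hits


# Constructed demo data: a fixed salt so the run is repeatable, and a two-line
# known_hosts file whose key blobs are placeholders, not real keys.
FIXED_SALT = bytes(range(DIGEST_SIZE))
PAGE_EXAMPLE = "|1|Un5Q61BdVPCq65Yj3ec/HH6r+zI=|2pPQE/qjP7rrPLblvS1epjYbUOs="  # entry from the text above
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key blobs are placeholders",
    "ftp.example.com,192.0.2.10 ssh-rsa AAAAB3PLACEHOLDER",
    hash_hostname("server.example.com", FIXED_SALT) + " ssh-rsa AAAAB3PLACEHOLDER",
])

if __name__ == "__main__":
    for name in ("server.example.com", "ftp.example.com", "nowhere.example.com"):
        print(name, "->", len(find_host(SAMPLE_KNOWN_HOSTS, name)), "matching line(s)")
```

Note that find_host only answers "is this name in the file"; confirming that the key on the matching line is the right one is a separate step, and the salt-per-entry design means the same host produces a different-looking line in every file it is added to.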

When you construct a port forwarding, you can now specify a bind address: the address on which the accepting side of the forwarding will listen. This is useful either for controlling whether a forwarding is reachable from off-host (rather than listening only on the loopback address), or for choosing among several addresses if the listening host is multi-homed. You give the bind address on the command line, preceding the usual -L or -R value. For example, to set up a local forwarding from local port 2001 to remote server port 143 (IMAP), listening on 192.168.100.66:

    $ ssh -L 192.168.100.66:2001:localhost:143 server.example.com

or for a remote forwarding:

    $ ssh -R 192.168.100.66:2001:localhost:143 server.example.com

You can also do this with the LocalForward and RemoteForward configuration keywords, prepending the bind address (followed by a colon) to the first argument, the listening port:

    LocalForward 192.168.100.66:2001 localhost:143
    RemoteForward 192.168.100.66:2001 localhost:143

Note that this forwarding will not be listening on the loopback address. You need to connect to 192.168.100.66:2001, even from the listening host itself; trying to connect to localhost:2001 will result in "connection refused." Also note that the bind address refers to the client for local forwarding and to the server for remote forwarding.

For local forwarding, the default binding is determined by the GatewayPorts keyword. For remote forwarding, the server may choose to honor or ignore a client's binding request using a new GatewayPorts value, clientspecified:

    GatewayPorts clientspecified

This means the SSH client can select the bind address for the forwarding, so clients may bind remote forwardings to addresses of their own choosing.

An empty bind address, or the special value *, indicates that the client or server should listen on all interfaces, both the physical ones and the loopback interface (localhost).
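The following added example (mine, not the book's or OpenSSH's code) pulls the rules from this section into one place: it parses the -L/-R form and the LocalForward/RemoteForward keyword form, and then reports where a listener actually ends up given the bind address and the GatewayPorts settings in play. It goes slightly beyond the text in one respect: for remote forwardings it also models, as I understand OpenSSH to apply them, the two other server-side GatewayPorts values (yes forces all interfaces, no keeps loopback), alongside the clientspecified value the text describes. Everything else (empty or * means all interfaces, localhost means loopback, the client's own GatewayPorts fills in a missing bind address, the keyword form is the -L form with the two arguments joined by a colon) follows the text and the ssh_config manual page. The config fragment at the bottom is constructed for the demo.

```python
from typing import List, NamedTuple, Optional, Tuple


class Forward(NamedTuple):
    bind_address: Optional[str]  # None when the spec leaves it out
    listen_port: int
    connect_host: str
    connect_port: int


def _split_fields(spec: str) -> List[str]:
    """Split on ':' but keep bracketed IPv6 literals such as [::1] whole."""
    fields, current, depth = [], "", 0
    for ch in spec:
        depth += {"[": 1, "]": -1}.get(ch, 0)
        if ch == ":" and depth == 0:
            fields.append(current)
            current = ""
        else:
            current += ch
    if depth != 0:
        raise ValueError("unbalanced brackets in %r" % spec)
    return fields + [current]


def _port(text: str) -> int:
    if not text.isdigit() or not 0 < int(text) <= 65535:
        raise ValueError("bad port %r" % text)
    return int(text)


def _clean_host(text: str) -> str:
    """Drop the brackets around an IPv6 literal."""
    return text[1:-1] if text.startswith("[") and text.endswith("]") else text


def parse_forward(spec: str) -> Forward:
    """Parse the -L/-R argument form '[bind_address:]port:host:hostport'."""
    fields = _split_fields(spec)
    if len(fields) == 3:
        fields = [None] + fields  # no bind address given
    if len(fields) != 4:
        raise ValueError("expected 3 or 4 fields in %r" % spec)
    bind, port, host, hostport = fields
    return Forward(None if bind is None else _clean_host(bind),
                   _port(port), _clean_host(host), _port(hostport))


def parse_forward_keyword(line: str) -> Forward:
    """Parse 'LocalForward [bind_address:]port host:hostport' (or RemoteForward).
    The two arguments are joined with ':' and fed to the -L/-R parser, so a bind
    address glued to the second argument lands in the port slot and is rejected."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in ("LocalForward", "RemoteForward"):
        raise ValueError("expected '<Local|Remote>Forward listen target'")
    return parse_forward(parts[1] + ":" + parts[2])


def requested_bind(bind_address: Optional[str], client_gateway_ports: str = "no") -> str:
    """Address the client binds (-L) or asks the server for (-R) when none is
    given: the client's own GatewayPorts picks all interfaces ("") or loopback."""
    if bind_address is not None:
        return bind_address
    return "" if client_gateway_ports == "yes" else "localhost"


def effective_scope(requested: str, side: str, server_gateway_ports: str = "no") -> str:
    """Where the listener ends up. The client honors the request as given; for a
    remote forward the server's GatewayPorts decides (assumed rules, see lead-in)."""
    if side == "server":
        if server_gateway_ports == "yes":
            return "all interfaces"
        if server_gateway_ports != "clientspecified":
            return "loopback"
    if requested in ("", "*"):
        return "all interfaces"
    return "loopback" if requested == "localhost" else requested


def audit_config(text: str, client_gateway_ports: str = "no",
                 server_gateway_ports: str = "no") -> List[Tuple[str, int, str]]:
    """(keyword, listen port, scope) for each forward in an ssh_config fragment."""
    report = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("LocalForward", "RemoteForward"):
            continue
        fwd = parse_forward_keyword(line)
        side = "client" if parts[0] == "LocalForward" else "server"
        scope = effective_scope(requested_bind(fwd.bind_address, client_gateway_ports),
                                side, server_gateway_ports)
        report.append((parts[0], fwd.listen_port, scope))
    return report


# Constructed ssh_config fragment for the demo, not taken from any real host.
SAMPLE_CONFIG = """\
LocalForward 192.168.100.66:2001 localhost:143
RemoteForward 192.168.100.66:2001 localhost:143
LocalForward 8080 localhost:80
"""
```

Running audit_config(SAMPLE_CONFIG) against the fragment reports the first forward bound to 192.168.100.66 and the other two on loopback; passing server_gateway_ports="clientspecified" moves the RemoteForward entry to 192.168.100.66 as well, which is the quickest way to see which settings expose a forwarding off-host before you rely on it.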

The sftp client now supports command-line history and editing using Emacs-like keystrokes. You'll need the libedit library installed on your computer, available from http://sourceforge.net/projects/libedit. This feature is enabled at compile time with the configure flag --with-libedit.