Contributed by rueda on from the token-refusal dept.
Development of important software sometimes happens without fanfare. If not for one of our editors noticing by watching commits, we would have missed the fact that Damien Miller (djm@) recently added a couple of notable features to OpenSSH:
- First, there's a new ssh(1) configuration directive, RefuseConnection:

      CVSROOT:        /cvs
      Module name:    src
      Changes by:     djm@cvs.openbsd.org    2025/07/22 23:07:19

      Modified files:
          usr.bin/ssh : readconf.c ssh_config.5

      Log message:
      add a ssh_config RefuseConnection option that, when encountered while
      processing an active section in a configuration file, terminates
      ssh(1) with an error message that contains the argument to the
      option.

      This may be useful for expressing reminders or warnings in config
      files, for example:

      Match host foo
          RefuseConnection "foo is deprecated, use splork instead"

      ok djg

- Next up, it is now possible to use Ed25519 keys hosted on PKCS#11 tokens:

      CVSROOT:        /cvs
      Module name:    src
      Changes by:     djm@cvs.openbsd.org    2025/07/25 19:51:44

      Modified files:
          usr.bin/ssh : ssh-pkcs11.c

      Log message:
      Support ed25519 keys hosted on PKCS#11 tokens. Tested on Yubikeys
      and against SoftHSM2.

      feedback/ok tb@

Both are important features that make OpenSSH even more usable. We will keep watching commits, and hope that you do too, and report on new developments.