Enable indirect branch tracking (IBT) on amd64 and branch target identification (BTI) on arm64 in both the kernel and in userland. On hardware that supports this feature, it helps enforce control-flow integrity by ensuring malicious code cannot jump into the middle of a function.
On the arm64 architecture, enable pointer authentication (PAC) in userland on those machines where it works correctly. It helps enforce control-flow integrity by ensuring malicious code cannot manipulate a function's return address.
Together with retguard, these two features protect against ROP attacks. Compiler defaults for base clang, ports clang and ports gcc (as well as some other non-C language family compilers in ports) have been changed to enable these features by default. As a result, the vast majority of programs on OpenBSD (and all programs in the base system) run with these security features enabled.
OpenSSH 9.5 and OpenSSH 9.4
Potentially incompatible changes
ssh-keygen(1): generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014).
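As an added example (not part of the release notes or of OpenSSH itself), a small parser for the OpenSSH public-key wire format that reports each key's algorithm and size, which makes the Ed25519 size advantage concrete and flags keys that are not Ed25519. The sample keys are constructed dummies, not real keys, and the `audit` helper is my own name.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian, 0x00 prefix if high bit set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey_line(line: str) -> dict:
    """Parse one authorized_keys / .pub line into algorithm, key size in bits and blob length."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    algo, off = _read_string(blob, 0)
    if algo != fields[0].encode():
        raise ValueError("key type field does not match the encoded blob")
    if algo == b"ssh-ed25519":
        pk, off = _read_string(blob, off)          # RFC 8709: a 32-byte public key
        bits = len(pk) * 8
    elif algo == b"ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent
        n, off = _read_string(blob, off)           # modulus; its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
    else:
        bits = None
    return {"algo": algo.decode(), "bits": bits, "blob_bytes": len(blob)}


# Constructed sample keys (dummy key material, NOT real keys): one Ed25519, one RSA-2048.
ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)).decode() + " user@host"
RSA_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 1)).decode() + " user@host"


def audit(lines):
    """Return the algorithms of keys that are not Ed25519 (candidates for ssh-keygen -t ed25519)."""
    return [parse_pubkey_line(l)["algo"] for l in lines if parse_pubkey_line(l)["algo"] != "ssh-ed25519"]
```

Run it over an authorized_keys file to see that the Ed25519 blob is 51 bytes versus 279 for an RSA-2048 key.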
New features
ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake “chaff” keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.