What to expect from Debian/trixie #newintrixie
July 20th, 2025
Update on 2025-07-28: added note about Debian 13/trixie support for OpenVox (thanks, Ben Ford!)
Debian v13 with codename trixie is scheduled to be published as new stable release on 9th of August 2025.
I was the driving force at several of my customers to be well prepared for the upcoming stable release (my efforts for trixie started in August 2024). On the one hand, to make sure packages we care about are available and actually make it into the release. On the other hand, to ensure there are no severe issues that make it into the release and to get proper and working upgrades. So far everything is looking pretty well and working fine, the efforts seemed to have payed off. :)
As usual with major upgrades, there are some things to be aware of, and hereby I’m starting my public notes on trixie that might be worth for other folks. My focus is primarily on server systems and looking at things from a sysadmin perspective.
Further readings
As usual start at the official Debian release notes, make sure to especially go through What’s new in Debian 13 + issues to be aware of for trixie (strongly recommended read!).
Package versions
As a starting point, let’s look at some selected packages and their versions in bookworm vs. trixie as of 2025-07-20 (mainly having amd64 in mind):
| Package | bookworm/v12 | trixie/v13 |
|---|---|---|
| ansible | 2.14.3 | 2.19.0 |
| apache | 2.4.62 | 2.4.64 |
| apt | 2.6.1 | 3.0.3 |
| bash | 5.2.15 | 5.2.37 |
| ceph | 16.2.11 | 18.2.7 |
| docker | 20.10.24 | 26.1.5 |
| dovecot | 2.3.19 | 2.4.1 |
| dpkg | 1.21.22 | 1.22.21 |
| emacs | 28.2 | 30.1 |
| gcc | 12.2.0 | 14.2.0 |
| git | 2.39.5 | 2.47.2 |
| golang | 1.19 | 1.24 |
| libc | 2.36 | 2.41 |
| linux kernel | 6.1 | 6.12 |
| llvm | 14.0 | 19.0 |
| lxc | 5.0.2 | 6.0.4 |
| mariadb | 10.11 | 11.8 |
| nginx | 1.22.1 | 1.26.3 |
| nodejs | 18.13 | 20.19 |
| openjdk | 17.0 | 21.0 |
| openssh | 9.2p1 | 10.0p1 |
| openssl | 3.0 | 3.5 |
| perl | 5.36.0 | 5.40.1 |
| php | 8.2+93 | 8.4+96 |
| podman | 4.3.1 | 5.4.2 |
| postfix | 3.7.11 | 3.10.3 |
| postgres | 15 | 17 |
| puppet | 7.23.0 | 8.10.0 |
| python3 | 3.11.2 | 3.13.5 |
| qemu/kvm | 7.2 | 10.0 |
| rsync | 3.2.7 | 3.4.1 |
| ruby | 3.1 | 3.3 |
| rust | 1.63.0 | 1.85.0 |
| samba | 4.17.12 | 4.22.3 |
| systemd | 252.36 | 257.7-1 |
| unattended-upgrades | 2.9.1 | 2.12 |
| util-linux | 2.38.1 | 2.41 |
| vagrant | 2.3.4 | 2.3.7 |
| vim | 9.0.1378 | 9.1.1230 |
| zsh | 5.9 | 5.9 |
Misc unsorted
- The asterisk package once again didn’t make it into trixie (see #1031046)
- The new debian-repro-status package provides the identically named command-line tool debian-repro-status to query the reproducibility status of your installed Debian packages
- The Grml live system project provided further of their packages into Debian. Available as of trixie are now also grml-keyring (OpenPGP certificates used for signing the Grml repositories), grml-hwinfo (a tool which collects information of the hardware ) + grml-paste (command line interface for paste.debian.net)
- If you use pacemaker, be aware that its fence-agents package is now a transitional package. All the fence-agents got split into separate packages (fence-agents-$whatever). If you want to have all the fence-agents available, make sure to install the fence-agents-all package. If you have Recommends disabled, you definitely should be aware of this.
- usrmerge is finalized (also see dpkg warning issue in release notes)
- For an overview of the XMPP/Jabber situation in trixie see xmpp-team’s blog post
- The curl package now includes the wcurl command line tool, being a simple wrapper around curl to easily download files
apt
The new apt version 3.0 brings several new features, including:
- support for colors (f.e. green for installs/upgrades, yellow for downgrades, red for removals, can be disabled via ‐‐no-color, APT_NO_COLOR=1 or NO_COLOR=1 and customized via e.g. APT::Color::Action::Install “cyan”)
- organizes output in more readable sections and shows removals more prominently
- uses sequoia to verify signatures
- includes a new solver
- the new apt modernize-sources command converts /etc/apt/sources.list.d/*.list files into the new .sources format (AKA DEB822)
- the new apt distclean command removes all files under $statedir/lists except Release, Release.gpg, and InRelease (it can be used for example, when finalizing images distributed to users)
- new configuration option APT::NeverAutoRemove::KernelCount for keeping a configurable amount of kernels, f.e. setting APT::NeverAutoRemove::KernelCount 3 will keep 3 kernels (including the running, and most recent)
- new command line option ‐‐snapshot, and configuration option APT::Snapshot, controlling the snapshot chosen for archives with Snapshot: enable
- new command line option ‐‐update to run the update command before the specified command, like apt ‐‐update install zsh,
apt ‐‐update remove foobar or apt ‐‐update safe-upgrade - apt-key is gone, and there’s no replacement for it available (if you need an interface for listing present keys)
systemd
systemd got upgraded from v252.36-1~deb12u1 to 257.7-1 and there are lots of changes.
Be aware that systemd v257 has a new net.naming_scheme, v257 being PCI slot number is now read from firmware_node/sun sysfs file. The naming scheme based on devicetree aliases was extended to support aliases for individual interfaces of controllers with multiple ports. This might affect you, see e.g. #1092176 and #1107187, the Debian Wiki provides further useful information.
There are new systemd tools available:
- run0: temporarily and interactively acquire elevated or different privileges (serves a similar purpose as sudo)
- systemd-ac-power: Report whether we are connected to an external power source
- systemd-confext: Activates System Extension Images
- systemd-vpick: Resolve paths to ‘.v/’ versioned directories
- varlinkctl: Introspect with and invoke Varlink services
The tools provided by systemd gained several new options:
- busctl: new option ‐‐limit‐messages=NUMBER (Stop monitoring after receiving the specified number of message)
- hostnamectl: new option ‐j (same as ‐‐json=pretty on tty, ‐‐json=short otherwise)
- journalctl: new options ‐‐image‐policy=POLICY (Specify disk image dissection policy), ‐‐invocation=ID (Show logs from the matching invocation ID), ‐I (Show logs from the latest invocation of unit), ‐‐exclude-identifier=STRING (Hide entries with the specified syslog identifier),‐‐truncate-newline (Truncate entries by first newline character), ‐‐list-invocations (Show invocation IDs of specified unit), ‐‐list-namespaces (Show list of journal namespaces)
- kernel-install: new commands add‐all + list and plenty of new command line options
- localectl: new option ‐‐full (Do not ellipsize output)
- loginctl: new options ‐‐json=MODE (Generate JSON output for list-sessions/users/seats) + ‐j (Same as ‐‐json=pretty on tty, ‐‐json=short otherwise)
- networkctl: new commands edit FILES|DEVICES… (Edit network configuration files), cat [FILES|DEVICES…] (Show network configuration files), mask FILES… (Mask network configuration files) + unmask FILES… (Unmask network configuration files) + persistent-storage BOOL (Notify systemd-networkd if persistent storage is ready), and new options ‐‐no-ask-password (Do not prompt for password), ‐‐no-reload (Do not reload systemd-networkd or systemd-udevd after editing network config), ‐‐drop-in=NAME (Edit specified drop-in instead of main config file), ‐‐runtime (Edit runtime config files) + ‐‐stdin (Read new contents of edited file from stdin)
- systemctl” new commands list-paths [PATTERN] (List path units currently in memory, ordered by path), whoami [PID…] (Return unit caller or specified PIDs are part of), soft-reboot (Shut down and reboot userspace) + sleep (Put the system to sleep), and new options ‐‐capsule=NAME (Connect to service manager of specified capsule), ‐‐before (Show units ordered before with ‘list-dependencies’), ‐‐after (Show units ordered after with ‘list-dependencies’), ‐‐kill-value=INT (Signal value to enqueue), ‐‐no-warn (Suppress several warnings shown by default), ‐‐message=MESSAGE (Specify human readable reason for system shutdown), ‐‐image‐policy=POLICY (Specify disk image dissection policy), ‐‐reboot‐argument=ARG (Specify argument string to pass to reboot()), ‐‐drop-in=NAME (Edit unit files using the specified drop-in file name), ‐‐when=TIME (Schedule halt/power-off/reboot/kexec action after a certain timestamp) + ‐‐stdin (Read
new contents of edited file from stdin) - systemd-analyze” new commands architectures [NAME…] (List known architectures), smbios11 (List strings passed via SMBIOS Type #11), image-policy POLICY… (Analyze image policy string), fdstore SERVICE… (Show file descriptor store contents of service), malloc [D-BUS SERVICE…] (Dump malloc stats of a D-Bus service), has-tpm2 (Report whether TPM2 support is available), pcrs [PCR…] (Show TPM2 PCRs and their names) + srk [>FILE] (Write TPM2 SRK (to FILE)) and new options ‐‐no-legend (Disable column headers and hints in plot with either ‐‐table or ‐‐json=), ‐‐instance=NAME (Specify fallback instance name for template units), ‐‐unit=UNIT (Evaluate conditions and asserts of unit), ‐‐table (Output plot’s raw time data as a table), ‐‐scale-svg=FACTOR (Stretch x-axis of plot by FACTOR (default: 1.0)), ‐‐detailed (Add more details to SVG plot), ‐‐tldr (Skip comments and empty lines), ‐‐image
-policy=POLICY (Specify disk image dissection policy) + ‐‐mask (Parse parameter as numeric capability mask) - systemd-ask-password: new options ‐‐user (Ask only our own user’s agents) + ‐‐system (Ask agents of the system and of all users)
- systemd-cat: new option ‐‐namespace=NAMESPACE (Connect to specified journal namespace)
- systemd-creds: new options ‐‐user (Select user-scoped credential encryption), ‐‐uid=UID (Select user for scoped credentials) + ‐‐allow-null (Allow decrypting credentials with empty key)
- systemd-detect-virt: new options ‐‐cvm (Only detect whether we are run in a confidential VM) + ‐‐list-cvm (List all known and detectable types of confidential virtualization)
- systemd-firstboot: new options ‐‐image-policy=POLICY (Specify disk image dissection policy), ‐‐kernel-command-line=CMDLINE (Set kernel command line) + ‐‐reset (Remove existing files)
- systemd-id128: new commands var-partition-uuid (Print the UUID for the /var/ partition) + show [NAME|UUID] (Print one or more UUIDs), and new options ‐‐no-pager (Do not pipe output into a pager), ‐‐no-legend (Do not show the headers and footers), ‐‐json=FORMAT (Output inspection data in JSON), ‐j (Equivalent to ‐‐json=pretty (on TTY) or ‐‐json=short (otherwise)) + ‐P ‐‐value (Only print the value)
- systemd-inhibit: new option ‐‐no-ask-password (Do not attempt interactive authorization)
- systemd-machine-id-setup: new option ‐‐image-policy=POLICY (Specify disk image dissection policy)
- systemd-mount: new options ‐‐json=pretty|short|off (Generate JSON output) + ‐‐tmpfs (Create a new tmpfs on the mount point)
- systemd-notify: new options ‐‐reloading (Inform the service manager about configuration reloading), ‐‐stopping (Inform the service manager about service shutdown), ‐‐exec (Execute command line separated by ‘;’ once done), ‐‐fd=FD (Pass specified file descriptor with along with message) + ‐‐fdname=NAME (Name to assign to passed file descriptor(s))
- systemd-path: new option ‐‐no-pager (Do not pipe output into a pager)
- systemd-run: new options ‐‐expand-environment=BOOL (Control expansion of environment variables), ‐‐json=pretty|short|off (Print unit name and invocation id as JSON), ‐‐ignore-failure (Ignore the exit status of the invoked process) + ‐‐background=COLOR (Set ANSI color for background)
- systemd-sysext: new options ‐‐mutable=yes|no|auto|import|ephemeral|ephemeral-import (Specify a mutability mode of the merged hierarchy), ‐‐no-reload (Do not reload the service manager), ‐‐image-policy=POLICY (Specify disk image dissection policy) + ‐‐noexec=BOOL (Whether to mount extension overlay with noexec)
- systemd-sysusers: new options ‐‐tldr (Show non-comment parts of configuration) + ‐‐image-policy=POLICY (Specify disk image dissection policy)
- systemd-tmpfiles: new command ‐‐purge(Delete files and directories marked for creation in specified configuration files (careful!)), and new options ‐‐user (Execute user configuration), ‐‐tldr (Show non-comment parts of configuration files), ‐‐graceful (Quietly ignore unknown users or groups), ‐‐image-policy=POLICY (Specify disk image dissection policy) + ‐‐dry-run (Just print what would be done)
- systemd-umount: new options ‐‐json=pretty|short|off (Generate JSON output) + ‐‐tmpfs (Create a new tmpfs on the mount point)
- timedatectl: new commands ntp-servers INTERFACE SERVER (Set the interface specific NTP servers) + revert INTERFACE (Revert the interface specific NTP servers) and new option ‐P NAME (Equivalent to ‐‐value ‐‐property=NAME)
Debian’s systemd ships new binary packages:
- systemd-boot-efi-amd64-signed (Tools to manage UEFI firmware updates (signed))
- systemd-boot-tools (simple UEFI boot manager – tools)
- systemd-cryptsetup (Provides cryptsetup, integritysetup and veritysetup utilities)
- systemd-netlogd (journal message forwarder)
- systemd-repart (Provides the systemd-repart and systemd-sbsign utilities)
- systemd-standalone-shutdown (standalone shutdown binary for use in exitrds)
- systemd-ukify (tool to build Unified Kernel Images)
Linux Kernel
The trixie release ships a Linux kernel based on latest longterm version 6.12. As usual there are lots of changes in the kernel area, including better hardware support, and this might warrant a separate blog entry. To highlight some changes with Debian trixie:
- New Debian package linux-bpf-dev, providing the header file for BPF CO-RE builds
- New Debian package intel-sdsi, Intel On Demand (SDSi) provisioning tool
- New Debian package virtme-ng, providing helper scripts to easily test a Linux kernel on a QEMU VM
- The kernel modules are installed xz compressed
- Several new syscalls, like cachestat, fchmodat2, futex_wake, futex_wait, futex_requeue, listmount, statmount, lsm_get_self_attr/lsm_set_self_attr/lsm_list_modules/, mseal + setxattrat/getxattrat/listxattrat/removexattrat
- New Integrity Policy Enforcement (IPE) LSM
- Plenty of changes in io_uring, including support for bind/listen
- support devices with a block size larger than system page sizes in the XFS filesystem + VFS
- ntfs driver was replaced by ntfs3
- Device Memory TCP for faster network device transfers
- Support for ‘perf ftrace profile’
- support for atomic write operations in the block layer
- FUSE pass-through for file I/O
- ability to prevent writes to block devices containing mounted filesystems
- support for data-type profiling in the perf tool
- Guest-first memory for KVM
- TCP Authentication Option Linux implementation [RFC5925]
- mount beneath support for filesystems
- new noswap mount option for tmpfs filesystems
- Linux NFS server gained support for RPC-with-TLS [RFC 9289 (Towards Remote Procedure Call Encryption by Default)]
- PLB (Protective Load Balancing) for IPv6 (PLB is a host based mechanism for load balancing across switch links)
See Kernelnewbies.org for further changes between kernel versions.
Configuration management
For puppet users, Debian provides the puppet-agent (v8.10.0), puppetserver (v8.7.0) and puppetdb (v8.4.1) packages. Puppet’s upstream does not provide packages for trixie, yet. Given how long it took them for Debian bookworm, and with their recent Plans for Open Source Puppet in 2025, it’s unclear when (and whether at all) we might get something. As a result of upstream behavior, also the OpenVox project evolved, and they already provide Debian 13/trixie support (https://apt.voxpupuli.org/openvox8-release-debian13.deb). FYI: the AIO puppet-agent package for bookworm (v7.34.0-1bookworm) so far works fine for me on Debian/trixie. Be aware that due to the apt-key removal you need a recent version of the puppetlabs-apt for usage with trixie. The puppetlabs-ntp module isn’t yet ready for trixie (regarding ntp/ntpsec), if you should depend on that.
ansible is available and made it with version 2.19 into trixie.
Prometheus stack
Prometheus server was updated from v2.42.0 to v2.53, and all the exporters that got shipped with bookworm are still around (in more recent versions of course). Trixie gained some new exporters:
- prometheus-dnsmasq-exporter
- prometheus-mysqlrouter-exporter
- prometheus-pgbackrest-exporter
- prometheus-pgbouncer-exporter
- prometheus-phpfpm-exporter
Virtualization
docker (v26.1.5), ganeti (v3.1.0), libvirt (v11.3.0, be aware of significant changes to libvirt packaging), lxc (v6.0.4), podman (v5.4.2), openstack (see openstack-team on Salsa), qemu/kvm (v10.0.2), xen (v4.20.0) are all still around.
Proxmox already announced their PVE 9.0 BETA, being based on trixie and providing 6.14.8-1 kernel, QEMU 10.0.2, LXC 6.0.4, OpenZFS 2.3.3.
Vagrant is available in version 2.3.7, but Vagrant upstream does not provide packages for trixie yet. Given that HashiCorp adopted the BSL, the future of vagrant in Debian is unclear.
If you’re relying on VirtualBox, be aware that upstream doesn’t provide packages for trixie, yet. VirtualBox is available from Debian/unstable (version 7.1.12-dfsg-1 as of 2025-07-20), but not shipped with stable release since quite some time (due to lack of cooperation from upstream on security support for older releases, see #794466). Be aware that starting with Linux kernel 6.12, KVM initializes virtualization on module loading by default. This prevents VirtualBox VMs from starting. In order to avoid this, either add “kvm.enable_virt_at_load=0” parameter into kernel command line or unload the corresponding kvm_intel / kvm_amd module.
If you want to use Vagrant with VirtualBox on trixie, be aware that Debian’s vagrant package as present in trixie doesn’t support the VirtualBox package version 7.1 as present in Debian/unstable (manually patching vagrant’s meta.rb and rebuilding the package without Breaks: virtualbox (>= 7.1) is known to be working).
util-linux
The are plenty of new options available in the tools provided by util-linux:
- blkdiscard: new option ‐‐quiet (suppress warning messages)
- blockdev: new options ‐‐getdiskseq (get disk sequence number) + ‐‐getzonesz (get zone size)
- dmesg: new option ‐‐kmsg-file … (use the file in kmsg format), new ‐‐time-format … argument ‘raw’
- findmnt: new options ‐‐list-columns (list the available columns), ‐‐dfi (imitate the output of df(1) with -i option), ‐‐id … (filter by mount node ID), ‐‐filter … (apply display filter) + ‐‐uniq-id … (filter by
mount node 64-bit ID) - fstrim: new option -types …. (limit the set of filesystem types)
- hardlink: new options ‐‐respect-dir (directory names have to be identical), ‐‐exclude-subtree … (regular expression to exclude directories), ‐‐prioritize-trees (files found in the earliest specified top-level directory have higher priority), ‐‐list-duplicates (print every group of duplicate files), ‐‐mount (stay within the same filesystem) + ‐‐zero (delimit output with NULs instead of newlines)
- ipcmk: new options ‐‐posix-shmem … (create POSIX shared memory segment of size), ‐‐posix-semaphore … (create POSIX semaphore), ‐‐posix-mqueue … (create POSIX message queue) + ‐‐name … (name of the POSIX resource)
- ipcrm: new options ‐‐posix-shmem … (remove POSIX shared memory segment by name), ‐‐posix-mqueue … (remove POSIX message queue by name), ‐‐posix-semaphore (remove POSIX semaphore by name) + ‐‐all=… (remove all in specified category)
- lsblk: new options ‐‐ct-filter … (restrict the next counter), ‐‐ct … (define a custom counter), ‐‐highlight … (colorize lines matching the expression), ‐‐list-columns (list the available columns), ‐‐nvme (output info about NVMe devices), ‐‐properties-by … (methods used to gather data), ‐‐filter … (print only lines matching the expression), ‐‐virtio (output info about virtio devices)
- lscpu: new options ‐‐raw (use raw output format (for -e, -p and -C)) + ‐‐hierarchic=… (use subsections in summary (auto, never, always))
- lsipc: new options ‐‐posix-shmems (POSIX shared memory segments), ‐‐posix-mqueues (POSIX message queues), ‐‐posix-semaphores (POSIX semaphores), ‐‐name … (POSIX resource identified by name)
- lslocks: new option ‐‐list-columns (list the available columns)
- lslogins: new option ‐‐lastlog2 … (set an alternate path for lastlog2)
- lsns: new options ‐‐persistent (namespaces without processes), ‐‐filter … (apply display filter) + ‐‐list-columns (list the available columns)
- mkswap: new options ‐‐endianness=… (specify the endianness to use (native, little or big)), ‐‐offset … (specify the offset in the device), ‐‐size … (specify the size of a swap file in bytes) + ‐‐file (create a swap file)
- namei: ‐‐context (print any security context of each file)
- nsenter: new options ‐‐net-socket … (enter socket’s network namespace), ‐‐user-parent (enter parent user namespace), ‐‐keep-caps (retain capabilities granted in user namespaces), ‐‐env (inherit environment variables from tar get process) + ‐‐join-cgroup (join the cgroup of the target process)
- runuser: new option ‐‐no-pty (do not create a new pseudo-terminal)
- setarch: new option ‐‐show=… (show current or specific personality and exit)
- setpriv: new options ‐‐ptracer … (allow ptracing from the given process), ‐‐landlock-access … (add Landlock access), ‐‐landlock-rule … (add Landlock rule) + ‐‐seccomp-filter … (load seccomp filter from file)
- su: new option ‐‐no-pty (do not create a new pseudo-terminal)
- unshare: new option ‐‐load-interp … ( load binfmt definition in the namespace)
- whereis: new option -g (interpret name as glob (pathnames pattern))
- wipefs: new argument option feature for ‐‐backup=… option to specify directory (instead of default $HOME)
- zramctl: new option ‐‐algorithm-params … (algorithm parameters to use)
Now no longer present in util-linux as of trixie:
- addpart (tell the kernel about the existence of a specified partition): use partx instead
- delpart (tell the kernel to forget about a specified partition): use partx instead
- last (show a listing of last logged in users, binary got moved to wtmpdb), lastb (show a listing of last logged in users), mesg (control write access of other users to your terminal), utmpdump (dump UTMP and WTMP files in raw format): see Debian release notes for details
The following binaries got moved from util-linux to the util-linux-extra package:
- ctrlaltdel (set the function of the Ctrl-Alt-Del combination)
- mkfs.bfs (make an SCO bfs filesystem)
- fsck.cramfs + mkfs.cramfs (compressed ROM file system)
- fsck.minix + mkfs.minix (Minix filesystem)
- resizepart (tell the kernel about the new size of a partition)
And the util-linux-extra package also provides new tools:
- bits: convert bit masks from/to various formats
- blkpr: manage persistent reservations on a device
- coresched: manage core scheduling cookies for tasks
- enosys: utility to make syscalls fail with ENOSYS
- exch: atomically exchanges paths between two files
- fadvise: utility to use the posix_fadvise system call
- pipesz: set or examine pipe buffer sizes and optionally execute command.
- waitpid: utility to wait for arbitrary processes
OpenSSH
OpenSSH was updated from v9.2p1 to 10.0p1-5, so if you’re interested in all the changes, check out the release notes between those versions (9.3, 9.4, 9.5, 9.6, 9.7, 9.8, 9.9 + 10.0).
Let’s highlight some notable behavior changes in Debian:
- OpenSSH no longer supports DSA keys: see Debian’s release notes for further details
- openssh-server no longer reads ~/.pam_environment: see Debian’s release notes for further details
There are some notable new features:
- allow forwarding Unix Domain sockets via ssh -W
- OpenSSH penalty behavior: visit my separate blog post for more details
- add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported.
- the new hybrid post-quantum algorithm mlkem768x25519-sha256 (based on the FIPS 203 Module-Lattice Key Encapsulation mechanism (ML-KEM) combined with X25519 ECDH) is now used by default for key agreement. This algorithm is considered to be safe against attack by quantum computers, is guaranteed to be no less strong than the popular curve25519-sha256 algorithm, has been standardised by NIST and is considerably faster than the previous default.
- the ssh-agent will now delete all loaded keys when signaled with SIGUSR1. This allows deletion of keys without having access to $SSH_AUTH_SOCK.
- support systemd-style socket activation in ssh-agent using the LISTEN_PID/LISTEN_FDS mechanism. Activated when these environment variables are set, the agent is started with the -d or -D option and no socket path is set.
- add a sshd -G option that parses and prints the effective configuration without attempting to load private keys and perform other checks. (This allows usage of the option before keys have been generated and for configuration evaluation and verification by unprivileged users.)
- add support for configuration tags to ssh(1). This adds a ssh_config(5) “Tag” directive and corresponding “Match tag” predicate that may be used to select blocks of configuration.
- add a “match localnetwork” predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location.
- add a %j token that expands to the configured ProxyJump hostname
- add support for “Match sessiontype” to ssh_config. Allows matching on the type of session initially requested, either “shell” for interactive sessions, “exec” for command execution sessions, “subsystem” for subsystem requests, such as sftp, or “none” for transport/forwarding-only sessions.
- allow glob(3) patterns to be used in sshd_config AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
Thanks to everyone involved in the release, looking forward to trixie + and happy upgrading!
Let’s continue with working towards Debian/forky. :)
