OpenSSH 7.5 has just been released. It will be available from the mirrors listed at openssh.com shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: openssh.com/donations.html Future deprecation notice ======================== We plan on retiring more legacy cryptography in future releases, specifically: * In the next major release (expected June-August), removing remaining support for the SSH v.1 protocol (currently client-only and compile- time disabled). * In the same release, removing support for Blowfish and RC4 ciphers and the RIPE-MD160 HMAC. (These are currently run-time disabled). * In the same release, removing the remaining CBC ciphers from being offered by default in the client (These have not been offered in sshd by default for several years). * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits) This list reflects our current intentions, but please check the final release notes for future releases. Potentially-incompatible changes =============================== This release includes a number of changes that may affect existing configurations: * This release deprecates the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. * The format of several log messages emitted by the packet code has changed to include additional information about the user and their authentication state. Software that monitors ssh/sshd logs may need to account for these changes. For example: Connection closed by user x 1.1.1.1 port 1234 [preauth] Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth] Connection closed by invalid user x 1.1.1.1 port 1234 [preauth] Affected messages include connection closure, timeout, remote disconnection, negotiation failure and some other fatal messages generated by the packet code. * [Portable OpenSSH only] This version removes support for building against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting versions prior to 1.0.1 over 12 months ago (i.e. they no longer receive fixes for security bugs). Changes since OpenSSH 7.4 ======================== This is a bugfix release. Security -------- * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd offers them as lowest-preference options and will remove them by default entriely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London. * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making a recursive file transfer could be maniuplated by a hostile server to perform a path-traversal attack. creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero. New Features ------------ * ssh(1), sshd(8): Support "=-" syntax to easily remove methods from algorithm lists, e.g. Ciphers=-*cbc. bz#2671 Bugfixes -------- * sshd(1): Fix NULL dereference crash when key exchange start messages are sent out of sequence. * ssh(1), sshd(8): Allow form-feed characters to appear in configuration files. * sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs extension, where SHA2 RSA signature methods were not being correctly advertised. bz#2680 * ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in known_hosts processing. bz#2591 bz#2685 * ssh(1): Allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key. bz#2617 * ssh(1): When updating hostkeys using the UpdateHostKeys option, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and not the old ssh-rsa method. bz#2650 * ssh(1): Detect and report excessively long configuration file lines. bz#2651 * Merge a number of fixes found by Coverity and reported via Redhat and FreeBSD. Includes fixes for some memory and file descriptor leaks in error paths. bz#2687 * ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692 * ssh(1), sshd(8): When logging long messages to stderr, don't truncate "\r\n" if the length of the message exceeds the buffer. bz#2688 * ssh(1): Fully quote [host]:port in generated ProxyJump/-J command- line; avoid confusion over IPv6 addresses and shells that treat square bracket characters specially. * ssh-keygen(1): Fix corruption of known_hosts when running "ssh-keygen -H" on a known_hosts containing already-hashed entries. * Fix various fallout and sharp edges caused by removing SSH protocol 1 support from the server, including the server banner string being incorrectly terminated with only \n (instead of \r\n), confusing error messages from ssh-keyscan bz#2583 and a segfault in sshd if protocol v.1 was enabled for the client and sshd_config contained references to legacy keys bz#2686. * ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683 * sshd(8): Fix Unix domain socket forwarding for root (regression in OpenSSH 7.4). * sftp(1): Fix division by zero crash in "df" output when server returns zero total filesystem blocks/inodes. * ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors encountered during key loading to more meaningful error codes. bz#2522 bz#2523 * ssh-keygen(1): Sanitise escape sequences in key comments sent to printf but preserve valid UTF-8 when the locale supports it; bz#2520 * ssh(1), sshd(8): Return reason for port forwarding failures where feasible rather than always "administratively prohibited". bz#2674 * sshd(8): Fix deadlock when AuthorizedKeysCommand or AuthorizedPrincipalsCommand produces a lot of output and a key is matched early. bz#2655 * Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659 * ssh(1): Fix typo in ~C error message for bad port forward cancellation. bz#2672 * ssh(1): Show a useful error message when included config files can't be opened; bz#2653 * sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page (previously incorrectly) advertised. bz#2637 * sshd_config(5): Repair accidentally-deleted mention of %k token in AuthorizedKeysCommand; bz#2656 * sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665 * ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common 32-bit compatibility library directories. * sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME response handling. * ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys. It was not possible to delete them except by specifying their full physical path. bz#2682 Portability ----------- * sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor. * sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg inspection. * ssh(1): Fix X11 forwarding on OSX where X11 was being started by launchd. bz#2341 * ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that contain non-printable characters where the codeset in use is ASCII. * build: Fix builds that attempt to link a kerberised libldns. bz#2603 * build: Fix compilation problems caused by unconditionally defining _XOPEN_SOURCE in wide character detection. * sshd(8): Fix sandbox violations for clock_gettime VSDO syscall fallback on some Linux/X32 kernels. bz#2142 Checksums: ========= - SHA1 (openssh-7.5.tar.gz) = 81384df377e38551f7659a4c250383d0bbd25341 - SHA1 (openssh-7.5p1.tar.gz) = 5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd - SHA256 (openssh-7.5.tar.gz) = Gmk8jOdGdKa7NixUN5J+bTMfeum5Vx8Nv+leAdQNq3U - SHA256 (openssh-7.5p1.tar.gz) = mEbjxfq58FR0ALTSwBeZL5FCIrP9H47ubH3GvF5Z+fA Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE_KEY.asc from the mirror sites. Reporting Bugs: ============== - Please read openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
20.03.2017, 16:41, Damien Miller:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at openssh.com shortly.API/ABI changes review for 7.5p1 vs 7.4p1: abi-laboratory.pro/tracker/compat_report/openssh/7.4p1/7.5p1/96f83/abi_compat_report.html API/ABI changes timeline: abi-laboratory.pro/tracker/timeline/openssh Thank you.
On 03/20/2017 02:31 PM, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at openssh.com shortly. > > > Security > -------- > > * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures > that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. > Note that the OpenSSH client disables CBC ciphers by default, sshd > offers them as lowest-preference options and will remove them by > default entriely in the next release. Reported by Jean Paul > Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of > Royal Holloway, University of London.Can we get some clarification on this CBC weakness from you or from the reporters? There is no update in the security page according to this security issue. So far I understood that the CBC modes are disabled because we have better ciphers to choose from. Also I still have understanding that any of the attacks presented so far were not feasible. Did it change? If I see right, the change related to this record is below, but the real effects are not clear even from the commit message: github.com/openssh/openssh-portable/commit/0fb1a617 Thanks, -- Jakub Jelen Software Engineer Security Technologies Red Hat
On Tue, 21 Mar 2017, Jakub Jelen wrote:> On 03/20/2017 02:31 PM, Damien Miller wrote: > > OpenSSH 7.5 has just been released. It will be available from the > > mirrors listed at openssh.com shortly. > > > > > > Security > > -------- > > > > * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures > > that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. > > Note that the OpenSSH client disables CBC ciphers by default, sshd > > offers them as lowest-preference options and will remove them by > > default entriely in the next release. Reported by Jean Paul > > Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of > > Royal Holloway, University of London. > > Can we get some clarification on this CBC weakness from you or from the > reporters? There is no update in the security page according to this security > issue.I've asked Kenny Paterson if he has some details he can share. Otherwise I'll write something up. The impact is similar to the original CBC padding attack: openssh.com/txt/cbc.adv isg.rhul.ac.uk/~kp/SandPfinal.pdf> So far I understood that the CBC modes are disabled because we have better > ciphers to choose from. Also I still have understanding that any of the > attacks presented so far were not feasible. Did it change?They're borderline feasible in the case of client/server pairs that retry endlessly and carry private data. IIRC the cost of mounting the attack is in the order of hundreds of thousands of disrupted connections per word pilfered. The main thing that convinced us to un-default the remaining CBC ciphers in the next release is that the countermeasures code has needed repair multiple times. IMO this is a signal that we're wasting effort on something that is 1) providing a false sense of security and 2) keeping CBC on life-support in the wider SSH ecosystem when we should be pulling the plug. -d
On 2017-03-21, Andrey Ponomarenko <andrewponomarenko at yandex.ru> wrote:> 20.03.2017, 16:41, Damien Miller: >> OpenSSH 7.5 has just been released. It will be available from the >> mirrors listed at openssh.com shortly. > > API/ABI changes review for 7.5p1 vs 7.4p1: abi-laboratory.pro/tracker/compat_report/openssh/7.4p1/7.5p1/96f83/abi_compat_report.html > > API/ABI changes timeline: abi-laboratory.pro/tracker/timeline/openssh > > Thank you.This is an internal-only library, on OpenBSD only the static libssh.a is built and it's not installed... Is some OS providing this as a shared library?
On Mon, Mar 20, 2017 at 07:31:35AM -0600, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at openssh.com shortly.I don't see the usual V_7_5_P1 tag in git. Did somebody forget to push that? Thanks as ever, -- Colin Watson [cjwatson at debian.org]
Hi, I got a report on the Cygwin mailing list in terms of deprecating the privsep option. It seems one consequence is that you can't run sshd under a non-privileged account for personal use anymore: ----- Forwarded message from Lionel Fourquaux -----> * This release deprecates the sshd_config UsePrivilegeSeparation > option, thereby making privilege separation mandatory.This has (probably not wholly intended) consequences when running sshd in single user (non root) mode: $ /usr/sbin/sshd -D -f ~/.ssh/sshd_config Privilege separation user sshd does not exist The problem is not limited to Cygwin, but is unlikely to happen in a typical Unix, since ssh is probably installed globally. If Cygwin was installed without administrative privileges, creating a dedicated sshd user would be impossible (and makes little sense if sshd runs in single user mode, anyway). I guess it would be possible to add a fake user account in /etc/passwd. Since user sshd and chroot /var/empty are not used in single user mode, it might be better to remove the check in this case: === cut after ==diff --git a/sshd.c b/sshd.c index 010a2c3..4f9b2c8 100644 --- a/sshd.c +++ b/sshd.c @@ -1641,7 +1641,8 @@ main(int ac, char **av) /* Store privilege separation user for later use if required. */ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { - if (use_privsep || options.kerberos_authentication) + if ((use_privsep || options.kerberos_authentication) + && (getuid() == 0 || geteuid() == 0)) fatal("Privilege separation user %s does not exist", SSH_PRIVSEP_USER); } else { @@ -1767,7 +1768,7 @@ main(int ac, char **av) key_type(key)); } - if (use_privsep) { + if (use_privsep && (getuid() == 0 || geteuid() == 0)) { struct stat st; if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || === cut before == Best regards, -- Lionel ----- End forwarded message ----- Is there a chance this could be reenabled again? Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/09b912fb/attachment.bin>
Hello, You seem to be saying that in 7.5, sshd can no longer be run under an ordinary user account. Is that accurate? I use sshd running under a user account in Debian Jessie to allow tunnels from remote devices. That capability is crucial to my application. Any comments would be appreciated. Jack Dodds Corinna Vinschen <vinschen at redhat.com> wrote:> Hi, > > I got a report on the Cygwin mailing list in terms of > deprecating the privsep option. It seems one consequence is > that you can't run sshd under a non-privileged account for > personal use anymore: > > ----- Forwarded message from Lionel Fourquaux ----- > > * This release deprecates the sshd_config UsePrivilegeSeparation > > option, thereby making privilege separation mandatory. > > This has (probably not wholly intended) consequences when > running sshd in single user (non root) mode: > > $ /usr/sbin/sshd -D -f ~/.ssh/sshd_config > Privilege separation user sshd does not exist > > The problem is not limited to Cygwin, but is unlikely to happen > in a typical Unix, since ssh is probably installed globally. > > If Cygwin was installed without administrative privileges, > creating a dedicated sshd user would be impossible (and makes > little sense if sshd runs in single user mode, anyway). I guess > it would be possible to add a fake user account in /etc/passwd. > > Since user sshd and chroot /var/empty are not used in single > user mode, it might be better to remove the check in this case: > > === cut after ==> diff --git a/sshd.c b/sshd.c > index 010a2c3..4f9b2c8 100644 > --- a/sshd.c > +++ b/sshd.c > @@ -1641,7 +1641,8 @@ main(int ac, char **av) > > /* Store privilege separation user for later use if required. */ > if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { > - if (use_privsep || options.kerberos_authentication) > + if ((use_privsep || options.kerberos_authentication) > + && (getuid() == 0 || geteuid() == 0)) > fatal("Privilege separation user %s does not exist", > SSH_PRIVSEP_USER); > } else { > @@ -1767,7 +1768,7 @@ main(int ac, char **av) > key_type(key)); > } > > - if (use_privsep) { > + if (use_privsep && (getuid() == 0 || geteuid() == 0)) { > struct stat st; > > if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || > === cut before ==> > Best regards, > > -- Lionel > ----- End forwarded message ----- > > Is there a chance this could be reenabled again? > > > Thanks, > Corinna > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > lists.mindrot.org/mailman/listinfo/openssh-unix-dev-------------- next part -------------- A non-text attachment was scrubbed... Name: Encryption key for Jack Dodds.asc Type: application/pgp-keys Size: 1702 bytes Desc: not available URL: <lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/2441bf19/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP Digital Signature URL: <lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/2441bf19/attachment-0001.bin>
On 03/20/2017 02:31 PM, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at openssh.com shortly. > [...] > * [Portable OpenSSH only] This version removes support for building > against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting > versions prior to 1.0.1 over 12 months ago (i.e. they no longer > receive fixes for security bugs).This causes configure to fail on SLES 11 sp3 LTSS. SUSE backports security fixes for openssl 0.9.8 until 2019. I have found the corresponding git commit which changes configure.ac, and would like to undo it. Apart from the concern that upstream at openssl stopped supporting 0.9.8, are there any other reasons behind this change (new dependencies on 1.0.1 which are not checked elsewhere)? kind regards, Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5254 bytes Desc: S/MIME Cryptographic Signature URL: <lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170327/8e6a71bb/attachment-0001.bin>
On Mon, Mar 27, 2017 at 9:20 PM, Martin Hecht <hecht at hlrs.de> wrote:> [...] > This causes configure to fail on SLES 11 sp3 LTSS. SUSE backports > security fixes for openssl 0.9.8 until 2019. > I have found the corresponding git commit which changes configure.ac, > and would like to undo it.You're welcome to do so however if it breaks you get to keep both pieces.> Apart from the concern that upstream at > openssl stopped supporting 0.9.8, are there any other reasons behind > this change (new dependencies on 1.0.1 which are not checked elsewhere)? >Given that support was removed late in the development cycle and it was tested with older versions up until then I would guess 7.5p1 might still work. Beyond that, there's a bunch of compatibility shims in openbsd-compat/openssl-compat.{c,h} and a couple of ifdef OPENSSL_VERSION_NUMBER sprinkled in the code which I would expect to be removed in future. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On 20/03/17 14:31, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at openssh.com shortly. >I'm seeing an error in the testsuite on Solaris 2.6: test_utf8: ........................ regress/unittests/utf8/tests.c:48 test #25 "c_esc" ASSERT_INT_EQ(len, wantlen) failed: len = -1 wantlen = 5 I seems this might be related to the fact that on Solaris < 7 nl_langinfo(CODESET) returns an empty string when the codeset is ASCII. To verify I put together a small testprogram that does a setlocale followed by nl_langinfo(CODESET) and for the 'C' locale it returns an empty string while 'da' returns ISO8859-1 as expected. -tgc
On Fri, 24 Mar 2017, Colin Watson wrote:> On Mon, Mar 20, 2017 at 07:31:35AM -0600, Damien Miller wrote: > > OpenSSH 7.5 has just been released. It will be available from the > > mirrors listed at openssh.com shortly. > > I don't see the usual V_7_5_P1 tag in git. Did somebody forget to push > that?Yes, I forgot. Pushed now.
Tom G. Christensen
2017-Mar-31 19:30 UTC
testsuite error on Solaris 2.6 [Re: Announce: OpenSSH 7.5 released]
On 27/03/17 17:06, Tom G. Christensen wrote:> On 20/03/17 14:31, Damien Miller wrote: >> OpenSSH 7.5 has just been released. It will be available from the >> mirrors listed at openssh.com shortly. >> > > I'm seeing an error in the testsuite on Solaris 2.6: > test_utf8: ........................ > regress/unittests/utf8/tests.c:48 test #25 "c_esc" > ASSERT_INT_EQ(len, wantlen) failed: > len = -1 > wantlen = 5 > > > It seems this might be related to the fact that on Solaris < 7 > nl_langinfo(CODESET) returns an empty string when the codeset is ASCII. > > To verify I put together a small testprogram that does a setlocale > followed by nl_langinfo(CODESET) and for the 'C' locale it returns an > empty string while 'da' returns ISO8859-1 as expected. >I worked some more on this and comparing locales and their codesets between Solaris 2.6 and 7 I'm reasonably sure that an empty codeset value means ascii on Solaris 2.6. So to ensure proper operation and get rid of the error in the testsuite I've added "" as a valid alias for ascii in dangerous_locales(). With this change in place the testsuite runs with no errors. -tgc