Hi,
OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable
Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:
$ ./configure && make tests
Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.
Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.
Thanks to the many people who contributed to this release.
Security
=======
* Portable sshd(8): Prevent excessively long username going to PAM.
This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations. This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some
other PAM application. GHPR#212
Potentially-incompatible changes
===============================
This release includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): this release changes the first-preference signature
algorithm from ECDSA to ED25519.
* ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
for interactive use prior to TCP connect. The connection phase of
the SSH session is time-sensitive and often explicitly interactive.
The ultimate interactive/bulk TOS/DSCP will be set after
authentication completes.
* ssh(1), sshd(8): remove the pre-standardization cipher
rijndael-cbc at lysator.liu.se. It is an alias for aes256-cbc before
it was standardized in RFC4253 (2006), has been deprecated and
disabled by default since OpenSSH 7.2 (2016) and was only briefly
documented in ssh.1 in 2001.
* ssh(1), sshd(8): update/replace the experimental post-quantum
hybrid key exchange method based on Streamlined NTRU Prime coupled
with X25519.
The previous sntrup4591761x25519-sha512 at tinyssh.org method is
replaced with sntrup761x25519-sha512 at openssh.com. Per its
designers, the sntrup4591761 algorithm was superseded almost two
years ago by sntrup761.
(note this both the updated method and the one that it replaced are
disabled by default)
* ssh(1): disable CheckHostIP by default. It provides insignificant
benefits while making key rotation significantly more difficult,
especially for hosts behind IP-based load-balancers.
Changes since OpenSSH 8.4
========================
New features
------------
* ssh(1): this release enables UpdateHostkeys by default subject to
some conservative preconditions:
- The key was matched in the UserKnownHostsFile (and not in the
GlobalKnownHostsFile).
- The same key does not exist under another name.
- A certificate host key is not in use.
- known_hosts contains no matching wildcard hostname pattern.
- VerifyHostKeyDNS is not enabled.
We expect some of these conditions will be modified or relaxed in
future.
* ssh(1), sshd(8): add a new LogVerbose configuration directive for
that allows forcing maximum debug logging by file/function/line
pattern-lists.
* ssh(1): when prompting the user to accept a new hostkey, display
any other host names/addresses already associated with the key.
* ssh(1): allow UserKnownHostsFile=none to indicate that no
known_hosts file should be used to identify host keys.
* ssh(1): add a ssh_config KnownHostsCommand that allows the client
to obtain known_hosts data from a command in addition to the usual
files.
* ssh(1): for FIDO keys, if a signature operation fails with a
"incorrect PIN" reason and no PIN was initially requested from the
user, then request a PIN and retry the operation. This supports
some biometric devices that fall back to requiring PIN when reading
of the biometric failed, and devices that require PINs for all
hosted credentials.
* sshd(8): implement client address-based rate-limiting via new
sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
directives that fine-grained control than the global MaxStartups
limit.
Bugfixes
--------
* ssh(1): Prefix keyboard interactive prompts with "(user at host)"
to
make it easier to determine which connection they are associated
with in cases like scp -3, ProxyJump, etc. bz#3224
* sshd(8): fix sshd_config SetEnv directives located inside Match
blocks. GHPR#201
* ssh(1): when requesting a FIDO token touch on stderr, inform the
user once the touch has been recorded.
* ssh(1): prevent integer overflow when ridiculously large
ConnectTimeout values are specified, capping the effective value
(for most platforms) at 24 days. bz#3229
* ssh(1): consider the ECDSA key subtype when ordering host key
algorithms in the client,
* ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
that it control allowed key algorithms, when this option actually
specifies the signature algorithms that are accepted. The previous
name remains available as an alias. bz#3253
* ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
* sftp-server(8): add missing lsetstat at openssh.com documentation
and advertisement in the server's SSH2_FXP_VERSION hello packet.
* ssh(1), sshd(8): more strictly enforce KEX state-machine by
banning packet types once they are received. Fixes memleak caused
by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
* sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
platforms instead of being limited by LONG_MAX. bz#3206
* Minor man page fixes (capitalization, commas, etc.) bz#3223
* sftp(1): when doing an sftp recursive upload or download of a
read-only directory, ensure that the directory is created with
write and execute permissions in the interim so that the transfer
can actually complete, then set the directory permission as the
final step. bz#3222
* ssh-keygen(1): document the -Z, check the validity of its argument
earlier and provide a better error message if it's not correct.
bz#2879
* ssh(1): ignore comments at the end of config lines in ssh_config,
similar to what we already do for sshd_config. bz#2320
* sshd_config(5): mention that DisableForwarding is valid in a
sshd_config Match block. bz3239
* sftp(1): fix incorrect sorting of "ls -ltr" under some
circumstances. bz3248.
* ssh(1), sshd(8): fix potential integer truncation of (unlikely)
timeout values. bz#3250
* ssh(1): make hostbased authentication send the signature algorithm
in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
This make HostbasedAcceptedAlgorithms do what it is supposed to -
filter on signature algorithm and not key type.
Portability
-----------
* sshd(8): add a number of platform-specific syscalls to the Linux
seccomp-bpf sandbox. bz#3232 bz#3260
* sshd(8): remove debug message from sigchld handler that could cause
deadlock on some platforms. bz#3259
* Sync contrib/ssh-copy-id with upstream.
* unittests: add a hostname function for systems that don't have it.
Some systems don't have a hostname command (it's not required by
POSIX). The do have uname -n (which is), but not all of those have
it report the FQDN.
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
On 2/23/21 2:46 AM, Damien Miller wrote:> * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to > PubkeyAcceptedAlgorithms. The previous name incorrectly suggested > that it control allowed key algorithms, when this option actually > specifies the signature algorithms that are accepted. The previous > name remains available as an alias. bz#3253There is still one place in the manual page that refers to this meaning as key types in last snap: commit c0a8a29c2487a2fcf83fdcd7a76cbdbe76fa7f73 Author: Jakub Jelen <jjelen at redhat.com> Date: Tue Feb 23 21:38:24 2021 +0100 sshd_config: Fix reference to algorithms as keys diff --git a/sshd_config.5 b/sshd_config.5 index 108027b5..6376db10 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -1517,7 +1517,7 @@ sk-ecdsa-sha2-nistp256 at openssh.com, rsa-sha2-512,rsa-sha2-256,ssh-rsa .Ed .Pp -The list of available key types may also be obtained using +The list of available signature algorithsm may also be obtained using .Qq ssh -Q PubkeyAcceptedAlgorithms . .It Cm PubkeyAuthOptions Sets one or more public key authentication options. Regards, -- Jakub Jelen Senior Software Engineer Crypto Team, Security Engineering Red Hat, Inc.
On 2021-02-23 at 12:46 +1100, Damien Miller wrote:> OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release.Ubuntu 20.04/amd64: all tests passed [openssh-SNAP-20210224.tar.gz]> * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to > PubkeyAcceptedAlgorithms. The previous name incorrectly suggested > that it control allowed key algorithms, when this option actually > specifies the signature algorithms that are accepted. The previous > name remains available as an alias. bz#3253Seeing this available in the server, something I'd somehow missed, led me to test it out. Not a regression but an existing issue (seen in 8.3p1), unknown if bug or comprehension issue but reporting now to fix either docs or code before release: # /etc/ssh/sshd_config: PubkeyAcceptedAlgorithms -ssh-rsa,-ssh-rsa-cert-*,-rsa* # command-line: sshd -T | grep -i '^PubkeyAcceptedKeyTypes' pubkeyacceptedkeytypes ssh-ed25519-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,rsa-sha2-512,rsa-sha2-256 So besides the option not being renamed or duplicated under both names for compatibility ... the glob removals don't work, and attempts to remove rsa-sha2-256 explicitly don't work here either. Something seems to be adding them back in? -Phil
On 2/23/21 2:46 AM, Damien Miller wrote:> Hi, > > OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release.Hi, could you also update the ssh-copy-id from Phil? https://gitlab.com/phil_hands/ssh-copy-id There were couple of commits since the last update that would be helpful to bring in. Added Phil to CC just to make sure there are no other things that he would like to merge before. There are just couple of issues related to the usage of the -s switch now. Regards, -- Jakub Jelen Senior Software Engineer Crypto Team, Security Engineering Red Hat, Inc.
On Feb 23 12:46, Damien Miller wrote:> Hi, > > OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release.Builds OOTB on Cygwin, all tests pass. Thanks, Corinna
Dear Damien, Is it still possible to include the ssh_config improvements which I proposed last Sunday on this mailing list? For your convenience, I also created a pull request: https://github.com/openssh/openssh-portable/pull/231 Best regards, Volker Damien Miller wrote:> Hi, > > OpenSSH 8.5p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Security > =======> > * Portable sshd(8): Prevent excessively long username going to PAM. > > This is a mitigation for a buffer overflow in Solaris' PAM username > handling (CVE-2020-14871), and is only enabled for Sun-derived PAM > implementations. This is not a problem in sshd itself, it only > prevents sshd from being used as a vector to attack Solaris' PAM. > It does not prevent the bug in PAM from being exploited via some > other PAM application. GHPR#212 > > Potentially-incompatible changes > ===============================> > This release includes a number of changes that may affect existing > configurations: > > * ssh(1), sshd(8): this release changes the first-preference signature > algorithm from ECDSA to ED25519. > > * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration > for interactive use prior to TCP connect. The connection phase of > the SSH session is time-sensitive and often explicitly interactive. > The ultimate interactive/bulk TOS/DSCP will be set after > authentication completes. > > * ssh(1), sshd(8): remove the pre-standardization cipher > rijndael-cbc at lysator.liu.se. It is an alias for aes256-cbc before > it was standardized in RFC4253 (2006), has been deprecated and > disabled by default since OpenSSH 7.2 (2016) and was only briefly > documented in ssh.1 in 2001. > > * ssh(1), sshd(8): update/replace the experimental post-quantum > hybrid key exchange method based on Streamlined NTRU Prime coupled > with X25519. > > The previous sntrup4591761x25519-sha512 at tinyssh.org method is > replaced with sntrup761x25519-sha512 at openssh.com. Per its > designers, the sntrup4591761 algorithm was superseded almost two > years ago by sntrup761. > > (note this both the updated method and the one that it replaced are > disabled by default) > > * ssh(1): disable CheckHostIP by default. It provides insignificant > benefits while making key rotation significantly more difficult, > especially for hosts behind IP-based load-balancers. > > Changes since OpenSSH 8.4 > ========================> > New features > ------------ > > * ssh(1): this release enables UpdateHostkeys by default subject to > some conservative preconditions: > - The key was matched in the UserKnownHostsFile (and not in the > GlobalKnownHostsFile). > - The same key does not exist under another name. > - A certificate host key is not in use. > - known_hosts contains no matching wildcard hostname pattern. > - VerifyHostKeyDNS is not enabled. > > We expect some of these conditions will be modified or relaxed in > future. > > * ssh(1), sshd(8): add a new LogVerbose configuration directive for > that allows forcing maximum debug logging by file/function/line > pattern-lists. > > * ssh(1): when prompting the user to accept a new hostkey, display > any other host names/addresses already associated with the key. > > * ssh(1): allow UserKnownHostsFile=none to indicate that no > known_hosts file should be used to identify host keys. > > * ssh(1): add a ssh_config KnownHostsCommand that allows the client > to obtain known_hosts data from a command in addition to the usual > files. > > * ssh(1): for FIDO keys, if a signature operation fails with a > "incorrect PIN" reason and no PIN was initially requested from the > user, then request a PIN and retry the operation. This supports > some biometric devices that fall back to requiring PIN when reading > of the biometric failed, and devices that require PINs for all > hosted credentials. > > * sshd(8): implement client address-based rate-limiting via new > sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize > directives that fine-grained control than the global MaxStartups > limit. > > Bugfixes > -------- > > * ssh(1): Prefix keyboard interactive prompts with "(user at host)" to > make it easier to determine which connection they are associated > with in cases like scp -3, ProxyJump, etc. bz#3224 > > * sshd(8): fix sshd_config SetEnv directives located inside Match > blocks. GHPR#201 > > * ssh(1): when requesting a FIDO token touch on stderr, inform the > user once the touch has been recorded. > > * ssh(1): prevent integer overflow when ridiculously large > ConnectTimeout values are specified, capping the effective value > (for most platforms) at 24 days. bz#3229 > > * ssh(1): consider the ECDSA key subtype when ordering host key > algorithms in the client, > > * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to > PubkeyAcceptedAlgorithms. The previous name incorrectly suggested > that it control allowed key algorithms, when this option actually > specifies the signature algorithms that are accepted. The previous > name remains available as an alias. bz#3253 > > * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and > HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. > > * sftp-server(8): add missing lsetstat at openssh.com documentation > and advertisement in the server's SSH2_FXP_VERSION hello packet. > > * ssh(1), sshd(8): more strictly enforce KEX state-machine by > banning packet types once they are received. Fixes memleak caused > by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). > > * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit > platforms instead of being limited by LONG_MAX. bz#3206 > > * Minor man page fixes (capitalization, commas, etc.) bz#3223 > > * sftp(1): when doing an sftp recursive upload or download of a > read-only directory, ensure that the directory is created with > write and execute permissions in the interim so that the transfer > can actually complete, then set the directory permission as the > final step. bz#3222 > > * ssh-keygen(1): document the -Z, check the validity of its argument > earlier and provide a better error message if it's not correct. > bz#2879 > > * ssh(1): ignore comments at the end of config lines in ssh_config, > similar to what we already do for sshd_config. bz#2320 > > * sshd_config(5): mention that DisableForwarding is valid in a > sshd_config Match block. bz3239 > > * sftp(1): fix incorrect sorting of "ls -ltr" under some > circumstances. bz3248. > > * ssh(1), sshd(8): fix potential integer truncation of (unlikely) > timeout values. bz#3250 > > * ssh(1): make hostbased authentication send the signature algorithm > in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. > This make HostbasedAcceptedAlgorithms do what it is supposed to - > filter on signature algorithm and not key type. > > Portability > ----------- > > * sshd(8): add a number of platform-specific syscalls to the Linux > seccomp-bpf sandbox. bz#3232 bz#3260 > > * sshd(8): remove debug message from sigchld handler that could cause > deadlock on some platforms. bz#3259 > > * Sync contrib/ssh-copy-id with upstream. > > * unittests: add a hostname function for systems that don't have it. > Some systems don't have a hostname command (it's not required by > POSIX). The do have uname -n (which is), but not all of those have > it report the FQDN. > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-- Volker Diels-Grabsch ----<<<((()))>>>----
In NetBSD-current, I get the following:
ok known hosts command
all t-exec passed
BUILDDIR=`pwd`; cd ./regress || exit $?; EGREP='/usr/bin/grep -E'
make .OBJDIR="${BUILDDIR}/regress" .CURDIR="`pwd`"
BUILDDIR="${BUILDDIR}" OBJ="${BUILDDIR}/regress/"
PATH="${BUILDDIR}:${PATH}" TEST_ENV=MALLOC_OPTIONS="AJRX"
TEST_MALLOC_OPTIONS="AJRX" TEST_SSH_SCP="${BUILDDIR}/scp"
TEST_SSH_SSH="${BUILDDIR}/ssh"
TEST_SSH_SSHD="${BUILDDIR}/sshd"
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"
TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"
TEST_SSH_SFTP="${BUILDDIR}/sftp"
TEST_SSH_PKCS11_HELPER="${BUILDDIR}/ssh-pkcs11-helper"
TEST_SSH_SK_HELPER="${BUILDDIR}/ssh-sk-helper"
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"
TEST_SSH_PLINK="plink" TEST_SSH_PUTTYGEN="puttygen"
TEST_SSH_CONCH="conch" TEST_SSH_IPV6="yes"
TEST_SSH_UTF8="yes" TEST_SSH_ECC="yes"
TEST_SHELL="sh" EXEEXT="" interop-tests && echo
all interop-tests pas!
sed
run test putty-transfer.sh ...
putty interop tests not enabled
run test putty-ciphers.sh ...
putty interop tests not enabled
run test putty-kex.sh ...
putty interop tests not enabled
run test conch-ciphers.sh ...
conch interop tests not enabled
all interop-tests passed
cc -o regress/misc/kexfuzz/kexfuzz -L. -Lopenbsd-compat/ -Wl,-z,relro
-Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong
regress/misc/kexfuzz/kexfuzz.o ssh-sk-client.o -lssh -lopenbsd-compat -lssh
-lopenbsd-compat -lcrypt -lcrypto -lutil -lz
ld: regress/misc/kexfuzz/kexfuzz.o: in function `do_send_and_receive':
/home/htodd/openssh/regress/misc/kexfuzz/kexfuzz.c:117: undefined reference to
`debug'
ld: /home/htodd/openssh/regress/misc/kexfuzz/kexfuzz.c:121: undefined reference
to `debug'
ld: regress/misc/kexfuzz/kexfuzz.o: in function `run_kex':
/home/htodd/openssh/regress/misc/kexfuzz/kexfuzz.c:181: undefined reference to
`debug'
ld: /home/htodd/openssh/regress/misc/kexfuzz/kexfuzz.c:185: undefined reference
to `debug'
*** Error code 1
Stop.
make: stopped in /home/htodd/git/openssh
--
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee