Changes since OpenSSH 6.1
========================

This release introduces a number of new features:

Features:

 * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
   SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
   and aes256-gcm@openssh.com. It uses an identical packet format to the
   AES-GCM mode specified in RFC 5647, but uses simpler and different
   selection rules during key exchange.

 * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
   for SSH protocol 2. These modes alter the packet format and compute
   the MAC over the packet length and encrypted packet rather than over
   the plaintext data. These modes are considered more secure and are
   used by default when available.

 * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
   "umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter
   being an encrypt-then-mac mode.

 * sshd(8): Added support for multiple required authentication in SSH
   protocol 2 via an AuthenticationMethods option. This option lists
   one or more comma-separated lists of authentication method names.
   Successful completion of all the methods in any list is required for
   authentication to complete. This allows, for example, requiring a
   user having to authenticate via public key or GSSAPI before they
   are offered password authentication.

 * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists
   (KRLs), a compact binary format to represent lists of revoked keys
   and certificates that take as little as one bit per certificate when
   revoking by serial number. KRLs may be generated using ssh-keygen(1)
   and are loaded into sshd(8) via the existing RevokedKeys sshd_config
   option.

 * ssh(1): IdentitiesOnly now applies to keys obtained from a
   PKCS11Provider. This allows control of which keys are offered from
   tokens using IdentityFile.

 * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local"
   and "remote" in addition to its previous "yes"/"no" keywords to allow
   the server to specify whether just local or remote TCP forwarding is
   enabled.

 * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
   support fetching authorized_keys from a command in addition to (or
   instead of) from the filesystem. The command is run under an account
   specified by an AuthorizedKeysCommandUser sshd_config(5) option.

 * sftp-server(8): Now supports a -d option to allow the starting
   directory to be something other than the user's home directory.

 * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
   tokens using "ssh-keygen -lD pkcs11_provider".

 * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1)
   now immediately sends its SSH protocol banner to the server without
   waiting to receive the server's banner, saving time when connecting.

 * ssh(1): Added ~v and ~V escape sequences to raise and lower the
   logging level respectively.

 * ssh(1): Made the escape command help (~?) context sensitive so that
   only commands that will work in the current session are shown.

 * ssh-keygen(1): When deleting host lines from known_hosts using
   "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines
   were removed.

Bugfixes:

 * ssh(1): Force a clean shutdown of ControlMaster client sessions when
   the ~. escape sequence is used. This means that ~. should now work in
   mux clients even if the server is no longer responding.

 * ssh(1): Correctly detect errors during local TCP forward setup in
   multiplexed clients. bz#2055

 * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with
   adding keys with respect to certificates. It now tries to delete the
   corresponding certificate and respects the -k option to allow deleting
   of the key only.

 * sftp(1): Fix a number of parsing and command-editing bugs, including
   bz#1956

 * ssh(1): When muxmaster is run with -N, ensured that it shuts down
   gracefully when a client sends it "-O stop" rather than hanging around.
   bz#1985

 * ssh-keygen(1): When screening moduli candidates, append to the file
   rather than overwriting to allow resumption. bz#1957

 * ssh(1): Record "Received disconnect" messages at ERROR rather than
   INFO priority. bz#2057.

 * ssh(1): Loudly warn if explicitly-provided private key is unreadable.
   bz#1981

Portable OpenSSH:

 * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM
   platforms where the kernel supports it.

 * sshd(8): The seccomp-filter sandbox will not be enabled if the system
   headers support it at compile time, regardless of whether it can be
   enabled then. If the run-time system does not support seccomp-filter,
   sshd will fall back to the rlimit pseudo-sandbox.

 * ssh(1): Don't link in the Kerberos libraries. They aren't necessary
   on the client, just on sshd(8). bz#2072

 * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI
   library. bz#2073

 * Fix compilation on systems with openssl-1.0.0-fips.

 * Fix a number of errors in the RPM spec files.

Checksums:
=========

 - SHA1 (openssh-6.2.tar.gz) = b3f6cd774d345f22f6d0038cc9464cce131a0676
 - SHA1 (openssh-6.2p1.tar.gz) = 8824708c617cc781b2bb29fa20bd905fd3d2a43d

Reporting Bugs:
==============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

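
The packet-format change described in the encrypt-then-mac item above, as an added Python sketch (not OpenSSH code, not part of the announcement). Assumptions: keystream_xor is a stand-in cipher, HMAC-SHA2-256 is used as the MAC, and the keys and payload are constructed.

```python
import hashlib
import hmac
import struct

def keystream_xor(key, data):
    """Stand-in stream cipher (SHA-256 in counter mode); NOT a real SSH cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def ssh_mac(key, seq, data):
    """HMAC-SHA2-256 over the 32-bit packet sequence number followed by data."""
    return hmac.new(key, struct.pack(">I", seq) + data, hashlib.sha256).digest()

def frame(payload, pad=8):
    """uint32 packet_length || byte padding_length || payload || padding."""
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body

def seal_classic(ek, mk, seq, packet):
    # Original layout: the length field is encrypted, the MAC covers the plaintext.
    return keystream_xor(ek, packet) + ssh_mac(mk, seq, packet)

def open_classic(ek, mk, seq, wire):
    # The receiver must decrypt untrusted bytes before it can check the MAC.
    packet, tag = keystream_xor(ek, wire[:-32]), wire[-32:]
    return packet if hmac.compare_digest(tag, ssh_mac(mk, seq, packet)) else None

def seal_etm(ek, mk, seq, packet):
    # EtM layout: the length stays in the clear, the MAC covers length || ciphertext.
    length, ct = packet[:4], keystream_xor(ek, packet[4:])
    return length + ct + ssh_mac(mk, seq, length + ct)

def open_etm(ek, mk, seq, wire):
    # The MAC is verified first; nothing is decrypted if it fails.
    if len(wire) < 36 or len(wire) != 36 + struct.unpack(">I", wire[:4])[0]:
        return None
    authed, tag = wire[:-32], wire[-32:]
    if not hmac.compare_digest(tag, ssh_mac(mk, seq, authed)):
        return None
    return authed[:4] + keystream_xor(ek, authed[4:])

# Constructed sample keys and packet, not real traffic.
EK, MK = b"e" * 32, b"m" * 32
PACKET = frame(b"\x05demo")
```
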
> * sshd(8): Added support for multiple required authentication in SSH
>   protocol 2 via an AuthenticationMethods option. This option lists
>   one or more comma-separated lists of authentication method names.
>   Successful completion of all the methods in any list is required for
>   authentication to complete. This allows, for example, requiring a
>   user having to authenticate via public key or GSSAPI before they
>   are offered password authentication.

I have compiled and installed openssh-6.2, and configured it to use

    AuthenticationMethods publickey,password

It works well but it returns a message "Authenticated with partial
success." after the key is accepted. If I change the order of
authentication to be `password,publickey', the same message is returned
after password is accepted.

IMHO, no message should be printed until full authentication is
completed, because "partial success" will give an attacker a clue as to
what is going on.

Can this message be suppressed? If so, does it require a patch, or just
some config option?

Regards,

Andy

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin

There are some _really_ nice features in this release. Thanks to the
OpenSSH developers for all their effort!

--
Iain Morgan

On Thu, Mar 21, 2013 at 19:38:43 -0500, Damien Miller wrote:
> Changes since OpenSSH 6.1
> ========================
> [...]

Andy Tsouladze wrote:
> "partial success" will give an attacker a clue
..
> Can this message be suppressed? If so, does it require a patch, or
> just some config option?

The message can be removed, but as Markus pointed out the information
is part of the wire protocol, so there is no way to stop the attacker
from clue.

//Peter

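
The wire-protocol point made in the reply above, as an added Python example that is not part of the thread: RFC 4252 section 5.1 defines SSH_MSG_USERAUTH_FAILURE with a "partial success" boolean, so the connecting client receives that flag whether or not ssh(1) prints anything. The sample payloads are constructed for the "AuthenticationMethods publickey,password" setting discussed here; the method lists in them are assumptions.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # RFC 4252, section 5.1

def build_userauth_failure(can_continue, partial_success):
    """Encode: byte 51 || name-list of methods || boolean partial_success."""
    names = ",".join(can_continue).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE]) + struct.pack(">I", len(names))
            + names + bytes([1 if partial_success else 0]))

def parse_userauth_failure(payload):
    """Return (methods_that_can_continue, partial_success) or raise ValueError."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE payload")
    (n,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + n + 1:
        raise ValueError("name-list length does not match payload size")
    names = payload[5:5 + n].decode("ascii")
    methods = names.split(",") if names else []
    return methods, payload[5 + n] != 0

def client_view(payload):
    """What any client learns from the reply, independent of what it displays."""
    methods, partial = parse_userauth_failure(payload)
    if partial:
        return "previous method accepted; still required: " + ",".join(methods)
    return "previous method rejected; can try: " + ",".join(methods)

# Constructed payloads (assumed method lists), not captured traffic.
AFTER_KEY_ACCEPTED = build_userauth_failure(["password"], True)
AFTER_KEY_REJECTED = build_userauth_failure(["publickey"], False)
```
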
Hi guys,

On Mar 21 18:38, Damien Miller wrote:
> Changes since OpenSSH 6.1
> ========================
>
> This release introduces a number of new features:
>
> Features:
>
>  * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in
>    SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com
>    and aes256-gcm@openssh.com. It uses an identical packet format to the
>    AES-GCM mode specified in RFC 5647, but uses simpler and different
>    selection rules during key exchange.
>
>  * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes
>    for SSH protocol 2. These modes alter the packet format and compute
>    the MAC over the packet length and encrypted packet rather than over
>    the plaintext data. These modes are considered more secure and are
>    used by default when available.
>
>  * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as
>    "umac-128@openssh.com" and "umac-128-etm@openssh.com". The latter
>    being an encrypt-then-mac mode.

while I can build openssh-6.2p1 fine on Cygwin for i686, I just found
that it doesn't build on the yet-to-be-released Cygwin for x86_64.

The reason is a clash of the UINT64 type. It gets defined in umac.c as
well as in the Windows headers. The Windows headers define it like this:

  typedef unsigned __int64 UINT64,*PUINT64;

The interesting thing here is that the same clash occurs in the i686
version, but gcc does not complain. It only complains when building for
x86_64 for some reason. It could be a result of using different gcc
versions (4.5.3 on i686, 4.8.0 on x86_64), but I'm not sure.

For the time being, I applied the following patch:

Index: openbsd-compat/bsd-cygwin_util.h ==================================================================RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.15 diff -u -p -r1.15 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 28 Aug 2012 09:57:19 -0000 1.15 +++ openbsd-compat/bsd-cygwin_util.h 26 Mar 2013 19:45:01 -0000 
@@ -37,10 +37,13 @@ #undef ERROR #define WIN32_LEAN_AND_MEAN +#define UINT64 __UINT64 #include <windows.h> #include <sys/cygwin.h> #include <io.h> + +#undef UINT64 /* Make sure _WIN32 isn't defined later in the code, otherwise headers from other packages might get the wrong idea about the target system. */ Is that ok to apply? Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat
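
Review bot: The "#define UINT64 __UINT64" / "#undef UINT64" pair around the Windows includes carries no comment, so nothing in the header says it exists to keep the Windows typedef from clashing with the UINT64 typedef in umac.c; a short comment above the #define would stop someone from removing it later. The replacement name __UINT64 starts with a double underscore, which is reserved for the implementation, so a project-specific name would be safer. After the #undef the Windows type exists only under the replacement name, so any Windows header pulled in later that refers to UINT64 would not find the Windows definition.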