OpenSSH 7.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Future deprecation notice
========================
We plan on retiring more legacy cryptography in future releases,
specifically:
* In the next major release (expected June-August), removing remaining
support for the SSH v.1 protocol (currently client-only and compile-
time disabled).
* In the same release, removing support for Blowfish and RC4 ciphers
and the RIPE-MD160 HMAC. (These are currently run-time disabled).
* In the same release, removing the remaining CBC ciphers from being
offered by default in the client (These have not been offered in
sshd by default for several years).
* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)
This list reflects our current intentions, but please check the final
release notes for future releases.
Potentially-incompatible changes
===============================
This release includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and
their authentication state. Software that monitors ssh/sshd logs
may need to account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
* [Portable OpenSSH only] This version removes support for building
against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting
versions prior to 1.0.1 over 12 months ago (i.e. they no longer
receive fixes for security bugs).
Changes since OpenSSH 7.4
========================
This is a bugfix release.
Security
--------
* ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
Note that the OpenSSH client disables CBC ciphers by default, sshd
offers them as lowest-preference options and will remove them by
default entriely in the next release. Reported by Jean Paul
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
Royal Holloway, University of London.
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
a recursive file transfer could be maniuplated by a hostile server to
perform a path-traversal attack. creating or modifying files outside
of the intended target directory. Reported by Jann Horn of Google
Project Zero.
New Features
------------
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
algorithm lists, e.g. Ciphers=-*cbc. bz#2671
Bugfixes
--------
* sshd(1): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
* ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
* sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods were
not being correctly advertised. bz#2680
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
known_hosts processing. bz#2591 bz#2685
* ssh(1): Allow ssh to use certificates accompanied by a private key
file but no corresponding plain *.pub public key. bz#2617
* ssh(1): When updating hostkeys using the UpdateHostKeys option,
accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
method. bz#2650
* ssh(1): Detect and report excessively long configuration file
lines. bz#2651
* Merge a number of fixes found by Coverity and reported via Redhat
and FreeBSD. Includes fixes for some memory and file descriptor
leaks in error paths. bz#2687
* ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692
* ssh(1), sshd(8): When logging long messages to stderr, don't truncate
"\r\n" if the length of the message exceeds the buffer. bz#2688
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
line; avoid confusion over IPv6 addresses and shells that treat
square bracket characters specially.
* ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed entries.
* Fix various fallout and sharp edges caused by removing SSH protocol
1 support from the server, including the server banner string being
incorrectly terminated with only \n (instead of \r\n), confusing
error messages from ssh-keyscan bz#2583 and a segfault in sshd
if protocol v.1 was enabled for the client and sshd_config
contained references to legacy keys bz#2686.
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
* sshd(8): Fix Unix domain socket forwarding for root (regression in
OpenSSH 7.4).
* sftp(1): Fix division by zero crash in "df" output when server
returns zero total filesystem blocks/inodes.
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
encountered during key loading to more meaningful error codes.
bz#2522 bz#2523
* ssh-keygen(1): Sanitise escape sequences in key comments sent to
printf but preserve valid UTF-8 when the locale supports it;
bz#2520
* ssh(1), sshd(8): Return reason for port forwarding failures where
feasible rather than always "administratively prohibited". bz#2674
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a key is
matched early. bz#2655
* Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
* ssh(1): Fix typo in ~C error message for bad port forward
cancellation. bz#2672
* ssh(1): Show a useful error message when included config files
can't be opened; bz#2653
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
(previously incorrectly) advertised. bz#2637
* sshd_config(5): Repair accidentally-deleted mention of %k token
in AuthorizedKeysCommand; bz#2656
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
* sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
response handling.
* ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
keys. It was not possible to delete them except by specifying
their full physical path. bz#2682
Portability
-----------
* sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
crypto coprocessor.
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
inspection.
* ssh(1): Fix X11 forwarding on OSX where X11 was being started by
launchd. bz#2341
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
contain non-printable characters where the codeset in use is ASCII.
* build: Fix builds that attempt to link a kerberised libldns. bz#2603
* build: Fix compilation problems caused by unconditionally defining
_XOPEN_SOURCE in wide character detection.
* sshd(8): Fix sandbox violations for clock_gettime VSDO syscall
fallback on some Linux/X32 kernels. bz#2142
Checksums:
=========
- SHA1 (openssh-7.5.tar.gz) = 81384df377e38551f7659a4c250383d0bbd25341
- SHA1 (openssh-7.5p1.tar.gz) = 5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
- SHA256 (openssh-7.5.tar.gz) = Gmk8jOdGdKa7NixUN5J+bTMfeum5Vx8Nv+leAdQNq3U -
SHA256 (openssh-7.5p1.tar.gz) = mEbjxfq58FR0ALTSwBeZL5FCIrP9H47ubH3GvF5Z+fA
Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available as RELEASE_KEY.asc from
the mirror sites.
Reporting Bugs:
==============
- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh at openssh.com
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
20.03.2017, 16:41, Damien Miller:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at http://www.openssh.com/ shortly.API/ABI changes review for 7.5p1 vs 7.4p1: https://abi-laboratory.pro/tracker/compat_report/openssh/7.4p1/7.5p1/96f83/abi_compat_report.html API/ABI changes timeline: https://abi-laboratory.pro/tracker/timeline/openssh/ Thank you.
On 03/20/2017 02:31 PM, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at http://www.openssh.com/ shortly. > > > Security > -------- > > * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures > that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. > Note that the OpenSSH client disables CBC ciphers by default, sshd > offers them as lowest-preference options and will remove them by > default entriely in the next release. Reported by Jean Paul > Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of > Royal Holloway, University of London.Can we get some clarification on this CBC weakness from you or from the reporters? There is no update in the security page according to this security issue. So far I understood that the CBC modes are disabled because we have better ciphers to choose from. Also I still have understanding that any of the attacks presented so far were not feasible. Did it change? If I see right, the change related to this record is below, but the real effects are not clear even from the commit message: https://github.com/openssh/openssh-portable/commit/0fb1a617 Thanks, -- Jakub Jelen Software Engineer Security Technologies Red Hat
On Tue, 21 Mar 2017, Jakub Jelen wrote:> On 03/20/2017 02:31 PM, Damien Miller wrote: > > OpenSSH 7.5 has just been released. It will be available from the > > mirrors listed at http://www.openssh.com/ shortly. > > > > > > Security > > -------- > > > > * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures > > that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. > > Note that the OpenSSH client disables CBC ciphers by default, sshd > > offers them as lowest-preference options and will remove them by > > default entriely in the next release. Reported by Jean Paul > > Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of > > Royal Holloway, University of London. > > Can we get some clarification on this CBC weakness from you or from the > reporters? There is no update in the security page according to this security > issue.I've asked Kenny Paterson if he has some details he can share. Otherwise I'll write something up. The impact is similar to the original CBC padding attack: http://www.openssh.com/txt/cbc.adv http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf> So far I understood that the CBC modes are disabled because we have better > ciphers to choose from. Also I still have understanding that any of the > attacks presented so far were not feasible. Did it change?They're borderline feasible in the case of client/server pairs that retry endlessly and carry private data. IIRC the cost of mounting the attack is in the order of hundreds of thousands of disrupted connections per word pilfered. The main thing that convinced us to un-default the remaining CBC ciphers in the next release is that the countermeasures code has needed repair multiple times. IMO this is a signal that we're wasting effort on something that is 1) providing a false sense of security and 2) keeping CBC on life-support in the wider SSH ecosystem when we should be pulling the plug. -d
On 2017-03-21, Andrey Ponomarenko <andrewponomarenko at yandex.ru> wrote:> 20.03.2017, 16:41, Damien Miller: >> OpenSSH 7.5 has just been released. It will be available from the >> mirrors listed at http://www.openssh.com/ shortly. > > API/ABI changes review for 7.5p1 vs 7.4p1: https://abi-laboratory.pro/tracker/compat_report/openssh/7.4p1/7.5p1/96f83/abi_compat_report.html > > API/ABI changes timeline: https://abi-laboratory.pro/tracker/timeline/openssh/ > > Thank you.This is an internal-only library, on OpenBSD only the static libssh.a is built and it's not installed... Is some OS providing this as a shared library?
On Mon, Mar 20, 2017 at 07:31:35AM -0600, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at http://www.openssh.com/ shortly.I don't see the usual V_7_5_P1 tag in git. Did somebody forget to push that? Thanks as ever, -- Colin Watson [cjwatson at debian.org]
Hi, I got a report on the Cygwin mailing list in terms of deprecating the privsep option. It seems one consequence is that you can't run sshd under a non-privileged account for personal use anymore: ----- Forwarded message from Lionel Fourquaux -----> * This release deprecates the sshd_config UsePrivilegeSeparation > option, thereby making privilege separation mandatory.This has (probably not wholly intended) consequences when running sshd in single user (non root) mode: $ /usr/sbin/sshd -D -f ~/.ssh/sshd_config Privilege separation user sshd does not exist The problem is not limited to Cygwin, but is unlikely to happen in a typical Unix, since ssh is probably installed globally. If Cygwin was installed without administrative privileges, creating a dedicated sshd user would be impossible (and makes little sense if sshd runs in single user mode, anyway). I guess it would be possible to add a fake user account in /etc/passwd. Since user sshd and chroot /var/empty are not used in single user mode, it might be better to remove the check in this case: === cut after ==diff --git a/sshd.c b/sshd.c index 010a2c3..4f9b2c8 100644 --- a/sshd.c +++ b/sshd.c @@ -1641,7 +1641,8 @@ main(int ac, char **av) /* Store privilege separation user for later use if required. */ if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { - if (use_privsep || options.kerberos_authentication) + if ((use_privsep || options.kerberos_authentication) + && (getuid() == 0 || geteuid() == 0)) fatal("Privilege separation user %s does not exist", SSH_PRIVSEP_USER); } else { @@ -1767,7 +1768,7 @@ main(int ac, char **av) key_type(key)); } - if (use_privsep) { + if (use_privsep && (getuid() == 0 || geteuid() == 0)) { struct stat st; if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || === cut before == Best regards, -- Lionel ----- End forwarded message ----- Is there a chance this could be reenabled again? Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/09b912fb/attachment.bin>
Hello, You seem to be saying that in 7.5, sshd can no longer be run under an ordinary user account. Is that accurate? I use sshd running under a user account in Debian Jessie to allow tunnels from remote devices. That capability is crucial to my application. Any comments would be appreciated. Jack Dodds Corinna Vinschen <vinschen at redhat.com> wrote:> Hi, > > I got a report on the Cygwin mailing list in terms of > deprecating the privsep option. It seems one consequence is > that you can't run sshd under a non-privileged account for > personal use anymore: > > ----- Forwarded message from Lionel Fourquaux ----- > > * This release deprecates the sshd_config UsePrivilegeSeparation > > option, thereby making privilege separation mandatory. > > This has (probably not wholly intended) consequences when > running sshd in single user (non root) mode: > > $ /usr/sbin/sshd -D -f ~/.ssh/sshd_config > Privilege separation user sshd does not exist > > The problem is not limited to Cygwin, but is unlikely to happen > in a typical Unix, since ssh is probably installed globally. > > If Cygwin was installed without administrative privileges, > creating a dedicated sshd user would be impossible (and makes > little sense if sshd runs in single user mode, anyway). I guess > it would be possible to add a fake user account in /etc/passwd. > > Since user sshd and chroot /var/empty are not used in single > user mode, it might be better to remove the check in this case: > > === cut after ==> diff --git a/sshd.c b/sshd.c > index 010a2c3..4f9b2c8 100644 > --- a/sshd.c > +++ b/sshd.c > @@ -1641,7 +1641,8 @@ main(int ac, char **av) > > /* Store privilege separation user for later use if required. */ > if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { > - if (use_privsep || options.kerberos_authentication) > + if ((use_privsep || options.kerberos_authentication) > + && (getuid() == 0 || geteuid() == 0)) > fatal("Privilege separation user %s does not exist", > SSH_PRIVSEP_USER); > } else { > @@ -1767,7 +1768,7 @@ main(int ac, char **av) > key_type(key)); > } > > - if (use_privsep) { > + if (use_privsep && (getuid() == 0 || geteuid() == 0)) { > struct stat st; > > if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || > === cut before ==> > Best regards, > > -- Lionel > ----- End forwarded message ----- > > Is there a chance this could be reenabled again? > > > Thanks, > Corinna > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-------------- next part -------------- A non-text attachment was scrubbed... Name: Encryption key for Jack Dodds.asc Type: application/pgp-keys Size: 1702 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/2441bf19/attachment.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP Digital Signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170324/2441bf19/attachment-0001.bin>
On 03/20/2017 02:31 PM, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at http://www.openssh.com/ shortly. > [...] > * [Portable OpenSSH only] This version removes support for building > against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting > versions prior to 1.0.1 over 12 months ago (i.e. they no longer > receive fixes for security bugs).This causes configure to fail on SLES 11 sp3 LTSS. SUSE backports security fixes for openssl 0.9.8 until 2019. I have found the corresponding git commit which changes configure.ac, and would like to undo it. Apart from the concern that upstream at openssl stopped supporting 0.9.8, are there any other reasons behind this change (new dependencies on 1.0.1 which are not checked elsewhere)? kind regards, Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5254 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170327/8e6a71bb/attachment-0001.bin>
On Mon, Mar 27, 2017 at 9:20 PM, Martin Hecht <hecht at hlrs.de> wrote:> [...] > This causes configure to fail on SLES 11 sp3 LTSS. SUSE backports > security fixes for openssl 0.9.8 until 2019. > I have found the corresponding git commit which changes configure.ac, > and would like to undo it.You're welcome to do so however if it breaks you get to keep both pieces.> Apart from the concern that upstream at > openssl stopped supporting 0.9.8, are there any other reasons behind > this change (new dependencies on 1.0.1 which are not checked elsewhere)? >Given that support was removed late in the development cycle and it was tested with older versions up until then I would guess 7.5p1 might still work. Beyond that, there's a bunch of compatibility shims in openbsd-compat/openssl-compat.{c,h} and a couple of ifdef OPENSSL_VERSION_NUMBER sprinkled in the code which I would expect to be removed in future. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On 20/03/17 14:31, Damien Miller wrote:> OpenSSH 7.5 has just been released. It will be available from the > mirrors listed at http://www.openssh.com/ shortly. >I'm seeing an error in the testsuite on Solaris 2.6: test_utf8: ........................ regress/unittests/utf8/tests.c:48 test #25 "c_esc" ASSERT_INT_EQ(len, wantlen) failed: len = -1 wantlen = 5 I seems this might be related to the fact that on Solaris < 7 nl_langinfo(CODESET) returns an empty string when the codeset is ASCII. To verify I put together a small testprogram that does a setlocale followed by nl_langinfo(CODESET) and for the 'C' locale it returns an empty string while 'da' returns ISO8859-1 as expected. -tgc
On Fri, 24 Mar 2017, Colin Watson wrote:> On Mon, Mar 20, 2017 at 07:31:35AM -0600, Damien Miller wrote: > > OpenSSH 7.5 has just been released. It will be available from the > > mirrors listed at http://www.openssh.com/ shortly. > > I don't see the usual V_7_5_P1 tag in git. Did somebody forget to push > that?Yes, I forgot. Pushed now.
Tom G. Christensen
2017-Mar-31 19:30 UTC
testsuite error on Solaris 2.6 [Re: Announce: OpenSSH 7.5 released]
On 27/03/17 17:06, Tom G. Christensen wrote:> On 20/03/17 14:31, Damien Miller wrote: >> OpenSSH 7.5 has just been released. It will be available from the >> mirrors listed at http://www.openssh.com/ shortly. >> > > I'm seeing an error in the testsuite on Solaris 2.6: > test_utf8: ........................ > regress/unittests/utf8/tests.c:48 test #25 "c_esc" > ASSERT_INT_EQ(len, wantlen) failed: > len = -1 > wantlen = 5 > > > It seems this might be related to the fact that on Solaris < 7 > nl_langinfo(CODESET) returns an empty string when the codeset is ASCII. > > To verify I put together a small testprogram that does a setlocale > followed by nl_langinfo(CODESET) and for the 'C' locale it returns an > empty string while 'da' returns ISO8859-1 as expected. >I worked some more on this and comparing locales and their codesets between Solaris 2.6 and 7 I'm reasonably sure that an empty codeset value means ascii on Solaris 2.6. So to ensure proper operation and get rid of the error in the testsuite I've added "" as a valid alias for ascii in dangerous_locales(). With this change in place the testsuite runs with no errors. -tgc