openssh unix dev - Feb 2020 - Call for testing: OpenSSH 8.2

Hi,

OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a feature release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Future deprecation notice
========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostBasedKeyTypes=-ssh-rsa user at host

If the host key verification fails and no other supported host key
types are available, the the server software on that host should be
upgraded.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Security
=======
 * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
   (RSA/SHA1) algorithm from those accepted for certificate signatures
   (i.e. the client and server CASignatureAlgorithms option) and will
   use the rsa-sha2-512 signature algorithm by default when the
   ssh-keygen(1) CA signs new certificates.

   Certificates are at special risk to the aforementioned SHA1
   collision vulnerability as an attacker has effectively unlimited
   time in which to craft a collision that yields them a valid
   certificate, far more than the relatively brief LoginGraceTime
   window that they have to forge a host key signature.

   OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
   algorithms and will refuse to accept certificates signed by an
   OpenSSH 8.2+ CA using RSA keys. Older clients/servers may use
   another CA key type such as ssh-ed25519 (supported since OpenSSH
   6.5) or one of the ecdsa-sha2-nistp256/384/521 types (supported
   since OpenSSH 5.7) instead if they cannot be upgraded.

Potentially-incompatible changes
===============================
This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
   CASignatureAlgorithms list.

 * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
   from the default key exchange proposal for both the client and
   server.

 * ssh-keygen(1): the command-line options related to the generation
   and screening of safe prime numbers used by the
   diffie-hellman-group-exchange-* key exchange algorithms have
   changed. Most options have been folded under the -O flag.

 * sshd(8): the sshd listener process title visible to ps(1) has
   changed to include information about the number of connections that
   are currently attempting authentication and the limits configured
   by MaxStartups.

Changes since OpenSSH 8.1
========================
This release contains some significant new features.

FIDO/U2F Support
----------------

This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication.  In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with
corresponding
certificate types.

ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO token also generally require the user explicitly authorise
operations by touching or tapping them.

Generating a FIDO key requires the token be attached, and will usually
require the user tap the token to confirm the operation:

  $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
  Generating public/private ecdsa-sk key pair.
  You may need to touch your security key to authorize key generation.
  Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): 
  Enter passphrase (empty for no passphrase): 
  Enter same passphrase again: 
  Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
  Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any other
supported key in OpenSSH and may be listed in authorized_keys, added
to ssh-agent(1), etc. The only additional stipulation is that the FIDO
token that the key belongs to must be attached when the key is used.

FIDO tokens are most commonly connected via USB but may be attached
via other means such as Bluetooth or NFC. In OpenSSH, communication
with the token is managed via a middleware library, specified by the
SecurityKeyProvider directive in ssh/sshd_config(5). OpenSSH includes
a middleware with support for USB tokens that is may be enabled in
portable OpenSSH via the --with-security-key-builtin configure flag
(it is enabled automatically in OpenBSD). This internal middleware
requires that libfido2 (https://github.com/Yubico/libfido2) and its
dependencies be installed. If the built-in middleware is enabled then
it will be used by default.

Note: FIDO/U2F tokens are required to implement the ECDSA-P256
"ecdsa-sk" key type, but hardware support for Ed25519
"ed25519-sk" is
less common. Similarly, not all hardware tokens support some of the
optional features such as resident keys.

The protocol-level changes to support FIDO/U2F keys in SSH are
documented in the PROTOCOL.u2f file in the OpenSSH source
distribution.

There are a number of supporting changes to this feature:

 * ssh-keygen(1): add a "no-touch-required" option when generating
   FIDO-hosted keys, that disables their default behaviour of
   requiring a physical touch/tap on the token during authentication.
   Note: not all tokens support disabling the touch requirement.

 * sshd(8): add a sshd_config PubkeyAuthOptions directive that
   collects miscellaneous public key authentication-related options
   for sshd(8). At present it supports only a single option
   "no-touch-required". This causes sshd to skip its default check for
   FIDO/U2F keys that the signature was authorised by a touch or press
   event on the token hardware.

 * ssh(1), sshd(8), ssh-keygen(1): add a "no-touch-required" option
   for authorized_keys and a similar extension for certificates. This
   option disables the default requirement that FIDO key signatures
   attest that the user touched their key to authorize them, mirroring
   the similar PubkeyAuthOptions sshd_config option.

 * ssh-keygen(1): add support for the writing the FIDO attestation
   information that is returned when new keys are generated via the
   "-O write-attestation=/path" option. FIDO attestation certificates
   may be used to verify that a FIDO key is hosted in trusted
   hardware. OpenSSH does not currently make use of this information,
   beyond optionally writing it to disk.

FIDO2 resident keys
-------------------

FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored
in the private key file on disk, and a per-device private key that is
unique to each FIDO/U2F token and that cannot be exported. These are
combined by the hardware at authentication time to derive the real key
that is used to sign authentication challenges.

For tokens that are required to move between computers, it can be
cumbersome to have to move the private key file first. To avoid this
requirement, tokens implementing the newer FIDO2 standard support
"resident keys", where it is possible to effectively retrieve the key
handle part of the key from the hardware.

OpenSSH supports this feature, allowing resident keys to be generated
using the ssh-keygen(1) "-O resident" flag. This will produce a
public/private key pair as usual, but it will be possible to retrieve
the private key part from the token later. This may be done using
"ssh-keygen -K", which will download all available resident keys from
the tokens attached to the host and write public/private key files
for them. It is also possible to download and add resident keys
directly to ssh-agent(1) without writing files to the file-system
using "ssh-add -K".

Resident keys are indexed on the token by the application string and
user ID. By default, OpenSSH uses an application string of "ssh:" and
an empty user ID. If multiple resident keys on a single token are
desired then it may be necessary to override one or both of these
defaults using the ssh-keygen(1) "-O application=" or "-O
user="
options. Note: OpenSSH will only download and use resident keys whose
application string begins with "ssh:"

Storing both parts of a key on a FIDO token increases the likelihood
of an attacker being able to use a stolen token device. For this
reason, tokens should enforce PIN authentication before allowing
download of keys, and users should set a PIN on their tokens before
creating any resident keys.

Other New Features
------------------

 * sshd(8): add an Include sshd_config keyword that allows including
   additional configuration files via glob(3) patterns. bz2468

 * ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
   via the IPQoS directive; bz2986,

 * ssh(1): when AddKeysToAgent=yes is set and the key contains no
   comment, add the key to the agent with the key's path as the
   comment. bz2564
    
 * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
   subjects as key comments, rather than simply listing the PKCS#11
   provider library path. PR138

 * ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091

 * ssh(1), sshd(8): make zlib compile-time optional, available via the
   Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
   option for OpenSSH portable.

 * sshd(8): when clients get denied by MaxStartups, send a
   notification prior to the SSH2 protocol banner according to
   RFC4253 section 4.2.

 * ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
   program, pass a hint to the program to describe the type of
   desired prompt.  The possible values are "confirm" (indicating
   that a yes/no confirmation dialog with no text entry should be
   shown), "none" (to indicate an informational message only), or
   blank for the original ssh-askpass behaviour of requesting a
   password/phrase.

 * ssh(1): allow forwarding a different agent socket to the path
   specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
   option to accepting an explicit path or the name of an environment
   variable in addition to yes/no.
   
 * ssh-keygen(1): add a new signature operations "find-principals" to
   look up the principal associated with a signature from an allowed-
   signers file.
    
 * sshd(8): expose the number of currently-authenticating connections
   along with the MaxStartups limit in the process title visible to
   "ps".

Bugfixes
--------

 * sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
   will now disable connection killing entirely rather than the
   current behaviour of instantly killing the connection after the
   first liveness test regardless of success. bz2627
    
 * sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups /
   DenyGroups in the sshd(8) manual page. bz1690

 * sshd(8): better describe HashKnownHosts in the manual page. bz2560

 * sshd(8): clarify that that permitopen=/PermitOpen do no name or
   address translation in the manual page. bz3099

 * sshd(8): allow the UpdateHostKeys feature to function when
   multiple known_hosts files are in use. When updating host keys,
   ssh will now search subsequent known_hosts files, but will add
   updated host keys to the first specified file only. bz2738
    
 * All: replace all calls to signal(2) with a wrapper around
   sigaction(2). This wrapper blocks all other signals during the
   handler preventing races between handlers, and sets SA_RESTART
   which should reduce the potential for short read/write operations.
    
 * sftp(1): fix a race condition in the SIGCHILD handler that could
   turn in to a kill(-1); bz3084

 * sshd(8): fix a case where valid (but extremely large) SSH channel
   IDs were being incorrectly rejected. bz3098

 * ssh(1): when checking host key fingerprints as answers to new
   hostkey prompts, ignore whitespace surrounding the fingerprint
   itself.

 * All: wait for file descriptors to be readable or writeable during
   non-blocking connect, not just readable. Prevents a timeout when
   the server doesn't immediately send a banner (e.g. multiplexers
   like sslh)
 
 * sshd_config(5): document the sntrup4591761x25519-sha512 at tinyssh.org
   key exchange algorithm. PR#151

Portability
-----------

 * sshd(8): multiple adjustments to the Linux seccomp sandbox:
   - Non-fatally deny IPC syscalls in sandbox
   - Allow clock_gettime64() in sandbox (MIPS / glibc >= 2.31)
   - Allow clock_nanosleep_time64 in sandbox (ARM) bz3100
   - Allow clock_nanosleep() in sandbox (recent glibc) bz3093

 * Explicit check for memmem declaration and fix up declaration if the
   system headers lack it. bz3102
 
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a feature release.
>  * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
Confirmed with building openssh-SNAP-20200206.tar.gz in an alpine 3.11.2
release that there's something a bit strange going on.

ssh_config(5) describes for `HostKeyAlgorithms` that:
} The list of available key types may also be obtained using "ssh -Q
key"

Running `ssh -Q key`, the output does not include these proposed
replacements.

Only in sshd_config(5):
  rsa-sha2-512-cert-v01 at openssh.com
  rsa-sha2-256-cert-v01 at openssh.com
  rsa-sha2-512
  rsa-sha2-256

Only in `ssh -Q key`:
  ssh-dss
  ssh-dss-cert-v01 at openssh.com

Regards,
-Phil

(
This actually affects me: github.com has very limited HostKeyAlgorithms
advertised and my attempts to filter acceptable algorithms are based
around lines from `ssh -Q key` (since before the newer - support for
filtering) so I've been re-enabling ssh-rsa for github.com, missing that
there was another option.  I think I've stopped using clients old enough
to not have -tag support for this option, so I'll switch over away from
explicit enumeration.
)

On 2020-02-05 at 20:39 -0500, Phil Pennock wrote:
> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > OpenSSH 8.2p1 is almost ready for release, so we would appreciate
testing
> > on as many platforms and systems as possible. This is a feature
release.
> 
> >  * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
> This actually affects me: github.com has very limited HostKeyAlgorithms
> advertised and my attempts to filter acceptable algorithms are based
> around lines from `ssh -Q key` (since before the newer - support for
> filtering) so I've been re-enabling ssh-rsa for github.com, missing
that
> there was another option.  I think I've stopped using clients old
enough
> to not have -tag support for this option, so I'll switch over away from
> explicit enumeration.
Rediscovered part of why I was doing this: HostKeyAlgorithms is not
cumulative across rules, instead still being the "first match", even
when subsequent entries start with "+" or "-".

IMO the easiest way for people to safely test and discover what works
still is to have ssh config which looks like:

  Host *
    HostKeyAlgorithms -ssh-rsa*,ssh-dss*

  Host legacy
    HostKeyAlgorithms +ssh-rsa

Is changing to support this, as long as subsequent rules start +/-,
something sufficiently compatible that you'd consider it?

Yes, we can put the "HostKeyAlgorithms -ssh-rsa*,ssh-dss*" at the end
of
the file, but then every host where we explicitly enable ssh-rsa, we
then have to also re-disable the things we don't intend to re-enable.

So I contend that the behavior of this is only obvious to OpenSSH
experts and it will cause me pain helping folks:

  Host legacy
    HostKeyAlgorithms +ssh-rsa
  Host *
    HostKeyAlgorithms -ssh-rsa*,ssh-dss*

  # net result: host legacy has ssh-dss* algorithms enabled, plus any
  # ssh-rsa* glob matches beyond ssh-rsa itself

Thanks,
-Phil

On Wed, 5 Feb 2020, Phil Pennock wrote:
> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > OpenSSH 8.2p1 is almost ready for release, so we would appreciate
testing
> > on as many platforms and systems as possible. This is a feature
release.
> 
> >  * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
> 
> Confirmed with building openssh-SNAP-20200206.tar.gz in an alpine 3.11.2
> release that there's something a bit strange going on.
> 
> ssh_config(5) describes for `HostKeyAlgorithms` that:
> } The list of available key types may also be obtained using "ssh -Q
key"
> 
> Running `ssh -Q key`, the output does not include these proposed
> replacements.
That's a bug in the email :) The correct command is "ssh -Q sig":

$ ssh -Q sig
ssh-ed25519
sk-ssh-ed25519 at openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256 at openssh.com

On Thu, 6 Feb 2020 at 12:46, Phil Pennock <phil.pennock at globnix.org>
wrote:
[...]
> ssh_config(5) describes for `HostKeyAlgorithms` that:
> } The list of available key types may also be obtained using "ssh -Q
key"
>
> Running `ssh -Q key`, the output does not include these proposed
> replacements.
>
> Only in sshd_config(5):
>   rsa-sha2-512-cert-v01 at openssh.com
>   rsa-sha2-256-cert-v01 at openssh.com
>   rsa-sha2-512
>   rsa-sha2-256
Those are "sign only" algorithms that use the same RSA keys but with a
stronger signature algorithms.  It looks like the advice in
sshd_config(5) is not accurate (I think ssh -Q needs an option that
calls sshkey_alg_list with certs_only=0, plain_only=0 and
include_sigonly=1 for this case).
> Only in `ssh -Q key`:
>   ssh-dss
>   ssh-dss-cert-v01 at openssh.com
The list in sshd_config(5) is the types allowed by default, and DSA
(aka ssh-dss) keys are no longer allowed by default.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
>  * sshd(8): allow the UpdateHostKeys feature to function when
>    multiple known_hosts files are in use. When updating host keys,
>    ssh will now search subsequent known_hosts files, but will add
>    updated host keys to the first specified file only. bz2738
In testing this, when the impact is to _remove_ a known_hosts entry then
all the existing entries are deleted from the subsequent files, and the
remaining entries are added to the first file.

I initially assumed, on reading the email, that the logic was to not
assume that subsequent files are writable, but it seems that's not it.

Is this just a corner case that wasn't considered?

For myself I can live with this, as it fits my workflow:
~/.ssh/known_hosts is a small file of cruft and staging entries, and a
second file is in a shared git repo, so I usually migrate entries
manually.

-Phil

On Wed, 5 Feb 2020, Phil Pennock wrote:
> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> >  * sshd(8): allow the UpdateHostKeys feature to function when
> >    multiple known_hosts files are in use. When updating host keys,
> >    ssh will now search subsequent known_hosts files, but will add
> >    updated host keys to the first specified file only. bz2738
> 
> In testing this, when the impact is to _remove_ a known_hosts entry then
> all the existing entries are deleted from the subsequent files, and the
> remaining entries are added to the first file.
> 
> I initially assumed, on reading the email, that the logic was to not
> assume that subsequent files are writable, but it seems that's not it.
> 
> Is this just a corner case that wasn't considered?
No, that's pretty much the intended behaviour. Tracking which entries go
where and trying to match it while making updates is just too fiddly.

I hope to automatically enable UpdateHostKeys in a future release when
the user is using the default UserKnownHostsFiles, so if people are
using something custom then they can choose themselves whether the above
behaviour is something they can live with.

The previous behaviour was quite broken: AFAIK it wouldn't even search
beyond the first known_hosts file when looking for keys.

-d

On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> Generating a FIDO key requires the token be attached, and will usually
> require the user tap the token to confirm the operation:
Pretending first that I didn't have Damien's original post to the list,
to debug this as a non-subscriber would ...

ssh-keygen doesn't document SecurityKeyProvider, only $SSH_SK_PROVIDER,
and when people search for that variable in the public docs there's
nothing much.

SecurityKeyProvider has better text and a pointer to the entry in
ssh_config(5) might help.

I found one line in README.md (nit: "dependenciesi" has an extra
"i"
there) and doesn't mention --with-security-key-builtin (or is this not
needed now?)

Nothing outside of Damien's post seems to mention libsk-libfido2.so; the
libfido2 git log shows that the middleware moved into OpenSSH instead.
I'm guessing this is where --with-security-key-builtin comes from.
With libfido2 having removed the anchor, should the build even be
succeeding to create SK stuff without the --with-security-key-builtin
flag passed to configure?

Builds with PKG_CONFIG_PATH set for picking up libfido2.pc don't
propagate paths into DT_RUNPATH, but I guess folks using non-standard
install locations for custom stuff get what they deserve.  :)  Adjusting
to pass -Wl,-R through, it works.

When an ECDSA-SK handle has been loaded into ssh-agent, and you connect
to a host, there is no prompt to touch the token beyond a light on the
token starting to blink.

No ssh-agent:
  % ssh -p 24 fullerene
  Enter passphrase for key '/home/pdp/.ssh/id_ecdsa_sk':
  Confirm user presence for key ECDSA-SK
SHA256:Agweaa0e8uWR2UAqW/0ETHTPvawOdR1mu0DAk2r27Dw

Agent:
  % ssh-add ~/.ssh/id_ecdsa_sk
  Enter passphrase for /home/pdp/.ssh/id_ecdsa_sk: 
  Identity added: /home/pdp/.ssh/id_ecdsa_sk (pdp at fullerene)
Later:
  % ssh -p 24 fullerene
  [hangs, no output]

Can that "Confirm user presence" nudge be made to happen with the
agent
in play too?  It's nice.

Thanks for the wonderful work on supporting FIDO and everything else in
OpenSSH.  I hope this snapshot testing helps.

Regards,
-Phil

Damien Miller <djm at mindrot.org> writes:
> OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a feature release.
[ .. ]
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
PIN check when enrolling a key segfaults after three attempts for me,
also if the last entry is actually correct since it asks for the pin at
the end of the for-loop but then exists the for-loop before attempting
to use it:

$ ssh-keygen -t ecdsa-sk -vvvv
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
[ .. ]
debug1: ssh_sk_enroll: using device /dev/fido/0
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_REQUIRED
debug1: sshsk_enroll: provider "internal" returned failure -3
debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to
decrypt private key
[ .. ]
Enter PIN for security key:
[ .. ]
debug1: ssh_sk_enroll: using device /dev/fido/0
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_INVALID
debug1: sshsk_enroll: provider "internal" returned failure -3
debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to
decrypt private key
[ .. ]
Enter PIN for security key:
[ .. ]
debug1: ssh_sk_enroll: using device /dev/fido/0
debug1: ssh_sk_enroll: fido_dev_make_cred: FIDO_ERR_PIN_INVALID
debug1: sshsk_enroll: provider "internal" returned failure -3
debug1: ssh-sk-helper: Enrollment failed: incorrect passphrase supplied to
decrypt private key
[ .. ]
Enter PIN for security key:
Segmentation fault (core dumped)
$

$ gdb --quiet /usr/bin/ssh-keygen ssh-keygen.core 
[ .. ]
#0  sshkey_from_private (k=0x0, pkp=0x7f7ffffe9070) at
/usr/src/usr.bin/ssh/ssh-keygen/../sshkey.c:1813
1813            if ((n = sshkey_new(k->type)) == NULL) {
(gdb) p k
$1 = (const struct sshkey *) 0x0
Current language:  auto; currently minimal
(gdb) bt
#0  sshkey_from_private (k=0x0, pkp=0x7f7ffffe9070) at
/usr/src/usr.bin/ssh/ssh-keygen/../sshkey.c:1813
#1  0x00000054b0a507aa in main (argc=0, argv=0x7f7f0000000a) at
/usr/src/usr.bin/ssh/ssh-keygen/../ssh-keygen.c:3591
(gdb) 

Here is a diff which fixes the segfault and allows you to to have
three pin attempts instead of just two as it was previously:

Index: ssh-keygen.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.396
diff -u -p -u -r1.396 ssh-keygen.c
--- ssh-keygen.c	4 Feb 2020 09:58:04 -0000	1.396
+++ ssh-keygen.c	6 Feb 2020 17:05:37 -0000
@@ -3563,25 +3563,23 @@ main(int argc, char **argv)
 		passphrase = NULL;
 		if ((attest = sshbuf_new()) == NULL)
 			fatal("sshbuf_new failed");
-		for (i = 0 ; i < 3; i++) {
+		for (i = 0 ; i < 4; i++) {
 			fflush(stdout);
 			r = sshsk_enroll(type, sk_provider, sk_device,
 			    sk_application == NULL ? "ssh:" : sk_application,
 			    sk_user, sk_flags, passphrase, challenge,
 			    &private, attest);
+			if (passphrase != NULL)
+				freezero(passphrase, strlen(passphrase));
 			if (r == 0)
 				break;
 			if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
 				fatal("Key enrollment failed: %s", ssh_err(r));
-			if (passphrase != NULL)
-				freezero(passphrase, strlen(passphrase));
+			if (i == 3)
+				fatal("Too many incorrect PINs");
 			passphrase = read_passphrase("Enter PIN for security "
 			    "key: ", RP_ALLOW_STDIN);
 		}
-		if (passphrase != NULL)
-			freezero(passphrase, strlen(passphrase));
-		if (i > 3)
-			fatal("Too many incorrect PINs");
 		break;
 	default:
 		if ((r = sshkey_generate(type, bits, &private)) != 0)


/gabriel

On Feb  6 10:29, Damien Miller wrote:
> Hi,
> 
> OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a feature release.
Built from git master on upcoming Cygwin 3.1.3, build runs fine and all
tests pass.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200206/1df95df5/attachment-0001.asc>

Built and passed tests on NetBSD-9_RC2 on amd64 and on NetBSD-current on
amd64. Issues with MacOS Catalina:
configure: error: *** working libcrypto not found, check config.log

-- 
Hisashi T Fujinaka - htodd at twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

On Thu, Feb 6, 2020 at 11:16 AM Hisashi T Fujinaka <htodd at twofifty.com>
wrote:
> amd64. Issues with MacOS Catalina:
> configure: error: *** working libcrypto not found, check config.log
./configure --with-ssl-dir=/usr/local/Cellar/openssl at 1.1/1.1.1d

worked for me

For MacOS Catalina, with MacPorts:

    LDFLAGS=-L/opt/local/lib CPPFLAGS=-I/opt/local/include ./configure

With brew:

    LDFLAGS=-L/usr/local/opt/openssl at 1.1/lib
CPPFLAGS=-I/usr/local/opt/openssl at 1.1/include ./configure

(slightly more ?correct? than using /usr/local/Cellar/openssl at 1.1/1.1.1d
- never know where brew will put the files but the links should always
work).

But after that I get a hang with ?make tests? at

    run test conch-ciphers.sh ...
    conch ciphers: cipher aes256-ctr

I'll try a newer snap.

? Larry

On 2020-02-06 11:12 :03, Hisashi T Fujinaka wrote:
> Built and passed tests on NetBSD-9_RC2 on amd64 and on NetBSD-current on
> amd64. Issues with MacOS Catalina:
> configure: error: *** working libcrypto not found, check config.log
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pEpkey.asc
Type: application/pgp-keys
Size: 3147 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200206/8d85b518/attachment.bin>

On Thu, 6 Feb 2020, Gabriel Kihlman wrote:
> PIN check when enrolling a key segfaults after three attempts for me,
> also if the last entry is actually correct since it asks for the pin at
> the end of the for-loop but then exists the for-loop before attempting
> to use it:
Thanks - I committed a slightly tweaked version of your patch.

-d

On Thu, 6 Feb 2020, Hisashi T Fujinaka wrote:
> Built and passed tests on NetBSD-9_RC2 on amd64 and on NetBSD-current on
> amd64. Issues with MacOS Catalina:
> configure: error: *** working libcrypto not found, check config.log
AFAIK MacOS no longer includes libcrypto or headers in the base operating
system, so you'll either need to compile them yourself or install them
via macports/brew/etc.

-d

On Thu, 6 Feb 2020, Phil Pennock wrote:
> On 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > Generating a FIDO key requires the token be attached, and will usually
> > require the user tap the token to confirm the operation:
> 
> Pretending first that I didn't have Damien's original post to the
list,
> to debug this as a non-subscriber would ...
> 
> ssh-keygen doesn't document SecurityKeyProvider, only $SSH_SK_PROVIDER,
> and when people search for that variable in the public docs there's
> nothing much.
I'll mention $SSH_SK_PROVIDER in the release notes for ssh-keygen(1).
Naturally ssh-keygen doesn't use SecurityKeyProvider as it doesn't 
read any config files.
> SecurityKeyProvider has better text and a pointer to the entry in
> ssh_config(5) might help.
I've synced the manual page text for $SSH_SK_PROVIDER in ssh-keygen.1
and ssh-add.1 to match SecurityKeyProvider in ssh_config.5, thanks.
> I found one line in README.md (nit: "dependenciesi" has an extra
"i"
> there) and doesn't mention --with-security-key-builtin (or is this not
> needed now?)
Fixed - thanks.
> Nothing outside of Damien's post seems to mention libsk-libfido2.so;
the
> libfido2 git log shows that the middleware moved into OpenSSH instead.
> I'm guessing this is where --with-security-key-builtin comes from.
> With libfido2 having removed the anchor, should the build even be
> succeeding to create SK stuff without the --with-security-key-builtin
> flag passed to configure?
Yes, the motivation is that users might want to supply their own FIDO
middleware instead of the built-in one.
> Builds with PKG_CONFIG_PATH set for picking up libfido2.pc don't
> propagate paths into DT_RUNPATH, but I guess folks using non-standard
> install locations for custom stuff get what they deserve.  :)  Adjusting
> to pass -Wl,-R through, it works.
AFAIK that might be a bug in the generated libfido2.pc
> When an ECDSA-SK handle has been loaded into ssh-agent, and you connect
> to a host, there is no prompt to touch the token beyond a light on the
> token starting to blink.
> 
> No ssh-agent:
>   % ssh -p 24 fullerene
>   Enter passphrase for key '/home/pdp/.ssh/id_ecdsa_sk':
>   Confirm user presence for key ECDSA-SK
SHA256:Agweaa0e8uWR2UAqW/0ETHTPvawOdR1mu0DAk2r27Dw
> 
> Agent:
>   % ssh-add ~/.ssh/id_ecdsa_sk
>   Enter passphrase for /home/pdp/.ssh/id_ecdsa_sk: 
>   Identity added: /home/pdp/.ssh/id_ecdsa_sk (pdp at fullerene)
> Later:
>   % ssh -p 24 fullerene
>   [hangs, no output]
> 
> Can that "Confirm user presence" nudge be made to happen with the
agent
> in play too?  It's nice.
So, that should work if the agent has $DISPLAY set and access to
SSH_ASKPASS - it should pop up a confirmation box that will go away
as soon as you touch the key.

-d

For some odd reason - the current build did not pick up /usr/lib|incldue as the
place for libcrypto on OSX 10.15.3 with standard clang from Xcode by default.

But apart from that - no issues; including test with a wide range of pin-pad and
non-pin pad smartcards and USB tokens.

We do occasionally see a segfault when the pin is wrongly entered several times;
but that issue is one I've mean meaning to track down and was present in
earlier versions too. We think it is libccd.

Dw.

AIX 7.1 SP5. "configure" OpenSSH 8.2p1
==============================
Command line:
./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl
--with-zlib=/usr/local/zlib --without-openssl-header-check --with-cflags=-q64
--with-ldflags=-q64

Error:
checking for getpagesize... (cached) yes
checking whether snprintf correctly terminates long strings... yes
checking whether snprintf understands %zu... yes
checking whether vsnprintf returns correct values on overflow... yes
checking whether snprintf can declare const char *fmt... yes
checking for (overly) strict mkstemp... no
checking if getaddrinfo seems to work... yes
checking whether AI_NUMERICSERV is declared... yes
checking for getpgrp... yes
checking if getpgrp accepts zero args... yes
configure: error: *** working libcrypto not found, check config.log

  ========================================================
     Configure OpenSSH ver. 7.9p1 on the same host does not produce any errors:
checking for getpagesize... (cached) yes
checking whether snprintf correctly terminates long strings... yes
checking whether snprintf understands %zu... yes
checking whether vsnprintf returns correct values on overflow... yes
checking whether snprintf can declare const char *fmt... yes
checking for (overly) strict mkstemp... no
checking if getaddrinfo seems to work... yes
checking whether AI_NUMERICSERV is declared... yes
checking for getpgrp... yes
checking if getpgrp accepts zero args... yes
checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
<skip>
<skip>
              Host: powerpc-ibm-aix7.1.5.0
          Compiler: cc -qlanglvl=extc89
    Compiler flags: -g -q64
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/zlib/include
      Linker flags: -L/usr/local/ssl/lib -L/usr/local/zlib/lib  -q64
-blibpath:/usr/lib:/lib
         Libraries: -lcrypto -lz
(ended w/ no errors).

Is it something with "configure" specifically with OpenSSH 8.2?  My
last build was for 7.9p1, did not try (yet) 8.0 or 8.1.

Pls advise.
Txs. Val


-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+val.baranov=duke.edu at
mindrot.org> On Behalf Of Damien Miller
Sent: Wednesday, February 5, 2020 6:29 PM
To: openssh-unix-dev at mindrot.org
Subject: Call for testing: OpenSSH 8.2

Hi,

OpenSSH 8.2p1 is almost ready for release, so we would appreciate testing on as
many platforms and systems as possible. This is a feature release.

Snapshot releases for portable OpenSSH are available from
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.mindrot.org_openssh-5Fsnap_&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=xdW2-ZHXV4zqej5D5F38wlY8czGDRKk6GoCDnADr9Rs&e=

The OpenBSD version is available in CVS HEAD:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.openbsd.org_anoncvs.html&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=Jj2ds6WNG5qXhnZaL4jSak1iGJRmLktCBDsnnK1hwEE&e=

Portable OpenSSH is also available via git using the instructions at
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.openssh.com_portable.html-23cvs&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=yyZA2ztQqhLDucKM9oSr6MIIu1NLEEsRM95C_tCfdHA&eAt
https://urldefense.proofpoint.com/v2/url?u=https-3A__anongit.mindrot.org_openssh.git_&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=xE5ug-58iMv6VxHNWUTcA8HqLOVMuvSlyoJ0EozCWfM&e=
or via a mirror at Github:
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssh_openssh-2Dportable&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=XxmSwM6zyBUJ5TxaSLfgDCFXnV5pvHM0aIQk6CEMlng&e=

Running the regression tests supplied with Portable OpenSSH does not require
installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to openssh-unix-dev at mindrot.org.
Security bugs should be reported directly to openssh at openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog in the
portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Future deprecation notice
========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the
"ssh-rsa" public key signature algorithm by default in a near-future
release.

This algorithm is unfortunately still used widely despite the existence of
better alternatives, being the only remaining public key signature algorithm
specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key algorithm, for
host authentication, try to connect to it after removing the ssh-rsa algorithm
from ssh(1)'s allowed list:

    ssh -oHostBasedKeyTypes=-ssh-rsa user at host

If the host key verification fails and no other supported host key types are
available, the the server software on that host should be upgraded.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020)
https://urldefense.proofpoint.com/v2/url?u=https-3A__eprint.iacr.org_2020_014.pdf&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=_BIx00juKbWLAE9fSam1E3YozrFuE4aEP8mDbQc3JqU&e=

Security
=======
 * ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
   (RSA/SHA1) algorithm from those accepted for certificate signatures
   (i.e. the client and server CASignatureAlgorithms option) and will
   use the rsa-sha2-512 signature algorithm by default when the
   ssh-keygen(1) CA signs new certificates.

   Certificates are at special risk to the aforementioned SHA1
   collision vulnerability as an attacker has effectively unlimited
   time in which to craft a collision that yields them a valid
   certificate, far more than the relatively brief LoginGraceTime
   window that they have to forge a host key signature.

   OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
   algorithms and will refuse to accept certificates signed by an
   OpenSSH 8.2+ CA using RSA keys. Older clients/servers may use
   another CA key type such as ssh-ed25519 (supported since OpenSSH
   6.5) or one of the ecdsa-sha2-nistp256/384/521 types (supported
   since OpenSSH 5.7) instead if they cannot be upgraded.

Potentially-incompatible changes
===============================
This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
   CASignatureAlgorithms list.

 * ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
   from the default key exchange proposal for both the client and
   server.

 * ssh-keygen(1): the command-line options related to the generation
   and screening of safe prime numbers used by the
   diffie-hellman-group-exchange-* key exchange algorithms have
   changed. Most options have been folded under the -O flag.

 * sshd(8): the sshd listener process title visible to ps(1) has
   changed to include information about the number of connections that
   are currently attempting authentication and the limits configured
   by MaxStartups.

Changes since OpenSSH 8.1
========================
This release contains some significant new features.

FIDO/U2F Support
----------------

This release adds support for FIDO/U2F hardware authenticators to OpenSSH.
U2F/FIDO are open standards for inexpensive two-factor authentication hardware
that are widely used for website authentication.  In OpenSSH FIDO devices are
supported by new public key types "ecdsa-sk" and
"ed25519-sk", along with corresponding certificate types.

ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they
may be used much like any other key type supported by OpenSSH, so long as the
hardware token is attached when the keys are used. FIDO token also generally
require the user explicitly authorise operations by touching or tapping them.

Generating a FIDO key requires the token be attached, and will usually require
the user tap the token to confirm the operation:

  $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
  Generating public/private ecdsa-sk key pair.
  You may need to touch your security key to authorize key generation.
  Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): 
  Enter passphrase (empty for no passphrase): 
  Enter same passphrase again: 
  Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
  Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

This will yield a public and private key-pair. The private key file should be
useless to an attacker who does not have access to the physical token. After
generation, this key may be used like any other supported key in OpenSSH and may
be listed in authorized_keys, added to ssh-agent(1), etc. The only additional
stipulation is that the FIDO token that the key belongs to must be attached when
the key is used.

FIDO tokens are most commonly connected via USB but may be attached via other
means such as Bluetooth or NFC. In OpenSSH, communication with the token is
managed via a middleware library, specified by the SecurityKeyProvider directive
in ssh/sshd_config(5). OpenSSH includes a middleware with support for USB tokens
that is may be enabled in portable OpenSSH via the --with-security-key-builtin
configure flag (it is enabled automatically in OpenBSD). This internal
middleware requires that libfido2
(https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Yubico_libfido2&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=2Vo5ZoJZVERFyDvCihb6idkt8gPem-4rqLsPLFnoua4&e=
) and its dependencies be installed. If the built-in middleware is enabled then
it will be used by default.

Note: FIDO/U2F tokens are required to implement the ECDSA-P256
"ecdsa-sk" key type, but hardware support for Ed25519
"ed25519-sk" is less common. Similarly, not all hardware tokens
support some of the optional features such as resident keys.

The protocol-level changes to support FIDO/U2F keys in SSH are documented in the
PROTOCOL.u2f file in the OpenSSH source distribution.

There are a number of supporting changes to this feature:

 * ssh-keygen(1): add a "no-touch-required" option when generating
   FIDO-hosted keys, that disables their default behaviour of
   requiring a physical touch/tap on the token during authentication.
   Note: not all tokens support disabling the touch requirement.

 * sshd(8): add a sshd_config PubkeyAuthOptions directive that
   collects miscellaneous public key authentication-related options
   for sshd(8). At present it supports only a single option
   "no-touch-required". This causes sshd to skip its default check for
   FIDO/U2F keys that the signature was authorised by a touch or press
   event on the token hardware.

 * ssh(1), sshd(8), ssh-keygen(1): add a "no-touch-required" option
   for authorized_keys and a similar extension for certificates. This
   option disables the default requirement that FIDO key signatures
   attest that the user touched their key to authorize them, mirroring
   the similar PubkeyAuthOptions sshd_config option.

 * ssh-keygen(1): add support for the writing the FIDO attestation
   information that is returned when new keys are generated via the
   "-O write-attestation=/path" option. FIDO attestation certificates
   may be used to verify that a FIDO key is hosted in trusted
   hardware. OpenSSH does not currently make use of this information,
   beyond optionally writing it to disk.

FIDO2 resident keys
-------------------

FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored
in the private key file on disk, and a per-device private key that is unique to
each FIDO/U2F token and that cannot be exported. These are combined by the
hardware at authentication time to derive the real key that is used to sign
authentication challenges.

For tokens that are required to move between computers, it can be cumbersome to
have to move the private key file first. To avoid this requirement, tokens
implementing the newer FIDO2 standard support "resident keys", where
it is possible to effectively retrieve the key handle part of the key from the
hardware.

OpenSSH supports this feature, allowing resident keys to be generated using the
ssh-keygen(1) "-O resident" flag. This will produce a public/private
key pair as usual, but it will be possible to retrieve the private key part from
the token later. This may be done using "ssh-keygen -K", which will
download all available resident keys from the tokens attached to the host and
write public/private key files for them. It is also possible to download and add
resident keys directly to ssh-agent(1) without writing files to the file-system
using "ssh-add -K".

Resident keys are indexed on the token by the application string and user ID. By
default, OpenSSH uses an application string of "ssh:" and an empty
user ID. If multiple resident keys on a single token are desired then it may be
necessary to override one or both of these defaults using the ssh-keygen(1)
"-O application=" or "-O user="
options. Note: OpenSSH will only download and use resident keys whose
application string begins with "ssh:"

Storing both parts of a key on a FIDO token increases the likelihood of an
attacker being able to use a stolen token device. For this reason, tokens should
enforce PIN authentication before allowing download of keys, and users should
set a PIN on their tokens before creating any resident keys.

Other New Features
------------------

 * sshd(8): add an Include sshd_config keyword that allows including
   additional configuration files via glob(3) patterns. bz2468

 * ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
   via the IPQoS directive; bz2986,

 * ssh(1): when AddKeysToAgent=yes is set and the key contains no
   comment, add the key to the agent with the key's path as the
   comment. bz2564
    
 * ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
   subjects as key comments, rather than simply listing the PKCS#11
   provider library path. PR138

 * ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091

 * ssh(1), sshd(8): make zlib compile-time optional, available via the
   Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
   option for OpenSSH portable.

 * sshd(8): when clients get denied by MaxStartups, send a
   notification prior to the SSH2 protocol banner according to
   RFC4253 section 4.2.

 * ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
   program, pass a hint to the program to describe the type of
   desired prompt.  The possible values are "confirm" (indicating
   that a yes/no confirmation dialog with no text entry should be
   shown), "none" (to indicate an informational message only), or
   blank for the original ssh-askpass behaviour of requesting a
   password/phrase.

 * ssh(1): allow forwarding a different agent socket to the path
   specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
   option to accepting an explicit path or the name of an environment
   variable in addition to yes/no.
   
 * ssh-keygen(1): add a new signature operations "find-principals" to
   look up the principal associated with a signature from an allowed-
   signers file.
    
 * sshd(8): expose the number of currently-authenticating connections
   along with the MaxStartups limit in the process title visible to
   "ps".

Bugfixes
--------

 * sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
   will now disable connection killing entirely rather than the
   current behaviour of instantly killing the connection after the
   first liveness test regardless of success. bz2627
    
 * sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups /
   DenyGroups in the sshd(8) manual page. bz1690

 * sshd(8): better describe HashKnownHosts in the manual page. bz2560

 * sshd(8): clarify that that permitopen=/PermitOpen do no name or
   address translation in the manual page. bz3099

 * sshd(8): allow the UpdateHostKeys feature to function when
   multiple known_hosts files are in use. When updating host keys,
   ssh will now search subsequent known_hosts files, but will add
   updated host keys to the first specified file only. bz2738
    
 * All: replace all calls to signal(2) with a wrapper around
   sigaction(2). This wrapper blocks all other signals during the
   handler preventing races between handlers, and sets SA_RESTART
   which should reduce the potential for short read/write operations.
    
 * sftp(1): fix a race condition in the SIGCHILD handler that could
   turn in to a kill(-1); bz3084

 * sshd(8): fix a case where valid (but extremely large) SSH channel
   IDs were being incorrectly rejected. bz3098

 * ssh(1): when checking host key fingerprints as answers to new
   hostkey prompts, ignore whitespace surrounding the fingerprint
   itself.

 * All: wait for file descriptors to be readable or writeable during
   non-blocking connect, not just readable. Prevents a timeout when
   the server doesn't immediately send a banner (e.g. multiplexers
   like sslh)
 
 * sshd_config(5): document the sntrup4591761x25519-sha512 at tinyssh.org
   key exchange algorithm. PR#151

Portability
-----------

 * sshd(8): multiple adjustments to the Linux seccomp sandbox:
   - Non-fatally deny IPC syscalls in sandbox
   - Allow clock_gettime64() in sandbox (MIPS / glibc >= 2.31)
   - Allow clock_nanosleep_time64 in sandbox (ARM) bz3100
   - Allow clock_nanosleep() in sandbox (recent glibc) bz3093

 * Explicit check for memmem declaration and fix up declaration if the
   system headers lack it. bz3102
 
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin
Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben
Lindstrom.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.mindrot.org_mailman_listinfo_openssh-2Dunix-2Ddev&d=DwICAg&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=WByI7P-KKX1fiwfQLr8yiK76wnsb1nMN70RGY4qj1d8&m=p8nhV44A0whqWehrzuZDoXCEctWcVYkMM9-zJr_i2JE&s=P-fsxuRvSinHJfHGzd-n4kyNe6u_jcxjPKltcqr_sK0&e=

On Thu, 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> Hi,
> 
> OpenSSH 8.2p1 is almost ready for release, so we would appreciate
> testing
> on as many platforms and systems as possible. This is a feature
> release.
We are building openssh with -fvisibility=hidden and it is breaking
tests. The build of sk-dummy.so does not list the public function as
explicitly visible, which would be a good habit when writing shared
libraries.

I see that as long as OpenSSH does not provide public library, there is
no need to care generally for the API and visibility, but this is
something  that will need to be addressed in the end if you decide to
make ssh_api.h public.

My proposal would be to specify __attribute__((visibility("default")))
to the exported functions in sk-dummy.c or whatever else compiler
alternatives need to be provided. I think something similar should go
also to the ssh_api.h

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

On Tue, 2020-02-11 at 11:40 +0100, Jakub Jelen wrote:
> On Thu, 2020-02-06 at 10:29 +1100, Damien Miller wrote:
> > Hi,
> > 
> > OpenSSH 8.2p1 is almost ready for release, so we would appreciate
> > testing
> > on as many platforms and systems as possible. This is a feature
> > release.
> 
> We are building openssh with -fvisibility=hidden and it is breaking
> tests. The build of sk-dummy.so does not list the public function as
> explicitly visible, which would be a good habit when writing shared
> libraries.
> 
> I see that as long as OpenSSH does not provide public library, there
> is
> no need to care generally for the API and visibility, but this is
> something  that will need to be addressed in the end if you decide to
> make ssh_api.h public.
> 
> My proposal would be to specify
> __attribute__((visibility("default")))
> to the exported functions in sk-dummy.c or whatever else compiler
> alternatives need to be provided. I think something similar should go
> also to the ssh_api.h
Otherwise all our tests look good on current Fedora.

Best regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.