Hi,
OpenSSH 9.8p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable
Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:
$ ./configure && make tests
Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev at mindrot.org. Security bugs should be reported
directly to openssh at openssh.com.
Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.
Thanks to the many people who contributed to this release.
Future deprecation notice
========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.
DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.
This release, and its deactivation of DSA by default at compile-time,
marks the second step in our timeline to finally deprecate DSA. The
final step of removing DSA support entirely is planned for the first
OpenSSH release of 2025.
Potentially-incompatible changes
--------------------------------
* all: as mentioned above, the DSA signature algorithm is now
disabled at compile time.
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101
Changes since OpenSSH 9.7
========================
This release contains mostly bugfixes.
New features
------------
* sshd(8): add the ability to penalise client addresses that, for
various reasons, do not successfully complete authentication.
sshd(8) will now identify situations where the session did not
authenticate as expected. These conditions include when the client
repeatedly attempted authentication unsucessfully (possibly
indicating an attack against one or more accounts, e.g. password
guessing), or when client behaviour caused sshd to crash (possibly
indicating attempts to exploit sshd).
When such a condition is observed, sshd will record a penalty of
some duration (e.g. 30 seconds) against the client's address. If
this time is above a minimum configurable threshold, then all
connections from the client address will be refused (along with any
others in the same PerSourceNetBlockSize CIDR range).
Repeated offenses by the same client address will accrue greater
penalties, up to a configurable maximum. Address ranges may be
exempted from penalties using the PerSourcePenaltyExemptList
option.
We hope these options will make it significantly more difficult for
attackers to find accounts with weak/guessable passwords or exploit
bugs in sshd(8) itself. This option is enabled by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.
Bugfixes
--------
* misc: fix a number of inaccuracies in the PROTOCOL.*
documentation. GHPR430 GHPR487
* all: switch to strtonum(3) for more robust integer parsing in most
places.
* ssh(1), sshd(8): correctly restore sigprocmask around ppoll()
* ssh-keysign(8): stricter validation of messaging socket fd GHPR492
* sftp(1): flush stdout after writing "sftp>" prompt when not
using
editline. GHPR480
* sftp-server(8): fix home-directory extension implementation, it
previously always returned the current user's home directory
contrary to the spec. GHPR477
* ssh-keyscan(1): do not close stdin in any case to prevent error
messages when stdin is read multiple times. E.g.
echo localhost | ssh-keyscan -f - -f -
* regression tests: fix rekey test that was testing the same KEX
algorithm repeatedly instead of testing all of them. bz3692
* ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive
documentation, especially around what is supported vs available.
bz3701.
Portability
-----------
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.
* build: fix OpenSSL ED25519 support detection. An incorrect function
signature in configure.ac previously prevented enabling the recently
added support for ED25519 private keys in PEM PKCS8 format.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479
* build: improve detection of the -fzero-call-used-regs compiler
flag. bz3673.
* build: relax OpenSSL version check to accept all OpenSSL 3.x
versions.
* sshd(8): add support for notifying systemd on server listen and
reload, using a standalone implementation that doesn't depend on
libsystemd. bz2641
OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
On 6/17/24 19:46, Damien Miller wrote:> Hi, > > OpenSSH 9.8p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ >The latest snap: openssh-SNAP-20240618.tar.gz compiles, passes all tests, and sftp transports files at an acceptable rate on Debian GNU/Linux 12 (bookworm), but $ ./ssh -V gives: ??? OpenSSH_9.7p1-snap20240618, OpenSSL 3.0.11 19 Sep 2023 -- # include <stddisclaimer.h> /* Kevin Brott <Kevin.Brott at GMail.com> */
Hi all, It compiles on OpenIndiana, GCC 13, with custom OpenSSL 3.2: :; ssh -V OpenSSH_9.7p1-snap20240618, OpenSSL 3.2.1 30 Jan 2024 Did not checked everything yet... Thanks On 2024-06-18 04:46, Damien Miller wrote:> Hi, > > OpenSSH 9.8p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via git using the > instructions at http://www.openssh.com/portable.html#cvs > At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github: > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to > openssh-unix-dev at mindrot.org. Security bugs should be reported > directly to openssh at openssh.com. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > Future deprecation notice > ========================> > OpenSSH plans to remove support for the DSA signature algorithm in > early 2025. This release disables DSA by default at compile time. > > DSA, as specified in the SSHv2 protocol, is inherently weak - being > limited to a 160 bit private key and use of the SHA1 digest. Its > estimated security level is only 80 bits symmetric equivalent. > > OpenSSH has disabled DSA keys by default since 2015 but has retained > run-time optional support for them. DSA was the only mandatory-to- > implement algorithm in the SSHv2 RFCs, mostly because alternative > algorithms were encumbered by patents when the SSHv2 protocol was > specified. > > This has not been the case for decades at this point and better > algorithms are well supported by all actively-maintained SSH > implementations. We do not consider the costs of maintaining DSA > in OpenSSH to be justified and hope that removing it from OpenSSH > can accelerate its wider deprecation in supporting cryptography > libraries. > > This release, and its deactivation of DSA by default at compile-time, > marks the second step in our timeline to finally deprecate DSA. The > final step of removing DSA support entirely is planned for the first > OpenSSH release of 2025. > > Potentially-incompatible changes > -------------------------------- > > * all: as mentioned above, the DSA signature algorithm is now > disabled at compile time. > > * sshd(8): the server will now block client addresses that > repeatedly fail authentication, repeatedly connect without ever > completing authentication or that crash the server. See the > discussion of PerSourcePenalties below for more information. > Operators of servers that accept connections from many users, or > servers that accept connections from addresses behind NAT or > proxies may need to consider these settings. > > * sshd(8): the server has been split into a listener binary, sshd(8), > and a per-session binary "sshd-session". This allows for a much > smaller listener binary, as it no longer needs to support the SSH > protocol. As part of this work, support for disabling privilege > separation (which previously required code changes to disable) and > disabling re-execution of sshd(8) has been removed. Further > separation of sshd-session into additional, minimal binaries is > planned for the future. > > * sshd(8): several log messages have changed. In particular, some > log messages will be tagged with as originating from a process > named "sshd-session" rather than "sshd". > > * ssh-keyscan(1): this tool previously emitted comment lines > containing the hostname and SSH protocol banner to standard error. > This release now emits them to standard output, but adds a new > "-q" flag to silence them altogether. > > * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] > as the PAM service name. A new "PAMServiceName" sshd_config(5) > directive allows selecting the service name at runtime. This > defaults to "sshd". bz2101 > > Changes since OpenSSH 9.7 > ========================> > This release contains mostly bugfixes. > > New features > ------------ > > * sshd(8): add the ability to penalise client addresses that, for > various reasons, do not successfully complete authentication. > sshd(8) will now identify situations where the session did not > authenticate as expected. These conditions include when the client > repeatedly attempted authentication unsucessfully (possibly > indicating an attack against one or more accounts, e.g. password > guessing), or when client behaviour caused sshd to crash (possibly > indicating attempts to exploit sshd). > > When such a condition is observed, sshd will record a penalty of > some duration (e.g. 30 seconds) against the client's address. If > this time is above a minimum configurable threshold, then all > connections from the client address will be refused (along with any > others in the same PerSourceNetBlockSize CIDR range). > > Repeated offenses by the same client address will accrue greater > penalties, up to a configurable maximum. Address ranges may be > exempted from penalties using the PerSourcePenaltyExemptList > option. > > We hope these options will make it significantly more difficult for > attackers to find accounts with weak/guessable passwords or exploit > bugs in sshd(8) itself. This option is enabled by default. > > * ssh(8): allow the HostkeyAlgorithms directive to disable the > implicit fallback from certificate host key to plain host keys. > > Bugfixes > -------- > > * misc: fix a number of inaccuracies in the PROTOCOL.* > documentation. GHPR430 GHPR487 > > * all: switch to strtonum(3) for more robust integer parsing in most > places. > > * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() > > * ssh-keysign(8): stricter validation of messaging socket fd GHPR492 > > * sftp(1): flush stdout after writing "sftp>" prompt when not using > editline. GHPR480 > > * sftp-server(8): fix home-directory extension implementation, it > previously always returned the current user's home directory > contrary to the spec. GHPR477 > > * ssh-keyscan(1): do not close stdin in any case to prevent error > messages when stdin is read multiple times. E.g. > echo localhost | ssh-keyscan -f - -f - > > * regression tests: fix rekey test that was testing the same KEX > algorithm repeatedly instead of testing all of them. bz3692 > > * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms directive > documentation, especially around what is supported vs available. > bz3701. > > Portability > ----------- > > * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules > unconditionally. The previous behaviour was to expose it only when > particular authentication methods were in use. > > * build: fix OpenSSL ED25519 support detection. An incorrect function > signature in configure.ac previously prevented enabling the recently > added support for ED25519 private keys in PEM PKCS8 format. > > * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY > environment variable to enable SSH_ASKPASS, similarly to the X11 > DISPLAY environment variable. GHPR479 > > * build: improve detection of the -fzero-call-used-regs compiler > flag. bz3673. > > * build: relax OpenSSL version check to accept all OpenSSL 3.x > versions. > > * sshd(8): add support for notifying systemd on server listen and > reload, using a standalone implementation that doesn't depend on > libsystemd. bz2641 > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev-- Predrag Ze?evi?
Hi, This is my first post here, I'm trying my best. I am admin and not a developer but as such I am heavily dependent on openssh. On Tue, 2024-06-18 at 12:46 +1000, Damien Miller wrote:> OpenSSH 9.8p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release. >While all tests on my host were OK ("all tests passed"), I get a number of compile warnings, e.g: ssh-keygen.c: In function ?do_gen_all_hostkeys?: ssh-keygen.c:1133:55: warning: ?%s? directive output may be truncated writing up to 1024 bytes into a region of size 1023 [-Wformat-truncation=] 1133 | snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, | ^~ 1134 | hostname); | ~~~~~~~~ In function ?snprintf?, inlined from ?do_gen_all_hostkeys? at ssh-keygen.c:1133:3: Is it worth it to fix this? I asked a helpful friend (thanks Uwe) and he suggests something like: diff --git a/ssh-keygen.c b/ssh-keygen.c index 97c6d134a16f..69431bbc3084 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -3385,6 +3385,12 @@ main(int argc, char **argv) pw = pwcopy(pw); if (gethostname(hostname, sizeof(hostname)) == -1) fatal("gethostname: %s", strerror(errno)); + /* + * According to POSIX hostname might have been trunctated without + * returning an error and that in this case it's unspecified if hostname + * is terminated by a null byte. + */ + hostname[sizeof(hostname) - 1] = '\0'; sk_provider = getenv("SSH_SK_PROVIDER"); @@ -3918,7 +3924,8 @@ main(int argc, char **argv) strlcpy(comment, identity_comment, sizeof(comment)); } else { /* Create default comment field for the passphrase. */ - snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); + if (snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname) >= sizeof comment) + comment[sizeof comment - 1] = '\0'; } /* Save the key with the given passphrase and comment. */ Have a nice day Bj?rn L?ssig
On 2024/06/18 12:46, Damien Miller wrote:> OpenSSH plans to remove support for the DSA signature algorithm in > early 2025. This release disables DSA by default at compile time.Not sure whether anything should be done with it, but I noticed so thought I'd mention: if you pass ssh-keygen -R a known_hosts file with DSA sigs, you get "invalid line" warnings.
On 6/17/2024 22:46, Damien Miller wrote:> This release contains mostly bugfixes. > > New features > ------------ > > * sshd(8): add the ability to penalise client addresses that, for > various reasons, do not successfully complete authentication. > sshd(8) will now identify situations where the session did not > authenticate as expected. These conditions include when the client > repeatedly attempted authentication unsucessfully (possibly > indicating an attack against one or more accounts, e.g. password > guessing), or when client behaviour caused sshd to crash (possibly > indicating attempts to exploit sshd).Just curious, has this been tested at scale? I see that there are, by default, a maximum number of hosts it can track (default of 64k it seems). At that point I think one of two things happen - sshd stops allowing all connections until some of the banned IPs age out (with the exception of those IPs on an approved list) or it drops banned IPs from the head. I'm just wondering what happens in the event of a sustained attack from, say, a large botnet with more than 64K hosts. I think this is a good idea if people aren't using fail2ban but being that this is a relatively impactful change that could, unintentionally, lock out valid users (especially in attack scenarios) I'm somewhat hesitant to deploy in production without understanding this mechanism and testing results in a little more detail if available. Chris
Any chance PAMServiceName could be added as a Match option? It would be great to have a different PAM config (MFA, etc.) based on source address. -- Carson
Hi Damien, On Jun 18 12:46, Damien Miller wrote:> Hi, > > OpenSSH 9.8p1 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a bugfix release.Builds on current Cygwin and all tests pass, except a single command in a single test: run test sftp-cmds.sh ... sftp commands: lls lls failed Every other test in sftp-cmds.sh works, just this one lls test constantly fails for me. I found that the current working directory when starting sftp -D is the regress source dir, in my case: /home/corinna/openssh-9.8p0-1.x86_64/src/openssh-portable/regress When calling sftp in the lls test, it's asked to change the working dir to the build regress dir, i.e.: printf "cd ${OBJ}\nlls\n" | ${SFTP} -D ${SFTPSERVER} 2>&1 | grep copy.dd >/dev/null || fail "lls failed" That's correct, because the copy.dd file is created in ${OBJ}. In my case of building outside the source dir, $OBJ is /home/corinna/openssh-9.8p0-1.x86_64/build/regress However, `cd' only changes the remote dir. This doesn't affect the subsequent `lls' command which still has its local working dir set to the source dir. Consequentially, lls fails. Shouldn't `cd' actually be `lcd' in this test to be independent of building inside or outside the source dir? Thanks, Corinna