OpenSSH 8.3 release fixes scp vulnerability

After three months of development, OpenSSH 8.3 has been released. It is an open implementation of a client and server for working over the SSH 2.0 and SFTP protocols.

The new release adds protection against an attack on scp that allows a server to send file names other than those requested (unlike the earlier vulnerability, this attack cannot change the user-selected directory or glob mask). Recall that in SCP the server decides which files and directories to send to the client, and the client only checks that the returned object names are correct. The essence of the identified problem is that if the utimes system call fails, the contents of the file are interpreted as file metadata.

When a client connects to a server controlled by an attacker, this behavior can be used to save different file names and different contents in the user's file system during an scp copy, in configurations where the utimes call fails (for example, when utimes is prohibited by SELinux policy or a system call filter). The likelihood of real attacks is estimated to be minimal, since in typical configurations the utimes call does not fail. In addition, the attack does not go unnoticed: scp displays a data transfer error.

General changes:

  • sftp no longer accepts the "-1" argument, in line with ssh and scp; it used to be accepted but ignored;
  • sshd now provides three choices when using IgnoreRhosts: "yes" to ignore rhosts/shosts, "no" to honor rhosts/shosts, and "shosts-only" to allow ".shosts" but disallow ".rhosts";
  • ssh now handles %TOKEN substitution in the LocalForward and RemoteForward settings used to forward Unix sockets;
  • Allow loading public keys from an unencrypted private key file if there is no separate public key file;
  • When libcrypto is available on the system, ssh and sshd now use the chacha20 implementation from that library instead of the built-in portable implementation, which lags behind in performance;
  • Implemented the ability to dump the contents of the binary list of revoked certificates when executing the command "ssh-keygen -lQf /path";
  • The portable version now detects systems where signals with the SA_RESTART option interrupt select;
  • Fixed build issues on HP/UX and AIX systems;
  • Fixed build issues with the seccomp sandbox on some Linux configurations;
  • Improved detection of the libfido2 library and resolved build issues with the "--with-security-key-builtin" option.

The OpenSSH developers have also once again warned about the upcoming deprecation of algorithms that use SHA-1 hashes, because chosen-prefix collision attacks have become more effective (the cost of finding a collision is estimated at about 45 thousand dollars). In one of the upcoming releases they plan to disable by default the ssh-rsa public key digital signature algorithm, which is mentioned in the original RFC for the SSH protocol and remains widespread in practice (to check whether ssh-rsa is used on your systems, you can try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option).

To smooth the transition to new algorithms, one of the next OpenSSH releases will enable the UpdateHostKeys setting by default, which will automatically migrate clients to more reliable algorithms. Recommended algorithms for migration include rsa-sha2-256/512 based on RFC8332 RSA SHA-2 (supported since OpenSSH 7.2 and used by default), ssh-ed25519 (supported since OpenSSH 6.5) and ecdsa-sha2-nistp256/384/521 based on RFC5656 ECDSA (supported since OpenSSH 5.7).

As of the last release, "ssh-rsa" and "diffie-hellman-group14-sha1" have been removed from the CASignatureAlgorithms list, which defines the algorithms allowed for digitally signing new certificates. The use of SHA-1 in certificates carries additional risk because an attacker has unlimited time to find a collision for an existing certificate, while the time to attack host keys is limited by the connection timeout (LoginGraceTime).
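
To complement the "-oHostKeyAlgorithms=-ssh-rsa" connection test and the CASignatureAlgorithms change described above, the following added example (not part of the original article or of OpenSSH) scans ssh_config/sshd_config-style lines and reports SHA-1-based algorithms that a list still enables. The function name, the set of watched keywords and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report SHA-1-based algorithms enabled by OpenSSH algorithm lists.
# Reads "Keyword value" or "Keyword=value" lines on stdin and prints
# "keyword algorithm" for every flagged entry.
flag_sha1_algos() {
    awk '
    BEGIN {
        # Keywords whose value is a comma-separated algorithm list (OpenSSH 8.3 names).
        n = split("hostkeyalgorithms casignaturealgorithms kexalgorithms pubkeyacceptedkeytypes", k, " ")
        for (i = 1; i <= n; i++) watched[k[i]] = 1
    }
    {
        sub(/#.*/, "")      # drop comments
        sub(/=/, " ")       # accept the Keyword=value form used with -o
        key = tolower($1)
        if (!(key in watched) || NF < 2) next
        list = $2
        # A leading "-" removes algorithms from the defaults, so it enables nothing.
        if (substr(list, 1, 1) == "-") next
        # "+" appends to and "^" prepends to the defaults: strip the marker.
        sub(/^[+^]/, "", list)
        m = split(list, algs, ",")
        for (i = 1; i <= m; i++) {
            a = algs[i]
            # ssh-rsa signatures use SHA-1; KEX names ending in -sha1 hash with SHA-1.
            if (a == "ssh-rsa" || a == "ssh-rsa-cert-v01@openssh.com" || a ~ /-sha1$/) print key, a
        }
    }'
}

# Constructed sample configuration, for illustration only.
sample_config='# constructed sample
HostKeyAlgorithms -ssh-rsa
CASignatureAlgorithms ssh-ed25519,ssh-rsa
KexAlgorithms=+diffie-hellman-group14-sha1
pubkeyacceptedkeytypes rsa-sha2-512,ssh-ed25519
Ciphers chacha20-poly1305@openssh.com'

printf '%s\n' "$sample_config" | flag_sha1_algos
```

A keyword that is absent from a file falls back to the built-in defaults, so piping the effective configuration from "ssh -G host" or "sshd -T" into the function gives a more complete picture. The result reflects only the local configuration; whether a given server can offer a non-SHA-1 signature is still answered by the connection test from the article.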

Source: opennet.ru
