The release of OpenSSH 8.8, an open implementation of the client and server for working over the SSH 2.0 and SFTP protocols, has been published. The release is notable for disabling by default the ability to use digital signatures based on RSA keys with a SHA-1 hash ("ssh-rsa").
Support for "ssh-rsa" signatures is being dropped because chosen-prefix collision attacks have become more efficient (the cost of finding a collision is estimated at about 50 thousand dollars). To test whether ssh-rsa is in use on your systems, you can try connecting via ssh with the "-oHostKeyAlgorithms=-ssh-rsa" option. Support for RSA signatures with SHA-256 and SHA-512 hashes (rsa-sha2-256/512), which have been supported since OpenSSH 7.2, is unchanged.
In most cases, disabling ssh-rsa will not require any manual action from users, because OpenSSH already had the UpdateHostKeys setting enabled by default, which automatically migrates clients to more secure algorithms. The migration uses the "hostkeys@openssh.com" protocol extension, which allows the server, after authentication, to inform the client of all available host keys. When connecting to hosts running very old versions of OpenSSH, you can selectively re-enable "ssh-rsa" signatures on the client side by adding the following lines to ~/.ssh/config:

    Host old_hostname
        HostkeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa
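To find leftover exceptions of the kind shown above, the following shell function reads a client config on stdin and lists the Host or Match blocks whose algorithm settings would enable ssh-rsa. It is an added example, not part of the original article or of OpenSSH; the function name and the sample config are constructed for illustration, and PubkeyAcceptedKeyTypes is the older name of PubkeyAcceptedAlgorithms.

```shell
#!/bin/sh
# Added example: report ssh_config blocks that enable the SHA-1 "ssh-rsa" algorithm.
find_ssh_rsa_exceptions() {   # hypothetical helper name; reads a config on stdin
  awk '
    # True when an algorithm list value would leave ssh-rsa enabled.
    function enables(v,   i, n, a, p) {
      if (substr(v, 1, 1) == "-") return 0   # "-list" removes algorithms
      sub(/^[+^]/, "", v)                    # "+" appends, "^" puts first
      n = split(v, a, ",")
      for (i = 1; i <= n; i++) {
        p = a[i]                             # entries may use * and ? wildcards
        gsub(/[.]/, "[.]", p); gsub(/[?]/, ".", p); gsub(/[*]/, ".*", p)
        if ("ssh-rsa" ~ ("^(" p ")$")) return 1
      }
      return 0
    }
    BEGIN { scope = "(global)" }
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    {
      # ssh_config accepts both "Keyword value" and "Keyword=value"
      match($0, /^[A-Za-z]+/)
      key = tolower(substr($0, 1, RLENGTH))
      val = substr($0, RLENGTH + 1)
      sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
    }
    key == "host" || key == "match" { scope = val; next }
    key == "hostkeyalgorithms" || key == "pubkeyacceptedalgorithms" ||
    key == "pubkeyacceptedkeytypes" {
      if (enables(val)) print scope ": " key
    }
  '
}

# Constructed sample config, not taken from a real system.
find_ssh_rsa_exceptions <<'EOF'
Host old_hostname
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
Host bastion
    HostKeyAlgorithms=-ssh-rsa
Host *.lab.example
    PubkeyAcceptedAlgorithms rsa-sha2-512,rsa-sha2-256
Host legacy-*
    HostKeyAlgorithms ^ssh-*
EOF
```

On a real system, feed it the per-user and system-wide client configs, for example `find_ssh_rsa_exceptions < ~/.ssh/config`; files pulled in through Include directives have to be checked separately.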
The new version also fixes a security issue: since OpenSSH 6.2, sshd has incorrectly initialized the user's groups when executing commands specified in the AuthorizedKeysCommand and AuthorizedPrincipalsCommand directives. These directives are supposed to ensure that the commands are run under a different user, but in fact the commands inherited the list of groups that sshd was started with. With certain system configurations, this behavior could allow the launched handler to gain additional privileges on the system.
The release notes also contain a warning about the intention to switch the scp utility to SFTP by default, replacing the legacy SCP/RCP protocol. SFTP uses more predictable name handling methods and does not rely on the shell on the other host to process glob patterns in filenames, a practice that creates security issues. In particular, when using SCP and RCP, the server decides which files and directories to send to the client, while the client only checks the returned object names for correctness. If proper checks are not performed on the client side, this allows the server to send file names different from those requested. The SFTP protocol is free of these problems, but does not support the expansion of special paths such as "~/". To address this difference, a new SFTP protocol extension for expanding the ~/ and ~user/ paths was proposed in the SFTP server implementation in the previous OpenSSH release.
Source: opennet.ru
