After six months of development, OpenSSH 8.9 is released, an open client and server implementation for SSH 2.0 and SFTP protocols. The new version fixes a vulnerability in sshd that could potentially allow access without authentication. The problem is caused by an integer overflow in the authentication code, but exploitation is possible only in combination with other logical errors in the code.
In its current form, the vulnerability is not exploitable when privilege splitting is enabled, as its manifestation is blocked by separate checks performed in the privilege split tracking code. Privilege sharing mode is enabled by default in 2002 starting with OpenSSH 3.2.2 and has been mandatory since the 7.5 release of OpenSSH 2017. In addition, in portable versions of OpenSSH since release 6.5 (2014), the vulnerability is blocked by compiling with the inclusion of flags to protect against integer overflows.
Other changes:
- In the portable version of OpenSSH, sshd removed native support for password hashing using the MD5 algorithm (linking to external libraries such as libxcrypt is allowed to return).
- ssh, sshd, ssh-add and ssh-agent implement a subsystem for restricting the transfer and use of keys added to ssh-agent. The subsystem allows you to set rules that determine how and where keys can be used in ssh-agent. For example, to add a key that can only be used to authenticate when any user connects to the host scylla.example.org, the user perseus to the host cetus.example.org, and the user medea to the host charybdis.example.org with redirection through the intermediate host scylla.example.org, you can use the following command: $ ssh-add -h "perseus@cetus.example.org" \ -h "scylla.example.org" \ -h "scylla.example.org>medea@charybdis.example.org" \ ~/.ssh/id_ed25519
- In ssh and sshd, the hybrid algorithm "sntrup761x25519-sha512@openssh.com" (ECDH/x25519 + NTRU Prime), resistant to brute force on quantum computers, has been added by default to the KexAlgorithms list, which determines the order of choosing key exchange methods. In OpenSSH 8.9, this negotiation method was added between the ECDH and DH methods, but it is planned to be used by default in the next release.
- ssh-keygen, ssh, and ssh-agent have improved handling of FIDO token keys used for device verification, including keys for biometric authentication.
- Added "ssh-keygen -Y match-principals" command to ssh-keygen to check usernames in a file with a list of allowed names.
- ssh-add and ssh-agent provide the ability to add PIN-protected FIDO keys to ssh-agent (a PIN request is displayed at the time of authentication).
- ssh-keygen allows the choice of hashing algorithm (sha512 or sha256) during signing.
- To improve performance, ssh and sshd read network data directly into the incoming packet buffer, bypassing intermediate buffering in the stack. The direct placement of the received data into the channel buffer is similarly implemented.
- In ssh, the PubkeyAuthentication directive has expanded the list of supported parameters (yes|no|unbound|host-bound) to provide the ability to select which protocol extension to use.
In a future release, the scp utility is planned to switch to SFTP by default, replacing the legacy SCP/RCP protocol. SFTP uses more predictable name handling methods and avoids the security-prone handling of glob patterns in filenames via the shell on the other host. Specifically, when using SCP and RCP, the server decides which files and directories to send to the client, while the client only checks the returned object names for correctness. This allows for security breaches if proper checks are not performed on the client side. server Transfer filenames other than those requested. The SFTP protocol is free of these problems, but it does not support the expansion of special paths such as "~/." To address this difference, a new SFTP protocol extension for expanding the ~/ and ~user/ paths was proposed in the previous OpenSSH release of the SFTP server implementation.
Source: opennet.ru
