OpenSSH 9.1 release

After six months of development, OpenSSH 9.1, an open implementation of the client and server for the SSH 2.0 and SFTP protocols, has been released. The release is described as consisting mostly of bug fixes, including fixes for several potential vulnerabilities caused by memory-handling errors:

  • Single-byte overflow in the SSH banner processing code in the ssh-keyscan utility.
  • A double call to free() when an error occurs while hashing files in the ssh-keygen code that creates and verifies digital signatures.
  • A double call to free() in the error-handling path of the ssh-keysign utility.

Major changes:

  • The RequiredRSASize directive has been added to ssh and sshd to set the minimum acceptable RSA key size. In sshd, keys smaller than this are ignored; in ssh, a host key smaller than this terminates the connection.
  • The portable edition of OpenSSH has been converted to use SSH keys to digitally sign commits and tags in Git.
  • The SetEnv directives in the ssh_config and sshd_config configuration files now apply the value from the first occurrence of an environment variable if it is defined multiple times in the configuration (before that, the last occurrence was used).
  • When calling the ssh-keygen utility with the "-A" flag (generating all types of host keys supported by default), the generation of DSA keys, which have not been used by default for several years, is disabled.
  • sftp-server and sftp implement the "users-groups-by-id@openssh.com" extension, which lets the client request the user and group names corresponding to a given set of numeric identifiers (uid and gid). In sftp, this extension is used to display names when listing the contents of a directory.
  • sftp-server implements the "home-directory" extension for expanding ~/ and ~user/ paths, as an alternative to "expand-path@openssh.com" (the "home-directory" extension is proposed for standardization and is already supported by some clients).
  • ssh-keygen and sshd can now interpret the times that define certificate and key validity intervals in UTC, in addition to the system time zone.
  • In sftp, additional arguments are allowed in the "-D" option (for example, "/usr/libexec/sftp-server -el debug3").
  • ssh-keygen accepts the "-U" flag (use ssh-agent) together with the "-Y sign" operation, to indicate that the private key is held in ssh-agent.
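A defender-side check tied to the RequiredRSASize directive, added here as an example and not OpenSSH's own code: it parses the ssh-rsa wire format (SSH string "ssh-rsa", mpint e, mpint n) from authorized_keys-style lines and flags keys whose modulus is below a chosen threshold, i.e. the keys sshd would start ignoring once that threshold is configured. The sample keys are constructed inside the block (their modulus is not a real RSA key), and the 3072-bit threshold is an assumption, not an OpenSSH default.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def make_rsa_pubkey_line(bits: int, comment: str) -> str:
    """Build a CONSTRUCTED authorized_keys line whose modulus is exactly `bits` bits.
    The modulus is not a real RSA key (not a product of two primes); it only exercises the parser."""
    n = (1 << (bits - 1)) | 1  # top bit set, so n.bit_length() == bits
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def _read_string(buf: bytes, off: int):
    """Decode one SSH string at offset `off`; return (bytes, new offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + length], off + length

def rsa_modulus_bits(line: str):
    """Return the modulus size in bits for a line starting with 'ssh-rsa', or None for
    any other line (other key types, comments, blank lines). Lines with a leading
    options field (e.g. 'no-pty ssh-rsa ...') are not handled by this simplified parser."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[1])
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match the line")
    _e, off = _read_string(blob, off)        # public exponent, not needed here
    n_bytes, _ = _read_string(blob, off)     # modulus; a leading 0x00 is harmless
    return int.from_bytes(n_bytes, "big").bit_length()

def undersized_rsa_keys(lines, required_bits=3072):
    """Return the comment field of every RSA key below `required_bits`, i.e. the keys that
    sshd would ignore under 'RequiredRSASize <required_bits>' (threshold is an assumption)."""
    return [ln.split()[-1] for ln in lines
            if (b := rsa_modulus_bits(ln)) is not None and b < required_bits]
```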

    Source: opennet.ru