Release of OpenSSH 9.8 with disabling the DSA algorithm and additional security mechanisms

The release of OpenSSH 9.8 has been published, an open implementation of a client and server for working using the SSH 2.0 and SFTP protocols. In addition to fixing a separately announced critical vulnerability (CVE-2024-6387), which allows remote code execution with root rights at the pre-authentication stage, the new version fixes another less dangerous vulnerability and proposes several significant changes aimed at improving security.

The second vulnerability allows you to bypass the protection added in OpenSSH 9.5 against side-channel attacks that analyze the delays between keystrokes on the keyboard to recreate the input. The vulnerability allows us to distinguish packets that create background activity by simulating fictitious keystrokes from packets sent when real keys are pressed, which reduces the effectiveness of the mechanism for hiding features of interactive input in traffic in ssh. Keystroke data enables attacks that recreate input by analyzing the delays between keystrokes while typing, which depend on the layout of the keys on the keyboard (for example, the response when typing the letter β€œF” is faster than when typing β€œQ” or β€œX”, so as pressing requires less finger movement).

In addition, it turned out that the implemented algorithm for sending packets with real and fictitious clicks reduced the reliability of another method of protection against side-channel attacks. Since release
OpenSSH 2.9.9 server sent packets containing dummy keystrokes for console input in echo-off mode, used, for example, when entering passwords in su or sudo. The new logic for sending dummy packets allowed passive traffic analysis to isolate packets containing real keystrokes in echo-off mode for separate analysis. However, the accuracy of the keystroke timing information is limited, since after typing, the packets are not sent immediately, but at fixed intervals (20 ms by default).

Other changes in OpenSSH 9.8:

  • At the build stage, support for digital signatures based on the DSA algorithm is disabled by default. The DSA implementation will be removed from the code base in early 2025. The reason for deletion is cited as the level of protection in DSA that does not meet modern requirements. The cost of continuing to maintain an insecure DSA algorithm is not worth it, and its removal will encourage deprecation of DSA support in other SSH implementations and cryptographic libraries.
  • To further protect against exploitation methods that require a large number of connections to sshd, a new protection mode has been implemented and enabled by default. This mode also helps block automated password guessing attacks, in which bots attempt to guess a user's password by trying various typical combinations. This protection is implemented through blocking. IP addresses, which record a large number of failed connection attempts, sshd monitors the termination status of child processes, detecting situations where authentication failed or the process was terminated abnormally due to a crash. When a certain threshold is exceeded, it begins blocking requests from problematic IPs or subnets. The PerSourcePenalties, PerSourceNetBlockSize, and PerSourcePenaltyExemptList parameters are available for configuring the blocking threshold, the subnet mask to block, and the exclusion list.
  • sshd has been split into several separate executable files. The sshd-session process is allocated from sshd to perform tasks related to session processing. The sshd process retains functions responsible for accepting network connections, checking configurations, loading host keys, and managing startup processes in accordance with the MaxStartups parameter. Thus, the sshd executable now contains the minimum functionality required to accept a new network connection and start sshd-session to handle the session.
  • The text of some error messages written to the log has changed. In particular, a number of messages are now sent under the name of the "sshd-session" process rather than "sshd".
  • The ssh-keyscan utility now outputs protocol version and hostname information to standard stream instead of STDERR. To disable output, the β€œ-q” option is suggested.
  • In ssh, it is possible to disable the rollback from using a host key certificate to using plain host keys via the HostkeyAlgorithms directive.
  • The portable version of sshd no longer uses the value argv[0] to determine the PAM service name. To set the name of the PAM service, a new directive β€œPAMServiceName” has been added to sshd_config, which is set to β€œsshd” by default.
  • The portable version of sshd ensures that automatically generated files (configure script, config.h.in, etc.) are saved in a Git branch with releases (for example, V_9_8), which made it possible to synchronize the composition of digitally signed tar archives and branches in Git.
  • The portable version of ssh and ssh-agent provides mode setting
    SSH_ASKPASS in the presence of the WAYLAND_DISPLAY environment variable, similar to how for X11 this was done in the presence of the DISPLAY environment variable.
  • The portable version of sshd adds support for sending notifications to systemd when a listening network socket is created or restarted, using standalone code that does not call the libsystemd library.

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster