Language Selection

English French German Italian Portuguese Spanish

OpenSSH 8.5

Filed under
BSD
OpenSSH 8.5 was released on 2021-03-03. It is available from the
mirrors listed at https://www.openssh.com/.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near
future.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

This release enables the UpdateHostKeys option by default to assist
the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

Security
========

 * ssh-agent(1): fixed a double-free memory corruption that was
   introduced in OpenSSH 8.2 . We treat all such memory faults as
   potentially exploitable. This bug could be reached by an attacker
   with access to the agent socket.

   On modern operating systems where the OS can provide information
   about the user identity connected to a socket, OpenSSH ssh-agent
   and sshd limit agent socket access only to the originating user
   and root. Additional mitigation may be afforded by the system's
   malloc(3)/free(3) implementation, if it detects double-free
   conditions.

   The most likely scenario for exploitation is a user forwarding an
   agent either to an account shared with a malicious user or to a
   host with an attacker holding root access.

 * Portable sshd(8): Prevent excessively long username going to PAM.
   This is a mitigation for a buffer overflow in Solaris' PAM username
   handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
   implementations.  This is not a problem in sshd itself, it only
   prevents sshd from being used as a vector to attack Solaris' PAM.
   It does not prevent the bug in PAM from being exploited via some
   other PAM application. GHPR#212


Potentially-incompatible changes
================================

This release includes a number of changes that may affect existing
configurations:

 * ssh(1), sshd(8): this release changes the first-preference signature
   algorithm from ECDSA to ED25519.

 * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration
   for interactive use prior to TCP connect. The connection phase of
   the SSH session is time-sensitive and often explicitly interactive.
   The ultimate interactive/bulk TOS/DSCP will be set after
   authentication completes.

 * ssh(1), sshd(8): remove the pre-standardization cipher
   rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before
   it was standardized in RFC4253 (2006), has been deprecated and
   disabled by default since OpenSSH 7.2 (2016) and was only briefly
   documented in ssh.1 in 2001.

 * ssh(1), sshd(8): update/replace the experimental post-quantum
   hybrid key exchange method based on Streamlined NTRU Prime coupled
   with X25519.

   The previous sntrup4591761x25519-sha512@tinyssh.org method is
   replaced with sntrup761x25519-sha512@openssh.com. Per its
   designers, the sntrup4591761 algorithm was superseded almost two
   years ago by sntrup761.

   (note this both the updated method and the one that it replaced are
   disabled by default)

 * ssh(1): disable CheckHostIP by default. It provides insignificant
   benefits while making key rotation significantly more difficult,
   especially for hosts behind IP-based load-balancers.

Changes since OpenSSH 8.4
=========================

New features
------------

 * ssh(1): this release enables UpdateHostkeys by default subject to
   some conservative preconditions:
    - The key was matched in the UserKnownHostsFile (and not in the
      GlobalKnownHostsFile).
    - The same key does not exist under another name.
    - A certificate host key is not in use.
    - known_hosts contains no matching wildcard hostname pattern.
    - VerifyHostKeyDNS is not enabled.
    - The default UserKnownHostsFile is in use.

   We expect some of these conditions will be modified or relaxed in
   future.

 * ssh(1), sshd(8): add a new LogVerbose configuration directive for
   that allows forcing maximum debug logging by file/function/line
   pattern-lists.

 * ssh(1): when prompting the user to accept a new hostkey, display
   any other host names/addresses already associated with the key.

 * ssh(1): allow UserKnownHostsFile=none to indicate that no
   known_hosts file should be used to identify host keys.

 * ssh(1): add a ssh_config KnownHostsCommand option that allows the
   client to obtain known_hosts data from a command in addition to
   the usual files.

 * ssh(1): add a ssh_config PermitRemoteOpen option that allows the
   client to restrict the destination when RemoteForward is used
   with SOCKS.

 * ssh(1): for FIDO keys, if a signature operation fails with a
   "incorrect PIN" reason and no PIN was initially requested from the
   user, then request a PIN and retry the operation. This supports
   some biometric devices that fall back to requiring PIN when reading
   of the biometric failed, and devices that require PINs for all
   hosted credentials.

 * sshd(8): implement client address-based rate-limiting via new
   sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
   directives that provide more fine-grained control on a per-origin
   address basis than the global MaxStartups limit.

Bugfixes
--------

 * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
   make it easier to determine which connection they are associated
   with in cases like scp -3, ProxyJump, etc. bz#3224

 * sshd(8): fix sshd_config SetEnv directives located inside Match
   blocks. GHPR#201

 * ssh(1): when requesting a FIDO token touch on stderr, inform the
   user once the touch has been recorded.

 * ssh(1): prevent integer overflow when ridiculously large
   ConnectTimeout values are specified, capping the effective value
   (for most platforms) at 24 days. bz#3229

 * ssh(1): consider the ECDSA key subtype when ordering host key
   algorithms in the client.

 * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
   PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
   that it control allowed key algorithms, when this option actually
   specifies the signature algorithms that are accepted. The previous
   name remains available as an alias. bz#3253

 * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
   HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.

 * sftp-server(8): add missing lsetstat@openssh.com documentation
   and advertisement in the server's SSH2_FXP_VERSION hello packet.

 * ssh(1), sshd(8): more strictly enforce KEX state-machine by
   banning packet types once they are received. Fixes memleak caused
   by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).

 * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
   platforms instead of being limited by LONG_MAX. bz#3206

 * Minor man page fixes (capitalization, commas, etc.) bz#3223

 * sftp(1): when doing an sftp recursive upload or download of a
   read-only directory, ensure that the directory is created with
   write and execute permissions in the interim so that the transfer
   can actually complete, then set the directory permission as the
   final step. bz#3222

 * ssh-keygen(1): document the -Z, check the validity of its argument
   earlier and provide a better error message if it's not correct.
   bz#2879

 * ssh(1): ignore comments at the end of config lines in ssh_config,
   similar to what we already do for sshd_config. bz#2320

 * sshd_config(5): mention that DisableForwarding is valid in a
   sshd_config Match block. bz3239

 * sftp(1): fix incorrect sorting of "ls -ltr" under some
   circumstances. bz3248.

 * ssh(1), sshd(8): fix potential integer truncation of (unlikely)
   timeout values. bz#3250

 * ssh(1): make hostbased authentication send the signature algorithm
   in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
   This make HostbasedAcceptedAlgorithms do what it is supposed to -
   filter on signature algorithm and not key type.

Portability
-----------

 * sshd(8): add a number of platform-specific syscalls to the Linux
   seccomp-bpf sandbox. bz#3232 bz#3260

 * sshd(8): remove debug message from sigchld handler that could cause
   deadlock on some platforms. bz#3259

 * Sync contrib/ssh-copy-id with upstream.

 * unittests: add a hostname function for systems that don't have it.
   Some systems don't have a hostname command (it's not required by
   POSIX). The do have uname -n (which is), but not all of those have
   it report the FQDN.

Checksums:
==========

 - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e
 - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU=

 - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e
 - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available from the mirror sites:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc

Please note that the OpenPGP key used to sign releases has been
rotated for this release. The new key has been signed by the previous
key to provide continuity.

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

Read more

OpenSSH 8.5 released

  • OpenSSH 8.5 released

    OpenSSH 8.5 has been released. It includes fixes for a couple of potential security problems (one of which only applies to Solaris hosts); it also enables UpdateHostKeys by default, allowing hosts with insecure keys to upgrade them without creating scary warnings for users. There are a lot of other small changes; see the announcement for details.

Announce: OpenSSH 8.5 released

  • Announce: OpenSSH 8.5 released

    OpenSSH 8.5 has just been released. It will be available from the mirrors listed at https://www.openssh.com/ shortly.

    OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.

    Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

KDE Frameworks 5.81 Released with KHamburgerMenu, Various Improvements

The biggest new feature in the KDE Frameworks 5.81 release is the implementation of a new, custom hamburger menu called KHamburgerMenu, which will be shown on QWidgets-based apps whenever the main menubar is hidden. The KDE Project plans to adopt the KHamburgerMenu for all KDE apps as it offers several advantages, including an alternative app menu in case you hide the default menubar by accident, more freedom when you want to take full advantage of the maximum vertical space, more compact design with only relevant menu items, as well as support for relocating, renaming, removing, or even changing its icon. Read more

today's leftovers

  • Radeon Vulkan Driver Adds Option Of Rendering Less For ~30% Greater Performance - Phoronix

    If your current Vulkan-based Radeon Linux gaming performance isn't cutting it and a new GPU is out of your budget or you have been unable to find a desired GPU upgrade in stock, the Mesa RADV driver has added an option likely of interest to you... Well, at least moving forward with this feature being limited to RDNA2 GPUs for now. RADV as Mesa's Radeon Vulkan driver has added an option to allow Variable Rate Shading (VRS) via an environment variable override. This RADV addition is inspired by the likes of NVIDIA DLSS for trading rendering quality for better performance but in its current form is a "baby step" before being comparable to DLSS quality and functionality.

  • Bas Nieuwenhuizen: A First Foray into Rendering Less

    In RADV we just added an option to speed up rendering by rendering less pixels. These kinds of techniques have become more common over the past decade with techniques such as checkerboarding, TAA based upscaling and recently DLSS. Fundamentally all they do is trading off rendering quality for rendering cost and many of them include some amount of postprocessing to try to change the curve of that tradeoff. Most notably DLSS has been widly successful at that to the point many people claim it is barely a quality regression. Of course increasing GPU performance by up to 50% or so with barely any quality regression seems like must have and I think it would be pretty cool if we could have the same improvements on Linux. I think it has the potential to be a game changer, making games playable on APUs or playing with really high resolution or framerates on desktops. [...] VRS is by far the easiest thing to make work in almost all games. Most alternatives like checkerboarding, TAA and DLSS need modified render target size, significant shader fixups, or even a proprietary integration with games. Making changes that deeply is getting more complicated the more advanced the game is. If we want to reduce render resolution (which would be a key thing in e.g. checkerboarding or DLSS) it is very hard to confidently tie all resolution dependent things together. For example a big cost for some modern games is raytracing, but the information flow to the main render targets can be very hard to track automatically and hence such a thing would require a lot of investigation or a bunch of per game customizations.

  • Dota 2 version 7.29 is out with the new Dawnbreaker melee hero

    Valve has put out a major upgrade for their popular free to play MOBA with Dota 2 getting Dawnbreaker. This brand new hero is focused on melee, with a low-skill entry level so it should be suitable for a lot of players. You can see a dedicated hero page for Dawnbreaker here. "Dawnbreaker shines in the heart of battle, happily crushing enemies with her celestial hammer and healing nearby allies. She revels in hurling her hammer through multiple foes and then converging with it in a blazing wake, always waiting to tap her true cosmic power to fly to the aid of her teammates — eager to rout her enemies on the battlefield no matter where they are."

  • Grape times ahead with the release of Wine 6.6 noting plenty of fixes

    No wine-ing about the puns please. Jokes aside, the tasty compatibility tech that is Wine has a new development release available today with Wine 6.6. For newer readers and Linux users here's a refresher - Wine is a compatibility layer built for operating systems like Linux, macOS and BSD. The idea is to allow other platforms to run games and applications only built and supported for Windows. It's also part of what makes up Steam Play Proton. Once a year or so, a new stable release is made.

  • Friday’s Fedora Facts: 2021-14

    Here’s your weekly Fedora report. Read what happened this week and what’s coming up. Your contributions are welcome (see the end of the post)! The Final freeze is underway. The F34 Final Go/No-Go meeting is Thursday. I have weekly office hours on Wednesdays in the morning and afternoon (US/Eastern time) in #fedora-meeting-1. Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else. See the upcoming meetings for more information.

  • A developer goes to the Masters: Day 1 inside the digital ops center [Ed: IBM is OK with the word "Master" again, contrary to spin]
  • Rancher Platform Partner, Weka delivers Stateful Storage for Containers at Scale

    Containers rose to the mainstream primarily due to workload portability and immutability advantages. Kubernetes became the primary orchestration tool and was initially supporting stateless applications, commonly referred to as the cattle vs. pets approach. However, data-centric applications need stateful-ness while still leveraging the cattle vs. pet approach. Microservices, Containers, and Kubernetes are now moving mainstream as increasingly more stateful applications are adopting them.

  • SUSE for your agile data platform, featuring Microsoft SQL Server[Ed: SUSE is just a worthless proprietary software reseller for SAP and Microsoft (their salesperson from SAP signing anti-RMS petition makes perfect sense and proves us correct about SUSE's motivations)]
  • What's the point of open source without contributors? Turns out, there are several [Ed: Mac Asay isn't even using it himself, just lecturing others what to do while working for Jeff Bezos]
  • Am I FLoCed? A New Site to Test Google's Invasive Experiment

    FLoC is a terrible idea that should not be implemented. Google’s experimentation with FLoC is also deeply flawed . We hope that this site raises awareness about where the future of Chrome seems to be heading, and why it shouldn't.

    FLoC takes most of your browsing history in Chrome, and analyzes it to assign you to a category or “cohort.” This identification is then sent to any website you visit that requests it, in essence telling them what kind of person Google thinks you are. For the time being, this ID changes every week, hence leaking new information about you as your browsing habits change. You can read a more detailed explanation here .

    Because this ID changes, you will want to visit https://amifloced.org often to see those changes.

  • The Brave browser basics: what it does, how it differs from rivals

    Boutique browsers try to scratch out a living by finding a niche underserved by the usual suspects. Brave is one of those browsers.

    Brave has gotten more attention than most alternate browsers, partly because a co-founder was one of those who kick-started Mozilla's Firefox, partly because of its very unusual — some say parasitical — business model.

Devices/Embedded Hardware

  • 3.5-inch SBC features Comet Lake-S

    Aaeon’s 3.5-inch Linux-ready “GENE-CML5” SBC supplies an up to octa-core 10th Gen Core CPU plus up to 64GB DDR4, 2x SATA, 2x GbE, 2x USB 3.2 Gen2, DP, VGA, M.2 M-key, and PCIe x4. Aaeon has posted a preliminary product page for what appears to be the first 3.5-inch SBC built around Intel’s 10th Gen Comet Lake-S. In fact, this is one of the first Comet Lake SBCs of any kind, following a few early entries like Portwell’s WADE-8212 Mini-ITX board.

  • Play your retro console on a modern TV
  • Olimex RP2040-PICO-PC “computer” to feature RP2040-Py Raspberry Pi Pico compatible module

    We previously wrote it was possible to create a Raspberry Pi RP2040 board with HDMI using DVI and programmable IOs to output video up to 640×480 at 60 Hz with the microcontroller’s Cortex-M0+ cores clocked at 252 MHz. At the time, we also noted Olimex was working on such a board with RP2040-PICO-PC designed to create a small Raspberry Pi RP2040 computer with HDMI/DVI video output. The Bulgarian company has now manufactured the first prototype, but due to supply issues with the Raspberry Pi Pico board, they also designed their own RP2040-PICO module since they’ve got a reel of Raspberry Pi RP2040 microcontrollers.

  • Our most complex Open Source Hardware board made with KiCad – the octa core iMX8 Quad Max – Tukhla is completely routed and now on prototype production

    We started this project June-July 2020. Due to the Covid19 the development took 10 months although only 6 month of active work was done, due to lock downs, ill developers and so on troubles.

    Now the board is completely routed and has these features: [...]

Programming Leftovers

  • Open Source Software Leader the Eclipse Foundation Launches the Adoptium Working Group for Multi-Vendor Delivery of Java Runtimes for Enterprises
  • AWS's Shane Miller to head the newly created Rust Foundation

    Miller, who leads the Rust Platform team for AWS, has been a software engineer for almost 30 years. At AWS, Miller has been a leader in open-source strategic initiatives and software engineering and delivery. Miller's Rust Platform team includes Rust language and compiler maintainers and contributors and developers on the Tokio runtime for writing reliable asynchronous applications with Rust. Under Miller's leadership, the AWS Rust team is crafting optimizations and tools for the features that engineers will use to build and operate services which take full advantage of Rust's performance and safety.

  • Inkscape compiled in OpenEmbedded

    Cross-compiling can be a challenge with some packages, and some of the big ones, such as SeaMonkey, LibreOffice and Inkscape, I have compiled in a running EasyOS (with the "devx" SFS loaded). I have previously compiled LibreOffice in OE, see the Pyro series. But it was a lot of work.

  • Felix Häcker: New Shortwave release

    Ten months later, after 14.330 added and 8.634 deleted lines, Shortwave 2.0 is available! It sports new features, and comes with the well known improvements, and bugfixes as always. [...] Shortwave has always been designed to handle any screen size from the beginning. In version 2.0 we have been able to improve this even further. There is now a compact mini player for desktop screens. This still offers access to the most important functions in a tiny window.

  • 5 signs you're a groff programmer

    I first discovered Unix systems in the early 1990s, when I was an undergraduate at university. I liked it so much that I replaced the MS-DOS system on my home computer with the Linux operating system. One thing that Linux didn't have in the early to mid-1990s was a word processor. A standard office application on other desktop operating systems, a word processor lets you edit text easily. I often used a word processor on DOS to write my papers for class. I wouldn't find a Linux-native word processor until the late 1990s. Until then, word processing was one of the rare reasons I maintained dual-boot on my first computer, so I could occasionally boot back into DOS to write papers. Then I discovered that Linux provided kind of a word processor. GNU troff, better known as groff, is a modern implementation of a classic text processing system called troff, short for "typesetter roff," which is an improved version of the nroff system. And nroff was meant to be a new implementation of the original roff (which stood for "run off," as in to "run off" a document).