Recent Releases

7.521 Mar 2017 22:25 minor feature: This is a release. Security. Ssh(1), sshd(8): weakness in CBC padding oracle countermeasures. That allowed a variant of the attack in OpenSSH 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by default, sshd. Offers them as lowest-preference options and will remove them by Default entriely in the next release. Reported by Jean Paul Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of Royal Holloway, University of London. Sftp-client(1): portable OpenSSH only On Cygwin, a client making a recursive file transfer could be maniuplated by a hostile server to. Perform a path-traversal attack. creating or modifying files outside of the intended target directory. Reported by Jann Horn of Google Project Zero. New Features. Ssh(1), sshd(8): Support "=-" syntax to easily remove methods from. Algorithm lists, e.g. Ciphers=-*cbc. bz#2671 Sshd(1): NULL dereference crash when key exchange start. Messages are sent out of sequence. Ssh(1), sshd(8): Allow form-feed characters to appear in. Configuration files. Sshd(8): regression in OpenSSH 7.4 support for the. Server-sig-algs extension, where SHA2 RSA signature methods were Not being correctly advertised. bz#2680 Ssh(1), ssh-keygen(1): a number of case-sensitivity in. Known_hosts processing. bz#2591 bz#2685 Ssh(1): Allow ssh to use certificates accompanied by a private key. File but no corresponding plain *.pub public key. bz#2617 Ssh(1): When updating hostkeys using the UpdateHostKeys option. Accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*. Methods were enabled in HostkeyAlgorithms and not the old ssh-rsa Method. bz#2650 Ssh(1): Detect and report excessively long configuration file. Lines. bz#2651 Merge a number of found by Coverity and reported via Redhat. And FreeBSD. Includes for some memory and file descriptor Leaks in error paths. bz#2687 Ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692. Ssh(1), sshd
7.420 Dec 2016 10:05 minor feature: This is primarily a release. Security. Ssh-agent(1): Will now refuse to load PKCS#11 modules from paths. Outside a trusted whitelist (run-time configurable). Requests to Load modules could be passed via agent forwarding and an attacker Could attempt to load a hostile PKCS#11 module across the forwarded Agent channel: PKCS#11 modules are shared libraries, so this would Result in code execution on the system running the ssh-agent if the Attacker has control of the forwarded agent-socket (on the host Running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh. Client). Reported by Jann Horn of Project Zero. Sshd(8): When privilege separation is disabled, forwarded Unix-. Domain sockets would be created by sshd(8) with the privileges of root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled. Privilege separation has been enabled by default for 14 years). Reported by Jann Horn of Project Zero. Sshd(8): Avoid theoretical leak of host private key material to. Privilege-separated child processes via realloc() when reading Keys. No such leak was observed in practice for normal-sized keys, Nor does a leak to the child processes directly expose key material to unprivileged users. Reported by Jann Horn of Project Zero. Sshd(8): The shared memory manager used by pre-authentication. Compression support had a bounds checks that could be elided by Some optimising compilers. Additionally, this memory manager was Incorrectly accessible when pre-authentication compression was Disabled. This could potentially allow attacks against the Privileged monitor process from the sandboxed privilege-separation Process (a compromise of the latter would be required first). This release removes support for pre-authentication compression. From sshd(8). Reported by Guido Vranken using the Stack unstable Optimisation identification tool (http://css.csail.mi
7.309 Oct 2016 04:05 minor feature: This is primarily a release. Security. Sshd(8): Mitigate a potential denial-of-service attack against. The system's crypt(3) function via sshd(8). An attacker could Send very long passwords that would cause excessive CPU use in Crypt(3). sshd(8) now refuses to accept password authentication Requests of length greater than 1024 characters. Independently Reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto. Sshd(8): Mitigate timing differences in password authentication. That could be used to discern valid from invalid account names When long passwords were sent and particular password hashing Algorithms are in use on the server. CVE-2016-6210, reported by EddieEzra.Harari at Ssh(1), sshd(8): observable timing weakness in the CBC padding. Oracle countermeasures. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers. Are disabled by default and only included for legacy compatibility. Ssh(1), sshd(8): Improve operation ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no. Such leakage has been observed. Reported by Jean Paul Degabriele, Kenny Paterson, Torben Hansen and Martin Albrecht. Sshd(8): (portable only) Ignore PAM environment vars when UseLogin=yes. If PAM is configured to read user-specified. Environment variables and UseLogin=yes in sshd_config, then a Hostile local user may attack /bin/login via LD_PRELOAD or Similar environment variables set via PAM. CVE-2015-8325, Found by Shayan Sadigh. New Features. Ssh(1): Add a ProxyJump option and corresponding -J command-line. Flag to allow simplified indirection through a one or more SSH Bastions or "jump hosts". Ssh(1): Add an IdentityAgent option to allow specifying specific. Agent sockets instead of accepting one from the environment. Ssh(1): Allow ExitOnForwar
7.229 Feb 2016 18:05 minor feature: This is primarily a release. Security. Ssh(1), sshd(8): remove unfinished and unused roaming code (was. Already forcibly disabled in OpenSSH 7.1p2). Ssh(1): eliminate fallback from untrusted X11 forwarding to. Trusted forwarding when the X server disables the SECURITY Extension. Ssh(1), sshd(8): increase the minimum modulus size supported for. Diffie-hellman-group-exchange to 2048 bits. Sshd(8): pre-auth sandboxing is now enabled by default (previous. Releases enabled it for new installations via sshd_config). New Features. All: add support for RSA signatures using SHA-256/512 hash. Algorithms based on draft-rsa-dsa-sha2-256-03.txt and Draft-ssh-ext-info-04.txt. Ssh(1): Add an AddKeysToAgent client option which can be set to. yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When. Enabled, a private key that is used during authentication will be Added to ssh-agent if it is running (with confirmation enabled if Set to 'confirm'). Sshd(8): add a new authorized_keys option "restrict" that includes. All current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. no-pty" - "pty". This simplifies the task of setting up. Restricted keys and ensures they are maximally-restricted, Regardless of any permissions we might implement in the future. Ssh(1): add ssh_config CertificateFile option to explicitly list. Certificates. bz#2436 Ssh-keygen(1): allow ssh-keygen to change the key comment for all. Supported formats. Ssh-keygen(1): allow fingerprinting from standard input, e.g. ssh-keygen -lf -". Ssh-keygen(1): allow fingerprinting multiple public keys in a. File, e.g. "ssh-keygen -lf /.ssh/authorized_keys" bz#1319 Sshd(8): support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to. Override a global default. bz#2486 Ssh-keygen(1): support multiple certificates (one per line) and. Reading from standard input (using "-f -") for "ssh-keygen -L" Ssh-keyscan(1):
7.122 Aug 2015 11:45 minor feature: This is a release. Security. sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin= prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication. This problem was reported by Mantas Mikulenas. ssh(1), sshd(8): add compatibility workarounds for FuTTY. ssh(1), sshd(8): refine compatibility workarounds for WinSCP. a number of memory faults (double-free, free of uninitialised memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz Kocielski. Checksums: SHA1 (openssh-7.1.tar.gz) = 06c1db39f33831fe004726e013b2cf84f1889042. SHA256 (openssh-7.1.tar.gz) = H7U1se9EoBmhkKi2i7lqpMX9QHdDTsgpu7kd5VZUGSY=. SHA1 (openssh-7.1p1.tar.gz) = ed22af19f962262c493fcc6ed8c8826b2761d9b6. SHA256 (openssh-7.1p1.tar.gz) = /AptLR0GPVxm3/2VJJPQzaJWytIE9oHeD4TvhbKthCg=. Please note that the SHA256 signatures are base64 encoded and not. hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available as RELEASE_KEY.asc from the mirror sites. Reporting : Please read Security should be reported directly to OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt. Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.
7.013 Aug 2015 10:25 minor feature: This focus of this release is primarily to deprecate weak, legacy and/or unsafe cryptography. Security. sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world- writable. Local attackers may be able to write arbitrary messages to logged-in users, including terminal escape sequences. Reported by Nikolay Edigaryev. sshd(8): Portable OpenSSH only: Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users. Reported by Moritz Jodeit. sshd(8): Portable OpenSSH only: Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution. Also reported by Moritz Jodeit. sshd(8): fix circumvention of MaxAuthTries using keyboard- interactive authentication. By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied. Found by Kingcope. Potentially-incompatible Changes. Support for the legacy SSH version 1 protocol is disabled by default at compile time. Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time. It may be re-enabled using the instructions at Support for ssh-dss, ssh-dss-cert- host and user keys is disabled by default at run-time. These may be re-enabled using the instructions at Support for the legacy v00 cert format has been removed. The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password". PermitRootLogin=without-password/prohibit-password now bans all interactive authentication
6.902 Jul 2015 13:45 minor feature: This is primarily a bugfix release. Security. ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn. ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci. New Features. ssh(1), sshd(8): promote to be the default cipher. sshd(8): support admin-specified arguments to AuthorizedKeysCommand; bz#2081. sshd(8): add AuthorizedPrincipalsCommand that allows retrieving authorized principals information from a subprocess rather than a file. ssh(1), ssh-add(1): support PKCS#11 devices with external PIN entry devices bz#2240. sshd(8): allow GSSAPI host credential check to be relaxed for multihomed hosts via GSSAPIStrictAcceptorCheck option; bz#928. ssh-keygen(1): support "ssh-keygen -lF hostname" to search known_hosts and print key hashes rather than full keys. ssh-agent(1): add -D flag to leave ssh-agent in foreground without enabling debug mode; bz#2381. Bugfixes. ssh(1), sshd(8): deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD message and do not try to use it against some 3rd-party SSH implementations that use it (older PuTTY, WinSCP). Many fixes for problems caused by compile-time deactivation of SSH1 support. ssh(1), sshd(8): cap DH-GEX group size at 4Kbits for Cisco implementations as some would fail when attempting to use group sizes 4K; bz#2209. ssh(1): fix out-of-bound read in EscapeChar configuration option parsing; bz#2396. sshd(8): fix application of Per
6.819 Mar 2015 00:25 major feature: This is a major release, containing a number of new features as well as a large internal re-factoring. Potentially-incompatible changes. sshd: UseDNS now defaults to 'no'. Configurations that match against the client host name may need to re-enable it or convert to matching against addresses. New Features. Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout. Add FingerprintHash option to ssh and sshd, and equivalent command-line flags to the other tools to control algorithm used for key fingerprints. The default changes from MD5 to SHA256 and format from hex to base64. Fingerprints now have the hash algorithm prepended. An example of the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please note that visual host keys will also be different. ssh, sshd: Experimental host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by a UpdateHostkeys config option . ssh: Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication. ssh, sshd: fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths. ssh: when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. fixes bzand avoiding needless DNS lookups in some cases. ssh-keygen, sshd: Key Revocation Lists no longer require OpenSSH to be compiled with OpenSSL support. ssh, ssh-keysign: Make ed25519 keys work for host based authentication. sshd: SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fa
6.708 Oct 2014 23:58 major feature: The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. Support for tcpwrappers/libwrap has been removed. Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. Add support for Unix domain socket forwarding. Add support for SSHFP DNS records for ED25519 key types. Allow resumption of interrupted sftp uploads. When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. Allow explicit ::1 and forwarding bind addresses when GatewayPorts=no; allows client to choose address family. Add a C escape sequence for LocalCommand and ControlPath. Added unit and fuzz tests for refactored code. These are run automatically in portable OpenSSH via the "make tests" target. Many bugfixes were applied.