It runs on Linux

OpenSSH 7.0 available

OpenSSH 7.0 has been released, just a month after OpenSSH 6.9. This release mainly contains security improvements and fixes.

OpenSSH

OpenSSH is a complete implementation of the SSH protocol (versions 1.3, 1.5 and 2.0) and includes server support and SFTP.

According to the OpenSSH developers “the focus of this release is primarily to deprecate weak, legacy and/or unsafe cryptography.”

Changes since the last release

Security

  • sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-
    writable. Local attackers may be able to write arbitrary messages
    to logged-in users, including terminal escape sequences.
    Reported by Nikolay Edigaryev.
  • sshd(8): Portable OpenSSH only: Fixed a privilege separation
    weakness related to PAM support. Attackers who could successfully
    compromise the pre-authentication process for remote code
    execution and who had valid credentials on the host could
    impersonate other users. Reported by Moritz Jodeit.
  • sshd(8): Portable OpenSSH only: Fixed a use-after-free bug
    related to PAM support that was reachable by attackers who could
    compromise the pre-authentication process for remote code
    execution. Also reported by Moritz Jodeit.
  • sshd(8): fix circumvention of MaxAuthTries using keyboard-
    interactive authentication. By specifying a long, repeating
    keyboard-interactive “devices” string, an attacker could request
    the same authentication method be tried thousands of times in
    a single pass. The LoginGraceTime timeout in sshd(8) and any
    authentication failure delays implemented by the authentication
    mechanism itself were still applied. Found by Kingcope.
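The MaxAuthTries item above describes many authentication attempts being squeezed into a single connection. The following is an added example, not code from the OpenSSH project or from the original post: a defender-side check that reads sshd log lines, counts failed authentications per sshd process (one process per connection) and source address, and reports any connection whose failure count exceeds the configured MaxAuthTries. On a patched server that count cannot be exceeded within one connection, so a hit points at an unpatched 6.x host or at credential guessing worth investigating. The message format follows sshd's `Failed keyboard-interactive/pam for USER from ADDR port PORT ssh2` lines; the sample lines, and the function names `build_sample_log` and `failed_auth_over_limit`, are this example's own.

```shell
#!/bin/sh
# Added example (not OpenSSH project code): flag connections with more
# failed authentications than MaxAuthTries should allow.

# Constructed sample log: one connection (sshd pid 2100) with eight
# keyboard-interactive failures, and a normal connection (pid 2101)
# with one password failure followed by a public-key success.
build_sample_log() {
  i=1
  while [ "$i" -le 8 ]; do
    printf 'Aug 11 10:00:0%d host sshd[2100]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 40001 ssh2\n' "$i"
    i=$((i + 1))
  done
  printf 'Aug 11 10:00:05 host sshd[2101]: Failed password for alice from 198.51.100.7 port 40002 ssh2\n'
  printf 'Aug 11 10:00:09 host sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2\n'
}

# Read syslog-style sshd lines on stdin; print "PID SOURCE COUNT" for each
# sshd process whose failed-auth count exceeds $1 (sshd's default
# MaxAuthTries is 6). Nothing is printed when every connection stayed
# within the limit.
failed_auth_over_limit() {
  max="${1:-6}"
  awk -v max="$max" '
    /sshd\[[0-9]+]: Failed / {
      # field 5 looks like "sshd[2100]:"; keep only the pid
      pid = $5; sub(/^sshd\[/, "", pid); sub(/]:$/, "", pid)
      src = ""
      for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
      n[pid " " src]++
    }
    END { for (k in n) if (n[k] > max) print k, n[k] }
  ' | sort
}

# Stand-alone run over the constructed sample with the default limit.
build_sample_log | failed_auth_over_limit 6
```

On a real host the same function is fed with `grep sshd /var/log/auth.log | failed_auth_over_limit 6` (path varies by distribution); the pid grouping is what distinguishes many failures within one connection from many separate short connections, which MaxAuthTries alone never limited.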

Potentially-incompatible Changes

  • Support for the legacy SSH version 1 protocol is disabled by
    default at compile time.
  • Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
    is disabled by default at run-time. It may be re-enabled using
    the instructions at http://www.openssh.com/legacy.html
  • Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at http://www.openssh.com/legacy.html
  • Support for the legacy v00 cert format has been removed.
  • The default for the sshd_config(5) PermitRootLogin option has
    changed from “yes” to “prohibit-password”.
  • PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).

New Features

  • ssh_config(5): add PubkeyAcceptedKeyTypes option to control which
    public key types are available for user authentication.
  • sshd_config(5): add HostKeyAlgorithms option to control which
    public key types are offered for host authentications.
  • ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
    HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
    options to allow appending to the default set of algorithms
    instead of replacing it. Options may now be prefixed with a ‘+’
    to append to the default, e.g. “HostKeyAlgorithms=+ssh-dss”.
  • sshd_config(5): PermitRootLogin now accepts an argument of
    ‘prohibit-password’ as a less-ambiguous synonym of ‘without-
    password’.
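The two lists above (the legacy algorithms and defaults that 7.0 turns off, and the new `+` prefix that appends to the default algorithm set instead of replacing it) are easiest to check against a real configuration. The script below is an added example, not code from the OpenSSH project or from the original post: a POSIX sh audit that reads an `sshd_config`, reports each setting the release notes call out as weak or legacy (SSH-1 in `Protocol`, `PermitRootLogin yes`, `diffie-hellman-group1-sha1`, `ssh-dss`) and says for every algorithm list whether it replaces or appends to the defaults. The sample configuration embedded in it is constructed and deliberately weak; the function names `audit_sshd_config`, `list_mode` and `count_weak_settings` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the OpenSSH project or the original post.
# Audits an sshd_config for the legacy settings OpenSSH 7.0 deprecates and
# reports whether an algorithm list replaces or appends to the defaults.

# Constructed sample configuration for this example (deliberately weak).
SAMPLE_SSHD_CONFIG='# sample sshd_config, constructed for the example
Protocol 2,1
PermitRootLogin yes
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms=+ssh-dss
PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss
MaxAuthTries 6
'

# Describe how an algorithm list interacts with the built-in defaults:
# a leading "+" appends to them (new in 7.0); otherwise the list replaces them.
list_mode() {
  case "$1" in
    +*) echo "appends to defaults" ;;
    *)  echo "replaces defaults" ;;
  esac
}

# Read sshd_config text on stdin and print one WEAK line per finding.
# Comments and blank lines are ignored, "Key=Value" is normalised to
# "Key Value", and keywords are matched case-insensitively as sshd does.
audit_sshd_config() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
      -e 's/^\([A-Za-z]*\)=/\1 /' |
  while read -r key value; do
    lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    case "$lkey" in
      protocol)
        case ",$value," in
          *,1,*) echo "WEAK Protocol: SSH-1 enabled ($value); 7.0 disables it at compile time" ;;
        esac ;;
      permitrootlogin)
        case "$value" in
          yes) echo "WEAK PermitRootLogin: yes (7.0 default is prohibit-password)" ;;
        esac ;;
      kexalgorithms)
        case "$value" in
          *diffie-hellman-group1-sha1*)
            echo "WEAK KexAlgorithms: 1024-bit diffie-hellman-group1-sha1 ($(list_mode "$value"))" ;;
        esac ;;
      hostkeyalgorithms|pubkeyacceptedkeytypes|hostbasedkeytypes)
        case "$value" in
          *ssh-dss*)
            echo "WEAK $key: ssh-dss enabled ($(list_mode "$value"))" ;;
        esac ;;
    esac
  done
}

# Number of findings for the configuration on stdin; prints 0 when clean.
count_weak_settings() {
  audit_sshd_config | grep -c '^WEAK' || :
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
```

To audit a live host, feed the real file instead of the sample, e.g. `audit_sshd_config < /etc/ssh/sshd_config`. A `+` finding is still a finding: appending `ssh-dss` or `diffie-hellman-group1-sha1` re-enables exactly what 7.0 disabled, only without discarding the stronger defaults alongside it.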

Bugfixes

  • ssh(1), sshd(8): add compatibility workarounds for Cisco and more
    PuTTY versions. bz#2424
  • Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
    documentation relating to Unix domain socket forwarding;
    bz#2421 bz#2422
  • ssh(1): Improve the ssh(1) manual page to include a better
    description of Unix domain socket forwarding; bz#2423
  • ssh(1), ssh-agent(1): skip uninitialised PKCS#11 slots, fixing
    failures to load keys when they are present. bz#2427
  • ssh(1), ssh-agent(1): do not ignore PKCS#11 hosted keys with an
    empty CKA_ID; bz#2429
  • sshd(8): clarify documentation for UseDNS option; bz#2045


OpenSSH 7.0 is available from one of the download mirrors listed on the OpenSSH site.