| version 1.78, 2017/04/07 17:38:52 |
version 1.79, 2017/04/08 14:53:35 |
|
|
| |
|
| <li>OpenSSH 7.4 |
<li>OpenSSH 7.4 |
| <ul> |
<ul> |
| <li>... |
<li>Security: |
| |
<ul> |
| |
<li>ssh-agent(1): Will now refuse to load PKCS#11 modules from paths |
| |
outside a trusted whitelist (run-time configurable). Requests to |
| |
load modules could be passed via agent forwarding and an attacker |
| |
could attempt to load a hostile PKCS#11 module across the forwarded |
| |
agent channel: PKCS#11 modules are shared libraries, so this would |
| |
result in code execution on the system running the ssh-agent if the |
| |
attacker has control of the forwarded agent-socket (on the host |
| |
running the sshd server) and the ability to write to the filesystem |
| |
of the host running ssh-agent (usually the host running the ssh |
| |
client). |
| |
<li>sshd(8): When privilege separation is disabled, forwarded Unix- |
| |
domain sockets would be created by sshd(8) with the privileges of |
| |
'root' instead of the authenticated user. This release refuses |
| |
Unix-domain socket forwarding when privilege separation is disabled |
| |
(Privilege separation has been enabled by default for 14 years). |
| |
<li>sshd(8): Avoid theoretical leak of host private key material to |
| |
privilege-separated child processes via realloc() when reading |
| |
keys. No such leak was observed in practice for normal-sized keys, |
| |
nor does a leak to the child processes directly expose key material |
| |
to unprivileged users. |
| |
<li>sshd(8): The shared memory manager used by pre-authentication |
| |
compression support had a bounds checks that could be elided by |
| |
some optimising compilers. Additionally, this memory manager was |
| |
incorrectly accessible when pre-authentication compression was |
| |
disabled. This could potentially allow attacks against the |
| |
privileged monitor process from the sandboxed privilege-separation |
| |
process (a compromise of the latter would be required first). |
| |
This release removes support for pre-authentication compression |
| |
from sshd(8). |
| |
<li>sshd(8): Fix denial-of-service condition where an attacker who |
| |
sends multiple KEXINIT messages may consume up to 128MB per |
| |
connection. |
| |
<li>sshd(8): Validate address ranges for AllowUser and DenyUsers |
| |
directives at configuration load time and refuse to accept invalid |
| |
ones. It was previously possible to specify invalid CIDR address |
| |
ranges (e.g. user@127.1.2.3/55) and these would always match, |
| |
possibly resulting in granting access where it was not intended. |
| |
<li>ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures |
| |
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. |
| |
<li>sftp-client(1): [portable OpenSSH only] On Cygwin, a client making |
| |
a recursive file transfer could be maniuplated by a hostile server to |
| |
perform a path-traversal attack. creating or modifying files outside |
| |
of the intended target directory. |
| |
</ul> |
| |
<li>New/changed features: |
| |
<ul> |
| |
<li>Server support for the SSH v.1 protocol has been removed. |
| |
<li>ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit |
| |
block ciphers are not safe in 2016 and we don't want to wait until |
| |
attacks like SWEET32 are extended to SSH. As 3des-cbc was the |
| |
only mandatory cipher in the SSH RFCs, this may cause problems |
| |
connecting to older devices using the default configuration, |
| |
but it's highly likely that such devices already need explicit |
| |
configuration for key exchange and hostkey algorithms already |
| |
anyway. |
| |
<li>sshd(8): Remove support for pre-authentication compression. |
| |
Doing compression early in the protocol probably seemed reasonable |
| |
in the 1990s, but today it's clearly a bad idea in terms of both |
| |
cryptography (cf. multiple compression oracle attacks in TLS) and |
| |
attack surface. Pre-auth compression support has been disabled by |
| |
default for >10 years. Support remains in the client. |
| |
<li>ssh-agent will refuse to load PKCS#11 modules outside a whitelist |
| |
of trusted paths by default. The path whitelist may be specified |
| |
at run-time. |
| |
<li>sshd(8): When a forced-command appears in both a certificate and |
| |
an authorized keys/principals command= restriction, sshd will now |
| |
refuse to accept the certificate unless they are identical. |
| |
The previous (documented) behaviour of having the certificate |
| |
forced-command override the other could be a bit confusing and |
| |
error-prone. |
| |
<li>sshd(8): Remove the UseLogin configuration directive and support |
| |
for having /bin/login manage login sessions. |
| |
<li>ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the |
| |
version in PuTTY by Simon Tatham. This allows a multiplexing |
| |
client to communicate with the master process using a subset of |
| |
the SSH packet and channels protocol over a Unix-domain socket, |
| |
with the main process acting as a proxy that translates channel |
| |
IDs, etc. This allows multiplexing mode to run on systems that |
| |
lack file- descriptor passing (used by current multiplexing |
| |
code) and potentially, in conjunction with Unix-domain socket |
| |
forwarding, with the client and multiplexing master process on |
| |
different machines. Multiplexing proxy mode may be invoked using |
| |
"ssh -O proxy ..." |
| |
<li>sshd(8): Add a sshd_config DisableForwarding option that disables |
| |
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well |
| |
as anything else we might implement in the future. Like the |
| |
'restrict' authorized_keys flag, this is intended to be a simple |
| |
and future-proof way of restricting an account. |
| |
<li>sshd(8), ssh(1): Support the "curve25519-sha256" key exchange |
| |
method. This is identical to the currently-supported method named |
| |
"curve25519-sha256@libssh.org". |
| |
<li>sshd(8): Improve handling of SIGHUP by checking to see if sshd is |
| |
already daemonised at startup and skipping the call to daemon(3) |
| |
if it is. This ensures that a SIGHUP restart of sshd(8) will |
| |
retain the same process-ID as the initial execution. sshd(8) will |
| |
also now unlink the PidFile prior to SIGHUP restart and re-create |
| |
it after a successful restart, rather than leaving a stale file in |
| |
the case of a configuration error. |
| |
<li>sshd(8): Allow ClientAliveInterval and ClientAliveCountMax |
| |
directives to appear in sshd_config Match blocks. |
| |
<li>sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match |
| |
those supported by AuthorizedKeysCommand (key, key type, |
| |
fingerprint, etc.) and a few more to provide access to the |
| |
contents of the certificate being offered. |
| |
<li>Added regression tests for string matching, address matching and |
| |
string sanitisation functions. |
| |
<li>Improved the key exchange fuzzer harness. |
| |
<li>Deprecate the sshd_config UsePrivilegeSeparation |
| |
option, thereby making privilege separation mandatory. Privilege |
| |
separation has been on by default for almost 15 years and |
| |
sandboxing has been on by default for almost the last five. |
| |
<li>ssh(1), sshd(8): Support "=-" syntax to easily remove methods from |
| |
algorithm lists, e.g. Ciphers=-*cbc. |
| |
</ul> |
| |
<li>The following significant bugs have been fixed in this release: |
| |
<ul> |
| |
<li>ssh(1): Allow IdentityFile to successfully load and use |
| |
certificates that have no corresponding bare public key. |
| |
certificate id_rsa-cert.pub (and no id_rsa.pub). |
| |
<li>ssh(1): Fix public key authentication when multiple |
| |
authentication is in use and publickey is not just the first |
| |
method attempted. |
| |
<li>ssh-agent(1), ssh(1): improve reporting when attempting to load |
| |
keys from PKCS#11 tokens with fewer useless log messages and more |
| |
detail in debug messages. |
| |
<li>ssh(1): When tearing down ControlMaster connections, don't |
| |
pollute stderr when LogLevel=quiet. |
| |
<li>sftp(1): On ^Z wait for underlying ssh(1) to suspend before |
| |
suspending sftp(1) to ensure that ssh(1) restores the terminal mode |
| |
correctly if suspended during a password prompt. |
| |
<li>ssh(1): Avoid busy-wait when ssh(1) is suspended during a password |
| |
prompt. |
| |
<li>ssh(1), sshd(8): Correctly report errors during sending of ext- |
| |
info messages. |
| |
<li>sshd(8): fix NULL-deref crash if sshd(8) received an out-of- |
| |
sequence NEWKEYS message. |
| |
<li>sshd(8): Correct list of supported signature algorithms sent in |
| |
the server-sig-algs extension. |
| |
<li>sshd(8): Fix sending ext_info message if privsep is disabled. |
| |
<li>sshd(8): more strictly enforce the expected ordering of privilege |
| |
separation monitor calls used for authentication and allow them |
| |
only when their respective authentication methods are enabled |
| |
in the configuration |
| |
<li>sshd(8): Fix uninitialised optlen in getsockopt() call; harmless |
| |
on Unix/BSD but potentially crashy on Cygwin. |
| |
<li>Fix false positive reports caused by explicit_bzero(3) not being |
| |
recognised as a memory initialiser when compiled with |
| |
-fsanitize-memory. |
| |
<li>sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for |
| |
configuration examples. |
| |
<li>sshd(1): Fix NULL dereference crash when key exchange start |
| |
messages are sent out of sequence. |
| |
<li>ssh(1), sshd(8): Allow form-feed characters to appear in |
| |
configuration files. |
| |
<li>sshd(8): Fix regression in OpenSSH 7.4 support for the |
| |
server-sig-algs extension, where SHA2 RSA signature methods were |
| |
not being correctly advertised. |
| |
<li>ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in |
| |
known_hosts processing. |
| |
<li>ssh(1): Allow ssh to use certificates accompanied by a private key |
| |
file but no corresponding plain *.pub public key. |
| |
<li>ssh(1): When updating hostkeys using the UpdateHostKeys option, |
| |
accept RSA keys if HostkeyAlgorithms contains any RSA keytype. |
| |
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* |
| |
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa |
| |
method. |
| |
<li>ssh(1): Detect and report excessively long configuration file |
| |
lines. |
| |
<li>Merge a number of fixes found by Coverity and reported via Redhat |
| |
and FreeBSD. Includes fixes for some memory and file descriptor |
| |
leaks in error paths. |
| |
<li>ssh-keyscan(1): Correctly hash hosts with a port number. |
| |
<li>ssh(1), sshd(8): When logging long messages to stderr, don't truncate |
| |
"\r\n" if the length of the message exceeds the buffer. |
| |
<li>ssh(1): Fully quote [host]:port in generated ProxyJump/-J command- |
| |
line; avoid confusion over IPv6 addresses and shells that treat |
| |
square bracket characters specially. |
| |
<li>ssh-keygen(1): Fix corruption of known_hosts when running |
| |
"ssh-keygen -H" on a known_hosts containing already-hashed entries. |
| |
<li>Fix various fallout and sharp edges caused by removing SSH protocol |
| |
1 support from the server, including the server banner string being |
| |
incorrectly terminated with only \n (instead of \r\n), confusing |
| |
error messages from ssh-keyscan a segfault in sshd |
| |
if protocol v.1 was enabled for the client and sshd_config |
| |
contained references to legacy keys. |
| |
<li>ssh(1), sshd(8): Free fd_set on connection timeout. |
| |
<li>sshd(8): Fix Unix domain socket forwarding for root (regression in |
| |
OpenSSH 7.4). |
| |
<li>sftp(1): Fix division by zero crash in "df" output when server |
| |
returns zero total filesystem blocks/inodes. |
| |
<li>ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors |
| |
encountered during key loading to more meaningful error codes. |
| |
<li>ssh-keygen(1): Sanitise escape sequences in key comments sent to |
| |
printf but preserve valid UTF-8 when the locale supports it. |
| |
<li>ssh(1), sshd(8): Return reason for port forwarding failures where |
| |
feasible rather than always "administratively prohibited". |
| |
<li>sshd(8): Fix deadlock when AuthorizedKeysCommand or |
| |
AuthorizedPrincipalsCommand produces a lot of output and a key is |
| |
matched early. |
| |
<li>ssh(1): Fix typo in ~C error message for bad port forward |
| |
cancellation. |
| |
<li>ssh(1): Show a useful error message when included config files |
| |
can't be opened. |
| |
<li>sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page |
| |
(previously incorrectly) advertised. |
| |
<li>sshd_config(5): Repair accidentally-deleted mention of %k token |
| |
in AuthorizedKeysCommand. |
| |
<li>sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; |
| |
<li>ssh-agent(1): Relax PKCS#11 whitelist to include libexec and |
| |
common 32-bit compatibility library directories. |
| |
<li>sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME |
| |
response handling. |
| |
<li>ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted |
| |
keys. It was not possible to delete them except by specifying |
| |
their full physical path. |
| |
</ul> |
| </ul> |
</ul> |
| <p> |
<p> |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to 61.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www