OpenSSH 8.0 is available for testing so that bugs can be caught before its release.


The OpenSSH developers recently announced that version 8.0 of this tool for secure remote connections over the SSH protocol is almost ready to be published.

Damien Miller, one of the project's main developers, called on the tool's user community to try it, since with enough eyes all errors can be caught in time.

People who decide to try this new version will not only help test its performance and catch bugs before release; they will also discover new enhancements of various kinds.

At the security level, for example, this new version of OpenSSH introduces mitigations for weaknesses in the scp protocol.

In practice, copying files with scp will be safer in OpenSSH 8.0: when copying from a remote directory to a local one, scp now checks that the files sent by the server match the request that was issued.

Without this mechanism, a malicious server could, in theory, respond to the request by delivering malicious files instead of the ones originally requested.

Despite these mitigations, however, the OpenSSH developers do not recommend using the scp protocol, because it is "outdated, inflexible, and difficult to fix."

"We recommend using more modern protocols like sftp and rsync for file transfers," Miller cautioned.

What will this new version of OpenSSH offer?

The release notes for this new version list a number of changes that may affect existing configurations.

For example, regarding the scp protocol mentioned above: because the protocol runs on top of a remote shell, there is no reliable way for the client to confirm that the files the server sends match the ones it requested.

If the client's and the server's wildcard expansion differ, the client may reject files sent by the server.

For this reason, the OpenSSH team has given scp a new "-T" flag that disables these client-side checks, at the cost of reintroducing the attack described above.
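To make the client-side check concrete, here is an added illustration written for this article; it is not OpenSSH's own code. It reimplements, in Python over constructed data, the idea behind the scp mitigation described above (a file announced by the server is accepted only if its name matches what the client requested and cannot escape the destination directory) and adds a `strict=False` switch that mimics the effect of the new "-T" flag. The control-line format, the sample request and the sample server responses are constructed for this example.

```python
# Added illustration, not OpenSSH's own code: the kind of client-side check
# OpenSSH 8.0's scp performs, reimplemented in Python over constructed data.
#
# In the scp protocol the server announces every file with a control line
# such as "C0644 12 notes.txt" (type, mode, size, name) before streaming its
# bytes.  A client that trusts those lines blindly writes whatever the server
# names; the check below only accepts names that match what the client
# actually requested and that cannot escape the destination directory.
import fnmatch
from dataclasses import dataclass


@dataclass
class Announced:
    kind: str   # "C" for a file, "D" for a directory
    mode: str   # octal permission bits as sent, e.g. "0644"
    size: int
    name: str


def parse_control_line(line: str) -> Announced:
    """Parse one scp control line; only C (file) and D (directory) are handled."""
    if not line or line[0] not in "CD":
        raise ValueError(f"unsupported scp control line: {line!r}")
    mode, size, name = line[1:].split(" ", 2)
    return Announced(kind=line[0], mode=mode, size=int(size), name=name)


def is_acceptable(requested: str, name: str) -> bool:
    """Return True if the server-supplied name is one the client asked for.

    'requested' is the path component the client sent (it may be a glob).
    Names containing a path separator, '.' or '..' are rejected regardless
    of the pattern, so the server cannot steer a write outside the target
    directory.  Hidden files are only accepted when the request itself
    begins with a dot; that is a stricter choice than a plain glob match,
    made for this example.
    """
    if name in (".", "..") or "/" in name or "\x00" in name:
        return False
    if name.startswith(".") and not requested.startswith("."):
        return False
    return fnmatch.fnmatchcase(name, requested)


def filter_transfer(requested: str, control_lines, strict: bool = True):
    """Split the announced names into (accepted, rejected).

    strict=False mimics the effect of OpenSSH 8.0's "-T" flag: the name
    check is skipped and every announced file is accepted, as older scp did.
    """
    accepted, rejected = [], []
    for line in control_lines:
        entry = parse_control_line(line)
        if strict and not is_acceptable(requested, entry.name):
            rejected.append(entry.name)
        else:
            accepted.append(entry.name)
    return accepted, rejected


# Constructed sample: the client asked for the equivalent of `scp 'host:*.txt' .`
# and a misbehaving server answered with extra files that were never requested.
REQUESTED = "*.txt"
SAMPLE_CONTROL_LINES = [
    "C0644 12 notes.txt",
    "C0644 5 readme.txt",
    "C0644 220 .bashrc",
    "C0755 40 sub/unexpected.sh",
    "C0600 1675 id_rsa",
]

if __name__ == "__main__":
    ok, bad = filter_transfer(REQUESTED, SAMPLE_CONTROL_LINES)
    print("accepted:", ok)   # ['notes.txt', 'readme.txt']
    print("rejected:", bad)  # ['.bashrc', 'sub/unexpected.sh', 'id_rsa']
```

Running the sample shows only the two `.txt` files being accepted; the dotfile, the name with a path separator and the unrelated key file are refused. With `strict=False` all five names pass, which is exactly why the page warns that "-T" reintroduces the attack.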

At the level of the sshd daemon, the OpenSSH team removed support for the deprecated "host/port" syntax.

The slash-separated host/port form was added in 2001 as an alternative to the "host:port" syntax for IPv6 users.

Today the slash syntax is easily confused with CIDR notation, which OpenSSH also supports.
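The ambiguity is easy to see with a small parser. The following is an added example written for this article, not OpenSSH's own configuration parser: it reads address values in the forms sshd accepts (`host`, `host:port`, `[ipv6]:port`, a bare IPv6 literal and `net/prefix`), flags values such as `192.0.2.5/22` that are valid CIDR but look like a host written with a port, and rewrites values that only make sense under the removed `host/port` form into the colon syntax. The function names and the sample values are assumptions made for the example.

```python
# Added illustration, not OpenSSH's own code: why the old "host/port" form of
# ListenAddress and PermitOpen is ambiguous once CIDR notation is accepted, and
# how to rewrite such values into the "host:port" / "[ipv6]:port" form.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddressSpec:
    host: str
    port: Optional[int] = None     # set for host:port forms
    prefix: Optional[int] = None   # set for CIDR forms
    kind: str = "host"             # "host", "host_port" or "cidr"


def to_colon_syntax(host: str, port: str) -> str:
    """Render host and port in the form OpenSSH 8.0 accepts."""
    if ":" in host:                                # IPv6 literals need brackets
        return f"[{host}]:{port}"
    return f"{host}:{port}"


def parse_address(spec: str) -> AddressSpec:
    """Parse an address value the way a slash-free sshd would read it.

    A "host/port" value that cannot be a CIDR block (non-numeric host, or a
    number too large for a prefix length) is rejected as obsolete syntax.
    A value like "192.0.2.5/22" parses as CIDR even though the author may
    have meant port 22; that is the confusion which motivated the removal.
    """
    spec = spec.strip()
    if spec.startswith("["):                       # [ipv6]:port or [ipv6]
        close = spec.find("]")
        if close < 0:
            raise ValueError(f"unterminated bracket in {spec!r}")
        host, rest = spec[1:close], spec[close + 1:]
        ipaddress.ip_address(host)                 # must be a literal address
        if rest == "":
            return AddressSpec(host=host)
        if rest.startswith(":") and rest[1:].isdigit():
            return AddressSpec(host=host, port=int(rest[1:]), kind="host_port")
        raise ValueError(f"bad port suffix in {spec!r}")
    if "/" in spec:
        left, right = spec.rsplit("/", 1)
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            raise ValueError(f"{spec!r} uses the obsolete host/port syntax; "
                             f"write it as {to_colon_syntax(left, right)!r}")
        return AddressSpec(host=str(net.network_address),
                           prefix=net.prefixlen, kind="cidr")
    if spec.count(":") == 1:                       # host:port (IPv4 or name)
        host, port = spec.split(":")
        if not port.isdigit():
            raise ValueError(f"non-numeric port in {spec!r}")
        return AddressSpec(host=host, port=int(port), kind="host_port")
    if ":" in spec:                                # bare IPv6 literal
        ipaddress.ip_address(spec)
        return AddressSpec(host=spec)
    return AddressSpec(host=spec)


def is_ambiguous(spec: str) -> bool:
    """True when a value is valid CIDR but the address has host bits set,
    i.e. it reads more naturally as a host plus port ("192.0.2.5/22")."""
    if "/" not in spec:
        return False
    left, _ = spec.rsplit("/", 1)
    try:
        ipaddress.ip_address(left)
        ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
    try:
        ipaddress.ip_network(spec, strict=True)
    except ValueError:                             # host bits set
        return True
    return False


def uses_obsolete_slash(spec: str) -> bool:
    """True when the value only parses under the removed host/port syntax."""
    try:
        parse_address(spec)
    except ValueError as exc:
        return "obsolete" in str(exc)
    return False


if __name__ == "__main__":
    for value in ("0.0.0.0:22", "[::1]:2222", "192.0.2.0/24",
                  "192.0.2.5/22", "example.net/22", "10.0.0.1/2222"):
        try:
            note = " (ambiguous)" if is_ambiguous(value) else ""
            print(f"{value:16} -> {parse_address(value)}{note}")
        except ValueError as exc:
            print(f"{value:16} -> {exc}")
```

The two rejected sample values, `example.net/22` and `10.0.0.1/2222`, are the ones an administrator must rewrite as `example.net:22` and `10.0.0.1:2222` before upgrading; `192.0.2.5/22` is accepted as a /22 network, which is a silent change of meaning if port 22 was intended.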

It is therefore advisable to drop the slash notation from ListenAddress and PermitOpen.

Other developments

Beyond these changes, OpenSSH 8.0 adds new features, including:

An experimental key exchange method designed to resist quantum computers, introduced in this version.

This function aims to address security problems that can arise when distributing keys between parties, in view of threats from technological advances such as growing computing power and new algorithms for quantum computers.

To do this, the method relies on the quantum key distribution (QKD) solution.

This solution uses quantum properties to exchange secret information, such as a cryptographic key.

In principle, measuring a quantum system alters it. So if an attacker attempted to intercept a cryptographic key issued through a QKD implementation, the attempt would inevitably leave traces that OpenSSH could detect.

In addition, the default RSA key size has been increased to 3072 bits.

Other reported changes include the following:

  • Support for ECDSA keys in PKCS#11 tokens has been added.
  • "PKCS11Provider=none" is now permitted in ssh_config to override subsequent instances of the PKCS11Provider directive.
  • A log message is now emitted when a connection is closed after an attempt to run a command while a sshd_config ForceCommand=internal-sftp restriction is in effect.

For more details, a full list of other additions and bug fixes is available on the official page.

To try this new version you can go to the following link. 

