OpenSSH 8.2 arrives with support for 2FA authentication tokens


After four months of development, the new version of OpenSSH 8.2 has been released. OpenSSH is an open-source client and server implementation of the SSH 2.0 and SFTP protocols. Among the key enhancements in OpenSSH 8.2 is the ability to use two-factor authentication with devices that support the U2F protocol developed by the FIDO Alliance.

U2F allows the creation of low-cost hardware tokens that confirm the physical presence of the user and that communicate over USB, Bluetooth or NFC. Such devices are promoted as a means of two-factor authentication on websites, are already supported by all major browsers, and are produced by various manufacturers, including Yubico, Feitian, Thetis, and Kensington.

To interact with devices that confirm the presence of the user, OpenSSH has added two new key types, "ecdsa-sk" and "ed25519-sk", which use the ECDSA and Ed25519 digital signature algorithms in combination with the SHA-256 hash.

The code for interacting with the tokens has been moved into an intermediate library, which is loaded in the same way as the PKCS#11 support library and acts as a shim over the libfido2 library, which provides the means to communicate with tokens over USB (both the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported).

The libsk-libfido2 intermediate library prepared by the OpenSSH developers has been included in the core of libfido2, together with the HID driver for OpenBSD.

For authentication and key generation, you must set the "SecurityKeyProvider" parameter in the configuration or set the SSH_SK_PROVIDER environment variable, giving the path to the external library libsk-libfido2.so.

It is also possible to build OpenSSH with built-in support for the intermediate library; in that case the parameter "SecurityKeyProvider=internal" must be set.

Also, by default, key operations require local confirmation of the user's physical presence (for example, touching the sensor on the token), which makes remote attacks on systems with a connected token more difficult.

On the other hand, the new version also announces that algorithms relying on SHA-1 hashing will soon be moved to the obsolete category, because collision attacks against SHA-1 have become more efficient.

To ease the transition to new algorithms, the UpdateHostKeys setting will be enabled by default in an upcoming OpenSSH release, which will automatically switch clients to more reliable algorithms.

In OpenSSH 8.2 the ability to connect using "ssh-rsa" is still retained, but this algorithm has been removed from the CASignatureAlgorithms list, which defines the algorithms that are valid for digitally signing new certificates.

Similarly, the diffie-hellman-group14-sha1 algorithm has been removed from the default key exchange algorithms.
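As an added example (not code from the article or from the OpenSSH project), the following POSIX shell audit scans an ssh_config or sshd_config for the SHA-1-based algorithms the release begins phasing out and reports which line enables them. The directive list and the SHA-1 algorithm names beyond those in the article are my additions, and the sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): audit an
# ssh_config/sshd_config for SHA-1-based algorithms that OpenSSH 8.2 starts
# phasing out (ssh-rsa signatures, diffie-hellman-group14-sha1 key exchange).

# Names given in the article plus the other SHA-1 algorithm names OpenSSH accepts.
SHA1_ALGOS='ssh-rsa ssh-rsa-cert-v01@openssh.com diffie-hellman-group14-sha1
diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1'
# Print "<line>:<directive>:<algorithm>" for each SHA-1 algorithm an algorithm
# list enables.  A list starting with '-' removes the names, so it is not a
# finding; a '+' or '^' prefix is stripped.  Exit 0 if clean, 1 if any finding.
audit_sha1_algos() (
    set -f                       # values may contain '*' (Include): no globbing
    file=$1 findings=0 n=0
    while read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $(printf '%s' "$line" | tr '\t=,' '   ')   # split on tabs, '=' and ','
        [ $# -ge 2 ] || continue
        directive=$1; shift
        case $directive in
            CASignatureAlgorithms|KexAlgorithms|HostKeyAlgorithms|\
            PubkeyAcceptedKeyTypes|HostbasedAcceptedKeyTypes) ;;
            *) continue ;;       # comments and directives without algorithm lists
        esac
        case $1 in
            -*) continue ;;
            +*|'^'*) first=${1#?}; shift; set -- $first "$@" ;;
        esac
        for algo in "$@"; do
            for bad in $SHA1_ALGOS; do
                [ "$algo" = "$bad" ] || continue
                printf '%s:%s:%s\n' "$n" "$directive" "$algo"
                findings=1
            done
        done
    done < "$file"
    exit $findings
)
# Constructed sshd_config fragment used to exercise the audit (not a real host's).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
Include /etc/ssh/sshd_config.d/*.conf
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
CASignatureAlgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
HostKeyAlgorithms -ssh-rsa
EOF
}
```

Run it as `audit_sha1_algos /etc/ssh/sshd_config`; on the constructed sample it reports lines 3 and 4 and leaves the `-ssh-rsa` removal list alone.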

Of the other changes that stand out in this new version:

  • An Include directive has been added to sshd_config, which allows the contents of other files to be included at the current position of the configuration file.
  • The PubkeyAuthOptions directive has been added to sshd_config, grouping various options related to public key authentication.
  • The "-O write-attestation=/path" option has been added to ssh-keygen, which allows additional FIDO attestation certificates to be written when generating keys.
  • The ability to export DSA and ECDSA keys in PEM format has been added to ssh-keygen.
  • A new executable, ssh-sk-helper, has been added; it is used to isolate the FIDO/U2F token access library.

How to install OpenSSH 8.2 on Linux?

For those interested in installing this new version of OpenSSH on their systems, for now it can be done by downloading the source code and compiling it on their computers.

This is because the new version has not yet been included in the repositories of the main Linux distributions. The source code for OpenSSH 8.2 can be obtained from the following link (at the time of writing the package is not yet available on the mirrors, and the developers mention that it may take a few more hours).

Once the download is complete, we unpack the archive with the following command:

tar -xvf openssh-8.2.tar.gz

We enter the created directory:

cd openssh-8.2

And we can compile and install with the following commands:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
