OpenSSH 8.9 has been released: these are its new features

After six months of development, the release of OpenSSH 8.9 has been announced. It fixes a vulnerability in sshd that could potentially have allowed access without authentication. The problem is an integer overflow in the user-authentication code, but exploiting it is only possible in combination with other logic errors in that code.

In its current form the vulnerability cannot be exploited when privilege separation is enabled, because independent checks in the privilege-separation monitor block it.

Privilege separation has been enabled by default since OpenSSH 3.2.2 (2002) and has been mandatory since OpenSSH 7.5 (2017). In addition, portable OpenSSH has been built since version 6.5 (2014) with compiler flags that abort on signed integer overflow, which also blocks the bug.

Main new features of OpenSSH 8.9

Among the changes in this version, the portable version of OpenSSH removes sshd's built-in support for MD5-hashed passwords (linking against an external crypt library such as libxcrypt remains possible if you still need them).
ssh, sshd, ssh-add and ssh-agent add a system for restricting the forwarding and use of keys added to ssh-agent.

The system lets you set rules that determine where and how keys held by ssh-agent may be used. For example, a key can be added so that it can only be used to authenticate when any user connects from the local host to scylla.example.org, when user perseus connects to cetus.example.org, or when user medea connects to charybdis.example.org, the latter two only through scylla.example.org as an intermediate host using agent forwarding.
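To make the policy concrete, here is an added example (not OpenSSH code) that models how the agent evaluates the three constraints from the release notes against the chain of hosts a signing request has passed through. It is a simplification: it identifies hosts by name, whereas the real agent identifies them by host key (looked up in known_hosts, which is why every host named in a constraint must already be present there) and learns the chain through the session-bind@openssh.com extension. The hostnames and users are the ones from the example above; the function names are the model's own.

```python
"""Simplified model of ssh-agent destination constraints (ssh-add -h).

Added example, not OpenSSH's code. Hosts are matched by NAME here; the
real agent matches host keys recorded per hop via session-bind.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DestConstraint:
    """One `ssh-add -h` argument of the form [from_host>][user@]to_host."""
    from_host: Optional[str]   # None = the origin host (where the agent runs)
    user: Optional[str]        # None = any user
    to_host: str

    @classmethod
    def parse(cls, spec: str) -> "DestConstraint":
        from_host = None
        if ">" in spec:
            from_host, spec = spec.split(">", 1)
            if not from_host:
                raise ValueError("empty source host in constraint")
        user = None
        if "@" in spec:
            user, spec = spec.split("@", 1)
            if not user:
                raise ValueError("empty user in constraint")
        # Literal names only: each one has to be looked up (in known_hosts
        # for the real agent), so patterns make no sense here.
        if not spec or "*" in spec or "?" in spec:
            raise ValueError("destination host must be a literal host name")
        return cls(from_host, user, spec)

    def permits(self, from_host: Optional[str], to_host: str,
                user: Optional[str]) -> bool:
        if self.from_host != from_host or self.to_host != to_host:
            return False
        # The user name is only known for the final hop (it is in the
        # userauth request being signed); intermediate hops match by host.
        return user is None or self.user is None or self.user == user


def key_permitted(constraints: List[DestConstraint], hops: List[str],
                  user: str) -> bool:
    """Decide whether a constrained key may sign for this request.

    hops: host names in connection order, origin excluded; hops[-1] is the
    server the signature is for. Every hop must be covered by a constraint
    whose source is the previous hop (the origin for the first hop).
    A client that did not bind its session (no hops) is refused.
    """
    if not hops:
        return False
    for i, host in enumerate(hops):
        src = None if i == 0 else hops[i - 1]
        final_user = user if i == len(hops) - 1 else None
        if not any(c.permits(src, host, final_user) for c in constraints):
            return False
    return True


# The three constraints from the release-notes example, as ssh-add -h
# would receive them.
RELEASE_NOTES_CONSTRAINTS = [DestConstraint.parse(s) for s in (
    "scylla.example.org",
    "scylla.example.org>perseus@cetus.example.org",
    "scylla.example.org>medea@charybdis.example.org",
)]

if __name__ == "__main__":
    C = RELEASE_NOTES_CONSTRAINTS
    for hops, user in [
        (["scylla.example.org"], "anyone"),
        (["scylla.example.org", "cetus.example.org"], "perseus"),
        (["scylla.example.org", "cetus.example.org"], "medea"),
        (["cetus.example.org"], "perseus"),
    ]:
        print(f"{'->'.join(hops)} as {user}: {key_permitted(C, hops, user)}")
```

The last two cases are the ones worth remembering: medea is refused at cetus.example.org because the constraint for that host names perseus, and a direct connection to cetus.example.org is refused because the only constraint reaching it requires scylla.example.org as the previous hop.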

In ssh and sshd, the default KexAlgorithms list, which determines the order of preference for key exchange methods, now includes the hybrid method "sntrup761x25519-sha512@openssh.com" (ECDH/x25519 + Streamlined NTRU Prime), which is designed to resist attacks by quantum computers. In OpenSSH 8.9 it is placed after the ECDH methods and before the prime-group DH ones; it is planned to become the preferred (first) method in the next release.

ssh-keygen, ssh and ssh-agent handle FIDO keys better on tokens that perform user verification on the device itself, including biometric tokens, avoiding unnecessary PIN prompts.

Of the other changes that stand out in this new version:

  • Added the "ssh-keygen -Y match-principals" operation, which matches principal names against an allowed-signers file.
  • ssh-add and ssh-agent allow PIN-protected FIDO keys to be added to ssh-agent (the PIN is requested at authentication time).
  • ssh-keygen lets you choose the hash algorithm (sha512, the default, or sha256) when producing signatures.
  • To improve performance, ssh and sshd read network data directly into the packet input buffer instead of going through a small intermediate stack buffer; received channel data is likewise placed directly into the channel buffer.
  • In ssh, the PubkeyAuthentication directive now accepts yes|no|unbound|host-bound, giving control over which protocol extension is used.

In a future release, scp is planned to switch from the legacy SCP/RCP protocol to SFTP by default. SFTP handles file names more predictably and does not rely on the remote side's shell expanding glob patterns in file names, which has been a source of security problems.

In particular, with SCP and RCP the server decides which files and directories it sends to the client, and the client can only check the names of the objects it receives; without proper checks on the client side, the server can deliver files whose names differ from those requested. The SFTP protocol does not have these problems, but it does not support expansion of special paths like "~/
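As an added illustration of that client-side check (example code, not scp's own), the following parses the records a server sends to an scp sink and applies the two checks a client must make: reject names that contain path separators or are "." / "..", and reject top-level names that do not match what was requested. The server stream is constructed for the example; the regex, function names and the treatment of directory contents are the model's own simplifications of the protocol.

```python
"""Model of the file-name checks an scp client must apply to what the
server sends back. Added example, not OpenSSH's scp implementation.

In the SCP/RCP protocol the client asks for a name or a shell glob, the
remote side expands it and then streams records such as
"C<mode> <size> <name>\\n<data>\\0"; only the client's own checks stop a
server from naming a file the client never asked for.
"""
import fnmatch
import re

RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def name_problem(name: str, requested: str, inside_dir: bool):
    """Return None if `name` is acceptable, otherwise the reason."""
    if name in ("", ".", "..") or "/" in name:
        return "illegal file name"
    # Top-level names must match the request (a literal name or a glob).
    # Inside a directory copied recursively the server chooses the names,
    # so only the check above applies there.
    if not inside_dir and not fnmatch.fnmatchcase(name, requested):
        return "unexpected filename"
    return None


def sink(stream: bytes, requested: str):
    """Walk the server's records; return ([(name, data)], [(name, reason)])."""
    accepted, rejected = [], []
    depth = 0
    pos = 0
    while pos < len(stream):
        end = stream.index(b"\n", pos)
        line = stream[pos:end].decode("utf-8", "replace")
        pos = end + 1
        if line == "E":                  # end of a directory
            depth -= 1
            continue
        if line.startswith("T"):         # timestamp record, carries no name
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"malformed record {line!r}")
        kind, _mode, size, name = m.groups()
        data = b""
        if kind == "C":
            size = int(size)
            data = stream[pos:pos + size]
            pos += size + 1              # file data plus the trailing \0 status byte
        problem = name_problem(name, requested, depth > 0)
        if problem:
            rejected.append((name, problem))
        else:
            accepted.append((name, data))
        if kind == "D":
            depth += 1
    return accepted, rejected


# Constructed server stream for `scp host:'*.txt' .`: one legitimate file,
# one path-traversal attempt and one file the client never requested.
SERVER_STREAM = (
    b"C0644 5 notes.txt\nhello\x00"
    b"C0644 7 ../../.ssh/authorized_keys\nssh-ed2\x00"
    b"C0600 3 id_rsa\nkey\x00"
)

if __name__ == "__main__":
    ok, bad = sink(SERVER_STREAM, "*.txt")
    print("accepted:", ok)
    print("rejected:", bad)
```

Note the limit of the check: when the request is a glob, the client can only verify that a returned name matches the pattern, so a server can still substitute any "evil.txt" of its choosing. That is the gap the page refers to, and it is why moving scp to SFTP, where the client addresses files by name itself, removes a class of problems rather than patching one.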

Finally, if you want to know more about this version, you can check the details at the following link.

How to install OpenSSH 8.9 on Linux?

Those interested in installing this version of OpenSSH on their systems can, for now, do so by downloading the source code and compiling it on their own machines.

This is because the new version has not yet been included in the repositories of the main Linux distributions. The source code can be obtained from the following link.

Once the download is done (and the release's accompanying .asc signature has been verified against the OpenSSH signing key), unpack the tarball with the following command:

tar -xvf openssh-8.9.tar.gz

Enter the directory that was created:

cd openssh-8.9

And compile and install it with the following commands:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
