Recently the release of the new version of OpenSSH 9.0 was announced, an open client and server implementation for working with the SSH 2.0 and SFTP protocols.
For those who do not know about OpenSSH (Open Secure Shell) should know that this is a set of applications that allow encrypted communications over a network, using the SSH protocol. It was created as a free and open alternative to the Secure Shell program, which is proprietary software.
The OpenSSH suite includes the following command line utilities and daemons:
- scp: which is a replacement for rcp.
- sftp - A replacement for ftp for copying files between computers.
- ssh - A replacement for rlogin, rsh, and telnet to allow shell access to a remote machine.
- ssh-add and ssh-agent: a set of utilities to facilitate authentication by keeping keys ready and avoiding the need to enter passphrases each time they are used.
- ssh-keygen - A tool for inspecting and generating RSA, DSA, and elliptical curve keys that are used for user and host authentication.
- ssh-keyscan: which scans a list of hosts and collects their public keys.
- sshd: the SSH server daemon.
Main new features of OpenSSH 9.0
In the new version, the utility scp moved by default to use SFTP instead of the legacy SCP/RCP protocol.
SFTP uses more predictable name handling methods and it doesn't use shell processing of glob patterns on filenames on the other side of the host, which creates security issues. In particular, when using SCP and RCP, the server decides which files and directories to send to the client, and the client only checks the returned object names for correctness, which, in the absence of proper checks by the client, allows the server to pass other file names that differ from those requested.
The protocol SFTP does not have these problems, but it does not support special route expansion. like "~/". To address this difference, as of OpenSSH 8.7, the SFTP server implementation supports the "email@example.com" protocol extension to expand the ~/ and ~user/ paths.
When using SFTP, users may also encounter incompatibilities caused by the need to double escape path expansion characters in SCP and RCP requests to prevent them from being interpreted on the remote side.
In SFTP, this escaping is not necessary and the extra quotes can cause a data transfer error. At the same time, the OpenSSH developers refused to add an extension to repeat scp's behavior in this case, since double escaping is seen as a flaw that doesn't make sense to repeat.
Other changes that stand out in this new version of OpenSSH 9.0 is that ssh and sshd have a hybrid key exchange algorithm "firstname.lastname@example.org" (ECDH/x25519 + NTRU Prime) enabled by default, resistant to brute force on quantum computers, and combined with ECDH/x25519 to block potential issues in NTRU Prime that may arise in the future. In the KexAlgorithms list, which determines the order in which key exchange methods are chosen, the mentioned algorithm now ranks first and takes precedence over the ECDH and DH algorithms.
On the other hand, it is also highlighted that quantum computers have not yet reached the level of traditional key decryption, but the use of hybrid protection it will protect users from attacks related to the storage of intercepted SSH sessions in the expectation that they can be decrypted in the future, when the necessary quantum computers become available.
The extension "copy-data" has been added to sftp-server, which allows copying data on the server side, without transferring it to the client, if the source and destination files are on the same server.
Also the "cp" command was added to the sftp utility to force the client to copy files on the server side.
Finally if you are interested in knowing more about it about this new version, you can check the details by going to the following link.
How to install OpenSSH 9 on Linux?
For those who are interested in being able to install this new version of OpenSSH on their systems, for now they can do it downloading the source code of this and performing the compilation on their computers.
This is because the new version has not yet been included in the repositories of the main Linux distributions. To get the source code, you can do from the following link.
Done the download, now we are going to unzip the package with the following command:
tar -xvf openssh-9.0.tar.gz
We enter the created directory:
Y we can compile with the following commands:
./configure --prefix=/opt --sysconfdir=/etc/ssh make make install