OpenSSH 9.4 has been released, and this is what's new


The release of the new version, OpenSSH 9.4, has been announced. It implements a series of corrections and small improvements, among them support for configuration tags, support for KRL extensions and more.

For those who do not know OpenSSH (Open Secure Shell), it is a set of applications that allow encrypted communications over a network using the SSH protocol. It was created as a free and open alternative to the Secure Shell program, which is proprietary software.

Main new features of OpenSSH 9.4

One of the main novelties of OpenSSH 9.4 is support for configuration tags in ssh: a "Tag" directive and a "Match tag" operation have been added to the ssh_config configuration file, so that tags can be used to define selection conditions for a specific configuration block.

Another change that stands out is in sshd: the AuthorizedPrincipalsCommand and AuthorizedKeysCommand directives now support two additional %-sequences: "%D", which is replaced with the address of the gateway through which the current session is routed, and "%C", which is replaced with the addresses and port numbers of the local and remote sides of the connection.

In addition, OpenSSH 9.4 removes backwards compatibility with older libcrypto versions. As a result, starting with OpenSSH 9.4, versions higher than LibreSSL 3.1.0 and OpenSSL 1.1.1 are required.

Another change that breaks compatibility, made as an additional way to block the vulnerability associated with the ability to load PKCS#11 modules in ssh-agent, is that relative and incomplete paths to modules can no longer be specified (previously, the dlopen function looked for a module by name in the library directory).

On the other hand, support for extensions in the KRL format has been added to ssh, sshd and ssh-keygen. The extensions themselves are not yet available at this stage of development.

Also, in the ssh-keygen utility, the default number of rounds of the bcrypt function has been increased by 50% when deriving the symmetric encryption keys for password-protected key files.

Other changes that stand out in this new version:

  • The ssh utility allows forwarding of Unix sockets using "ssh -W".
  • Added the match localnetwork operation to ssh which allows addresses of available network interfaces to be matched and can be used to vary the effective client configuration based on network location.
  • sshd provides a replacement for the SELinux matchpathcon() function, which is deprecated.
  • Fixed compilation problems for the sk-dummy.so FIDO provider module used in some tests.
  • ssh-agent improves isolation between loaded PKCS#11 modules by running a separate ssh-pkcs11-helper for each provider loaded.
  • In sshd, ssh, and ssh-keygen, residual support for KRL signatures is removed. This version removes the partially implemented code for checking KRLs.
  • ssh-keygen fixes "no comment" not being displayed when running `ssh-keygen -l` on multiple keys where one has a comment and subsequent keys do not.
  • Adjusted the ftruncate() logic to handle servers reordering requests. Previously, if the server reordered the requests, then the resulting file would be truncated by mistake.
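
The "Tag" directive and the match localnetwork operation described above can be combined in one ssh_config file. The following is an added example, not taken from the OpenSSH project or from the original article; all host names, network ranges and tag names are hypothetical, and the Match keyword for tags is written `tagged`, as it is spelled in ssh_config(5).

```sshconfig
# Added example: every host name, network range and tag name here is hypothetical.
# ssh_config keeps the first value obtained for each option, so block order matters.

# 1. Location: tag the session when a local interface has an address
#    on the office LAN.
Match localnetwork 10.20.0.0/16
    Tag office

# 2. On the office LAN, reach internal hosts directly.
Match tagged office host *.corp.example
    ProxyJump none

# 3. Anywhere else, go through the bastion. The bastion itself is excluded
#    so the jump connection does not try to jump through itself.
Match host *.corp.example,!bastion.corp.example
    ProxyJump bastion.corp.example

# 4. A tag chosen by hand on the command line ("ssh -P untrusted host").
#    A tag given with -P is set first, so block 1 cannot replace it.
Match tagged untrusted
    ForwardAgent no
    ForwardX11 no
    ClearAllForwardings yes

# Defaults that apply regardless of tag or location.
Host *
    StrictHostKeyChecking ask
    ForwardAgent no

# Inspect the configuration that results for one target with:
#   ssh -G db1.corp.example
```

Match localnetwork only compares the addresses of the local interfaces with the listed ranges; it does not authenticate the network, so any network that hands out addresses in that range will match. Use it to select routes and conveniences, not to relax host key checking or to enable agent forwarding.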

Finally, if you are interested in knowing more about this new version, you can check the details by going to the following link.

How to install OpenSSH 9.4 on Linux?

Those who want to install this new version of OpenSSH on their systems can, for now, do so by downloading the source code and compiling it on their computers.

This is because the new version has not yet been included in the repositories of the main Linux distributions. You can get the source code from the following link.

Once the download is done, unpack the package with the following command:

tar -xvf openssh-9.4.tar.gz

We enter the created directory:

cd openssh-9.4

And we can compile with the following commands:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
