OpenSSH 9.6 arrives with fixes for three security problems, new features and more


OpenSSH is a set of applications that allow encrypted communications over a network, using the SSH protocol.

The release of OpenSSH 9.6 has been announced. This version brings several bug fixes, some new features, a number of performance improvements and more.

For those unfamiliar with OpenSSH (Open Secure Shell): it is a set of applications that allow encrypted communications over a network using the SSH protocol. It was created as a free and open alternative to the Secure Shell program, which is proprietary software.

Main new features of OpenSSH 9.6

Among the highlights of OpenSSH 9.6 is a simplified ProxyJump: a "%j" substitution has been added to ssh that expands to the specified host name. Detection of unstable or unsupported compiler flags, such as "-fzero-call-used-regs" in clang, has also been improved.

Another change in the new version is support for configuring ChannelTimeout on the client side in ssh, which can be used to terminate inactive channels.

In addition, OpenSSH 9.6 introduces granular control of signature algorithms: a protocol extension was added to ssh and sshd to renegotiate the digital signature algorithms used for public key authentication after the username has been received. With this extension, for example, different algorithms can be selected for the users you specify.

It is also highlighted that a protocol extension was added to ssh-add and ssh-agent to configure certificates when loading PKCS#11 keys, which allows certificates associated with PKCS#11 private keys to be used in all OpenSSH utilities that support ssh-agent, not just ssh.

As for the bug fixes, the following are mentioned:

  1. A fix for the vulnerability in the SSH protocol (CVE-2023-48795, the Terrapin attack), which allows a MITM attacker to downgrade the connection to less secure authentication algorithms and to disable the protection against side-channel attacks that reconstruct input by analysing the delays between keystrokes. The attack method is described in a separate news article.
  2. A fix for the vulnerability in the ssh utility that allows arbitrary shell commands to be substituted by manipulating login and host values that contain special characters. The vulnerability can be exploited if an attacker controls the login and hostname values passed to ssh and the ProxyCommand and LocalCommand directives, or "match exec" blocks, contain expansion tokens such as %u and %h. For example, malicious login and host values can be supplied on systems that use Git submodules, since Git does not prohibit special characters in host and user names. A similar vulnerability also appears in libssh.
  3. A fix for a bug in ssh-agent where, when adding PKCS#11 private keys, the constraints were applied only to the first key returned by the PKCS#11 token. The issue does not affect regular private keys, FIDO tokens or unconstrained keys.
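The second fix above is worth pairing with the check that callers of ssh (Git, deployment tooling, anything building a target from untrusted input) should apply on their side. The following is an added example, not OpenSSH's or Git's code: a hypothetical expand_tokens models the %u/%h expansion that ProxyCommand, LocalCommand and "match exec" perform before the string reaches the shell, and validate_ssh_target rejects any login or host value that is not a plain name, which also covers values starting with "-" that ssh would read as an option.

```python
import re

def expand_tokens(template: str, user: str, host: str) -> str:
    """Hypothetical model of ssh's %u/%h expansion; the result would be
    handed to the user's shell, so untrusted values must be rejected first."""
    return template.replace("%u", user).replace("%h", host)

# Constructed allow-lists: a dotted DNS-style host name (no label may start
# with '-') and a POSIX-style user name. IP literals are deliberately not
# accepted here; handle them separately if your tooling needs them.
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*\.?$")
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")

def validate_ssh_target(user: str, host: str) -> bool:
    """True only if both values are safe to pass to ssh(1).

    Anything outside the allow-lists is refused: shell metacharacters such
    as backticks, $, ; or spaces, empty strings, and option-like values
    beginning with '-'."""
    return bool(_USER_RE.fullmatch(user) and _HOST_RE.fullmatch(host))

def safe_expand(template: str, user: str, host: str) -> str:
    """Expand the template only after the target has been validated."""
    if not validate_ssh_target(user, host):
        raise ValueError(f"refusing untrusted ssh target {user!r}@{host!r}")
    return expand_tokens(template, user, host)

if __name__ == "__main__":
    # Constructed ProxyCommand template, as it might appear in ssh_config.
    tmpl = "ssh -W %h:22 jump.example.net"
    print(safe_expand(tmpl, "git", "git.example.com"))
    # Values that a vulnerable caller might have passed through unchecked;
    # each is rejected before any expansion takes place.
    for bad in ("git.example.com`id`", "$(id).example.com", "-oProxyCommand=id"):
        print(f"{bad!r} accepted: {validate_ssh_target('git', bad)}")
```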

Other notable changes in this new version:

  • PubkeyAcceptedAlgorithms can now be used in a "Match user" block.
  • To limit the privileges of the sshd process, OpenSolaris versions that support the getpflags() interface now use PRIV_XPOLICY instead of PRIV_LIMIT.
  • Support for reading ED25519 private keys in PEM PKCS8 format was added to ssh, sshd, ssh-add and ssh-keygen (previously only the OpenSSH format was supported).

Finally, if you are interested in learning more about this new version, you can check the details at the following link.

How to install OpenSSH 9.6 on Linux?

Those interested in installing this new version of OpenSSH on their systems can, for now, do so by downloading the source code and compiling it on their computers.

This is because the new version has not yet been included in the repositories of the main Linux distributions. The source code can be obtained from the following link.

Once the download is complete, unpack the package with the following command:

tar -xvf openssh-9.6.tar.gz

Enter the created directory:

cd openssh-9.6

And compile and install with the following commands:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
