Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* This release deprecates the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
* The format of several log messages emitted by the packet code has
changed to include additional information about the user and
their authentication state. Software that monitors ssh/sshd logs
may need to account for these changes. For example:
Connection closed by user x 1.1.1.1 port 1234 [preauth]
Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
Affected messages include connection closure, timeout, remote
disconnection, negotiation failure and some other fatal messages
generated by the packet code.
* [Portable OpenSSH only] This version removes support for building
against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting
versions prior to 1.0.1 over 12 months ago (i.e. they no longer
receive fixes for security bugs).
Changes since OpenSSH 7.4
=========================
This is a bugfix release.
Security
--------
* ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
Note that the OpenSSH client disables CBC ciphers by default, sshd
offers them as lowest-preference options and will remove them by
default entriely in the next release. Reported by Jean Paul
Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
Royal Holloway, University of London.
* sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
a recursive file transfer could be maniuplated by a hostile server to
perform a path-traversal attack. creating or modifying files outside
of the intended target directory. Reported by Jann Horn of Google
Project Zero.
New Features
------------
* ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
algorithm lists, e.g. Ciphers=-*cbc. bz#2671
Bugfixes
--------
* sshd(1): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
* ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
* sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods were
not being correctly advertised. bz#2680
* ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
known_hosts processing. bz#2591 bz#2685
* ssh(1): Allow ssh to use certificates accompanied by a private key
file but no corresponding plain *.pub public key. bz#2617
* ssh(1): When updating hostkeys using the UpdateHostKeys option,
accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
method. bz#2650
* ssh(1): Detect and report excessively long configuration file
lines. bz#2651
* Merge a number of fixes found by Coverity and reported via Redhat
and FreeBSD. Includes fixes for some memory and file descriptor
leaks in error paths. bz#2687
* ssh-keyscan(1): Correctly hash hosts with a port number. bz#2692
* ssh(1), sshd(8): When logging long messages to stderr, don't truncate
"\r\n" if the length of the message exceeds the buffer. bz#2688
* ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
line; avoid confusion over IPv6 addresses and shells that treat
square bracket characters specially.
* ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed entries.
* Fix various fallout and sharp edges caused by removing SSH protocol
1 support from the server, including the server banner string being
incorrectly terminated with only \n (instead of \r\n), confusing
error messages from ssh-keyscan bz#2583 and a segfault in sshd
if protocol v.1 was enabled for the client and sshd_config
contained references to legacy keys bz#2686.
* ssh(1), sshd(8): Free fd_set on connection timeout. bz#2683
* sshd(8): Fix Unix domain socket forwarding for root (regression in
OpenSSH 7.4).
* sftp(1): Fix division by zero crash in "df" output when server
returns zero total filesystem blocks/inodes.
* ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
encountered during key loading to more meaningful error codes.
bz#2522 bz#2523
* ssh-keygen(1): Sanitise escape sequences in key comments sent to
printf but preserve valid UTF-8 when the locale supports it;
bz#2520
* ssh(1), sshd(8): Return reason for port forwarding failures where
feasible rather than always "administratively prohibited". bz#2674
* sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a key is
matched early. bz#2655
* Regression tests: several reliability fixes. bz#2654 bz#2658 bz#2659
* ssh(1): Fix typo in ~C error message for bad port forward
cancellation. bz#2672
* ssh(1): Show a useful error message when included config files
can't be opened; bz#2653
* sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
(previously incorrectly) advertised. bz#2637
* sshd_config(5): Repair accidentally-deleted mention of %k token
in AuthorizedKeysCommand; bz#2656
* sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; bz#2665
* ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
* sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
response handling.
* ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
keys. It was not possible to delete them except by specifying
their full physical path. bz#2682
Portability
-----------
* sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
crypto coprocessor.
* sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
inspection.
* ssh(1): Fix X11 forwarding on OSX where X11 was being started by
launchd. bz#2341
* ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
contain non-printable characters where the codeset in use is ASCII.
* build: Fix builds that attempt to link a kerberised libldns. bz#2603
* build: Fix compilation problems caused by unconditionally defining
_XOPEN_SOURCE in wide character detection.
* sshd(8): Fix sandbox violations for clock_gettime VSDO syscall
fallback on some Linux/X32 kernels. bz#2142
For full changes, please refer ChangeLog file.
Future deprecation notice
=========================
We plan on retiring more legacy cryptography in future releases,
specifically:
* In approximately August 2017, removing remaining support for the
SSH v.1 protocol (client-only and currently compile-time disabled).
* In the same release, removing support for Blowfish and RC4 ciphers
and the RIPE-MD160 HMAC. (These are currently run-time disabled).
* Refusing all RSA keys smaller than 1024 bits (the current minimum
is 768 bits)
* The next release of OpenSSH will remove support for running sshd(8)
with privilege separation disabled.
* The next release of portable OpenSSH will remove support for
OpenSSL version prior to 1.0.1.
This list reflects our current intentions, but please check the final
release notes for future releases.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* This release removes server support for the SSH v.1 protocol.
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
only mandatory cipher in the SSH RFCs, this may cause problems
connecting to older devices using the default configuration,
but it's highly likely that such devices already need explicit
configuration for key exchange and hostkey algorithms already
anyway.
* sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist
of trusted paths by default. The path whitelist may be specified
at run-time.
* sshd(8): When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, sshd will now
refuse to accept the certificate unless they are identical.
The previous (documented) behaviour of having the certificate
forced-command override the other could be a bit confusing and
error-prone.
* sshd(8): Remove the UseLogin configuration directive and support
for having /bin/login manage login sessions.
Changes since OpenSSH 7.3
=========================
This is primarily a bugfix release.
Security
--------
* ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
outside a trusted whitelist (run-time configurable). Requests to
load modules could be passed via agent forwarding and an attacker
could attempt to load a hostile PKCS#11 module across the forwarded
agent channel: PKCS#11 modules are shared libraries, so this would
result in code execution on the system running the ssh-agent if the
attacker has control of the forwarded agent-socket (on the host
running the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the ssh
client). Reported by Jann Horn of Project Zero.
* sshd(8): When privilege separation is disabled, forwarded Unix-
domain sockets would be created by sshd(8) with the privileges of
'root' instead of the authenticated user. This release refuses
Unix-domain socket forwarding when privilege separation is disabled
(Privilege separation has been enabled by default for 14 years).
Reported by Jann Horn of Project Zero.
* sshd(8): Avoid theoretical leak of host private key material to
privilege-separated child processes via realloc() when reading
keys. No such leak was observed in practice for normal-sized keys,
nor does a leak to the child processes directly expose key material
to unprivileged users. Reported by Jann Horn of Project Zero.
* sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds checks that could be elided by
some optimising compilers. Additionally, this memory manager was
incorrectly accessible when pre-authentication compression was
disabled. This could potentially allow attacks against the
privileged monitor process from the sandboxed privilege-separation
process (a compromise of the latter would be required first).
This release removes support for pre-authentication compression
from sshd(8). Reported by Guido Vranken using the Stack unstable
optimisation identification tool (http://css.csail.mit.edu/stack/)
* sshd(8): Fix denial-of-service condition where an attacker who
sends multiple KEXINIT messages may consume up to 128MB per
connection. Reported by Shi Lei of Gear Team, Qihoo 360.
* sshd(8): Validate address ranges for AllowUser and DenyUsers
directives at configuration load time and refuse to accept invalid
ones. It was previously possible to specify invalid CIDR address
ranges (e.g. user@127.1.2.3/55) and these would always match,
possibly resulting in granting access where it was not intended.
Reported by Laurence Parry.
OpenSSH 7.3p1 is primarily a bugfix release and here is summary.
Changes since OpenSSH 7.2
=========================
Security
--------
* sshd(8): Mitigate a potential denial-of-service attack against
the system's crypt(3) function via sshd(8). An attacker could
send very long passwords that would cause excessive CPU use in
crypt(3). sshd(8) now refuses to accept password authentication
requests of length greater than 1024 characters. Independently
reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
* sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com
* ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
are disabled by default and only included for legacy compatibility.
* ssh(1), sshd(8): Improve operation ordering of MAC verification for
Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
MAC before decrypting any ciphertext. This removes the possibility
of timing differences leaking facts about the plaintext, though no
such leakage has been observed. Reported by Jean Paul Degabriele,
Kenny Paterson, Torben Hansen and Martin Albrecht.
* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.
New Features
------------
* ssh(1): Add a ProxyJump option and corresponding -J command-line
flag to allow simplified indirection through a one or more SSH
bastions or "jump hosts".
* ssh(1): Add an IdentityAgent option to allow specifying specific
agent sockets instead of accepting one from the environment.
* ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
optionally overridden when using ssh -W. bz#2577
* ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
per draft-sgtatham-secsh-iutf8-00.
* ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
* ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
signatures in certificates;
* ssh(1): Add an Include directive for ssh_config(5) files.
* ssh(1): Permit UTF-8 characters in pre-authentication banners sent
from the server. bz#2058
Bugfixes
--------
* ssh(1), sshd(8): Reduce the syslog level of some relatively common
protocol events from LOG_CRIT. bz#2585
* sshd(8): Refuse AuthenticationMethods="" in configurations and
accept AuthenticationMethods=any for the default behaviour of not
requiring multiple authentication. bz#2398
* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
* ssh(1): Close ControlPersist background process stderr except
in debug mode or when logging to syslog. bz#1988
* misc: Make PROTOCOL description for direct-streamlocal@openssh.com
channel open messages match deployed code. bz#2529
* ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
failures when both ExitOnForwardFailure and hostname
canonicalisation are enabled. bz#2562
* sshd(8): Remove fallback from moduli to obsolete "primes" file
that was deprecated in 2001. bz#2559.
* sshd_config(5): Correct description of UseDNS: it affects ssh
hostname processing for authorized_keys, not known_hosts; bz#2554
* ssh(1): Fix authentication using lone certificate keys in an agent
without corresponding private keys on the filesystem. bz#2550
* sshd(8): Send ClientAliveInterval pings when a time-based
RekeyLimit is set; previously keepalive packets were not being
sent. bz#2252
Changes since OpenSSH 7.2p1
===========================
This release fixes a security bug:
* sshd(8): sanitise X11 authentication credentials to avoid xauth
command injection when X11Forwarding is enabled.
Full details of the vulnerability are available at:
http://www.openssh.com/txt/x11fwd.adv
if ssh_host_key doesn't exist.
RSA1 support is dead and doesn't exist in the package we generate, hence,
regeneration of the key is executed everytime sshd is started/restarted.
Bump PKGREVISION
Reviewed by wiz@
Changes since OpenSSH 7.0
=========================
This is a bugfix release.
Security
--------
* sshd(8): OpenSSH 7.0 contained a logic error in PermitRootLogin=
prohibit-password/without-password that could, depending on
compile-time configuration, permit password authentication to
root while preventing other forms of authentication. This problem
was reported by Mantas Mikulenas.
Bugfixes
--------
* ssh(1), sshd(8): add compatability workarounds for FuTTY
* ssh(1), sshd(8): refine compatability workarounds for WinSCP
* Fix a number of memory faults (double-free, free of uninitialised
memory, etc) in ssh(1) and ssh-keygen(1). Reported by Mateusz
Kocielski.
privilege separation has been disabled all that time. The logic was changed
such that it was only enabled on Interix, instead of only being disabled on
Interix as originally intended.
While here, pull in patches from MacPorts to enable privsep on Darwin.
Bump PKGREVISION.
pkgsrc change:
* tcp_wrappers support was removed from release 6.7, but add it refering
FreeBSD's ports.
* hpn-patch is also based on FreeBSD's ports.
Security
--------
* ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
connections made after ForwardX11Timeout expired could be permitted
and no longer subject to XSECURITY restrictions because of an
ineffective timeout check in ssh(1) coupled with "fail open"
behaviour in the X11 server when clients attempted connections with
expired credentials. This problem was reported by Jann Horn.
* ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
For more information, please refer release announce.
http://www.openssh.com/txt/release-6.9http://www.openssh.com/txt/release-6.8http://www.openssh.com/txt/release-6.7
It's not available.
ftp://ftp.belnet.be/pub/OpenBSD/OpenSSH/portable/ (capitalize openbsd) is
availabe, but it's a mirror, not the special old distfile holder.
Moreover, mirrors have good enough old versions, and "old" subdirectory
have much old distfiles.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
Changes since OpenSSH 6.3
=========================
This release fixes a security bug:
* sshd(8): fix a memory corruption problem triggered during rekeying
when an AES-GCM cipher is selected. Full details of the vulnerability
are available at: http://www.openssh.com/txt/gcmrekey.adv
Changes since OpenSSH 6.2 is too many to write here, please refer
the release note: http://www.openssh.com/txt/release-6.3.
