Published the release of OpenSSH 8.8, an open client and server implementation for the SSH 2.0 and SFTP protocols. The release is notable for disabling by default the ability to use digital signatures based on RSA keys with a SHA-1 hash (“ssh-rsa”).
The end of support for “ssh-rsa” signatures is due to an increase in the effectiveness of collision attacks with a given prefix (the cost of collision guessing is estimated at about 50 thousand dollars). To test the use of ssh-rsa on your systems, you can try connecting via ssh with the “-oHostKeyAlgorithms = -ssh-rsa” option. Support for RSA signatures with SHA-256 and SHA-512 (rsa-sha2-256 / 512) hashes, which are supported since OpenSSH 7.2, is unchanged.
In most cases, the end of support for “ssh-rsa” will not require any manual action from users, since the UpdateHostKeys setting was previously enabled by default in OpenSSH, which automatically translates clients to more reliable algorithms. For migration, the “firstname.lastname@example.org” protocol extension is used, which allows the server, after passing the authentication, to inform the client about all available host keys. When connecting to hosts with very old versions of OpenSSH on the client side, you can selectively revert the ability to use “ssh-rsa” signatures by adding to ~ / .ssh / config:
Host old_host_name HostkeyAlgorithms + ssh-rsa PubkeyAcceptedAlgorithms + ssh-rsa
The new version also resolves a security issue caused by sshd, since OpenSSH 6.2, incorrectly initializing the user group when executing commands specified in the Authorized Keys Command and Authorized Principals Command directives. These directives should ensure that commands are run under a different user, but in fact they inherited the list of groups used when starting sshd. Potentially, this behavior, given certain system settings, allowed the running handler to gain additional privileges in the system.
The release notes also contain a warning about the intention to change the default scp utility to use SFTP instead of the legacy SCP / RCP protocol. The SFTP apply more predictable methods names, and non-processing is used glob-patterns in filenames through the shell on the side of the other host, which creates problems with security… In particular, when using SCP and RCP, the server decides which files and directories to send to the client, and the client only checks the correctness of the returned object names, which, in the absence of proper checks on the client side, allows the server to transmit other file names that differ from the requested ones. The SFTP protocol is free of these problems, but does not support the expansion of special paths such as “~ /”. To address this difference, in the previous release of OpenSSH, a new SFTP extension was proposed in the SFTP server implementation to expose the ~ / and ~ user / paths.