Sun. Mar 29th, 2020

OpenSSH 8.2 released: support for FIDO/U2F hardware authenticator



OpenSSH is a 100% complete SSH 2.0 protocol implementation that includes sftp client and server support. Version 8.2 contains some changes that may affect your existing configuration:

The better alternatives to the “ssh-rsa” (RSA/SHA1) signature algorithm include:

* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as “ssh-rsa” but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.

* The ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5.

* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7.


* ssh(1), sshd(8), ssh-keygen(1): this release removes the “ssh-rsa” (RSA/SHA1) algorithm from those accepted for certificate signatures (i.e. the client and server CASignatureAlgorithms option) and will use the rsa-sha2-512 signature algorithm by default when the ssh-keygen(1) CA signs new certificates.

Certificates are at special risk to the aforementioned SHA1 collision vulnerability as an attacker has effectively unlimited time in which to craft a collision that yields them a valid certificate, far more than the relatively brief LoginGraceTime window that they have to forge a host key signature.

The OpenSSH certificate format includes a CA-specified (typically random) nonce value near the start of the certificate that should make exploitation of chosen-prefix collisions in this context challenging, as the attacker does not have full control over the prefix that actually gets signed. Nonetheless, SHA1 is now a demonstrably broken algorithm and further improvements in attacks are highly likely.

OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2 algorithms and will refuse to accept certificates signed by an OpenSSH 8.2+ CA using RSA keys unless the unsafe algorithm is explicitly selected during signing (“ssh-keygen -t ssh-rsa”). Older clients/servers may use another CA key type such as ssh-ed25519 (supported since OpenSSH 6.5) or one of the ecdsa-sha2-nistp256/384/521 types (supported since OpenSSH 5.7) instead if they cannot be upgraded.
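To find existing certificates that still carry an RSA/SHA1 CA signature, the signature algorithm can be read directly from the certificate blob; note that the CA key type stays “ssh-rsa” even when the signature is rsa-sha2-512. The Python below is an added example, not code from OpenSSH or from this post. It assumes the field layout documented in OpenSSH's PROTOCOL.certkeys, and `sample()` is a hypothetical helper that builds a constructed certificate with dummy key and signature bytes.

```python
import base64
import struct

# Count of public-key fields between the nonce and the serial (PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-rsa-cert-v01@openssh.com": 2, "ssh-ed25519-cert-v01@openssh.com": 1,
              **{f"ecdsa-sha2-nistp{n}-cert-v01@openssh.com": 2 for n in (256, 384, 521)}}

def pack(data):
    """Encode an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read(buf, off):
    """Decode one SSH wire string at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def ca_signature(cert_line):
    """Return (CA key type, signature algorithm, is RSA/SHA1) for a *-cert.pub line."""
    blob = base64.b64decode(cert_line.split()[1], validate=True)
    ctype, off = read(blob, 0)
    nfields = KEY_FIELDS.get(ctype.decode("ascii", "replace"))
    if nfields is None:
        raise ValueError("unsupported certificate type")
    for _ in range(1 + nfields):    # nonce, then public key fields
        _, off = read(blob, off)
    off += 12                       # uint64 serial, uint32 cert type
    for _ in range(2):              # key id, valid principals
        _, off = read(blob, off)
    off += 16                       # valid after, valid before
    for _ in range(3):              # critical options, extensions, reserved
        _, off = read(blob, off)
    ca_key, off = read(blob, off)
    sig, off = read(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after signature")
    ca_type, alg = read(ca_key, 0)[0].decode(), read(sig, 0)[0].decode()
    return ca_type, alg, alg == "ssh-rsa"   # True: not accepted by 8.2 defaults

def sample(sig_alg):
    """Constructed certificate: dummy key and signature bytes, not verifiable."""
    ca = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(b"\x00" + b"\xaa" * 256)
    body = (pack(b"ssh-ed25519-cert-v01@openssh.com") + pack(b"\x11" * 32)
            + pack(b"\x22" * 32) + struct.pack(">QI", 1, 1) + pack(b"demo")
            + pack(pack(b"alice")) + struct.pack(">QQ", 0, 2**64 - 1) + pack(b"") * 3
            + pack(ca) + pack(pack(sig_alg) + pack(b"\x00" * 256)))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

Certificates flagged `True` need to be reissued by the CA before peers running 8.2 defaults will accept them.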

More information can be viewed here.