Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssh/dist OpenSSH 8.4 was released on...
details: https://anonhg.NetBSD.org/src/rev/3e8f0e68f941
branches: trunk
changeset: 957573:3e8f0e68f941
user: christos <christos%NetBSD.org@localhost>
date: Fri Dec 04 18:40:04 2020 +0000
description:
OpenSSH 8.4 was released on 2020-09-27. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.
The better alternatives include:
* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.
* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.
* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.
We intend to enable UpdateHostKeys by default in the next OpenSSH
release. This will assist the client by automatically migrating to
better algorithms. Users may consider enabling this option manually.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently public key authentication and sshsig signatures).
This prevents ssh-agent forwarding on a host that has FIDO keys
attached granting the ability for the remote side to sign challenges
for web authentication using those keys too.
Note that the converse case of web browsers signing SSH challenges is
already precluded because no web RP can have the "ssh:" prefix in the
application string that we require.
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
a FIDO resident key.
The recent FIDO 2.1 Client to Authenticator Protocol introduced a
"credProtect" feature to better protect resident keys. We use this
option to require a PIN prior to all operations that may retrieve
a resident key from a FIDO token.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0
or greater. Older libraries have limited support at the expense of
disabling particular features. These include resident keys, PIN-
required keys and multiple attached tokens.
* ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is generated has changed. It now includes
the authenticator data needed to validate attestation signatures.
* The API between OpenSSH and the FIDO token middleware has changed
and the SSH_SK_VERSION_MAJOR version has been incremented as a
result. Third-party middleware libraries must support the current
API version (7) to work with OpenSSH 8.4.
* The portable OpenSSH distribution now requires automake to rebuild
the configure script and supporting files. This is not required when
simply building portable OpenSSH from a release tar file.
Changes since OpenSSH 8.3
=========================
New features
------------
* ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
"verify-required" option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
* sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token verified
that the user was present before making the signature. The FIDO
protocol supports multiple methods for user-verification, but
currently OpenSSH only supports PIN verification.
* sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
* ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are CertificateFile,
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
RemoteForward when used for Unix domain socket paths. bz#3140
* ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use. bz#69
* ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-
limited keys will automatically be removed from ssh-agent after
their expiry time has passed.
* scp(1), sftp(1): allow the -A flag to explicitly enable agent
forwarding in scp and sftp. The default remains to not forward an
agent, even when ssh_config enables it.
* ssh(1): add a '%k' TOKEN that expands to the effective HostKey of
the destination. This allows, e.g., keeping host keys in individual
files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654
* ssh(1): add %-TOKEN, environment variable and tilde expansion to
the UserKnownHostsFile directive, allowing the path to be
completed by the configuration (e.g. bz#1654)
* ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted
from stdin. bz#3180
* sshd(8): improve logging for MaxStartups connection throttling.
sshd will now log when it starts and stops throttling and periodically
while in this state. bz#3055
Bugfixes
--------
* ssh(1), ssh-keygen(1): better support for multiple attached FIDO
tokens. In cases where OpenSSH cannot unambiguously determine which
token to direct a request to, the user is now required to select a
token by touching it. In cases of operations that require a PIN to
be verified, this avoids sending the wrong PIN to the wrong token
and incrementing the token's PIN failure counter (tokens
effectively erase their keys after too many PIN failures).
* sshd(8): fix Include before Match in sshd_config; bz#3122
* ssh(1): close stdin/out/error when forking after authentication
completes ("ssh -f ...") bz#3137
* ssh(1), sshd(8): limit the amount of channel input data buffered,
avoiding peers that advertise large windows but are slow to read
from causing high memory consumption.
* ssh-agent(1): handle multiple requests sent in a single write() to
the agent.
* sshd(8): allow sshd_config longer than 256k
* sshd(8): avoid spurious "Unable to load host key" message when sshd
load a private key but no public counterpart
* ssh(1): prefer the default hostkey algorithm list whenever we have
a hostkey that matches its best-preference algorithm.
* sshd(1): when ordering the hostkey algorithms to request from a
server, prefer certificate types if the known_hosts files contain a key
marked as a @cert-authority; bz#3157
* ssh(1): perform host key fingerprint comparisons for the "Are you
sure you want to continue connecting (yes/no/[fingerprint])?"
prompt with case sensitivity.
* sshd(8): ensure that address/masklen mismatches in sshd_config
yield fatal errors at daemon start time rather than later when
they are evaluated.
* ssh-keygen(1): ensure that certificate extensions are lexically
sorted. Previously if the user specified a custom extension then
the everything would be in order except the custom ones. bz#3198
* ssh(1): also compare username when checking for JumpHost loops.
bz#3057
* ssh-keygen(1): preserve group/world read permission on known_hosts
files across runs of "ssh-keygen -Rf /path". The old behaviour was
to remove all rights for group/other. bz#3146
* ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
manual page and usage().
* sshd(8): explicitly construct path to ~/.ssh/rc rather than
relying on it being relative to the current directory, so that it
can still be found if the shell startup changes its directory.
bz#3185
* sshd(8): when redirecting sshd's log output to a file, undo this
redirection after the session child process is forked(). Fixes
missing log messages when using this feature under some
circumstances.
* sshd(8): start ClientAliveInterval bookkeeping before first pass
through select() loop; fixed theoretical case where busy sshd may
ignore timeouts from client.
* ssh(1): only reset the ServerAliveInterval check when we receive
traffic from the server and ignore traffic from a port forwarding
client, preventing a client from keeping a connection alive when
it should be terminated. bz#2265
* ssh-keygen(1): avoid spurious error message when ssh-keygen
creates files outside ~/.ssh
* sftp-client(1): fix off-by-one error that caused sftp downloads to
make one more concurrent request that desired. This prevented using
sftp(1) in unpipelined request/response mode, which is useful when
debugging. bz#3054
* ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
helpers. bz#3071
* ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
write to it so we don't leave an empty .ssh directory when it's not
needed. bz#3156
* ssh(1), sshd(8): fix multiplier when parsing time specifications
when handling seconds after other units. bz#3171
Portability
-----------
* sshd(8): always send any PAM account messages. If the PAM account
stack returns any messages, always send them to the user and not
just if the check succeeds. bz#2049
* Implement some backwards compatibility for libfido2 libraries
older than 1.5.0. Note that use of an older library will result
in the loss of certain features including resident key support,
PIN support and support for multiple attached tokens.
* configure fixes for XCode 12
* gnome-ssh-askpass3: ensure the "close" button is not focused by
default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter
accidentally dismissing FIDO touch notifications.
* gnome-ssh-askpass3: allow some control over textarea colour via
$GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR
environment variables.
* sshd(8): document another PAM spec problem in a frustrated comment
* sshd(8): support NetBSD's utmpx.ut_ss address field. bz#960
* Add the ssh-sk-helper binary and its manpage to the RPM spec file
* Detect the Frankenstein monster of Linux/X32 and allow the sandbox
to function there. bz#3085
diffstat:
crypto/external/bsd/openssh/dist/PROTOCOL.sshsig | 3 +-
crypto/external/bsd/openssh/dist/PROTOCOL.u2f | 130 +++++++++-------------
crypto/external/bsd/openssh/dist/sk-api.h | 7 +-
crypto/external/bsd/openssh/dist/sshsig.h | 9 +-
4 files changed, 64 insertions(+), 85 deletions(-)
diffs (256 lines):
diff -r 3e3e4288840a -r 3e8f0e68f941 crypto/external/bsd/openssh/dist/PROTOCOL.sshsig
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.sshsig Fri Dec 04 18:28:55 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.sshsig Fri Dec 04 18:40:04 2020 +0000
@@ -71,7 +71,7 @@
signature algorithm must be "rsa-sha2-512" or "rsa-sha2-256" (i.e.
not the legacy RSA-SHA1 "ssh-rsa").
-This blob is encoded as a string using the RFC4243 encoding
+This blob is encoded as a string using the RFC4253 encoding
rules and base64 encoded to form the middle part of the
armored signature.
@@ -97,3 +97,4 @@
The data is concatenated and passed to the SSH signing
function.
+$OpenBSD: PROTOCOL.sshsig,v 1.4 2020/08/31 00:17:41 djm Exp $
diff -r 3e3e4288840a -r 3e8f0e68f941 crypto/external/bsd/openssh/dist/PROTOCOL.u2f
--- a/crypto/external/bsd/openssh/dist/PROTOCOL.u2f Fri Dec 04 18:28:55 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/PROTOCOL.u2f Fri Dec 04 18:40:04 2020 +0000
@@ -39,6 +39,13 @@
primarily use ECDSA signatures in the NIST-P256 field, though the FIDO2
standard specifies additional key types, including one based on Ed25519.
+Use of U2F security keys does not automatically imply multi-factor
+authentication. From sshd's perspective, a security key constitutes a
+single factor of authentication, even if protected by a PIN or biometric
+authentication. To enable multi-factor authentication in ssh, please
+refer to the AuthenticationMethods option in sshd_config(5).
+
+
SSH U2F Key formats
-------------------
@@ -147,6 +154,16 @@
case, OpenSSH optionally allows retaining the attestation information
at the time of key generation. It will take the following format:
+ string "ssh-sk-attest-v01"
+ string attestation certificate
+ string enrollment signature
+ string authenticator data (CBOR encoded)
+ uint32 reserved flags
+ string reserved string
+
+A previous version of this format, emitted prior to OpenSSH 8.4 omitted
+the authenticator data.
+
string "ssh-sk-attest-v00"
string attestation certificate
string enrollment signature
@@ -202,6 +219,32 @@
byte flags
uint32 counter
+webauthn signatures
+-------------------
+
+The W3C/FIDO webauthn[1] standard defines a mechanism for a web browser to
+interact with FIDO authentication tokens. This standard builds upon the
+FIDO standards, but requires different signature contents to raw FIDO
+messages. OpenSSH supports ECDSA/p256 webauthn signatures through the
+"webauthn-sk-ecdsa-sha2-nistp256%openssh.com@localhost" signature algorithm.
+
+The wire encoding for a webauthn-sk-ecdsa-sha2-nistp256%openssh.com@localhost
+signature is similar to the sk-ecdsa-sha2-nistp256%openssh.com@localhost format:
+
+ string "webauthn-sk-ecdsa-sha2-nistp256%openssh.com@localhost"
+ string ecdsa_signature
+ byte flags
+ uint32 counter
+ string origin
+ string clientData
+ string extensions
+
+Where "origin" is the HTTP origin making the signature, "clientData" is
+the JSON-like structure signed by the browser and "extensions" are any
+extensions used in making the signature.
+
+[1] https://www.w3.org/TR/webauthn-2/
+
ssh-agent protocol extensions
-----------------------------
@@ -234,87 +277,15 @@
loaded middleware libraries to communicate with security keys, but offer
support for the common case of USB HID security keys internally.
-The middleware library need only expose a handful of functions:
-
- #define SSH_SK_VERSION_MAJOR 0x00050000 /* API version */
- #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
-
- /* Flags */
- #define SSH_SK_USER_PRESENCE_REQD 0x01
- #define SSH_SK_USER_VERIFICATION_REQD 0x04
- #define SSH_SK_RESIDENT_KEY 0x20
-
- /* Algs */
- #define SSH_SK_ECDSA 0x00
- #define SSH_SK_ED25519 0x01
-
- /* Error codes */
- #define SSH_SK_ERR_GENERAL -1
- #define SSH_SK_ERR_UNSUPPORTED -2
- #define SSH_SK_ERR_PIN_REQUIRED -3
- #define SSH_SK_ERR_DEVICE_NOT_FOUND -4
-
- struct sk_enroll_response {
- uint8_t *public_key;
- size_t public_key_len;
- uint8_t *key_handle;
- size_t key_handle_len;
- uint8_t *signature;
- size_t signature_len;
- uint8_t *attestation_cert;
- size_t attestation_cert_len;
- };
-
- struct sk_sign_response {
- uint8_t flags;
- uint32_t counter;
- uint8_t *sig_r;
- size_t sig_r_len;
- uint8_t *sig_s;
- size_t sig_s_len;
- };
-
- struct sk_resident_key {
- uint32_t alg;
- size_t slot;
- char *application;
- struct sk_enroll_response key;
- };
-
- struct sk_option {
- char *name;
- char *value;
- uint8_t important;
- };
-
- /* Return the version of the middleware API */
- uint32_t sk_api_version(void);
-
- /* Enroll a U2F key (private key generation) */
- int sk_enroll(uint32_t alg,
- const uint8_t *challenge, size_t challenge_len,
- const char *application, uint8_t flags, const char *pin,
- struct sk_option **options,
- struct sk_enroll_response **enroll_response);
-
- /* Sign a challenge */
- int sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
- const char *application,
- const uint8_t *key_handle, size_t key_handle_len,
- uint8_t flags, const char *pin, struct sk_option **options,
- struct sk_sign_response **sign_response);
-
- /* Enumerate all resident keys */
- int sk_load_resident_keys(const char *pin, struct sk_option **options,
- struct sk_resident_key ***rks, size_t *nrks);
-
-The SSH_SK_VERSION_MAJOR should be incremented for each incompatible
+The middleware library need only expose a handful of functions and
+numbers listed in sk-api.h. Included in the defined numbers is a
+SSH_SK_VERSION_MAJOR that should be incremented for each incompatible
API change.
-The options may be used to pass miscellaneous options to the middleware
-as a NULL-terminated array of pointers to struct sk_option. The middleware
-may ignore unsupported or unknown options unless the "important" flag is
-set, in which case it should return failure if an unsupported option is
+miscellaneous options may be passed to the middleware as a NULL-
+terminated array of pointers to struct sk_option. The middleware may
+ignore unsupported or unknown options unless the "required" flag is set,
+in which case it should return failure if an unsupported option is
requested.
At present the following options names are supported:
@@ -335,3 +306,4 @@
ssh-pkcs11-helper to provide address-space containment of the
middleware from ssh-agent.
+$OpenBSD: PROTOCOL.u2f,v 1.26 2020/09/09 03:08:01 djm Exp $
diff -r 3e3e4288840a -r 3e8f0e68f941 crypto/external/bsd/openssh/dist/sk-api.h
--- a/crypto/external/bsd/openssh/dist/sk-api.h Fri Dec 04 18:28:55 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/sk-api.h Fri Dec 04 18:40:04 2020 +0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.9 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.11 2020/09/09 03:08:01 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -45,6 +45,8 @@
size_t signature_len;
uint8_t *attestation_cert;
size_t attestation_cert_len;
+ uint8_t *authdata;
+ size_t authdata_len;
};
struct sk_sign_response {
@@ -61,6 +63,7 @@
size_t slot;
char *application;
struct sk_enroll_response key;
+ uint8_t flags;
};
struct sk_option {
@@ -69,7 +72,7 @@
uint8_t required;
};
-#define SSH_SK_VERSION_MAJOR 0x00050000 /* current API version */
+#define SSH_SK_VERSION_MAJOR 0x00070000 /* current API version */
#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
/* Return the version of the middleware API */
diff -r 3e3e4288840a -r 3e8f0e68f941 crypto/external/bsd/openssh/dist/sshsig.h
--- a/crypto/external/bsd/openssh/dist/sshsig.h Fri Dec 04 18:28:55 2020 +0000
+++ b/crypto/external/bsd/openssh/dist/sshsig.h Fri Dec 04 18:40:04 2020 +0000
@@ -1,3 +1,4 @@
+/* $OpenBSD: sshsig.h,v 1.9 2020/08/31 00:17:41 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -23,7 +24,8 @@
struct sshkey_sig_details;
typedef int sshsig_signer(struct sshkey *, u_char **, size_t *,
- const u_char *, size_t, const char *, const char *, u_int, void *);
+ const u_char *, size_t, const char *, const char *, const char *,
+ u_int, void *);
/* Buffer-oriented API */
@@ -33,7 +35,7 @@
* out is populated with the detached signature, or NULL on failure.
*/
int sshsig_signb(struct sshkey *key, const char *hashalg,
- const char *sk_provider, const struct sshbuf *message,
+ const char *sk_provider, const char *sk_pin, const struct sshbuf *message,
const char *sig_namespace, struct sshbuf **out,
sshsig_signer *signer, void *signer_ctx);
@@ -54,7 +56,8 @@
* out is populated with the detached signature, or NULL on failure.
*/
int sshsig_sign_fd(struct sshkey *key, const char *hashalg,
- const char *sk_provider, int fd, const char *sig_namespace,
+ const char *sk_provider, const char *sk_pin,
+ int fd, const char *sig_namespace,
struct sshbuf **out, sshsig_signer *signer, void *signer_ctx);
/*
Home |
Main Index |
Thread Index |
Old Index