Call for testing: OpenSSH 10.0
Dmitry Belyavskiy
dbelyavs at redhat.com
Thu Apr 3 18:02:06 AEDT 2025
Fedora 41, successfully built from github master.
To avoid problems with sha1 signatures (forbidden on RHEL systems), you
need to specify OPENSSL_CONF=/dev/null to make the tests pass.
We have several downstream patches providing run-time detection of sha1
signatures; are they of any interest to you?
On Wed, Apr 2, 2025 at 12:22 AM Darren Tucker <dtucker at dtucker.net> wrote:
> Hi all.
>
> OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is primarily a bugfix
> release, although one notable change is the introduction of the sshd-auth
> binary (see below).
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Potentially-incompatible changes
> --------------------------------
>
> * This release removes support for the weak DSA signature
> algorithm, completing the deprecation process that began in
> 2015 (when DSA was disabled by default) and repeatedly warned
> over the last 12 months.
>
> * This release has the version number 10.0 and announces itself
> as "SSH-2.0-OpenSSH_10.0". Software that naively matches
> versions using patterns like "OpenSSH_1*" may be confused by
> this.
>
> * sshd(8): this release removes the code responsible for the
> user authentication phase of the protocol from the per-
> connection sshd-session binary to a new sshd-auth binary.
> Splitting this code into a separate binary ensures that the
> crucial pre-authentication attack surface has an entirely
> disjoint address space from the code used for the rest of the
> connection. It also yields a small runtime memory saving as the
> authentication code will be unloaded after the authentication
> phase completes. This change should be largely invisible to
> users, though some log messages may now come from "sshd-auth"
> instead of "sshd-session". Downstream distributors of OpenSSH
> will need to package the sshd-auth binary.
>
> * sshd(8): this release disables finite field (a.k.a modp)
> Diffie-Hellman key exchange in sshd by default. Specifically,
> this removes the "diffie-hellman-group*" and
> "diffie-hellman-group-exchange-*" methods from the default
> KEXAlgorithms list. The client is unchanged and continues to
> support these methods by default. Finite field Diffie Hellman
> is slow and computationally expensive for the same security
> level as Elliptic Curve DH or PQ key agreement while offering
> no redeeming advantages. ECDH has been specified for the SSH
> protocol for 15 years and some form of ECDH has been the default
> key exchange in OpenSSH for the last 14 years.
>
> * sshd(8): this release removes the implicit fallback to compiled-
> in groups for Diffie-Hellman Group Exchange KEX when the moduli
> file exists but does not contain moduli within the client-
> requested range. The fallback behaviour remains for the case
> where the moduli file does not exist at all. This allows
> administrators more explicit control over which DH groups will
> be selected, but can lead to connection failures if the moduli
> file is edited incorrectly. bz#2793
>
> * sftp(1) and scp(1) will now explicitly not create a ControlMaster mux
> connection, since doing so would potentially create one with
> options more restrictive than those specified in the config file.
> This could lead to later confusion, particularly when used with
> ControlMaster=auto. sftp(1) and scp(1) can still use a mux connection,
> so ssh(1) can be used to establish one, after which they can use it
> as per usual.
>
> Changes since OpenSSH 9.9
> =========================
>
> New features
> ------------
>
> * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
> is now used by default for key agreement. This algorithm is
> considered to be safe against attack by quantum computers,
> is guaranteed to be no less strong than the popular
> curve25519-sha256 algorithm, has been standardised by NIST
> and is considerably faster than the previous default.
>
> * ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
> for the connection. The default cipher preference list is now
> Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
> (128/192/256).
>
> * ssh(1): add %-token and environment variable expansion to the
> ssh_config SetEnv directive.
>
> * ssh(1): allow %-token and environment variable expansion in
> the ssh_config User directive, with the exception of %r and %C
> which would be self-referential. bz#3477
>
> * ssh(1), sshd(8): add "Match version" support to ssh_config and
> sshd_config. Allows matching on the local version of OpenSSH,
> e.g. "Match version OpenSSH_10.*".
>
> * ssh(1): add support for "Match sessiontype" to ssh_config.
> Allows matching on the type of session initially requested,
> either "shell" for interactive sessions, "exec" for command
> execution sessions, "subsystem" for subsystem requests, such as
> sftp, or "none" for transport/forwarding-only sessions.
>
> * ssh(1): add support for "Match command ..." to
> ssh_config, allowing matching on the remote command as specified
> on the command-line.
>
> * ssh(1): allow 'Match tagged ""' and 'Match command ""' to match
> empty tag and command values respectively.
>
> * sshd(8): allow glob(3) patterns to be used in sshd_config
> AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
> bz2755
>
> * sshd(1): support the VersionAddendum in the client, mirroring
> the option of the same name in the server; bz2745
>
> * ssh-agent(1): the agent will now delete all loaded keys when
> signaled with SIGUSR1. This allows deletion of keys without
> having access to $SSH_AUTH_SOCK.
>
> * Portable OpenSSH, ssh-agent(1): support systemd-style socket
> activation in ssh-agent using the LISTEN_PID/LISTEN_FDS
> mechanism. Activated when these environment variables are set,
> the agent is started with the -d or -D option and no socket path
> is set. GHPR502
>
> * ssh-keygen(1): support FIDO tokens that return no attestation
> data, e.g. recent WinHello. GHPR542
>
> * ssh-agent(1): add a "-Owebsafe-allow=..." option to allow the
> default FIDO application ID allow-list to be overridden.
>
> * Add a work-in-progress tool to verify FIDO attestation blobs
> that ssh-keygen can optionally write when enrolling FIDO keys.
> This tool is available under regress/misc/ssh-verify-attestation
> for experimentation but is not installed by "make install".
>
> * ssh-keygen(1): allow "-" as output file for moduli screening.
> GHPR393
>
> Bugfixes
> --------
>
> * sshd(8): remove assumption that the sshd_config and any configs
> it includes can fit in a (possibly enlarged) socket buffer.
> Previously it was possible to create a sufficiently large
> configuration that could cause sshd to fail to accept any
> connection. sshd(8) will now actively manage sending its config
> to the sshd-session sub-process.
>
> * ssh(1): don't start the ObscureKeystrokeTiming mitigations if
> there has been traffic on a X11 forwarding channel recently.
> Should fix X11 forwarding performance problems when this setting
> is enabled. bz3655
>
> * ssh(1): prohibit the comma character in hostnames accepted, but
> allow an underscore as the first character in a hostname.
>
> * sftp(1): set high-water when resuming a "put". Prevents bogus
> "server reordered acks" debug message.
>
> * ssh(1), sshd(8): fix regression in openssh-9.8, which would fail
> to accept "Match criteria=argument" as well as the documented
> "Match criteria argument" syntax in ssh_config and sshd_config.
> bz3739
>
> * scp(1), sftp(1): pass "ControlMaster no" to ssh when invoked by
> scp & sftp. This disables implicit session creation by these
> tools when ControlMaster was set to yes/auto by configuration,
> which some users found surprising. This change will not prevent
> scp/sftp from using an existing multiplexing session if one had
> already been created. GHPR557
>
> * sftp(1), ssh(1): fix a number of possible NULL dereference bugs,
> including Coverity CIDs 405019 and 477813.
>
> * sshd(8): fix PerSourcePenalty incorrectly using "crash" penalty
> when LoginGraceTime was exceeded. bz3797
>
> * sshd(8): fix "Match invalid-user" from incorrectly being
> activated in initial configuration pass when no other predicates
> were present on the match line
>
> * sshd(8): fix debug logging of user specific delay. GHPR#552
>
> * sshd(8): improve debug logging across sub-process boundaries.
> Previously some log messages were lost early in the sshd-auth and
> sshd-session processes' life.
>
> * ssh(1): require control-escape character sequences passed via
> the '-e ^x' command-line to be exactly two characters long. Avoids
> one byte out-of-bounds read if ssh is invoked as "ssh -e^ ..."
> GHPR368
>
> * ssh(1), sshd(8): prevent integer overflow in x11 port handling.
> These are theoretically possible if the admin misconfigured
> X11DisplayOffset or the user misconfigures their own $DISPLAY,
> but don't happen in normal operation. bz#3730
>
> * ssh-keygen(1): don't mess up ssh-keygen -l output when the file
> contains CR characters; GHPR236 bz3385.
>
> * sshd(8): add rate limits to logging of connections dropped by
> PerSourcePenalties. Previously these could be noisy in logs.
>
> * ssh(1): fix argument of "Compression" directive in ssh -G config
> dump, which regressed in openssh-9.8.
>
> * sshd(8): fix a corner-case triggered by UpdateHostKeys when sshd
> refuses to accept the signature returned by an agent holding host
> keys during the hostkey rotation sub-protocol. This situation
> could occur in situations where a PKCS#11 smartcard that lacked
> support for particular signature algorithms was used to store
> host keys.
>
> * ssh-keygen(1): when using RSA keys to sign messages with
> "ssh-keygen -Y", select the signature algorithm based on the
> requested hash algorithm ("-Ohashalg=xxx"). This allows using
> something other than the default of rsa-sha2-512, which may not
> be supported on all signing backends, e.g. some smartcards only
> support SHA256.
>
> * ssh(1), sshd(8), ssh-keyscan(1): fix ML-KEM768x25519 KEX on
> big-endian systems.
>
> * Many regression and interop test improvements.
>
> Portability
> -----------
>
> * All: add support for AWS-LC (AWS libcrypto). bz3784
>
> * sshd(8): add wtmpdb support as a Y2038 safe wtmp replacement.
>
> * sshd(8): add support for locking sshd into memory, enabled with
> the --with-linux-memlock-onfault configure flag.
>
> * Add support for building a standalone sk-libfido2 library,
> enabled by --with-security-key-standalone
>
> * ssh(1), sshd(8), ssh-keyscan(1): include __builtin_popcount
> replacement function for compilers that lack it.
>
> * All: Check for and replace le32toh, le64toh, htole64 separately.
> It appears that at least some versions of endian.h in glibc do
> not have the latter two. bz#3794
>
> * Remove ancient RHL 6.x config in RPM spec.
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
--
Dmitry Belyavskiy
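
The quoted release notes warn that software matching versions with patterns like "OpenSSH_1*" may be confused by the "SSH-2.0-OpenSSH_10.0" banner. The following is an added example, not code from this thread or from the OpenSSH project, showing that pattern misfiring and a numeric parse that does not; the function names are hypothetical and every sample banner except the 10.0 string is constructed.

```python
import fnmatch
import re

# Identification string layout (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion [SP comments]
# Only the OpenSSH "OpenSSH_<major>.<minor>[.<n>][p<n>]" software version is parsed here.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.\d+)*(?:p\d+)?(?:[ -].*)?$"
)

def naive_is_openssh_1x(banner: str) -> bool:
    """The fragile glob the release notes warn about: it also matches 10.x."""
    return fnmatch.fnmatchcase(banner, "*OpenSSH_1*")

def parse_openssh_version(banner: str):
    """Return (major, minor) as integers, or None if the banner is not recognised."""
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))

def at_least(banner: str, minimum: tuple) -> bool:
    """Compare numerically; unrecognised banners never satisfy the minimum."""
    version = parse_openssh_version(banner)
    return version is not None and version >= minimum

# Constructed sample banners (only the first string appears in the release notes).
SAMPLES = [
    "SSH-2.0-OpenSSH_10.0",
    "SSH-2.0-OpenSSH_9.9p1 Vendor-1.0",
    "SSH-1.99-OpenSSH_1.2.3",
    "SSH-2.0-OtherServer_3.1",
]

def classify(banners=SAMPLES):
    """Pair each banner with the naive verdict and the parsed version."""
    return [(b, naive_is_openssh_1x(b), parse_openssh_version(b)) for b in banners]

if __name__ == "__main__":
    for banner, naive, parsed in classify():
        print(f"{banner!r}: naive_1x={naive} parsed={parsed}")
```

Inventory or compliance scripts that gate on a minimum release should compare the parsed integer tuple, since both the glob and a plain string comparison of "10.0" against "9.9" give the wrong answer.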