List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
From: Ed Maste
Date: Wed, 8 Sep 2021 13:52:48 -0400
Subject: Re: OpenSSH 8.7p1 update for the base system
To: FreeBSD Hackers

On Sat, 4 Sept 2021 at 11:59, Ed Maste wrote:
>
> I'm preparing to update OpenSSH in the FreeBSD base system to 8.7p1,
> and am sharing an initial patch for testing.

This is now in the tree (commit 19261079b743) - thanks to all who
reviewed / tested (on and off list).

One thing I forgot to include in the commit message - OpenSSH upstream
removed the DSA host key path from the default list some time ago. We
kept it slightly longer, but with this update it has been removed.
There are still a few local changes and bugfixes that need to be sent
upstream, and I hope to do so before OpenSSH 8.8 is released.

Also, OpenSSH now has support for FIDO/U2F, but it is not yet available
in the base system.

Finally, this note from upstream's release notes is important:
(https://www.openssh.com/releasenotes.html)

Imminent deprecation notice
===========================

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash
algorithm in conjunction with the RSA public key algorithm. It is now
possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm
for less than USD$50K.

Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.

This algorithm is unfortunately still used widely despite the existence
of better alternatives, being the only remaining public key signature
algorithm specified by the original SSH RFCs that is still enabled by
default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after removing
the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to assist
the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf
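An added illustration, not part of Ed's mail or the OpenSSH release notes: a small Python script that applies the same decision as the `ssh -oHostKeyAlgorithms=-ssh-rsa` check offline, by reading the server's host key proposal out of captured `ssh -vv` output and reporting whether anything other than the SHA-1 scheme is on offer. The "peer server KEXINIT proposal" marker and line format are assumed to match what OpenSSH's `-vv` prints, and the sample debug lines are constructed.

```python
import re

# Host key signature algorithms the release notes name as safe alternatives.
SAFE_ALGS = {
    "rsa-sha2-256", "rsa-sha2-512",          # RFC 8332: same key type as ssh-rsa
    "ssh-ed25519",                           # RFC 8709
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",  # RFC 5656
}
# The SHA-1 scheme being turned off by default, plus its certificate variant.
WEAK_ALGS = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}

# Marker and line format assumed to match what `ssh -vv` prints for the peer.
PEER_MARKER = "debug2: peer server KEXINIT proposal"
HOSTKEY_LINE = re.compile(r"^debug2: host key algorithms: (\S*)$", re.M)


def peer_hostkey_algorithms(debug_output):
    """Host key algorithms the server proposed. The client's own proposal is
    printed first, so only the text after the peer marker is searched."""
    start = debug_output.find(PEER_MARKER)
    if start < 0:
        raise ValueError("no peer server KEXINIT proposal in debug output")
    m = HOSTKEY_LINE.search(debug_output, start)
    if m is None:
        raise ValueError("peer proposal lacks a host key algorithms line")
    return [a for a in m.group(1).split(",") if a]


def assess(server_algs):
    """Same decision as `ssh -oHostKeyAlgorithms=-ssh-rsa`: with ssh-rsa
    dropped, does the server still offer a host key algorithm we accept?"""
    usable = [a for a in server_algs if a in SAFE_ALGS]
    offers_weak = any(a in WEAK_ALGS for a in server_algs)
    return {
        "usable": usable,
        "offers_ssh_rsa": offers_weak,
        # Only a server offering nothing but ssh-rsa needs new software.
        "needs_upgrade": offers_weak and not usable,
    }


# Constructed sample (not a real capture) in the shape `ssh -vv` prints.
OLD_SERVER = """debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa
"""
MODERN_SERVER = OLD_SERVER.replace(
    "algorithms: ssh-rsa\n", "algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519\n")
```

Feed it the saved output of `ssh -vv user@host` for each host you want to audit; a server that still offers ssh-rsa alongside rsa-sha2-* keeps working after the default changes, and only an ssh-rsa-only server is flagged for upgrade.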