Date: Thu, 9 Sep 2021 14:01:57 -0400 From: Ed Maste <emaste@freebsd.org> To: freebsd-security@freebsd.org Subject: Important note for future FreeBSD base system OpenSSH update Message-ID: <CAPyFy2Aw8Z3ngiM8YHApjjPRLZVC5MCN8TRQkh6pj2fSeM1zqw@mail.gmail.com> In-Reply-To: <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU%2BRvcR=2L9YxA@mail.gmail.com> References: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com> <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU%2BRvcR=2L9YxA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
We now have OpenSSH 8.7p1 in the base system and I will MFC it to stable branches soon. (FIDO/U2F support is one of the most anticipated new features available in this OpenSSH version, but it is not yet enabled in the base system - additional work is ongoing.) There is an important caveat to be aware of for the next base system update though - I've reproduced it below (from OpenSSH's release notes, https://www.openssh.com/releasenotes.html). The notice includes a command to run to determine if a server will be affected by this issue - I would appreciate it if folks can try it with servers they use and report back, to help determine if this will be an issue in practice and to help guide the next base system update. Imminent deprecation notice =========================== OpenSSH will disable the ssh-rsa signature scheme by default in the next release. In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 hash algorithm in conjunction with the RSA public key algorithm. It is now possible[1] to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default. This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs that is still enabled by default. The better alternatives include: * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them. * The RFC8709 ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5. * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7. To check whether a server is using the weak ssh-rsa public key algorithm, for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list: ssh -oHostKeyAlgorithms=-ssh-rsa user@host If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded. OpenSSH recently enabled the UpdateHostKeys option by default to assist the client by automatically migrating to better algorithms. [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPyFy2Aw8Z3ngiM8YHApjjPRLZVC5MCN8TRQkh6pj2fSeM1zqw>