From owner-freebsd-security@freebsd.org  Thu Sep  9 18:02:33 2021
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0BD776744AF
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Thu,  9 Sep 2021 18:02:33 +0000 (UTC)
 (envelope-from carpeddiem@gmail.com)
Received: from mail-io1-f45.google.com (mail-io1-f45.google.com
 [209.85.166.45])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4H56Kg4cg5z4qB2
 for <freebsd-security@freebsd.org>; Thu,  9 Sep 2021 18:02:31 +0000 (UTC)
 (envelope-from carpeddiem@gmail.com)
Received: by mail-io1-f45.google.com with SMTP id z1so3456499ioh.7
 for <freebsd-security@freebsd.org>; Thu, 09 Sep 2021 11:02:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to;
 bh=WQ4t5qRPMMnyUVsJfOrOeVNDWnF1LNIzJYjBd7rr1po=;
 b=ajqXxEbFegYAULObjaGspuJtjZMGfB5wtQmg5ZsRJ3RG66Eib0Fx+iwk9+hvjHCRoe
 fSHDclbIPkrlF+uPMEuZXLMBGP/kmROV1sAegOPvOQbrb1pHsY59Vb6sGY65SFmMz3nw
 c2CY5sHRGGjMO9PH86rJYDoNpaN2FHmEI6NC4dB5DiF/G9AWDrG2Q3cNcvsIuWmBhKi9
 bRzR7AeH7cQYF3txpQ3c3lwuvHFKKSlTOKl4OIt0J5Q09w45Cs3ezZB8n8/+pWb/s38o
 m3UTOichmpDqj3gcgai9FIvRwIqFAXge1hOEI0KOA6JoiEFy5Ts1CsEa4gW/w7Ak2/MH
 /cEA==
X-Gm-Message-State: AOAM532ei3goJNzUVC/9Kq41/ZOi98rW7dDSwrZaQVwcjKL4axR1qpdh
 0vrR/UOghO70/BDQv3oW/5QGag3VkTcsGlAIyBCXZjVxgEQ=
X-Google-Smtp-Source: ABdhPJyFsp4IaKZyibYelJ4mqZRnEDP4MJZ0+b3l3PvS6lC0m+iAJFEArPCr+Ol9guNvy6Ewn76ZEC+Jj2b6PTXvvf8=
X-Received: by 2002:a02:95ee:: with SMTP id b101mr1001601jai.96.1631210544246; 
 Thu, 09 Sep 2021 11:02:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com>
 <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU+RvcR=2L9YxA@mail.gmail.com>
In-Reply-To: <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU+RvcR=2L9YxA@mail.gmail.com>
From: Ed Maste <emaste@freebsd.org>
Date: Thu, 9 Sep 2021 14:01:57 -0400
Message-ID: <CAPyFy2Aw8Z3ngiM8YHApjjPRLZVC5MCN8TRQkh6pj2fSeM1zqw@mail.gmail.com>
Subject: Important note for future FreeBSD base system OpenSSH update
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: 4H56Kg4cg5z4qB2
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates
 209.85.166.45 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com
X-Spamd-Result: default: False [-2.68 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000]; TO_DOM_EQ_FROM_DOM(0.00)[];
 FREEFALL_USER(0.00)[carpeddiem]; FROM_HAS_DN(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
 TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2];
 RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000];
 DMARC_NA(0.00)[freebsd.org]; NEURAL_HAM_SHORT(-0.68)[-0.683];
 RCVD_TLS_ALL(0.00)[];
 RCVD_IN_DNSWL_NONE(0.00)[209.85.166.45:from];
 FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com];
 RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.166.45:from];
 R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US];
 MIME_TRACE(0.00)[0:+];
 FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com];
 MAILMAN_DEST(0.00)[freebsd-security]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2021 18:02:33 -0000

We now have OpenSSH 8.7p1 in the base system and I will MFC it to
stable branches soon. (FIDO/U2F support is one of the most anticipated
new features available in this OpenSSH version, but it is not yet
enabled in the base system - additional work is ongoing.)

There is an important caveat to be aware of for the next base system
update though - I've reproduced it below (from OpenSSH's release
notes, https://www.openssh.com/releasenotes.html).

The notice includes a command to run to determine if a server will be
affected by this issue - I would appreciate it if folks can try it
with servers they use and report back, to help determine if this will
be an issue in practice and to help guide the next base system update.

Imminent deprecation notice
===========================

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm. It is
now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.

Note that the deactivation of "ssh-rsa" signatures does not
necessarily require cessation of use for RSA keys. In the SSH
protocol, keys may be capable of signing using multiple algorithms. In
particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256"
(RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1).
Only the last of these is being turned off by default.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs that is still
enabled by default.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The RFC8709 ssh-ed25519 signature algorithm. It has been supported
   in OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

OpenSSH recently enabled the UpdateHostKeys option by default to
assist the client by automatically migrating to better algorithms.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020)
https://eprint.iacr.org/2020/014.pdf