OpenSSH 8.0

OpenSSH 8.0 Releasing With Quantum Computing Resistant Keys

March 29, 2019 Posted by News 0 thoughts on “OpenSSH 8.0 Releasing With Quantum Computing Resistant Keys”

OpenSSH 7.9 came out with a host of bug fixes  last year with few new features, as is to be expected in minor releases. However, recently, Damien Miller has announced that OpenSSH 8.0 is nearly ready to be released. Currently, it’s undergoing testing to ensure compatibility across supported systems.

That piece of news aside, here are some things to look forward to with Open SSH 8.0.


Better Security

Copying filenames with scp will be more secure in OpenSSH 8.0 due to the fact that copying filenames from a remote to local directory will prompt scp to check if the files sent from the server match your request. Otherwise, an attack server would theoretically be able to intercept the request by serving malicious files in place of the ones originally requested. Knowing this, you’re probably better off never using scp anyway.

OpenSSH advises against it:

“The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead.”


New Features


Here are some key features that you can expect to be in OpenSSH 8.0:

  • One of the most promising new features is the experimental quantum-computing resistant key exchange method Damien mention in his tweet. It marks a big step in OpenSSH’s dev cycle as developments in this area of key distribution will make encryption systems immune to technological advances. You can read more about quantum computing key distribution here.
  • The default RSA key size will be larger: 3072 bits


The rest of the features are contextual improvements. For example, dropped connections will still be logged if you have FoceCommand set to internal-sftp restriction.  Here’s a full list of the new features taken directly from the mailing list.

* ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens.

* ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519.

* ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57’s guidance for a 128-bit equivalent symmetric security level.

* ssh(1): Allow “PKCS11Provide=none” to override later instances of the PKCS11Provide directive in ssh_config; bz#2974

* sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960

* ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for “yes”. This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you.

* ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number.

* scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines.

* ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept “-v” command-line flags to increase the verbosity of output; pass verbose flags though to subprocesses, such as ssh-pkcs11-helper started from ssh-agent.

* ssh-add(1): Add a “-T” option to allowing testing whether keys in an agent are usable by performing a signature and a verification.

* sftp-server(8): Add a “lsetstat at” protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067

* sftp(1): Add “-h” flag to chown/chgrp/chmod commands to request they do not follow symlinks.

* sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741

* sshd(8): Add a ssh_config “Match final” predicate Matches in same pass as “Match canonical” but doesn’t require hostname canonicalisation be enabled. bz#2906

* sftp(1): Support a prefix of ‘@’ to suppress echo of sftp batch commands; bz#2926

* ssh-keygen(1): When printing certificate contents using “ssh-keygen -Lf /path/certificate”, include the algorithm that the CA used to sign the cert.


Bug Fixes


As with every releases, you have your bug fixes. You can look through the list of fixes in OpenSSH 8.0 and rejoice if you find a dead bug that’s been bugging you.

* sshd(8): Fix authentication failures when sshd_config contains “AuthenticationMethods any” inside a Match block that overrides a more restrictive default.

* sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is enabled.

* sshd(8): Fix two race conditions related to SIGHUP daemon restart. Remnant file descriptors in recently-forked child processes could block the parent sshd’s attempt to listen(2) to the configured addresses. Also, the restarting parent sshd could exit before any child processes that were awaiting their re-execution state had completed reading it, leaving them in a fallback path.

* ssh(1): Fix stdout potentially being redirected to /dev/null when ProxyCommand=- was in use.

* sshd(8): Avoid sending SIGPIPE to child processes if they attempt to write to stderr after their parent processes have exited; bz#2071

* ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and ConnectionAttempts directives – connection attempts after the first were ignoring the requested timeout; bz#2918

* ssh-keyscan(1): Return a non-zero exit status if no keys were found; bz#2903

* scp(1): Sanitize scp filenames to allow UTF-8 characters without terminal control sequences; bz#2434

* sshd(8): Fix confusion between ClientAliveInterval and time-based RekeyLimit that could cause connections to be incorrectly closed. bz#2757

* ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at initial token login. The attempt to read the PIN could be skipped in some cases, particularly on devices with integrated PIN readers. This would lead to an inability to retrieve keys from these tokens. bz#2652

* ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the C_SignInit operation. bz#2638

* ssh(1): Improve documentation for ProxyJump/-J, clarifying that local configuration does not apply to jump hosts.

* ssh-keygen(1): Clarify manual – ssh-keygen -e only writes public keys, not private.

* ssh(1), sshd(8): be more strict in processing protocol banners, allowing \r characters only immediately before \n.

* Various: fix a number of memory leaks, including bz#2942 and bz#2938

* scp(1), sftp(1): fix calculation of initial bandwidth limits. Account for bytes written before the timer starts and adjust the schedule on which recalculations are performed. Avoids an initial burst of traffic and yields more accurate bandwidth limits; bz#2927

* sshd(8): Only consider the ext-info-c extension during the initial key eschange. It shouldn’t be sent in subsequent ones, but if it is present we should ignore it. This prevents sshd from sending a SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929

* ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in authorized_keys) and -R (remove host from authorized_keys) options may accept either a bare hostname or a [hostname]:port combo. bz#2935

* ssh(1): Don’t attempt to connect to empty SSH_AUTH_SOCK; bz#2936

* sshd(8): Silence error messages when sshd fails to load some of the default host keys. Failure to load an explicitly-configured hostkey is still an error, and failure to load any host key is still fatal. pr/103

* ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is started with ControlPersist; prevents random ProxyCommand output from interfering with session output.

* ssh(1): The ssh client was keeping a redundant ssh-agent socket (leftover from authentication) around for the life of the connection; bz#2912

* sshd(8): Fix bug in HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were specified, then authentication would always fail for RSA keys as the monitor checks only the base key (not the signature algorithm) type against

*AcceptedKeyTypes. bz#2746

* ssh(1): Request correct signature types from ssh-agent when certificate keys and RSA-SHA2 signatures are in use.


You can add more bugs to the current build by contributing to the testing. Send your feedback to OpenSSH’s mailing list.

Please follow and like us: