openSSH 8.9 Released, Removes Support for MD5-Hashed Passwords

OpenSSH 8.9 is a feature-focused version that has been released with some new features, bug fixes, and security enhancements.

OpenSSH is an open-source implementation of the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

The latest release of OpenSSH – version 8.9, released on February 23th — removes in-built support for MD5-hashed passwords. It is important to note that this change only affects the portable version of the software. If you require MD5-hashed passwords on your system, the openSSH developers recommend linking against libxcrypt or a similar one-way hashing crypt library.

Among other noteworthy changes, this release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. For those of you unaware, FIDO (Fast Identity Online) is a technical specification for online user identity authentication. From version 8.2, openSSH supports FIDO U2F (two-factor authentication) security keys, which means that it can be used with devices like YubiKey for authentication.

On the security side, openSSH 8.9 fixes an integer overflow in the user authentication path that, in conjunction with other logic errors, could lead to unauthenticated access under difficult to exploit conditions.

Aside from the above-mentioned, in this release, the ssh-keygen command has been given some new features. Now it has better handling for FIDO keys on tokens that provide user verification on the device itself, including biometric keys, avoiding unnecessary PIN prompts. On top of that, ssh-keygen now allows the selection of hash at sshsig signing time.

Last but not least, it is important to be mentioned an upcoming change related to the scp command. Namely, in upcoming releases of OpenSSH, scp will be switched from using the legacy scp/rcp protocol to using SFTP by default.

This is because currently, the scp command requires double quoting of shell meta-characters in file names included on the scp command-line, otherwise, they could be interpreted as shell commands on the remote side. Switching to using SFTP by default will eliminate the need for double-quoting shell characters in file names.

For detailed information about all changes in openSSH 8.9, you can refer to the release notes.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Think You're an Ubuntu Expert? Let's Find Out!

Put your knowledge to the test in our lightning-fast Ubuntu quiz!
Ten questions to challenge yourself to see if you're a Linux legend or just a penguin in the making.

1 / 10

Ubuntu is an ancient African word that means:

2 / 10

Who is the Ubuntu's founder?

3 / 10

What year was the first official Ubuntu release?

4 / 10

What does the Ubuntu logo symbolize?

5 / 10

What package format does Ubuntu use for installing software?

6 / 10

When are Ubuntu's LTS versions released?

7 / 10

What is Unity?

8 / 10

What are Ubuntu versions named after?

9 / 10

What's Ubuntu Core?

10 / 10

Which Ubuntu version is Snap introduced?

The average score is 68%