openSSH 8.9

openSSH 8.9 Released, Removes Support for MD5-Hashed Passwords

OpenSSH 8.9 is a feature-focused version that has been released with some new features, bug fixes, and security enhancements.

OpenSSH is an open-source implementation of the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

The latest release of OpenSSH – version 8.9, released on February 23th — removes in-built support for MD5-hashed passwords. It is important to note that this change only affects the portable version of the software. If you require MD5-hashed passwords on your system, the openSSH developers recommend linking against libxcrypt or a similar one-way hashing crypt library.

Among other noteworthy changes, this release modifies the FIDO security key middleware interface and increments SSH_SK_VERSION_MAJOR. For those of you unaware, FIDO (Fast Identity Online) is a technical specification for online user identity authentication. From version 8.2, openSSH supports FIDO U2F (two-factor authentication) security keys, which means that it can be used with devices like YubiKey for authentication.

On the security side, openSSH 8.9 fixes an integer overflow in the user authentication path that, in conjunction with other logic errors, could lead to unauthenticated access under difficult to exploit conditions.

Aside from the above-mentioned, in this release, the ssh-keygen command has been given some new features. Now it has better handling for FIDO keys on tokens that provide user verification on the device itself, including biometric keys, avoiding unnecessary PIN prompts. On top of that, ssh-keygen now allows the selection of hash at sshsig signing time.

Last but not least, it is important to be mentioned an upcoming change related to the scp command. Namely, in upcoming releases of OpenSSH, scp will be switched from using the legacy scp/rcp protocol to using SFTP by default.

This is because currently, the scp command requires double quoting of shell meta-characters in file names included on the scp command-line, otherwise, they could be interpreted as shell commands on the remote side. Switching to using SFTP by default will eliminate the need for double-quoting shell characters in file names.

For detailed information about all changes in openSSH 8.9, you can refer to the release notes.

Leave a Reply