The ongoing effort to enhance OpenSSH security by splitting functionalities into separate binaries continues, with the latest development introducing a new binary, sshd-auth.
This change is a part of OpenBSD’s broader strategy to make the OpenSSH implementation even more secure and efficient.
Damien Miller, an OpenBSD developer, recently committed this new update, which aims to further segregate the sshd functionality by creating a dedicated binary for user authentication.
As stated in the commit message, the goal is straightforward: “Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection.”
In other words, this effectively minimizes risk by isolating the pre-authentication stage and reducing the overall attack surface.
Moreover, this approach offers an added advantage: a small runtime memory saving. Once the authentication phase is complete, the authentication code will be unloaded, freeing up memory for other tasks.
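The two paragraphs above describe the principle rather than the code, so here is an added illustration of that monitor/authenticator split in Python. It is not OpenSSH code: the privileged "monitor" never runs the credential check in its own address space but starts a fresh interpreter process per attempt, feeds it a JSON request on stdin, reads back a one-line verdict, and continues only after that process has exited. The user, salt and round count are constructed demo values, and the function names are hypothetical.

```python
"""Monitor / authenticator split, modelled on the sshd -> sshd-auth idea.

Added illustration, not OpenSSH code. The monitor process never executes the
credential-checking logic itself; each attempt runs in a separate interpreter
process that shares no memory with the monitor and exits before any
post-authentication state (here, a session key) is created.
"""
import hashlib
import hmac
import json
import os
import subprocess
import sys

# Constructed demo credential store (hypothetical user, not a real account).
SALT = b"demo-salt-not-for-production"
PBKDF2_ROUNDS = 10_000


def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS).hex()


USERS = {"alice": hash_password("correct horse battery staple")}

# Source of the authenticator. It is executed by a separate python process, so
# it shares no address space with the monitor; it sees only the JSON on stdin.
AUTH_PROGRAM = r"""
import hashlib, hmac, json, sys
req = json.loads(sys.stdin.read())
salt = bytes.fromhex(req["salt"])
expected = req["users"].get(req["user"])
# Hash even for unknown users so a missing account costs the same as a wrong password.
got = hashlib.pbkdf2_hmac("sha256", req["password"].encode(), salt, req["rounds"]).hex()
ok = expected is not None and hmac.compare_digest(got, expected)
print(json.dumps({"ok": ok}))
"""


def authenticate(user, password, users=USERS, timeout=5.0):
    """Run one authentication attempt in a disjoint address space.

    Returns {"ok": bool, "reason": str}. Any failure of the child (crash,
    timeout, garbage output) is reported as a failed attempt; the monitor
    itself keeps running.
    """
    request = json.dumps({"salt": SALT.hex(), "rounds": PBKDF2_ROUNDS,
                          "users": users, "user": user, "password": password})
    try:
        proc = subprocess.run([sys.executable, "-c", AUTH_PROGRAM],
                              input=request, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "authenticator timed out"}
    if proc.returncode != 0:
        # e.g. the child raised on malformed input; its state is already gone.
        return {"ok": False, "reason": f"authenticator exited with {proc.returncode}"}
    try:
        verdict = json.loads(proc.stdout.strip().splitlines()[-1])
    except (ValueError, IndexError):
        return {"ok": False, "reason": "unparseable verdict"}
    return {"ok": bool(verdict.get("ok")), "reason": "verdict from authenticator"}


def start_session(user, password):
    """Post-auth work happens only in the monitor, after the authenticator exited.

    The session key is created in the monitor's address space and was never
    reachable from the authentication process.
    """
    result = authenticate(user, password)
    if not result["ok"]:
        return None
    return {"user": user, "session_key": os.urandom(16).hex()}


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))
    print(authenticate("alice", "wrong password"))
    print(authenticate("alice", None))  # child crashes; monitor reports it and carries on
    print(start_session("alice", "correct horse battery staple"))
```

The third call passes a non-string password: the authenticator process raises and dies with a non-zero exit status, the monitor records a failed attempt, and nothing in the monitor's memory was ever exposed to the faulty process. That is the property the commit message describes, reduced to a few dozen lines.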
This change has already been integrated into OpenBSD snapshots and has been tested since last week. As with other components like sshd, sshd-session, and ssh-agent, the new sshd-auth binary will be randomly relinked at boot, adding another layer of protection.
For more information, refer to the announcement in OpenBSD Journal.
How This Relates to Other OpenSSH Implementations
As you probably know, OpenSSH is part of the OpenBSD project and is widely used across different operating systems, including Linux. Changes made in the OpenBSD version of OpenSSH are therefore usually reflected in other implementations, as the core code is shared.
This means that improvements, like the segregation of functionalities into separate binaries, will eventually make their way into Linux and other systems that rely on OpenSSH.