OpenSSH 8.4 has already been released: here are its most important changes

After four months of development, the release of OpenSSH 8.4, an open client and server implementation of the SSH 2.0 and SFTP protocols, has been announced.

The new version stands out for being a 100% complete implementation of the SSH 2.0 protocol, and it also brings changes to the sftp server and client, to FIDO support, to ssh-keygen and elsewhere.

Main new features of OpenSSH 8.4

When a FIDO key that was not generated for SSH authentication is used (its key identifier, the application string, does not start with "ssh:"), ssh-agent now verifies that the message to be signed is one of the forms used by the SSH protocol.

This change prevents forwarding ssh-agent to a remote host, when the local host has FIDO keys attached, from giving the remote side the ability to use those keys to sign web authentication requests. The reverse case, a browser signing an SSH request, was already excluded because web applications cannot use the "ssh:" prefix in the key identifier.
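As an added illustration (this is not OpenSSH's own code), here is a Python model of that gate: a FIDO key whose application string does not start with "ssh:" is allowed to sign only when the data parses exactly as a public-key userauth request bound to that key, or as an sshsig blob. The ssh_string helper and the sample values are assumptions of this example, and the key is compared as a raw blob rather than as a parsed public key.

```python
import struct
SSH2_MSG_USERAUTH_REQUEST = 50  # RFC 4252 message number

def ssh_string(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _take_string(buf, pos):
    """Decode the SSH 'string' at pos; return (bytes, next position)."""
    n, = struct.unpack(">I", buf[pos:pos + 4])   # struct.error on short input
    if pos + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def is_userauth_request(data, pubkey_blob):
    """True if data is exactly the blob a client signs for publickey userauth
    with this key: session id, msg 50, user, service, method, flag, alg, blob."""
    try:
        _, p = _take_string(data, 0)                    # session identifier
        if data[p] != SSH2_MSG_USERAUTH_REQUEST:
            return False
        _, p = _take_string(data, p + 1)                # user name
        service, p = _take_string(data, p)
        method, p = _take_string(data, p)
        if service != b"ssh-connection" or method != b"publickey" or data[p] != 1:
            return False                                # data[p]: "signature follows" flag
        _, p = _take_string(data, p + 1)                # public key algorithm name
        blob, p = _take_string(data, p)
        return blob == pubkey_blob and p == len(data)   # binds our key, nothing trailing
    except (struct.error, ValueError, IndexError):
        return False

def is_sshsig_request(data):
    """True if data is an 'SSHSIG' blob (ssh-keygen -Y sign) with nothing trailing."""
    if not data.startswith(b"SSHSIG"):
        return False
    try:
        namespace, p = _take_string(data, 6)            # namespace must be non-empty
        for _ in range(3):                              # reserved, hash algorithm, hash
            _, p = _take_string(data, p)
        return namespace != b"" and p == len(data)
    except (struct.error, ValueError):
        return False

def agent_may_sign(sk_application, data, pubkey_blob):
    """Keys enrolled for SSH ('ssh:' application) sign anything; other FIDO keys
    may only sign the two SSH-shaped messages checked above."""
    if sk_application.startswith(b"ssh:"):
        return True
    return is_userauth_request(data, pubkey_blob) or is_sshsig_request(data)
```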

When generating a resident key, ssh-keygen now enables the credProtect extension described in the FIDO 2.1 specification, which gives the key additional protection by requiring a PIN before any operation that could extract the resident key from the token.

Regarding the changes that potentially break compatibility:

For FIDO/U2F support, it is recommended to use libfido2 version 1.5.0 or later. Older versions are partially supported, but with them features such as resident keys, PIN-required keys and multiple attached tokens are not available.

In ssh-keygen, the format of the attestation information that can optionally be saved when generating a FIDO key has changed: it now includes the authenticator data required to verify attestation signatures.

When building the portable version of OpenSSH, automake is now required to regenerate the configure script and its supporting build files (if you are compiling from a released tarball, you do not need to rebuild configure).

ssh and ssh-keygen now support FIDO keys that require a PIN for each use. To generate such keys, the "verify-required" option has been added to ssh-keygen. When one of these keys is used, the user is asked to confirm the operation by entering the PIN before the signature is created.

In sshd, the "verify-required" option has been added to authorized_keys; it requires the FIDO signature to assert that the token verified the presence of the user during the signing operation.

sshd and ssh-keygen have added support for verifying digital signatures in the FIDO WebAuthn format, the standard that allows FIDO keys to be used in web browsers.

Of the other changes that stand out:

  • Added support in ssh and ssh-agent for the $SSH_ASKPASS_REQUIRE environment variable, which can be used to enable or disable the ssh-askpass call.
  • In ssh, the AddKeysToAgent directive in ssh_config can now limit the lifetime of the keys it adds. After the specified time has expired, the keys are automatically removed from ssh-agent.
  • In scp and sftp, the "-A" flag now explicitly enables ssh-agent forwarding (by default, forwarding is disabled).
  • Added support for the '%k' token in ssh_config, which expands to the host key name.
  • sshd now logs the start and end of the connection-dropping process controlled by the MaxStartups parameter.

How to install OpenSSH 8.4 on Linux?

Those interested in installing this new version of OpenSSH on their systems can, for now, do so by downloading the source code and compiling it on their computers.

This is because the new version has not yet been included in the repositories of the main Linux distributions. The source code can be obtained from the following link.

Once the download is done, unpack the package with the following command:

tar -xvf openssh-8.4.tar.gz

Enter the created directory:

cd openssh-8.4

And compile and install with the following commands:

./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
