

OpenSSH 6.8 released - mukyu
http://lists.mindrot.org/pipermail/openssh-unix-announce/2015-March/000120.html

======
throwaway7767
The host key rotation support sounds very nice, and something I've wanted for
a long time:

> * ssh(1), sshd(8): Experimental host key rotation support. Add a protocol
> extension for a server to inform a client of all its available host keys
> after authentication has completed. The client may record the keys in
> known_hosts, allowing it to upgrade to better host key algorithms and a
> server to gracefully rotate its keys.

> The client side of this is controlled by a UpdateHostkeys config option
> (default off).

I wish it were on by default, but I guess they want to test it further before
enabling it by default. It will remove the temptation to keep using old, weak
or suspect keys just because of the hassle of having all the users update
their keys or because the admins are afraid of training their users that the
scary "HOST KEY HAS CHANGED!!!" warnings are normal and should be ignored.
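As an added example (not part of the original comment and not OpenSSH code), the sketch below audits a known_hosts file for entries that have only legacy host key types recorded, which are the entries that stand to gain from the algorithm upgrade path the release note describes. The `LEGACY` set, the function names and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict

# Key types treated as legacy for this audit (an assumption of this example).
LEGACY = {"ssh-rsa", "ssh-dss"}

# Constructed sample known_hosts content; key blobs are truncated placeholders.
SAMPLE = """\
# constructed sample
old.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E=
new.example.com ssh-rsa AAAAB3NzaC1yc2E=
new.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5
|1|c2FsdA==|aGFzaA== ssh-dss AAAAB3NzaC1kc3M=
@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2E=
@revoked bad.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5
"""

def parse_known_hosts(text):
    """Map each host pattern to the set of key types recorded for it."""
    types = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0].startswith("@"):
            continue  # @cert-authority / @revoked lines are not plain host keys
        if len(fields) < 3:
            continue  # malformed: need hosts, key type and key blob
        hosts, keytype = fields[0], fields[1]
        # One line may list several comma-separated names; hashed names
        # (|1|salt|hash) contain no commas and stay intact.
        for host in hosts.split(","):
            types[host].add(keytype)
    return types

def legacy_only_hosts(text):
    """Return hosts for which every recorded key type is legacy."""
    return sorted(h for h, t in parse_known_hosts(text).items() if t <= LEGACY)

if __name__ == "__main__":
    for host in legacy_only_hosts(SAMPLE):
        print("only legacy host keys recorded for:", host)
```

Hashed entries are reported by their hash, since the original host name cannot be recovered from the file.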

~~~
Gracana
But you don't want users to think they're normal and should be ignored.
They're an exceptional case and should be understood.

~~~
throwaway7767
I think you should read the message you are responding to again, as you just
agreed with what I said.

------
beagle3
I submitted a very detailed bug report[0] a while ago, which can lead to a DoS
(albeit in a very specific setting). I don't expect anyone to rush to fix it,
but I'm surprised that there isn't even a comment about it. Is there another
place it needs to be reported in?

[0] https://bugzilla.mindrot.org/show_bug.cgi?id=2265

~~~
LukeShu
Try pointing it out on the mailing list (openssh-unix-dev@mindrot.org).

Having been on both the user and the developer sides, with F/OSS projects, more
developers are likely to read every post on the mailing list than every report
in the bug tracker.

------
some_furry
The --without-openssl option is particularly attractive on Linux systems if
you distrust openssl's code.

~~~
xorcist
It is, but please note that OpenSSH uses very little of OpenSSL's code. None
of the serious bugs lately had any impact on OpenSSH.

~~~
some_furry
That's probably very reassuring.

I personally don't share this belief that openssl is bad (in fact, for PHP
developers, openssl is preferable to libmcrypt which has been abandoned since
2007), I just know it's a common sentiment of infosec people. :)

~~~
jamiesonbecker
Just because OpenSSL is very hard to replace doesn't mean it's not very bad.

~~~
some_furry
Sure. I simply use it for crypto primitives (e.g. aes-256-gcm) in environments
where I cannot install libsodium from PECL (e.g. crypto_easybox() and
crypto_easybox_open()).

------
SpaceInvader
Finally UseDNS is set to 'no' by default. This is the thing I was ALWAYS
changing :)

~~~
Florin_Andrei
I always felt guilty about it, as if I was perhaps missing something obvious.
:)

Glad to see it gone in the defaults.

------
hobarrera
> [...] SSH protocol version 1.3, 1.5 [...]

Do we still need these? Aren't they extremely ancient? Is there any old client
that _only_ supports these protocol versions _and_ has no security issues, or
is out-of-support?

~~~
Sanddancer
I've got a few older Dell switches that still work wonderfully, but only
connect via ssh1, not ssh2. They're still useful, and setting up a management
vlan isn't that hard, so replacing them is a proposition that's much more
expensive than it's worth.

~~~
hobarrera
That sort of avoids the question: Do those machines still get an up-to-date
OpenSSH that's considered trustworthy today? Is there some impediment to
upgrade OpenSSH on them?

------
dwb
https://bugzilla.mindrot.org/show_bug.cgi?id=1424 :(

Oh well, refactoring and crypto work is certainly more important. Congrats on
the release.

------
wolf550e
I have to configure ssh servers so that putty is able to connect, so I can't
follow best practices. Why don't the people working in this area help the
putty project with support for the latest stuff?

~~~
clarry
Why don't the people who use and depend on putty help the project with support
for the things they need?

~~~
wolf550e
There aren't a lot of people qualified to work on security software.

------
an6n
I was hoping for U2F but I guess it's not ready yet. :)

~~~
feld
Chrome has access to USB and its own code to handle U2F devices. This would
require your SSH client to have the same capabilities.

This might work well on Linux/BSD machines, but likely not on OSX due to
stagnant unix utility updates and Windows because... well, not a real Unix.
Would probably require a heavy wrapper around Putty. Not sure if cygwin and
friends would ever work either.

~~~
aroch
OSX supports PAM auth, U2F is just another kind of PAM. That's how I use my
Yubikey.

~~~
feld
I was thinking that server side it was a PAM module, but client side it was
not... for some bizarre reason.

So yeah, I suppose if your platform supports PAM this is feasible.

------
themckman
OpenSSH is certainly the standard amongst SSH servers, however, I'm curious if
there are serious alternatives that offer something missing in OpenSSH? I know
there's a patch floating around that allowed some buffer to be configurable
and boosted `scp` performance, for example, but I'm curious if there are other
servers that offer anything else interesting.

~~~
pwnna
Dropbear is a lightweight replacement for OpenSSH. It runs on things like
routers (openwrt) and certain android ROMs.

~~~
agumonkey
Used it through an sshserver app for Android, had no troubles doing a full scp
-R <phone> <backup> with it.

------
jamiesonbecker
Fingerprint hash tracking is on the plan to add to Userify soon as well, along
with host key wipe and regen. Can't wait to get some of these other awesome
features mixed in. Of course, we'll have to wait for distributions to catch
up.. cue five year wait..

------
w8rbt
The sshlog (password logging) patch still seems to work on 6.8

    http://w8rbt.org/patches/sshlog.patch

~~~
mortenlarsen
wget is blocked on that URL, any specific reason?

    wget --user-agent="Not wget" http://w8rbt.org/patches/sshlog.patch

works.

