• openssh-9.8p1-2.el10.0
    • Rebase
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 26
    • 6
    • False
    • Yes
    • Crypto24Q3
      AC: OpenSSH version is 9.8 and number of regressions is reasonable
    • Pass
    • Not Needed
    • RegressionOnly
    • Rebase
      .OpenSSH provided in version 9.8

      RHEL 10 provides OpenSSH in version 9.8, which introduces many fixes and improvements over OpenSSH 8.7, the version provided in RHEL 9. For the complete list of changes, see the `openssh-9.8p1/ChangeLog` file. The most important changes are as follows:

      * A system for restricting forwarding and use of keys that were added to the `ssh-agent` program has been added to `ssh`, `sshd`, `ssh-add`, and `ssh-agent` programs.
      * Improvements to the use of the FIDO standard:
      ** The `verify-required` certificate option has been added to `ssh-keygen`.
      ** Fixes to FIDO key handling reduce unnecessary PIN prompts for keys that support intrinsic user verification.
      ** A check for existing matching credentials in the `ssh-keygen` program prompts the user before overwriting the credential.
      * New `EnableEscapeCommandline` option in the `ssh_config` configuration file enables the command line option in the `EscapeChar` menu for interactive sessions.
      * New `ChannelTimeout` keyword specifies whether and how quickly the `sshd` daemon should close inactive channels.
      * The `ssh-keygen` utility generates Ed25519 keys by default except in FIPS mode, where the default is RSA.
      * The `ssh` client performs keystroke timing obfuscation by sending interactive traffic at fixed intervals, every 20 ms by default, when only a small amount of data is being sent. It also sends fake keystrokes for a random interval after the last real keystroke, defined by the `ObscureKeystrokeTiming` keyword.
      * DSA keys have been deprecated, and might be removed in a future major release.
      * With the new `global` type of the `ChannelTimeout` keyword, `ssh` and `sshd` close all open channels if none of them has carried traffic for the specified interval. This is in addition to the existing per-channel timeouts.
      * The `sshd` server blocks client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication, or that crash the server.
      * The `sshd` server penalizes client addresses that do not successfully complete authentication. The penalties are controlled by the new `PerSourcePenalties` keyword in `sshd_config`.
      * The `sshd` server is split into a listener binary, `sshd`, and a per-session binary, `sshd-session`. The listener no longer needs to implement the SSH protocol, which reduces its size and the amount of code exposed to unauthenticated clients. Support for disabling privilege separation and for disabling re-execution of `sshd` has been removed.
      * In portable OpenSSH, `sshd` no longer uses `argv[0]` as the PAM service name. You can select the service name at runtime with the new `PAMServiceName` directive in the `sshd_config` file. This defaults to "sshd".
      * The `HostKeyAlgorithms` keyword now lets `ssh` disable the implicit fallback from certificate host key algorithms to plain host key algorithms.
      * The components have been hardened in general and work better with the PKCS #11 standard.
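
      The following is an added example for this release note; it is not from the RHEL issue, the release note, or OpenSSH itself. It audits an `sshd_config` for the 9.8 server-side changes listed above (first-value-wins semantics, `PerSourcePenalties`, the `global` `ChannelTimeout` type, `PAMServiceName`, the removed ability to disable privilege separation, and leftover DSA host keys or `ssh-dss` algorithm entries) using only `sh`, `awk` and `grep`, so it can be run on a host that does not yet have the 9.8 `sshd` installed. All function names, the sample configuration and the messages are mine; the assumptions are that only the global section is inspected, that parsing stops at the first `Match` line, that `Include` directives are not followed, and that directives use the `Keyword value` form.

```shell
#!/bin/sh
# Added example, not code from the RHEL issue or from OpenSSH: audit an
# sshd_config for the OpenSSH 9.8 changes described in the release note.
# Assumptions (mine): only the global section is inspected, parsing stops at the
# first Match line, Include is not followed, and directives are "Keyword value".

# sshd_effective FILE KEYWORD
# Print the value sshd uses for KEYWORD in the global section. sshd keeps the
# FIRST value it reads for a keyword (which is why RHEL places
# "Include /etc/ssh/sshd_config.d/*.conf" at the top of the file), so the first
# match wins. Keyword matching is case-insensitive, like sshd's own parser.
# Returns 1 when the keyword is not set.
sshd_effective() {
    awk -v kw="$2" '
        NF == 0 || /^[ \t]*#/ { next }            # skip blank lines and comments
        tolower($1) == "match" { exit }           # stop at the first Match block
        tolower($1) == tolower(kw) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")       # drop the keyword, keep the value
            print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# sshd_dsa_findings FILE
# Print every global-section line that still depends on DSA: HostKey paths ending
# in ssh_host_dsa_key and algorithm lists that name ssh-dss. DSA is deprecated in
# 9.8 and may be removed later, so each line printed is a migration item.
sshd_dsa_findings() {
    awk '
        NF == 0 || /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "hostkey" && $2 ~ /ssh_host_dsa_key$/ { print }
        tolower($1) ~ /^(hostkeyalgorithms|pubkeyacceptedalgorithms|pubkeyacceptedkeytypes|hostbasedacceptedalgorithms|hostbasedacceptedkeytypes|casignaturealgorithms)$/ &&
            index(tolower($2), "ssh-dss") { print }
    ' "$1"
}

# audit_sshd_config FILE
# Print "FINDING:" lines for things to fix and "info:" lines for context, and
# return the number of findings (0 means nothing to do).
audit_sshd_config() {
    file=$1
    n=0

    if v=$(sshd_effective "$file" PerSourcePenalties); then
        case $v in
            no) echo "FINDING: PerSourcePenalties is disabled; 9.8 brute-force penalties are off"
                n=$((n + 1)) ;;
            *)  echo "info: PerSourcePenalties is set to: $v" ;;
        esac
    else
        echo "info: PerSourcePenalties not set; the 9.8 built-in defaults apply"
    fi

    if v=$(sshd_effective "$file" ChannelTimeout); then
        case $v in
            *global=*) echo "info: ChannelTimeout has a global entry: $v" ;;
            *) echo "FINDING: ChannelTimeout ($v) has no global= entry; a session whose channels all go idle is never closed"
               n=$((n + 1)) ;;
        esac
    else
        echo "FINDING: ChannelTimeout not set; idle channels are never closed by sshd"
        n=$((n + 1))
    fi

    if v=$(sshd_effective "$file" PAMServiceName); then
        echo "info: PAM service name is $v (before 9.8 it came from argv[0])"
    else
        echo "info: PAMServiceName not set; defaults to sshd"
    fi

    if sshd_effective "$file" UsePrivilegeSeparation >/dev/null; then
        echo "FINDING: UsePrivilegeSeparation present; 9.8 cannot disable privilege separation, remove the line"
        n=$((n + 1))
    fi

    dsa=$(sshd_dsa_findings "$file")
    if [ -n "$dsa" ]; then
        printf '%s\n' "$dsa" | while IFS= read -r line; do
            echo "FINDING: DSA still referenced: $line"
        done
        n=$((n + $(printf '%s\n' "$dsa" | grep -c .)))
    fi

    return "$n"
}

# write_sample_config PATH
# Write a constructed sample (not any real host's config) that exercises each check.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Include /etc/ssh/sshd_config.d/*.conf
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_dsa_key
PerSourcePenalties no
PerSourcePenalties yes
ChannelTimeout session:*=30m
UsePrivilegeSeparation no
Match User backup
    PerSourcePenalties yes
    ChannelTimeout global=1h
EOF
}

# Run the audit on the constructed sample when this file is executed directly.
sample=$(mktemp) && {
    write_sample_config "$sample"
    audit_sshd_config "$sample" || echo "findings: $?"
    rm -f "$sample"
}
```

      On a host that already runs 9.8, `sshd -T -f FILE` is the authoritative way to see the effective values, including `Match` and `Include` handling that this script deliberately skips; `ssh -G host` does the same for the client side (`ObscureKeystrokeTiming`, `HostKeyAlgorithms`, `EnableEscapeCommandline`). One caveat before enabling or tightening `PerSourcePenalties`: the penalty is keyed on the client address, so behind a NAT or a load balancer one misbehaving user can lock out everyone sharing that address; `PerSourcePenaltyExemptList` exists for exactly those source ranges. For the agent-side restriction mentioned above, `ssh-add -h bastion -h "bastion>internal" ~/.ssh/id_ed25519` loads a key that may only be used to authenticate to `bastion` and, from there, to `internal`.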
    • Done

      We want to disable DSA support in OpenSSH in RHEL 10; 9.8 has it automatically.

              Dmitry Belyavskiy (dbelyavs@redhat.com)
              Miluse Bezo Konecna
              Jan Fiala