This document may be found at: http://www.openssh.com/txt/legacy-cert.adv

1. Vulnerability

Legacy certificates generated by OpenSSH might contain data from the stack thus leaking confidential information.

2. Affected configurations

OpenSSH 5.6 and OpenSSH 5.7 only when generating legacy certificates. These must be specifically requested using the “-t” option on the ssh-keygen CA command-line.

3. Mitigation

Avoid generating legacy certificates using OpenSSH 5.6 or 5.7

If legacy certificates have been issued with a vulnerable OpenSSH version, consider rotating any CA key used.

4. Details

When generating legacy *-cert-v00@openssh.com certificates, the nonce field was not being correctly filled with random data but was left uninitialised, containing the contents of the stack.

The contents of the stack at this point in ssh-keygen’s execution do not appear to leak the CA private key or other sensitive data, but this possibility cannot be excluded on

all platforms and library versions.

If certificates are generated using user-specified contents (as opposed to the CA specifying all fields) then they will be less resistant to hash collision attacks. Fortunately, such attacks are not currently considered practical for the SHA family of hashes used to sign these certificates.

5. Credit

This issue was privately reported by Mateusz Kocielski on January 26, 2011.

6. Fix

OpenSSH 5.8 contains a fix for this vulnerability. Users who prefer to continue to use OpenSSH 5.6 or 5.7 may apply this patch:

Index: key.c

===================================================================

RCS file: /cvs/src/usr.bin/ssh/key.c,v

retrieving revision 1.95

diff -u -r1.95 key.c

--- key.c   10 Nov 2010 01:33:07 -0000    1.95

+++ key.c   3 Feb 2011 06:52:33 -0000

@@ -1823,8 +1823,8 @@

buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));

/* -v01 certs put nonce first */

+     arc4random_buf(&nonce, sizeof(nonce));

if (!key_cert_is_legacy(k)) {

-           arc4random_buf(&nonce, sizeof(nonce));

buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));

}

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

Changes since OpenSSH 5.7

=========================

Security:

* Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.

Legacy certificates signed by OpenSSH 5.6 or 5.7 included data from the stack in place of a random nonce field. The contents of the stack do not appear to contain private data at this point, but this cannot be stated with certainty for all platform, library and compiler combinations. In particular, there exists a risk that some bytes from the privileged CA key may be accidentally included.

A full advisory for this issue is available at: http://www.openssh.com/txt/legacy-cert.adv

Portable OpenSSH Bugfixes:

* Fix compilation failure when enableing SELinux support.

* Do not attempt to call SELinux functions when SELinux is disabled. bz#1851

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

Changes since OpenSSH 5.6

=========================

Features:

* Implement Elliptic Curve Cryptography modes for key exchange (ECDH)

and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA

offer better performance than plain DH and DSA at the same equivalent

symmetric key length, as well as much shorter keys.

Only the mandatory sections of RFC5656 are implemented, specifically

the three REQUIRED curves nistp256, nistp384 and nistp521 and only

ECDH and ECDSA. Point compression (optional in RFC5656) is NOT

implemented.

Certificate host and user keys using the new ECDSA key types are

supported – an ECDSA key may be certified, and an ECDSA key may act

as a CA to sign certificates.

ECDH in a 256 bit curve field is the preferred key agreement

algorithm when both the client and server support it. ECDSA host

keys are preferred when learning a host’s keys for the first time,

or can be learned using ssh-keyscan(1).

* sftp(1)/sftp-server(8): add a protocol extension to support a hard

link operation. It is available through the “ln” command in the

client. The old “ln” behaviour of creating a symlink is available

using its “-s” option or through the preexisting “symlink” command

* scp(1): Add a new -3 option to scp: Copies between two remote hosts

are transferred through the local host.  Without this option the

data is copied directly between the two remote hosts.

* ssh(1): automatically order the hostkeys requested by the client

based on which hostkeys are already recorded in known_hosts. This

avoids hostkey warnings when connecting to servers with new ECDSA

keys, since these are now preferred when learning hostkeys for the

first time.

* ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary

TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.

bz#1733

* sftp(1): the sftp client is now significantly faster at performing

directory listings, using OpenBSD glob(3) extensions to preserve

the results of stat(3) operations performed in the course of its

execution rather than performing expensive round trips to fetch

them again afterwards.

* ssh(1): “atomically” create the listening mux socket by binding it on

a temporary name and then linking it into position after listen() has

succeeded. This allows the mux clients to determine that the server

socket is either ready or stale without races. stale server sockets

are now automatically removed. (also fixes bz#1711)

* ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server

configuration to allow selection of which key exchange methods are

used by ssh(1) and sshd(8) and their order of preference.

* sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into

a generic bandwidth limiter that can be attached using the atomicio

callback mechanism and use it to add a bandwidth limit option to

sftp(1). bz#1147

BugFixes:

* ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent

temporary directories. bz#1809

* ssh(1): avoid NULL deref on receiving a channel request on an unknown

or invalid channel; bz#1842

* sshd(8): remove a debug() that pollutes stderr on client connecting

to a server in debug mode; bz#1719

* scp(1): pass through ssh command-line flags and options when doing

remote-remote transfers, e.g. to enable agent forwarding which is

particularly useful in this case; bz#1837

* sftp-server(8): umask should be parsed as octal

* sftp(1): escape ‘[‘ in filename tab-completion

* ssh(1): Typo in confirmation message.  bz#1827

* sshd(8): prevent free() of string in .rodata when overriding

AuthorizedKeys in a Match block

* sshd(8): Use default shell /bin/sh if $SHELL is “”

* ssh(1): kill proxy command on fatal() (we already killed it on

clean exit);

* ssh(1): install a SIGCHLD handler to reap expiried child process;

bz#1812

* Support building against openssl-1.0.0a

Portable OpenSSH Bugfixes:

* Use mandoc as preferred manpage formatter if it is present, followed

by nroff and groff respectively.

* sshd(8): Relax permission requirement on btmp logs to allow group

read/write

* bz#1840: fix warning when configuring –with-ssl-engine

* sshd(8): Use correct uid_t/pid_t types instead of int. bz#1817

* sshd(8): bz#1824: Add Solaris Project support.

* sshd(8): Check is_selinux_enabled for exact return code since it can

apparently return -1 under some conditions.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

This is a bugfix release.

Changes since OpenSSH 5.4

=========================

* Unbreak sshd_config’s AuthorizedKeysFile option for $HOME-relative paths

* Fix compilation failures on platforms that lack dlopen()

* Include a language tag when sending a protocol 2 disconnection message.

* Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys

Portable OpenSSH:

* Allow contrib/ssh-copy-id to fail gracefully when there are no keys in the ssh-agent. bz#1723

* Explicitly link libX11 into contrib/gnome-ssh-askpass2. bz#1725

* Allow ChrootDirectory to work in SELinux platforms. bz#1726

* Add configure.ac stanza for Haiku OS. bz#1741

* Enable utmpx support on FreeBSD where possible. bz#1732

* Use pkg-config to determine libedit linker flags where possible. bz#1744

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

This is a major feature and bugfix release.

Changes since OpenSSH 5.3

=========================

Features:

* After a transition period of about 10 years, this release disables

SSH protocol 1 by default. Clients and servers that need to use the

legacy protocol must explicitly enable it in ssh_config / sshd_config

or on the command-line.

* Remove the libsectok/OpenSC-based smartcard code and add support for

PKCS#11 tokens. This support is automatically enabled on all

platforms that support dlopen(3) and was inspired by patches written

by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.

* Add support for certificate authentication of users and hosts using a

new, minimal OpenSSH certificate format (not X.509). Certificates

contain a public key, identity information and some validity

constraints and are signed with a standard SSH public key using

ssh-keygen(1). CA keys may be marked as trusted in authorized_keys

or via a TrustedUserCAKeys option in sshd_config(5) (for user

authentication), or in known_hosts (for host authentication).

Documentation for certificate support may be found in ssh-keygen(1),

sshd(8) and ssh(1) and a description of the protocol extensions in

PROTOCOL.certkeys.

* Added a ‘netcat mode’ to ssh(1): “ssh -W host:port …” This connects

stdio on the client to a single port forward on the server. This

allows, for example, using ssh as a ProxyCommand to route connections

via intermediate servers. bz#1618

* Add the ability to revoke keys in sshd(8) and ssh(1). User keys may

be revoked using a new sshd_config(5) option “RevokedKeys”. Host keys

are revoked through known_hosts (details in the sshd(8) man page).

Revoked keys cannot be used for user or host authentication and will

trigger a warning if used.

* Rewrite the ssh(1) multiplexing support to support non-blocking

operation of the mux master, improve the resilience of the master to

malformed messages sent to it by the slave and add support for

requesting port- forwardings via the multiplex protocol. The new

stdio-to-local forward mode (“ssh -W host:port …”) is also

supported. The revised multiplexing protocol is documented in the

file PROTOCOL.mux in the source distribution.

* Add a ‘read-only’ mode to sftp-server(8) that disables open in write

mode and all other fs-modifying protocol methods. bz#430

* Allow setting an explicit umask on the sftp-server(8) commandline to

override whatever default the user has. bz#1229

* Many improvements to the sftp(1) client, many of which were

implemented by Carlos Silva through the Google Summer of Code

program:

- Support the “-h” (human-readable units) flag for ls

- Implement tab-completion of commands, local and remote filenames

- Support most of scp(1)’s commandline arguments in sftp(1), as a

first step towards making sftp(1) a drop-in replacement for scp(1).

Note that the rarely-used “-P sftp_server_path” option has been

moved to “-D sftp_server_path” to make way for “-P port” to match

scp(1).

- Add recursive transfer support for get/put and on the commandline

* New RSA keys will be generated with a public exponent of RSA_F4 ==

(2**16)+1 == 65537 instead of the previous value 35.

* Passphrase-protected SSH protocol 2 private keys are now protected

with AES-128 instead of 3DES. This applied to newly-generated keys

as well as keys that are reencrypted (e.g. by changing their

passphrase).

Bugfixes:

* Hold authentication debug messages until after successful

authentication. Fixes a minor information leak of environment

variables specified in authorized_keys if an attacker happens to

know the public key in use.

* When using ChrootDirectory, make sure we test for the existence of

the user’s shell inside the chroot and not outside (bz#1679)

* Cache user and group name lookups in sftp-server using

user_from_[ug]id(3) to improve performance on hosts where these

operations are slow (e.g. NIS or LDAP). bz#1495

* Fix problem that prevented passphrase reading from being interrupted

in some circumstances; bz#1590

* Ignore and log any Protocol 1 keys where the claimed size is not

equal to the actual size.

* Make HostBased authentication work with a ProxyCommand. bz#1569

* Avoid run-time failures when specifying hostkeys via a relative

path by prepending the current working directory in these cases.

bz#1290

* Do not prompt for a passphrase if we fail to open a keyfile, and log

the reason why the open failed to debug. bz#1693

* Document that the PubkeyAuthentication directive is allowed in a

sshd_config(5) Match block. bz#1577

* When converting keys, truncate key comments at 72 chars as per

RFC4716. bz#1630

* Do not allow logins if /etc/nologin exists but is not readable by the

user logging in.

* Output a debug log if sshd(8) can’t open an existing authorized_keys.

bz#1694

* Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we

usually don’t actually have a tty to read/set; bz#1686

* Prevent sftp from crashing when given a “-” without a command.

Also, allow whitespace to follow a “-”. bz#1691

* After sshd receives a SIGHUP, ignore subsequent HUPs while sshd

re-execs itself. Prevents two HUPs in quick succession from resulting

in sshd dying. bz#1692

* Clarify in sshd_config(5) that StrictModes does not apply to

ChrootDirectory. Permissions and ownership are always checked when

chrooting. bz#1532

* Set close-on-exec on various descriptors so they don’t get leaked to

child processes. bz#1643

* Fix very rare race condition in x11/agent channel allocation: don’t

read after the end of the select read/write fdset and make sure a

reused FD is not touched before the pre-handlers are called.

* Fix incorrect exit status when multiplexing and channel ID 0 is

recycled. bz#1570

* Fail with an error when an attempt is made to connect to a server

with ForceCommand=internal-sftp with a shell session (i.e. not a

subsystem session). Avoids stuck client when attempting to ssh to

such a service. bz#1606:

* Warn but do not fail if stat()ing the subsystem binary fails. This

helps with chrootdirectory+forcecommand=sftp-server and restricted

shells. bz #1599

* Change “Connecting to host…” message to “Connected to host.”

and delay it until after the sftp protocol connection has been

established. Avoids confusing sequence of messages when the

underlying ssh connection experiences problems. bz#1588

* Use the HostKeyAlias rather than the hostname specified on the

commandline when prompting for passwords. bz#1039

* Correct off-by-one in percent_expand(): we would fatal() when trying

to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to

actually work. Note that nothing in OpenSSH actually uses close to

this limit at present. bz#1607

* Fix passing of empty options from scp(1) and sftp(1) to the

underlying ssh(1). Also add support for the stop option “–”.

* Fix an incorrect magic number and typo in PROTOCOL; bz#1688

* Don’t escape backslashes when displaying the SSH2 banner. bz#1533

* Don’t unnecessarily dup() the in and out fds for sftp-server. bz#1566

* Force use of the correct hash function for random-art signature

display as it was inheriting the wrong one when bubblebabble

signatures were activated. bz#1611

* Do not fall back to adding keys without constraints (ssh-add -c /

-t …) when the agent refuses the constrained add request. bz#1612

* Fix a race condition in ssh-agent that could result in a wedged or

spinning agent. bz#1633

* Flush stdio before exec() to ensure that everying (motd

in particular) has made it out before the streams go away. bz#1596

* Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706

Portable OpenSSH Bugfixes:

* Use system’s kerberos principal name on AIX if it’s available.

bz#1583

* Disable OOM-killing of the listening sshd on Linux. bz#1470

* Use pkg-config for opensc config if it’s available. bz#1160

* Unbreak Redhat spec to allow building without askpass. bz#1677

* If PidFile is set in sshd_config, use it in SMF init file. bz#1628

* Print error and usage() when ssh-rand-helper is passed command-

line arguments as none are supported. bz#1568

* Add missing setsockopt() to set IPV6_V6ONLY for local forwarding

with GatwayPorts=yes. bz#1648

* Make GNOME 2 askpass dialog desktop-modal. bz#1645

* If SELinux is enabled set the security context to “sftpd_t” before

running the internal sftp server. bz#1637

* Correctly check libselinux for necessary SELinux functions; bz#1713

* Unbreak builds on Redhat using the supplied openssh.spec; bz#1731

* Fix incorrect privilege dropping order on AIX that prevented

chroot operation; bz#1567

* Call aix_setauthdb/aix_restoredb at the correct times on AIX to

prevent authentication failure; bz#1710