[PATCH v2 1/4] OpenSSH :Update to 9.9p1

List overview All Threads
Download

newer

older

[PATCH] linux: Enforce userspace...

[PATCH 1/2] OpenSSH :Update to...

Peter Müller

21 Sep 2024 21 Sep '24

3:29 p.m.

Please refer to https://www.openssh.com/releasenotes.html#9.9p1 for the release announcement of this version.

Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/openssh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/openssh b/lfs/openssh index 036d0bb8e..c14c8267c 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@

include Config

-VER = 9.8p1 +VER = 9.9p1

THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_BLAKE2 = 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 +$(DL_FILE)_BLAKE2 = 817d267e42b8be74a13e0cfd7999bdb4dab6355c7f62c1a4dd89adad310c5fb7fe3f17109ce1a36cd269a3639c1b8f1d18330c615ab3b419253ec027cfa20997

install : $(TARGET)

-- 2.39.5

Show replies by date

Peter Müller

21 Sep 21 Sep

3:29 p.m.

New subject: [PATCH v2 2/4] OpenSSH: Add ML-KEM x X25519 hybrid key exchange

This was newly introduced in OpenSSH 9.9, hence our custom configurations for both SSH server and client need to be updated.

Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/ssh/ssh_config | 2 +- config/ssh/sshd_config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 85c069dda..5a9ad85c5 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -9,7 +9,7 @@ Host * UseRoaming no

# Only use secure crypto algorithms - KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 76c9b3eb1..9229b6518 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -20,7 +20,7 @@ LoginGraceTime 30s MaxStartups 5

# Only allow safe crypto algorithms -KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

-- 2.39.5

Peter Müller

3:29 p.m.

New subject: [PATCH v2 3/4] OpenSSH: Add alias name for sntrup761x25519-sha512 key exchange

This makes sure OpenSSH connections make use of this post-quantum key exchange whenever possible, even if one peer still running OpenSSH 9.8 or older.

Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/ssh/ssh_config | 2 +- config/ssh/sshd_config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 5a9ad85c5..86f123e28 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -9,7 +9,7 @@ Host * UseRoaming no

# Only use secure crypto algorithms - KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 9229b6518..421416705 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -20,7 +20,7 @@ LoginGraceTime 30s MaxStartups 5

# Only allow safe crypto algorithms -KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

-- 2.39.5

Peter Müller

3:30 p.m.

New subject: [PATCH v2 4/4] OpenSSH: Order symmetric ciphers by strength

We also wish to prefer AES over Chacha/Poly, given the prevalence of hardware accelaration for the former.

Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/ssh/ssh_config | 2 +- config/ssh/sshd_config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 86f123e28..d5f63f315 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -10,7 +10,7 @@ Host *

# Only use secure crypto algorithms KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Always visualise server host keys (helps to identify key based MITM attacks) diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 421416705..e338f8cef 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -21,7 +21,7 @@ MaxStartups 5

# Only allow safe crypto algorithms KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Only allow cryptographically safe SSH host keys (adjust paths if needed)

-- 2.39.5

Age (days ago)

Last active (days ago)

development@lists.ipfire.org

3 comments

1 participants

tags (0)

participants (1)

Peter Müller