172: A tale of BSD from yore

Published 9 years, 3 months ago

Description

This week on BSDNow, we have a very special guest joining us to tell us a tale of the early days in BSD history. That plus some new OpenSSH goodness, shell scripting utilities and much more. Stay tuned for your place to B...SD!

This episode was brought to you by

  • iXsystems - Enterprise Servers and Storage for Open Source
  • DigitalOcean - Simple Cloud Hosting, Built for Developers
  • Tarsnap - Online Backups for the Truly Paranoid


Headlines

Call For Testing: OpenSSH 7.4

  • Getting ready to head into the holidays for the end of 2016 means some of us will have spare time on our hands. What a perfect time to get some call-for-testing work done!
  • Damien Miller has issued a public CFT for the upcoming OpenSSH 7.4 release, which, considering how much we all rely on SSH, should attract some eager volunteers for testing.
  • What are some of the potential breakers?

  • “This release removes server support for the SSH v.1 protocol.

  • ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
    block ciphers are not safe in 2016 and we don't want to wait until
    attacks like SWEET32 are extended to SSH. As 3des-cbc was the
    only mandatory cipher in the SSH RFCs, this may cause problems
    connecting to older devices using the default configuration,
    but it's highly likely that such devices already need explicit
    configuration for key exchange and hostkey algorithms already
    anyway.

  • sshd(8): Remove support for pre-authentication compression.
    Doing compression early in the protocol probably seemed reasonable
    in the 1990s, but today it's clearly a bad idea in terms of both
    cryptography (cf. multiple compression oracle attacks in TLS) and
    attack surface. Pre-auth compression support has been disabled by
    default for >10 years. Support remains in the client.

  • ssh-agent will refuse to load PKCS#11 modules outside a whitelist
    of trusted paths by default. The path whitelist may be specified
    at run-time.

  • sshd(8): When a forced-command appears in both a certificate and
    an authorized keys/principals command= restriction, sshd will now
    refuse to accept the certificate unless they are identical.
    The previous (documented) behaviour of having the certificate
    forced-command override the other could be a bit confusing and
    error-prone.

  • sshd(8): Remove the UseLogin configuration directive and support
    for having /bin/login manage login sessions.”
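A quick way to see which of these breakers apply to an existing host, as an added example that is not part of the OpenSSH release or the show notes: the Python below audits sshd_config-style text for the settings 7.4 removes or changes (SSHv1, 3des-cbc, pre-authentication compression, UseLogin) and models the new forced-command rule for certificates. Both config samples are constructed for the demo, and the cipher list in the corrected sample is an assumed reasonable choice rather than a value taken from the page.

```python
import re

# Added example (not OpenSSH's own code): scan sshd_config-style text for
# settings the 7.4 release notes remove or change, and model the new
# forced-command rule.  The config strings at the bottom are constructed
# samples, not captured from any real host.


def parse_config(text):
    """Yield (lineno, keyword, value) for each directive line.

    sshd_config keywords are case-insensitive and may be written either as
    'Keyword value' or 'Keyword=value'; comments and blank lines are skipped.
    Match blocks are not tracked, so every directive is reported."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*)$", line)
        if m:
            yield lineno, m.group(1).lower(), m.group(2).strip()


def audit_for_openssh_74(text):
    """Return [(lineno, message)] for directives that 7.4 breaks or changes."""
    findings = []
    for lineno, key, value in parse_config(text):
        items = [v.strip().lower() for v in value.split(",")]
        if key == "protocol" and "1" in items:
            findings.append((lineno, "Protocol 1: 7.4 removes server support for SSHv1"))
        elif key == "ciphers" and "3des-cbc" in items:
            findings.append((lineno, "3des-cbc: 64-bit block cipher, dropped from the client default (SWEET32)"))
        elif key == "compression" and items[0] == "yes":
            # Pre-7.4, 'yes' enabled pre-auth compression; 7.4 removes that,
            # so 'yes' now only compresses after authentication.
            findings.append((lineno, "Compression yes: pre-auth compression removed in 7.4"))
        elif key == "uselogin":
            findings.append((lineno, "UseLogin: directive removed in 7.4"))
    return findings


def resolve_forced_command(cert_force_command, authorized_keys_command):
    """Apply the 7.4 rule for a certificate's force-command critical option
    versus a command= restriction in authorized_keys/AuthorizedPrincipals.

    Returns (accepted, effective_command).  Before 7.4 the certificate's
    value silently overrode the file's; now a mismatch rejects the cert."""
    if cert_force_command is None:
        return True, authorized_keys_command  # may itself be None: no restriction
    if authorized_keys_command is None:
        return True, cert_force_command
    if cert_force_command == authorized_keys_command:
        return True, cert_force_command
    return False, None


# Constructed "before" config that trips every check above.
LEGACY_SSHD_CONFIG = """\
# constructed sample of a pre-7.4 sshd_config
Protocol 2,1
Ciphers aes256-ctr,3des-cbc
Compression yes
UseLogin yes
PermitRootLogin no
"""

# Constructed corrected config: SSHv2 only, AEAD/CTR ciphers (an assumed
# reasonable list), compression only after authentication, no UseLogin.
HARDENED_SSHD_CONFIG = """\
# constructed sample of a 7.4-ready sshd_config
Protocol 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
Compression delayed
PermitRootLogin no
"""

if __name__ == "__main__":
    for lineno, msg in audit_for_openssh_74(LEGACY_SSHD_CONFIG):
        print(f"line {lineno}: {msg}")
    print("hardened config findings:", audit_for_openssh_74(HARDENED_SSHD_CONFIG))
    print(resolve_forced_command("/usr/bin/rsync --server", "/bin/true"))
```

Run it against a real `/etc/ssh/sshd_config` by reading the file into `audit_for_openssh_74`; the Match-block flattening is deliberate, since a breaker inside a Match block still bites once 7.4 is installed.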

  • What about new features? 7.4 has some of those to wake you up also:

  • “ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
    version in PuTTY by Simon Tatham. This allows a multiplexing
    client to communicate with the master process using a subset of
    the SSH packet and channels protocol over a Unix-domain socket,
    with the main process acting as a proxy that translates channel
    IDs, etc. This allows multiplexing mode to run on systems that
    lack file-descriptor passing (used by current multiplexing
    code) and potentially, in conjunction with Unix-domain socket
    forwarding, with the client and multiplexing master process on
    different machines. Multiplexing proxy mode may be invoked using
    "ssh -O proxy ..."

  • sshd(8): Add a sshd_config DisableForwarding option that disables
    X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
