Openssh 8.2

admin



-->

Based on my research, OpenSSH 8.2 was released on 2020-02-14. So sorry that I failed to find any official document stating the timeline of getting this from FOD ISO. There is currently no timeline. Thank you so much for your understanding and support. Best regards, Hannah Xiong. OpenSSH version 8.2 added support for FIDO U2F hardware authenticators. FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk', along with corresponding certificate types. Ssh-keygen may be used to generate a FIDO token-backed SSH key, after which such keys may be used much like any other key type supported.

Applies to Windows Server 2019, Windows 10

OpenSSH is a connectivity tool for remote login that uses the SSH protocol. It encrypts all traffic between client and server to eliminate eavesdropping, connection hijacking, and other attacks.

OpenSSH can be used to connect Window 10 clients to Windows Server 2019. OpenSSH Client is available to install on Windows 10 build 1809 and later, while OpenSSH Server is available to install on Windows Server 2019 and later.

  1. Current Description. DISPUTED. The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server.
  2. TL;DR: In this context `ssh-rsa` means RSA with SHA-1. Make sure both your client and server support SHA-2 (support `rsa-sha2-256/512`). You are fine if both client and server use OpenSSH 7.2 (released in 2016) or newer. There is a lot of important info in OpenSSH 8.2 release notes, including how to test your server and client.

Important

If you downloaded OpenSSH from the GitHub repo at PowerShell/openssh-portable, follow the instructions listed there, not the ones in this article.

Install OpenSSH using Windows Settings

Both OpenSSH components can be installed using Windows Settings. OpenSSH Server is installed on Windows Server and OpenSSH Client is installed on Windows 10 devices. Finance calculator apr.

To install the OpenSSH components:

  1. Open Settings, select Apps > Apps & Features, then select Optional Features.

  2. Scan the list to see if the OpenSSH is already installed. If not, at the top of the page, select Add a feature, then:

    • On Windows 10, find OpenSSH Client, then click Install
    • On Windows Server 2019, find OpenSSH Server, then click Install

Once setup completes, return to Apps > Apps & Features and Optional Features and you should see OpenSSH listed.

Note

Installing OpenSSH Server will create and enable a firewall rule named OpenSSH-Server-In-TCP. This allows inbound SSH traffic on port 22. If this rule is not enabled and this port is not open, connections will be refused or reset.

Install OpenSSH using PowerShell

To install OpenSSH using PowerShell, run PowerShell as an Administrator.To make sure that OpenSSH is available, run the following cmdlet:

This should return the following output:

Then, install the server or client components as needed:

Both of these should return the following output:

Start and configure SSH Server

To start and configure OpenSSH server for initial use, open PowerShell as an administrator, then run the following commands to start the SSHD service:

Connect to SSH Server

Once installed, you can connect to OpenSSH Server from a Windows 10 device with the SSH client installed using PowerShell as follows. Be sure to run PowerShell as an administrator:

Once connected, you get a message similar to the following:

Selecting yes adds that server to the list of known ssh hosts on your Windows client.

You are prompted for the password at this point. As a security precaution, your password will not be displayed as you type.

Once connected, you will see the Windows command shell prompt:

Uninstall OpenSSH using Windows Settings

To uninstall OpenSSH using Windows Settings:

  1. Open Settings, then go to Apps > Apps & Features.
  2. Go to Optional Features.
  3. In the list, select OpenSSH Client or OpenSSH Server.
  4. Select Uninstall.

Uninstall OpenSSH using PowerShell

8.3

To uninstall the OpenSSH components using PowerShell, use the following commands:

You may need to restart Windows afterwards if the service was in use at the time it was uninstalled.

OpenSSH 8.2 released

Posted Feb 15, 2020 11:43 UTC (Sat) by Sesse (subscriber, #53779)
Parent article: OpenSSH 8.2 releasedDeprecation of older key exchange types is all fun and games, but not when you have older switches you want to SSH to (and that are no longer getting new OS releases). What's the real alternative? Surely SHA-1 can't be so broken that telnet is better :-)

(“-oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc” frequently helps, but not in all cases.)

(Log in to post comments) Download

OpenSSH 8.2 released

Posted Feb 15, 2020 12:51 UTC (Sat) by pizza (subscriber, #46) [Link]

..Surely a $50K barrier to entry (rsa-sha1) is better than forcing us to use a mechanism whose barrier to entry is $0 (ie telnet)

(See also: https with SSL3/TLS1.0/TLS1.1 vs plain http)

OpenSSH 8.2 released

Posted Feb 15, 2020 14:22 UTC (Sat) by qyliss (guest, #131684) [Link]

SSL3/TLS1.0/TLS1.1 leave users of modern protocols open to downgrade attacks. Using those means making everybody liable to downgrade attacks, unlike plain HTTP. They’re not just being disabled out of spite.

OpenSSH 8.2 released

Posted Feb 15, 2020 17:53 UTC (Sat) by pizza (subscriber, #46) [Link]

Yep, and by all means, remove support for them on the _server_ side of things so they require up-to-date clients to speak.

But on the client side, there's a very long tail of crap we need to communicate with that will *never* see updates to TLS 1.2 or beyond. and it is highly delusional to pretend that there is no cost to replacing them.

By all means, have the clients COMPLAIN VERY LOUDLY or require special command line switches or whatever to speak with this older gear.

(The software for configuring the RAID controllers in two of my servers maxes out at TLS1.0, as does the https support in all of the network switches I have deployed. Granted, this stuff is all on private networks, but I don't want to have to keep around a VM with ancient software on it to administer things.)

Accessing no-longer-secure systems

Posted Feb 15, 2020 22:14 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

Probably the most practical / least disruptive approach is to have a proxy whose purpose is to manage this differential for you.

The proxy would present as a modern service (modern protocols and key support) but behind the scenes simply connect to the real backend using older insecure protocols and keys.

This way the insecurity is limited to those who consciously choose to use the proxy that doesn't deliver security. I guess this could either be an appliance one purchases (with lets hope a longer support lifetime than the devices you've had problems with) or software.

Accessing no-longer-secure systems

Posted Feb 15, 2020 23:56 UTC (Sat) by pizza (subscriber, #46) [Link]

No, the most practical / least disruptive approach is to disable https altogether, and go back to plain http with plaintext credentials.

Mission accomplished, I guess.

OpenSSH 8.2 released

Posted Feb 16, 2020 3:49 UTC (Sun) by mirabilos (subscriber, #84359) [Link]

Full ACK.

I’ll also be running into this (AIUI it’s about server keys, not about user keys) and very annoyed.

OpenSSH 8.2 released

Posted Mar 3, 2020 0:53 UTC (Tue) by rodgerd (guest, #58896) [Link]

It also means a pile of code lying around that can act as a rich source of vulnerabilities, particularly if it gets next-to-no-attention from developers on a day to day basis.

OpenSSH 8.2 released

Posted Feb 15, 2020 13:42 UTC (Sat) by dumain (subscriber, #82016) [Link]

The alternative to OpenSSH 8.2 isn't Telnet but a second,older, copy of ssh under a different name.

Keeping an extra copy of ssh around might require a bit of work but is better to require people to do extra work to be insecure than requiring extra work to be secure. If you want to you can even rename the older ssh binary to telnet.

OpenSSH 8.2 released

Posted Feb 16, 2020 6:25 UTC (Sun) by djm (subscriber, #11651) [Link]

No alternative is needed - the weak algorithms aren't being removed so you can enable them (e.g. 'ssh -oCiphers=+ssh-rsa ..') without needing anything remotely custom.

OpenSSH 8.2 released

Posted Feb 16, 2020 9:57 UTC (Sun) by Sesse (subscriber, #53779) [Link]

There are (already) limitations on minimum RSA key lengths that you cannot get around without a recompile.

OpenSSH 8.2 released

Posted Feb 16, 2020 19:15 UTC (Sun) by josh (subscriber, #17465) [Link]

Are there any devices that support SSH and RSA but don't support key lengths of 1024 or greater?

OpenSSH 8.2 released

Posted Feb 16, 2020 19:18 UTC (Sun) by Sesse (subscriber, #53779) [Link]

OpenSSH 8.2 released

Posted Feb 20, 2020 8:08 UTC (Thu) by smurf (subscriber, #17840) [Link]

Yes. I've got a managed switch (in a secure internal network!) that sports a 768bit RSA host key. There also are a bunch out there that want to use DSA keys. Ugh, but can't be helped.

Seriously, that level of backwards incompatibility is disappointing. Keeping an older release isn't always feasible either; these may have security bugs or compiler incompatibilities that require significant efort to work around.

Keep the old (client) code behind an '-o insecure-old-server=true' flag which refuses to talk to new servers (so it can't be the default) but don't remove it entirely. PLEASE.

OpenSSH 8.2 released

Posted Feb 20, 2020 14:32 UTC (Thu) by smoogen (subscriber, #97) [Link]

Embedded hardware inside of very expensive capex (say the melter on a steel-mill which is a $10 million minimum replacement or some textile mill or plastic extruder or in a hospital a giant MRI device) usually will be in service for 20 to 40 years. Even when the hardware is serviceble, it is assumed that it will need to interact with other parts which have not been upgraded. so you keep whatever was done at the time of building for at least 20 years. That means all the hardware you finally got upgraded to have ssh in the last 20 years (versus telnet before) is locked with whatever SSL and SSH algorithms from when the base model was manufactured. So an industrial IT department is locked with needing multiple copies of browsers and tools to deal with these 'forced' upgrades.

And after a while, management looks at the costs and dictates to do what @pizza said was the lowest common denominator: turn off ssh/ssl and move back to http and telnet.

OpenSSH 8.2 released

Posted Feb 22, 2020 8:58 UTC (Sat) by niner (subscriber, #26151) [Link]

Well if you're running such equipment, you should be able to afford putting a gateway box in front of the machine running up-to-date software and have your machine only be connected to that box. It shouldn't be that hard to secure that meter of cable between them.

OpenSSH 8.2 released

Posted Feb 22, 2020 16:11 UTC (Sat) by smoogen (subscriber, #97) [Link] Google pm interview cheat sheet.

The issue usually is that would require redesigning other hardware and networks and dealing with budgets that the sysadmin who is stuck trying to fix the perambulator on the wizbang does not have access to. By the time it does get fixed it will be 4-5 years from now and probably 1 or 2 reorgs. Usually the small device you are looking at is going to be under 'operational expenses' while the big hardware is 'capital expenses' and they come from different approval organizations.

If the sysadmin is lucky they can just keep a directory or VM of 'old' software which they fire up to deal with certain things. Otherwise they end up with having to keep a central noc machine running Potato or Woody which talks to all that hardware til finally some sort of filter does happen.

OpenSSH 8.2 released

Posted Mar 3, 2020 0:55 UTC (Tue) by rodgerd (guest, #58896) [Link]

If your switches are stuck on ancient, insecure algorithms and the vendor no longer supports them, they're insecure. So the 'real alternative' would be upgrading to switches that are supported, not security theatre.

Openssh 8.2p1

OpenSSH 8.2 released

Posted Mar 3, 2020 3:32 UTC (Tue) by pizza (subscriber, #46) [Link]

Openssh 8.2p1 Exploit

So does this 'real alternative' include a source of CapEx funding other than the droppings of spherical unicorns?