OpenSSH 6.2 has been released. OpenSSH is an open implementation of an SSH client and server for the SSH protocols (versions 1.3, 1.5 and 2.0) and SFTP.

The most notable changes:

– Added support for requiring multiple authentication methods in SSH protocol 2. The methods are listed in the new sshd_config directive AuthenticationMethods, which takes one or more comma-separated lists of method names. Authentication succeeds only when every method in one of the lists has completed successfully, in the order given; sshd offers a method only when it is next in at least one list. For example, it is possible to require public-key or GSSAPI authentication before password authentication;
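
An sshd_config fragment, added here as an illustration and not taken from the release announcement, showing the directive in use (the group name and network in the Match block are assumptions):

```text
# sshd_config fragment (added example). Every method named in
# AuthenticationMethods must also be enabled by its own directive,
# otherwise that chain can never complete and users are locked out.
PubkeyAuthentication yes
PasswordAuthentication yes
GSSAPIAuthentication yes

# Without AuthenticationMethods each enabled method is sufficient on its
# own, so a phished password or a copied key file is enough to log in.
# With it, each comma-separated list is one acceptable chain and lists are
# separated by spaces. Here a key OR a GSSAPI ticket must succeed first;
# "password" is not offered to the client until that step is done.
AuthenticationMethods publickey,password gssapi-with-mic,password

# AuthenticationMethods is accepted inside Match blocks, so exceptions
# can be scoped: key-only logins for a deployment group from one network.
Match Group deploy Address 10.20.0.0/16
    AuthenticationMethods publickey
```

Check the file with `sshd -t` before restarting, and keep an existing session open while testing: a chain that names a disabled or unavailable method (no GSSAPI library, no PAM) blocks every login that depends on it.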

– The SSH protocol 2 implementation gained authenticated encryption with the AES-GCM block cipher mode, which protects the integrity of the encrypted stream itself. The new ciphers are available as aes128-gcm@openssh.com and aes256-gcm@openssh.com; they use the same packet format as AES-GCM as defined in RFC 5647, but with simpler and different selection rules during key exchange;

– The SSH protocol 2 implementation added, and enables by default, encrypt-then-MAC (EtM) variants of all MAC (Message Authentication Code) algorithms. In these modes the MAC is computed over the packet length and the encrypted packet rather than over the plaintext, so the receiver verifies integrity before it decrypts anything. This construction is considered more secure;

– Added the UMAC-128 MAC algorithm, also available in encrypt-then-MAC form;
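
An added configuration example (not from the announcement) with the algorithm names spelled exactly as OpenSSH expects them, for the three items above:

```text
# sshd_config or ssh_config fragment (added example). The list is in
# preference order on the side that specifies it. The GCM ciphers and the
# EtM MACs carry the @openssh.com suffix; plain "aes128-gcm" is unknown.
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Encrypt-then-MAC variants end in -etm@openssh.com. When a GCM cipher is
# negotiated the cipher authenticates the packet itself and the MAC choice
# does not apply; the MACs line still governs the CTR fallbacks.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
```

Both peers need at least one cipher and one MAC in common or the connection fails at key exchange, so tighten clients before servers (or keep a CTR and a non-EtM fallback until every client is on 6.2 or later). `ssh -vv host` prints the negotiated algorithms in its `kex:` debug lines.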

– sshd and ssh-keygen gained support for KRLs (Key Revocation Lists), a compact binary format for lists of revoked keys and certificates that needs as little as one bit per certificate when revoking certificates by serial number. KRLs are generated with ssh-keygen, which can also test keys against a KRL with -Q; sshd loads a KRL from the file path given in the RevokedKeys directive;
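
A worked example of the KRL workflow, added here and not taken from the OpenSSH project: it builds a throwaway CA and two certificates, revokes one by serial number, tests both certificates against the KRL, then extends the KRL in place. The key names, key IDs, serial numbers and temporary directory are all constructed for the demo; it needs ssh-keygen from OpenSSH 6.2 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the OpenSSH release notes or source): generate a
# KRL with "ssh-keygen -k", revoke a certificate by serial number, check
# certificates against it with "ssh-keygen -Q", then extend the KRL with -u.
set -e

# krl_check KRL CERT: print "CERT: ok" or "CERT: REVOKED".
# ssh-keygen -Q exits non-zero when any listed key is revoked.
krl_check() {
    if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then
        printf '%s: ok\n' "${2##*/}"
    else
        printf '%s: REVOKED\n' "${2##*/}"
    fi
}

# krl_demo: build a CA and two certificates, revoke serial 42, check both,
# then add serial 43 with an in-place update (-u) and check again.
krl_demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not available"
        return 0
    fi
    d=$(mktemp -d)

    # Constructed CA and user keys (names are arbitrary for the demo).
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$d/ca"
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$d/alice"
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$d/bob"

    # Sign with explicit serial numbers (-z). Revocation by serial is what
    # lets a KRL stay at one bit per certificate, so always assign them.
    ssh-keygen -q -s "$d/ca" -I alice-laptop -n alice -z 42 "$d/alice.pub"
    ssh-keygen -q -s "$d/ca" -I bob-laptop   -n bob   -z 43 "$d/bob.pub"

    # KRL spec file. Other accepted line forms: "serial: 10-20" (a range),
    # "id: <key id>", "key: <pubkey file>", "sha1: <pubkey file>".
    # -s names the CA whose certificates the serial refers to; -z here is
    # the KRL version number, not a certificate serial.
    printf 'serial: 42\n' > "$d/revoke.spec"
    ssh-keygen -q -k -f "$d/revoked.krl" -s "$d/ca.pub" -z 1 "$d/revoke.spec"

    krl_check "$d/revoked.krl" "$d/alice-cert.pub"
    krl_check "$d/revoked.krl" "$d/bob-cert.pub"

    # Incremental update: bump the KRL version and revoke serial 43 as well.
    printf 'serial: 43\n' > "$d/revoke2.spec"
    ssh-keygen -q -k -u -f "$d/revoked.krl" -s "$d/ca.pub" -z 2 "$d/revoke2.spec"
    echo "after update:"
    krl_check "$d/revoked.krl" "$d/bob-cert.pub"

    rm -rf "$d"
}

krl_demo
```

Expected output is `alice-cert.pub: REVOKED`, `bob-cert.pub: ok`, then `bob-cert.pub: REVOKED` after the update. On the server the file is activated with `RevokedKeys /etc/ssh/revoked.krl` in sshd_config; sshd re-reads it on each authentication, so distributing a new KRL takes effect without a restart, and the version number passed with -z gives you a way to confirm which revision a host has.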

– The sshd directive AllowTcpForwarding now accepts the values “local” and “remote” in addition to the existing “yes” and “no”, so local (-L) and remote (-R) port forwarding can be permitted separately;

– Added a new sshd directive AuthorizedKeysCommand, which obtains authorized_keys content from the output of an arbitrary command instead of only from a file on disk. The user account under which the command runs to produce the authorized_keys data is set with the AuthorizedKeysCommandUser directive;
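
A minimal AuthorizedKeysCommand helper, added here as an example and not part of OpenSSH. The install path, the dedicated user name and the per-user key directory are assumptions; the point it demonstrates is that the single argument sshd passes is the client-supplied login name and must be validated before it touches a filesystem path.

```shell
#!/bin/sh
# Added example, not part of OpenSSH. Intended for sshd_config lines such as
#   AuthorizedKeysCommand /usr/local/sbin/ssh-lookup-keys
#   AuthorizedKeysCommandUser sshkeys
# (both values are assumptions). In OpenSSH 6.2 sshd runs the command with
# exactly one argument, the login name being authenticated, and reads
# authorized_keys-format lines from its stdout. The script must be owned by
# root, not group/world writable, and named by absolute path; it runs with
# the privileges of AuthorizedKeysCommandUser, so that user needs read access
# to the key store and nothing else.

# Assumed key store: one file per user.
KEYDIR=${KEYDIR:-/etc/ssh/authorized_keys.d}

# lookup_keys USER [DIR]: print USER's keys with comments and blank lines
# stripped, or print nothing and return 1 when there are none.
lookup_keys() {
    user=$1
    dir=${2:-$KEYDIR}
    # The name comes straight from the client. Accept only a conservative
    # character set and no leading dot, so it can never become ".", "..",
    # an absolute path or a path containing separators.
    case $user in
        '' | .* | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -f "$dir/$user" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$dir/$user"
}

# Entry point used by sshd: exactly one argument. Exit 0 even when no keys
# are found: empty output already denies the login, whereas a non-zero exit
# status is logged as an error and fails the lookup outright.
if [ $# -eq 1 ]; then
    lookup_keys "$1" || :
fi
```

Test it the same way sshd will call it, as the command user: `sudo -u sshkeys /usr/local/sbin/ssh-lookup-keys alice`. Anything else the command needs (an LDAP query, an HTTP call to a key server) goes inside `lookup_keys`; keep the output to bare `authorized_keys` lines, since option fields such as `from=` and `command=` in that output are honoured exactly as they would be in the file.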

– sftp-server gained the “-d” option, which sets the starting directory to a path other than the user's home directory;

– ssh-keygen can now print the fingerprints of keys stored in a PKCS#11 token: “ssh-keygen -lD pkcs11_provider”;

– When ssh is configured for protocol version 2 only (the default), it now sends its protocol version banner immediately instead of waiting for the server's banner first, which shortens connection setup;

– ssh gained the escape sequences “~v” and “~V” to increase or decrease the logging verbosity of a running session. The “~?” escape help is now context-sensitive and lists only the commands applicable in the current state;

– In the portable version, sshd's seccomp-filter sandbox is now available on Linux systems built for the ARM architecture.
