OpenSSH 10.3 Addresses Five Security Vulnerabilities and Retires Legacy Rekeying Feature


OpenSSH 10.3 Released

The latest version of OpenSSH, 10.3, has been released with significant security fixes and feature enhancements.

Key Changes

  • Legacy Rekeying Support Removed: OpenSSH 10.3 drops legacy rekeying support, making it incompatible with SSH clients and servers that do not support rekeying.
  • Shell Injection via SSH User Names: A vulnerability in the SSH client allows shell metacharacters in user names to be expanded, potentially leading to arbitrary shell command execution.
  • Certificate Principal Matching Bug: A bug in the sshd service incorrectly matches authorized_keys principals against principals listed in a certificate, affecting user-trusted CA keys.
  • Empty Certificate Principals Now Treated as Non-Matching: An empty principals section in a certificate is now treated as never matching any principal, preventing unintentional access.
  • ECDSA Algorithm Enforcement Fixed: sshd now correctly enforces the specified algorithms for ECDSA keys.
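Two of the fixes above concern input the application itself controls: the login name a client hands to ssh(1), and the certificate principals sshd compares against an authorized_keys `principals=` list. The following is an added example (not OpenSSH project code) of the corresponding defender-side checks in Python: an allowlist for user names taken from untrusted sources before they are passed to ssh, and the certificate-principal rule as the release notes state it, where an empty principals section never matches. The allowlist pattern, the helper names and the exact-string comparison of principals are assumptions of this example, not OpenSSH's internal implementation.

```python
"""Defender-side checks modelled on two OpenSSH 10.3 fixes (added example,
not OpenSSH code): safe ssh user names, and certificate principal matching
where an empty principal list never matches."""
import re
import shlex
from typing import List, Optional, Sequence

# Assumed allowlist for login names that will be passed to ssh(1):
# letters, digits, '.', '_' and '-', no leading '-', no shell
# metacharacters, whitespace or control characters, at most 32 chars.
_SAFE_USER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")


def is_safe_ssh_user(name: str) -> bool:
    """True if `name` contains only characters from the allowlist."""
    return bool(_SAFE_USER.fullmatch(name))


def build_ssh_argv(user: str, host: str, remote_cmd: Sequence[str]) -> List[str]:
    """Build an argv for ssh with no local shell involved.

    Rejects user names that fail the allowlist, so a value such as
    '$(id)' or 'a;b' from an untrusted source never reaches ssh at all.
    The remote command is quoted for the remote shell only.
    """
    if not is_safe_ssh_user(user):
        raise ValueError("refusing unsafe ssh user name: %r" % (user,))
    if not host or host.startswith("-"):
        raise ValueError("refusing host that looks like an option: %r" % (host,))
    # -l keeps the user name out of the user@host string entirely.
    return ["ssh", "-l", user, host, shlex.join(remote_cmd)]


# authorized_keys option of the form principals="alice,bob" (sshd(8)).
_PRINCIPALS_OPT = re.compile(r'(?:^|[ ,])principals="([^"]*)"')


def parse_principals_option(authorized_keys_line: str) -> Optional[List[str]]:
    """Return the principals listed in a principals="..." option, or None
    when the authorized_keys line carries no such option."""
    m = _PRINCIPALS_OPT.search(authorized_keys_line)
    if m is None:
        return None
    return [p for p in m.group(1).split(",") if p]


def cert_principals_match(allowed: Sequence[str], cert_principals: Sequence[str]) -> bool:
    """Rule as stated for OpenSSH 10.3: a certificate whose principals
    section is empty matches nothing; otherwise at least one certificate
    principal must appear in the allowed list (exact comparison here)."""
    if not cert_principals:
        return False
    return any(p in allowed for p in cert_principals)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for candidate in ("deploy", "$(id)", "a;b", "-oProxyCommand=x"):
        print("%-18r safe=%s" % (candidate, is_safe_ssh_user(candidate)))
    print(build_ssh_argv("deploy", "host.example", ["uptime", "-p"]))

    ak_line = 'cert-authority,principals="alice,bob" ssh-ed25519 AAAA... ca@example'
    allowed = parse_principals_option(ak_line) or []
    for cert in ([], ["bob"], ["carol"]):
        print("cert principals %-10r match=%s" % (cert, cert_principals_match(allowed, cert)))
```

Running the block prints the allowlist verdict for each constructed name, the argv that would be executed for the safe one, and the match result for an empty, an allowed, and a non-allowed certificate principal list.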

“According to the OpenSSH team, the goal of removing legacy rekeying support is to improve overall security and ensure that deployments using non-standard or legacy SSH software verify rekeying support before upgrading.”

New Features and Improvements

  • Per-Source Penalties and Connection Diagnostics: sshd introduces per-source penalties and connection diagnostics, improving performance and security.
  • Multiplexing Commands: New multiplexing commands have been added to provide better control over connection information.
  • GSSAPIDelegateCredentials Server Option: A new server option has been introduced to control delegated credentials acceptance.
  • ED25519 Keys in PKCS8 Format: Support for writing ED25519 keys in PKCS8 format has been added to ssh-keygen.
  • RevokedHostKeys Directive: Multiple files can now be accepted by the RevokedHostKeys directive in ssh_config.

Additional changes include fixes for PKCS#11 key PIN entry problems, FIDO/WebAuthn certificate signature handling improvements, an sshd crash fix, and a PAM username confusion fix.
