OpenSSH 8.0 Released - Addresses SCP Vulnerability, New SSH Additions

Written by Michael Larabel in BSD on 18 April 2019 at 05:55 AM EDT.
Theo de Raadt and the OpenBSD developers maintaining OpenSSH today unveiled OpenSSH 8.0.

OpenSSH 8.0 carries an important security fix for anyone using scp to copy files to or from remote systems. Until now, when copying files from a remote system to a local directory, scp did not verify that the filenames sent by the server matched what the client had requested. A hostile server could therefore create or clobber unexpected local files with attacker-controlled data, regardless of which file(s) were actually requested from the remote server.

While this client-side checking has been added to scp, the OpenSSH developers recommend against using scp at all and suggest sftp, rsync, or other alternatives instead. "The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead."
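As an added illustration (not OpenSSH's code and not part of the original article), the sketch below shows the kind of client-side filename check described above: each name in a server-sent scp control record must be a single path component that matches the glob the user requested. The function names, the `*.txt` pattern and the sample records are constructed for this example.

```c
/* Added illustration: simplified client-side name check, not OpenSSH source. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if a server-supplied name is acceptable for the requested glob. */
static int name_allowed(const char *name, const char *pattern)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;                       /* must be a single path component */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                       /* never step outside the target dir */
    return fnmatch(pattern, name, 0) == 0;  /* must match what was asked for */
}

/* Check one scp control record of the form "C<mode> <size> <name>\n"
 * (file) or "D<mode> <size> <name>\n" (directory).
 * Returns 1 = accept, 0 = reject the name, -1 = malformed record. */
int check_record(const char *rec, const char *pattern)
{
    unsigned int mode;
    long long size;
    char name[256];

    if (rec[0] != 'C' && rec[0] != 'D')
        return -1;
    if (sscanf(rec + 1, "%o %lld %255[^\n]", &mode, &size, name) != 3)
        return -1;
    if (mode > 07777 || size < 0)
        return -1;
    return name_allowed(name, pattern);
}

int main(void)
{
    /* Constructed records, as a server might send for "scp host:*.txt ." */
    const char *records[] = {
        "C0644 12 notes.txt\n",        /* requested: matches *.txt */
        "C0644 40 unrequested.cfg\n",  /* never asked for */
        "C0644 40 sub/notes.txt\n",    /* contains a path separator */
        "D0755 0 ..\n",                /* parent directory */
        "X0644 1 junk\n",              /* not a C/D record */
    };
    for (size_t i = 0; i < sizeof(records) / sizeof(records[0]); i++)
        printf("%2d  %s", check_record(records[i], "*.txt"), records[i]);
    return 0;
}
```

A client that applies such a check aborts the transfer on the first rejected or malformed record instead of writing the file.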

Meanwhile, new in OpenSSH 8.0 are support for ECDSA keys in PKCS#11 tokens, an experimental quantum-computing-resistant key exchange method, an increase of the default RSA key size from ssh-keygen to 3072 bits, more SSH utilities supporting a "-v" flag for greater verbosity, and a wide range of fixes throughout, including a number of portability fixes.

More details on OpenSSH 8.0 via OpenSSH.com.