
OpenSSH 8.2 was released on 2020-02-14.


It is now possible[1] to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.


Also: DragonFlyBSD Improves Its TMPFS Implementation For Better Throughput Performance

OpenSSH 8.2 Released With FIDO/U2F Support

  • OpenSSH 8.2 Released With FIDO/U2F Support

    OpenSSH 8.2 is out this Valentine's Day as the leading SSH suite. Besides working to disable the SSH-RSA public key signature algorithm due to SHA1 collision attacks, OpenSSH 8.2 also comes with new features.

    The shiny new feature of OpenSSH 8.2 is support for FIDO/U2F hardware authenticators. FIDO/U2F two-factor authentication hardware can now work with OpenSSH 8.2+, and ssh-keygen can be used to generate a FIDO token-backed key. Communication to the hardware token with OpenSSH is managed by a middleware library specified via the SSH/SSHD configuration, including the option for its own built-in middleware for supporting USB tokens.

OpenSSH adds support for FIDO/U2F security keys

New Qt5 and OpenSSH in [Slackware] Current

  • New Qt5 and OpenSSH in [Slackware] Current

    Another big thing happening in -current is the new OpenSSH 8.2 release which will bring some incompatible changes, especially if you are still using ssh-rsa as the algorithm. To test whether your machine is affected, try to run this command in your shell

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

    If you managed to connect using the above command, it means that your OpenSSH software is fine, but if you don't, then it needs to be upgraded.
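The check above can also be read off `ssh -vv` output without a second connection attempt. The following is an added example, not part of the quoted post or of OpenSSH: it compares the client and server host key algorithm lists from the debug log and reports what is left once ssh-rsa is removed. The function names and both sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ssh -vv` debug output on stdin and prints the first
# host key algorithm, in client preference order, that both sides offer once
# ssh-rsa is excluded. Returns 1 when ssh-rsa is the only overlap.
hostkey_without_ssh_rsa() {
    awk '
        /local client KEXINIT proposal/ { side = "client" }
        /peer server KEXINIT proposal/  { side = "server" }
        /host key algorithms: / {
            sub(/.*host key algorithms: /, "")
            sub(/\r$/, "")
            list[side] = $0
        }
        END {
            n = split(list["client"], c, ",")
            m = split(list["server"], s, ",")
            for (j = 1; j <= m; j++) offered[s[j]] = 1
            for (i = 1; i <= n; i++)
                if (c[i] != "ssh-rsa" && (c[i] in offered)) { print c[i]; exit 0 }
            exit 1
        }'
}

# Constructed sample: old server whose only host key algorithm is ssh-rsa.
LEGACY_LOG='debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa'

# Constructed sample: server with only an RSA host key, but able to sign
# with the SHA-2 based rsa-sha2-* algorithms (RFC 8332).
RSA_SHA2_LOG='debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa'

report() {  # $1 = label, $2 = debug log text
    if alg=$(printf '%s\n' "$2" | hostkey_without_ssh_rsa); then
        echo "$1: ok, falls back to $alg"
    else
        echo "$1: affected, ssh-rsa is the only shared host key algorithm"
    fi
}
report legacy "$LEGACY_LOG"
report rsa-sha2 "$RSA_SHA2_LOG"
```

The second sample shows that an existing RSA host key is not a problem in itself: the same key works with rsa-sha2-256 and rsa-sha2-512, and only the SHA-1 based ssh-rsa signature algorithm is being phased out.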

Corbet at LWN

  • OpenSSH 8.2 released

    OpenSSH 8.2 is out. This release removes support for the ssh-rsa key algorithm, which may disrupt connectivity to older servers; see the announcement for a way to check whether a given server can handle newer, more secure algorithms. Also new in this release is support for FIDO/U2F hardware tokens.

OpenSSH Now Supports FIDO/U2F Security Keys

  • OpenSSH Now Supports FIDO/U2F Security Keys

    OpenSSH is, by far, the single most popular tool for logging into remote servers and desktops. SSH logins are generally considered fairly safe, but not 100%. If you’re not satisfied with the out-of-the-box security offered by OpenSSH, you can always opt to go with SSH key authentication. If that’s not enough, there’s always 2 Factor Authentication, which would then require you to enter a PIN generated by an application such as OTPClient or Authy.

    As of OpenSSH 8.2, there’s a newly supported option, FIDO/U2F security keys. What this means is that you can now use 2FA hardware keys (such as the YubiKey) to authenticate your SSH login attempt.

    2FA is often considered the easiest method of adding an additional layer of security to SSH logins. However, for many, Hardware Keys are considered the single most secure means of preventing hackers from brute-forcing your SSH passwords. To make things easy, the OpenSSH developers have made it possible to generate a FIDO token-backed key using the ssh-keygen command. So anyone used to creating SSH keys shouldn’t have any problem getting up to speed with integrating hardware keys into SSH.
