Sunday, January 17, 2016

Security Update: openssh

Yesterday there was a security advisory about an OpenSSH client vulnerability that has been present in the code for a few years. Most of the attention usually goes to the server side, but this time the vulnerable part is the client. Instead of backporting the relevant fixes, Pat decided to upgrade the OpenSSH packages in all supported Slackware releases to 7.1p2. As you may know, OpenSSH 7.0 introduced several changes that may be backward-incompatible:
  * Support for the legacy SSH version 1 protocol is disabled by
    default at compile time.
  * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
    is disabled by default at run-time. It may be re-enabled using
    the instructions at http://www.openssh.com/legacy.html
  * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
    by default at run-time. These may be re-enabled using the
    instructions at http://www.openssh.com/legacy.html
  * Support for the legacy v00 cert format has been removed.
  * The default for the sshd_config(5) PermitRootLogin option has
    changed from "yes" to "prohibit-password".
  * PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).
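As an added example (not part of the original post or of Slackware's packaging), here is a small Python audit that reads an existing sshd_config and reports how it will behave after the upgrade: which PermitRootLogin value now applies when the directive is absent, whether Protocol 1 is still requested, and whether the legacy diffie-hellman-group1-sha1 or ssh-dss algorithms have been explicitly re-enabled. The sample config is constructed for illustration.

```python
"""Audit an sshd_config against the OpenSSH 7.0 defaults listed above."""
import re

# Defaults that changed in OpenSSH 7.0 (per the release notes quoted in the post).
NEW_PERMIT_ROOT_LOGIN_DEFAULT = "prohibit-password"
LEGACY_KEX = "diffie-hellman-group1-sha1"   # 1024-bit group, off by default
LEGACY_HOSTKEY = "ssh-dss"                  # DSA host keys, off by default

def parse_sshd_config(text):
    """Map keyword (lower-case) -> first value in the global section.
    sshd honours the first occurrence of a keyword; Match blocks are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                             # per-connection overrides: out of scope
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(text):
    """Report how this config will behave once sshd is upgraded to 7.x."""
    opts = parse_sshd_config(text)
    # A commented-out or absent PermitRootLogin now means prohibit-password, not yes.
    prl = opts.get("permitrootlogin", NEW_PERMIT_ROOT_LOGIN_DEFAULT).lower()
    return {
        "permit_root_login": prl,
        # Only an explicit "yes" still lets root use password/keyboard-interactive auth.
        "root_interactive_allowed": prl == "yes",
        # Protocol 1 is compiled out by default, so this line would no longer work.
        "protocol1_requested": "1" in opts.get("protocol", "2").split(","),
        "legacy_kex_enabled": LEGACY_KEX in opts.get("kexalgorithms", "").split(","),
        "legacy_dss_enabled": LEGACY_HOSTKEY in opts.get("hostkeyalgorithms", "").split(","),
    }

# Constructed sample: a pre-7.0 sshd_config carried over unchanged.
SAMPLE_OLD_CONFIG = """\
Protocol 2
#PermitRootLogin yes
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-dss,ssh-rsa
Match User backup
    PermitRootLogin yes
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to see which of the 7.0 changes will actually affect it before restarting sshd.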