OpenSSH 8.0 Released - Addresses SCP Vulnerability, New SSH Additions
Written by Michael Larabel in BSD on 18 April 2019 at 05:55 AM EDT. 12 Comments
BSD --
Theo de Raadt and the OpenBSD developers maintaining OpenSSH today unveiled OpenSSH 8.0.

OpenSSH 8.0 does have an important security fix if you use scp for copying files to/from remote systems. Up until now when copying files from remote systems to a local directory, SCP was not verifying the filenames of what was being sent from the server to client and that could allow a hostile server to create or clobber unexpected local files with attack-controlled data regardless of what file(s) were actually requested for copying from the remote server.

While this client-side checking has been added to SCP, the OpenSSH developers recommend against using it and instead use sftp, rsync, or other alternatives. "The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead."

New to OpenSSH 8.0 meanwhile is support for ECDSA keys in PKCS#11 tokens, experimental quantum-computing resistant key exchange method, the default RSA key size from ssh-keygen has been increased to 3072 bits, more SSH utilities supporting a "-v" flag for greater verbosity, and a wide range of fixes throughout including a number of portability fixes.

More details on OpenSSH 8.0 via OpenSSH.com.

About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related BSD News
Popular News This Week