Copssh version 5.8.0 bundle contains 32/64-bit client/server installers containing the latest OpenSSH 7.4p1 with potentially-incompatible changes, security and bug fixes:
This release includes a number of changes that may affect existing
* This release removes server support for the SSH v.1 protocol.
* ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
only mandatory cipher in the SSH RFCs, this may cause problems
connecting to older devices using the default configuration,
but it's highly likely that such devices already need explicit
configuration for key exchange and hostkey algorithms already
* sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.
* ssh-agent will refuse to load PKCS#11 modules outside a whitelist
of trusted paths by default. The path whitelist may be specified
* sshd(8): When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, sshd will now
refuse to accept the certificate unless they are identical.
The previous (documented) behaviour of having the certificate
forced-command override the other could be a bit confusing and
* sshd(8): Remove the UseLogin configuration directive and support
for having /bin/login manage login sessions.
Changes since OpenSSH 7.3
This is primarily a bugfix release.
* ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
outside a trusted whitelist (run-time configurable). Requests to
load modules could be passed via agent forwarding and an attacker
could attempt to load a hostile PKCS#11 module across the forwarded
agent channel: PKCS#11 modules are shared libraries, so this would
result in code execution on the system running the ssh-agent if the
attacker has control of the forwarded agent-socket (on the host
running the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the ssh
client). Reported by Jann Horn of Project Zero.
* sshd(8): When privilege separation is disabled, forwarded Unix-
domain sockets would be created by sshd(8) with the privileges of
'root' instead of the authenticated user. This release refuses
Unix-domain socket forwarding when privilege separation is disabled
(Privilege separation has been enabled by default for 14 years).
Reported by Jann Horn of Project Zero.
* sshd(8): Avoid theoretical leak of host private key material to
privilege-separated child processes via realloc() when reading
keys. No such leak was observed in practice for normal-sized keys,
nor does a leak to the child processes directly expose key material
to unprivileged users. Reported by Jann Horn of Project Zero.
* sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds checks that could be elided by
some optimising compilers. Additionally, this memory manager was
incorrectly accessible when pre-authentication compression was
disabled. This could potentially allow attacks against the
privileged monitor process from the sandboxed privilege-separation
process (a compromise of the latter would be required first).
This release removes support for pre-authentication compression
from sshd(8). Reported by Guido Vranken using the Stack unstable
optimisation identification tool (http://css.csail.mit.edu/stack/)
* sshd(8): Fix denial-of-service condition where an attacker who
sends multiple KEXINIT messages may consume up to 128MB per
connection. Reported by Shi Lei of Gear Team, Qihoo 360.
* sshd(8): Validate address ranges for AllowUser and DenyUsers
directives at configuration load time and refuse to accept invalid
ones. It was previously possible to specify invalid CIDR address
ranges (e.g. email@example.com/55) and these would always match,
possibly resulting in granting access where it was not intended.
Reported by Laurence Parry.
* ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
version in PuTTY by Simon Tatham. This allows a multiplexing
client to communicate with the master process using a subset of
the SSH packet and channels protocol over a Unix-domain socket,
with the main process acting as a proxy that translates channel
IDs, etc. This allows multiplexing mode to run on systems that
lack file- descriptor passing (used by current multiplexing
code) and potentially, in conjunction with Unix-domain socket
forwarding, with the client and multiplexing master process on
different machines. Multiplexing proxy mode may be invoked using
"ssh -O proxy ..."
* sshd(8): Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
as anything else we might implement in the future. Like the
'restrict' authorized_keys flag, this is intended to be a simple
and future-proof way of restricting an account.
* sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method named
* sshd(8): Improve handling of SIGHUP by checking to see if sshd is
already daemonised at startup and skipping the call to daemon(3)
if it is. This ensures that a SIGHUP restart of sshd(8) will
retain the same process-ID as the initial execution. sshd(8) will
also now unlink the PidFile prior to SIGHUP restart and re-create
it after a successful restart, rather than leaving a stale file in
the case of a configuration error. bz#2641
* sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.
* sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
those supported by AuthorizedKeysCommand (key, key type,
fingerprint, etc.) and a few more to provide access to the
contents of the certificate being offered.
* Added regression tests for string matching, address matching and
string sanitisation functions.
* Improved the key exchange fuzzer harness.
* ssh(1): Allow IdentityFile to successfully load and use
certificates that have no corresponding bare public key. bz#2617
certificate id_rsa-cert.pub (and no id_rsa.pub).
* ssh(1): Fix public key authentication when multiple
authentication is in use and publickey is not just the first
method attempted. bz#2642
* regress: Allow the PuTTY interop tests to run unattended. bz#2639
* ssh-agent(1), ssh(1): improve reporting when attempting to load
keys from PKCS#11 tokens with fewer useless log messages and more
detail in debug messages. bz#2610
* ssh(1): When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet.
* sftp(1): On ^Z wait for underlying ssh(1) to suspend before
suspending sftp(1) to ensure that ssh(1) restores the terminal mode
correctly if suspended during a password prompt.
* ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
* ssh(1), sshd(8): Correctly report errors during sending of ext-
* sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
sequence NEWKEYS message.
* sshd(8): Correct list of supported signature algorithms sent in
the server-sig-algs extension. bz#2547
* sshd(8): Fix sending ext_info message if privsep is disabled.
* sshd(8): more strictly enforce the expected ordering of privilege
separation monitor calls used for authentication and allow them
only when their respective authentication methods are enabled
in the configuration
* sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
on Unix/BSD but potentially crashy on Cygwin.
* Fix false positive reports caused by explicit_bzero(3) not being
recognised as a memory initialiser when compiled with
* sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
* On environments configured with Turkish locales, fall back to the
C/POSIX locale to avoid errors in configuration parsing caused by
that locale's unique handling of the letters 'i' and 'I'. bz#2643
* sftp-server(8), ssh-agent(1): Deny ptrace on OS X using
* ssh(1), sshd(8): Unbreak AES-CTR ciphers on old (~0.9.8) OpenSSL.
* Fix compilation for libcrypto compiled without RIPEMD160 support.
* contrib: Add a gnome-ssh-askpass3 with GTK+3 support. bz#2640
* sshd(8): Improve PRNG reseeding across privilege separation and
force libcrypto to obtain a high-quality seed before chroot or
* All: Explicitly test for broken strnvis. NetBSD added an strnvis
and unfortunately made it incompatible with the existing one in
OpenBSD and Linux's libbsd (the former having existed for over ten
years). Try to detect this mess, and assume the only safe option
if we're cross compiling.