According to the change log, OpenSSH 9.0 suffered a “near miss” – a potential vulnerability that was found and fixed before anyone could attempt to exploit it:

“Near miss in sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions.  This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since OpenBSD 3.2 (released in 2002) and has been mandatory since OpenBSD 6.1 (released in 2017).”

This is interesting for several reasons:

1. While finding and fixing potential vulnerabilities is basic development work (indeed, security holes are always coding errors), what’s interesting here is that it’s one of the most widely-deployed, heavily-attacked piece of software in the world.
2. OpenBSD’s process of continual code auditing (like painting the Golden Gate bridge – get to the end and restart) paid off again.
3. The project’s philosophy of privilege separation worked exactly as it should.  This barrier prevented any exploitation of the bug.

Kudos to OpenBSD for finding and fixing, and always being transparent.

The OpenSSH project has also been looking to protect users against sophisticated snooping.

Starting with 9.0, OpenSSh defaults to the NTRU Prime algorithm, which is considered to be quantum-resistant.  According to Wikipedia:

“Unlike RSA and elliptic-curve cryptography, NTRU is not known to be vulnerable to attacks on quantum computers. The National Institute of Standards and Technology wrote in a 2009 survey that “[there] are viable alternatives for both public key encryption and signatures that are not vulnerable to Shor’s Algorithm” and that “[of] the various lattice based cryptographic schemes that have been developed, the NTRU family of cryptographic algorithms appears to be the most practical”. The European Union’s PQCRYPTO project (Horizon 2020 ICT-645622) is evaluating the provably secure Stehle–Steinfeld version of NTRU (not original NTRU algorithm itself) as a potential European standard. However the Stehle–Steinfeld version of NTRU is “significantly less efficient than the original scheme”.”

Older technologies are still available but I suspect will be phased out down the road once OpenSSH 9+ has gained ubiquity.

• Author
• Recent Posts

raindog308

Dread Lord of LowEnd Content at LowEndBox

I'm raindog308, techno polymath and long-time LowEndTalk community Administrator. My technical interests include all things Unix, perl, python, golang, shell scripting, vintage operating systems such as MVS, and relational database systems such as Oracle, PostgreSQL, and MySQL.

I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.

I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308

Latest posts by raindog308 (see all)

• Setup a Highly Available WordPress Site From Scratch, 2024 Edition!Part 6: MariaDB Multi-Master - April 16, 2024
• Setup a Highly Available WordPress Site From Scratch, 2024 Edition!Part 5: WordPress Install - April 15, 2024
• Setup a Highly Available WordPress Site From Scratch, 2024 Edition!Part 4: Gluster - April 14, 2024