OpenSSH is an open-source implementation of the Secure Shell (SSH) Protocol, comprising a suite of tools that provide secure and encrypted remote operation, key management and server service.
The popular open-source secure shell tool latest release, OpenSSH 8.2 includes key changes to further secure the remote login channel from advanced cyber-attacks. It adds support for FIDO/U2F hardware authenticator, and has deprecated SSH-RSA public key signature algorithm, with planned move to disable it by default in future releases.
OpenSSH support for FIDO devices is possible by new public key types' ecdsa-sk' and 'ed25519-sk', along with the corresponding certificate types, according to the OpenSSH 8.2 release note.
Why the support for FIDO Universal 2nd Factor authentication?
FIDO U2F is an open authentication standard which enables users to securely access online services using a single security key, without the need for drivers or client software. And FIDO2 is the latest generation of the U2F protocol, necessitated as a result of advanced security threats growing in complexity as hackers are now able to easily break the encryption systems.
It uses tokens which are mostly connected via USB, but could also be attached via Bluetooth or NFC. For OpenSSH, communication with the token is via a middleware library like Yubico's libfido2 which is capable of sharing with any standard USB HID U2F or FIDO2 token.
The hardware security key adds extra layer of authentication to an account on top of the regular password, allowing users to quickly log into their accounts more securely by simply pressing a button after inserting the USB security key.
Deprecation of SSH-RSA public key Signature Algorithm
Initially, OpenSSH uses the SSH-RSA public key Signature Algorithm for generating the public key signature for end-to-end encryption, however given that the SHA-1 algorithm is susceptible to advanced cyber attack, OpenSSH has gone ahead to deprecate the “ssh-rsa” public key algorithm.
For instance, the infamous Spectre and Meltdown, leveraged the OpenSSH application installed on PC, whereby an attacker-owned process exploits memory read vulnerabilities to steal secret SSH private keys from the restricted memory of the system.
Starting with OpenSSH 8.2, it uses alternate methods such as RSA SHA-2 and ssh-ed25519 signature algorithm for better enhanced security, coupled with hardware security key support which enables two-factor authentication for secure connection with a remote device.
No comments