Moving to OpenSSH 5.7 for better certificate support and ECDSA keys

  • OpenSSH 5.4 that ships with pfSense 2.0RC1 introduced a new CA based authentication (X.509 like). It is very simple to setup and greatly simplifies key deployments.

    The certificate format introduced by OpenSSH 5.4 ("v00") has already been deprecated in OpenSSH 5.6 for a new "v01" version and it will no longer be supported about 13 months from now.

    • Revised the format of certificate keys. The new format, identified as
        ssh-{dss,rsa} includes the following changes:
          - Adding a serial number field. This may be specified by the CA at
            the time of certificate signing.

    - Moving the nonce field to the beginning of the certificate where
          it can better protect against chosen-prefix attacks on the
          signature hash (currently infeasible against the SHA1 hash used)
        - Renaming the "constraints" field to "critical options"
        - Addng a new non-critical "extensions" field. The "permit-*"
          options are now extensions, rather than critical options to
          permit non-OpenSSH implementation of this key format to degrade
          gracefully when encountering keys with options they do not
      The older format is still supported for authentication and may still
      be used when signing certificates (use "ssh-keygen -t v00 …").
      The v00 format, introduced in OpenSSH 5.4, will be supported for at
      least one year from this release, after which it will be deprecated
      and removed.

    Now, OpenSSH 5.7 also introduced full support for ECDSA that provides a number of benefits including ultra-small keys and greater security (even compared to RSA4096).

    I'm wondering if there is a plan to switch to OpenSSH 5.6 or 5.7 in a near future. If not, is there a simple way to recompile a newer version myself and add it to my "embedded" distribution?


    PS: BTW, there is security advisory regarding OpenSSH 5.6/5.7 when used to generated "old" V00 certificates. It has been patched in 5.8 and should not be used anyway so it's not a big issue.

  • Rebel Alliance Developer Netgate

    We use whatever version of OpenSSH comes with the base FreeBSD version upon which a given pfSense version is built. Though there is nothing stopping you from using pkg_add to overwrite that with another version.

    Since we don't have any way to do those kinds of certificates in the GUI, it's not likely that we'd upgrade OpenSSH just to support them for 2.0. 2.1 will be based on a newer version of FreeBSD yet (8.2/8.3 at least, maybe 9 depending on the timetable) so it will have whatever comes by then.

  • Thanks for the answer. I understand the policy.

    Is there an easy way for me to add a more recent version of OpenSSH to my 2.0RC1 embedded install (Alix) and make that change permanent?

    Thanks again

  • Rebel Alliance Developer Netgate

    No way to make it "permanent" on any install as it would be overwritten on every upgrade.

    I had thought you could pkg_add -r openssh-portable, but that appears to only be at version 5.2p1.

Log in to reply