Netgate Discussion Forum

    Moving to OpenSSH 5.7 for better certificate support and ECDSA keys

    General pfSense Questions
    alphazo

      OpenSSH 5.4, which ships with pfSense 2.0RC1, introduced a new CA-based authentication (X.509-like). It is very simple to set up and greatly simplifies key deployments.

      The certificate format introduced by OpenSSH 5.4 ("v00") has already been deprecated in OpenSSH 5.6 for a new "v01" version and it will no longer be supported about 13 months from now.

      http://www.openssh.com/txt/release-5.6

      • Revised the format of certificate keys. The new format, identified as
        ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:

          - Adding a serial number field. This may be specified by the CA at
            the time of certificate signing.

          - Moving the nonce field to the beginning of the certificate where
            it can better protect against chosen-prefix attacks on the
            signature hash (currently infeasible against the SHA1 hash used)

          - Renaming the "constraints" field to "critical options"

          - Adding a new non-critical "extensions" field. The "permit-*"
            options are now extensions, rather than critical options to
            permit non-OpenSSH implementation of this key format to degrade
            gracefully when encountering keys with options they do not
            recognize.

        The older format is still supported for authentication and may still
        be used when signing certificates (use "ssh-keygen -t v00 …").
        The v00 format, introduced in OpenSSH 5.4, will be supported for at
        least one year from this release, after which it will be deprecated
        and removed.

      Now, OpenSSH 5.7 also introduced full support for ECDSA, which provides a number of benefits, including ultra-small keys and greater security (even compared to RSA4096).

      I'm wondering if there is a plan to switch to OpenSSH 5.6 or 5.7 in the near future. If not, is there a simple way to recompile a newer version myself and add it to my "embedded" distribution?

      Thanks
      alphazo

      PS: BTW, there is a security advisory regarding OpenSSH 5.6/5.7 when used to generate "old" v00 certificates. It has been patched in 5.8, and v00 should not be used anyway, so it's not a big issue. https://lwn.net/Articles/426458/

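      As an added example (not from this thread, from pfSense or from OpenSSH itself), the following Python encodes and decodes the body of an ssh-rsa-cert-v01@openssh.com certificate in the layout the quoted release notes describe: the nonce sits before the public key, a serial number follows it, and "critical options" and "extensions" are separate fields. The checker applies the rule the notes spell out: a critical option it does not recognise is fatal, an unknown extension is ignored. The RSA modulus, CA key and signature are constructed placeholders (sshd is what verifies the signature); `KNOWN_CRITICAL`, `build_cert`, `check_cert` and `why_rejected` are names chosen for this example.

```python
# Added example: encode/decode an OpenSSH "v01" user certificate body.
# Field order follows the OpenSSH 5.6 release notes (nonce first, then
# serial, critical options, extensions). Key, CA key and signature are
# constructed placeholders; signature verification is left to sshd.
import os
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
USER_CERT = 1
# Critical options this checker understands; anything else must be rejected.
KNOWN_CRITICAL = {"force-command", "source-address"}
DEMO_MODULUS = 0xC0FFEE1234567890  # constructed placeholder, not a real RSA modulus


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian magnitude, leading zero byte if the high bit is set."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")


def _options(opts: dict) -> bytes:
    """critical-options / extensions field: (name, data) string pairs sorted by name.
    Non-empty data (e.g. the force-command text) is itself wrapped as a string."""
    return b"".join(
        _string(name.encode()) + _string(_string(opts[name].encode()) if opts[name] else b"")
        for name in sorted(opts))


class _Reader:
    """Sequential reader for SSH wire-format fields."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0
    def _take(self, n: int) -> bytes:
        if self.off + n > len(self.data):
            raise ValueError("truncated certificate")
        self.off += n
        return self.data[self.off - n:self.off]
    def u32(self) -> int: return struct.unpack(">I", self._take(4))[0]
    def u64(self) -> int: return struct.unpack(">Q", self._take(8))[0]
    def string(self) -> bytes: return self._take(self.u32())
    def strings(self) -> list:
        out = []
        while self.off < len(self.data):
            out.append(self.string())
        return out


def _parse_options(blob: bytes) -> dict:
    items = _Reader(blob).strings()
    if len(items) % 2:
        raise ValueError("malformed options field")
    return {name.decode(): (_Reader(data).string().decode() if data else "")
            for name, data in zip(items[::2], items[1::2])}


def build_cert(*, serial, key_id, principals, valid_after, valid_before,
               critical, extensions, nonce=None) -> bytes:
    """Assemble a v01 RSA user certificate blob with a placeholder signature."""
    nonce = nonce if nonce is not None else os.urandom(32)
    return (_string(CERT_TYPE)
            + _string(nonce)                        # v01: nonce comes before the key
            + _mpint(65537) + _mpint(DEMO_MODULUS)  # RSA e, n (placeholder)
            + struct.pack(">Q", serial)             # v01: serial number field
            + struct.pack(">I", USER_CERT)
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(_options(critical))
            + _string(_options(extensions))
            + _string(b"")                          # reserved
            + _string(b"ca-public-key-placeholder")
            + _string(b"signature-placeholder"))


def check_cert(cert: bytes, principal: str, now: int) -> dict:
    """Parse a v01 cert; unknown critical options fail, unknown extensions are ignored."""
    r = _Reader(cert)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01 certificate")
    nonce = r.string()
    r.string(); r.string()                          # e, n
    serial, cert_type = r.u64(), r.u32()
    key_id = r.string().decode()
    principals = [p.decode() for p in _Reader(r.string()).strings()]
    valid_after, valid_before = r.u64(), r.u64()
    critical = _parse_options(r.string())
    extensions = _parse_options(r.string())
    r.string()                                      # reserved
    r.string(); r.string()                          # CA key, signature (not verified here)
    if r.off != len(cert):
        raise ValueError("trailing data after signature")
    unknown = set(critical) - KNOWN_CRITICAL
    if unknown:
        raise ValueError(f"unknown critical option(s): {sorted(unknown)}")
    if cert_type != USER_CERT:
        raise ValueError("not a user certificate")
    if not valid_after <= now < valid_before:
        raise ValueError("certificate outside its validity window")
    if principal not in principals:
        raise ValueError(f"principal {principal!r} not listed")
    return {"serial": serial, "key_id": key_id, "principals": principals,
            "critical": critical, "extensions": extensions, "nonce_len": len(nonce)}


def why_rejected(cert: bytes, principal: str, now: int) -> str:
    """Return '' if check_cert accepts the certificate, otherwise the reason."""
    try:
        check_cert(cert, principal, now)
        return ""
    except ValueError as exc:
        return str(exc)
```

      In a real deployment the blob comes from `ssh-keygen -s ca_key -I key_id -n principal user_key.pub`, sshd trusts the CA through `TrustedUserCAKeys`, and `ssh-keygen -L -f user_key-cert.pub` prints the same fields this parser extracts; the value of the v01 ordering is that an implementation can stop at the first critical option it does not understand while still accepting certificates that only carry unfamiliar extensions.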
      jimp (Rebel Alliance Developer, Netgate)

        We use whatever version of OpenSSH comes with the base FreeBSD version upon which a given pfSense version is built. Though there is nothing stopping you from using pkg_add to overwrite that with another version.

        Since we don't have any way to do those kinds of certificates in the GUI, it's not likely that we'd upgrade OpenSSH just to support them for 2.0. 2.1 will be based on a newer version of FreeBSD yet (8.2/8.3 at least, maybe 9 depending on the timetable) so it will have whatever comes by then.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          alphazo

          Thanks for the answer. I understand the policy.

          Is there an easy way for me to add a more recent version of OpenSSH to my 2.0RC1 embedded install (Alix) and make that change permanent?

          Thanks again
          Alphazo

            jimp (Rebel Alliance Developer, Netgate)

            No way to make it "permanent" on any install as it would be overwritten on every upgrade.

            I had thought you could pkg_add -r openssh-portable, but that appears to only be at version 5.2p1.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.