Bug 7961 - Upgrade OpenSSH
Summary: Upgrade OpenSSH
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.15.0
Assignee: Pierre Ossman
URL:
Keywords: relnotes, samuel_tester
Depends on:
Blocks: 7535
  Show dependency treegraph
 
Reported: 2022-07-04 13:10 CEST by William Sjöblom
Modified: 2023-05-25 09:40 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Attachments

Description William Sjöblom cendio 2022-07-04 13:10:20 CEST
We are currently using OpenSSH 8.7p1. We should upgrade OpenSSH to the latest version 9.0p1 (released 2022-04-08) and in turn upgrade OpenSSL and potentially other dependencies.
Comment 1 William Sjöblom cendio 2022-07-04 13:42:30 CEST
We are currently on OpenSSL 3.0.0 with the latest release being 3.0.4 (released 2022-06-21).
Comment 2 Pierre Ossman cendio 2022-07-04 15:44:40 CEST
Vulnerabilities affecting 3.0.0:

> CVE-2021-4044 
> CVE-2022-0778
> CVE-2022-1343

X.509, so not something we use.

> CVE-2021-4160

Only MIPS.

> CVE-2022-1292
> CVE-2022-2068

Affects the c_rehash script, which we don't use.

> CVE-2022-1434

Affects old cipher suite that isn't even compiled in.

> CVE-2022-1473

Doesn't look like it is relevant for OpenSSH's usage.

> CVE-2022-2274

Doesn't affect 3.0.0, but it does affect 3.0.4, so we need to include the fix for this.
Comment 3 Pierre Ossman cendio 2022-07-04 16:03:05 CEST
There is also CVE-2018-25032 for zlib. However, it seems irrelevant since it only affects non-standard settings. I cannot find any use of the referenced settings in our tree.
Comment 7 Pierre Ossman cendio 2022-07-06 14:02:21 CEST
Tested zlib by running a new client and server and seeing that graphics update still look correct.

Tested libtasn1 by checking that the client can still parse smart card certificates.
Comment 15 Pierre Ossman cendio 2022-07-06 16:58:31 CEST
A quick test has been done for x86_64, win32 and osx64. No obvious problems right now, but a more thorough test run is needed.
Comment 16 Pierre Ossman cendio 2022-07-07 13:13:49 CEST
I don't see any noteworthy user visible changes apart from the ssh-rsa deprecation, so that's all I've put in the release notes.
Comment 17 Pierre Ossman cendio 2022-07-07 15:33:40 CEST
Tested with SLES 12 as the server, and clients:

 * Linux (Fedora 35)
 * Windows 11 (32-bit and 64-bit)
 * macOS 12 (native)

Tested

 * Password auth
 * Public key auth
 * Smart card auth
 * Tunnels (smart cards and audio)

Also checked the log files for each run and didn't see anything suspicious.
Comment 18 William Sjöblom cendio 2022-07-07 15:46:55 CEST
Tested Kerberos auth against a Fedora 36 machine running server build #2744 with Client build #2648 on:
• ☑ Windows 11 (64-bit build)
• ☑ Windows 11 (32-bit build)
• ☑ Fedora 36 (AMD64)
• ☑ macOS (x86)

Log files looking good!
Comment 19 William Sjöblom cendio 2022-07-07 16:29:53 CEST
Tested the armhf client from client build #2648 on Ubuntu 13.04:
• ☑ Password
• ☑ Public key
• ☑ Kerberos
• ☑ Smart card

No surprises and the logs look very normal :)
Comment 20 William Sjöblom cendio 2022-07-08 09:30:49 CEST
I also did some torture-testing of the SSH transport part of the armhf client. This was done by showing an animated full-screen RGB noise (to make things hard for the application layer compression) and playing audio in the background.

This resulted in an average SSH CPU usage of roughly 50% for client build #2648 and somewhat higher for the 4.14.0 client. Memory usage was negligible for both clients. So, we seemingly have no obvious performance regressions in the upgraded SSH client.
Comment 21 Pierre Ossman cendio 2022-07-08 10:02:51 CEST
It tested performance on x86_64 as well by playing a YouTube video at full screen. No noticeable difference compared to 4.14.0 there either. Possibly a slight reduction in CPU usage.
Comment 22 Pierre Ossman cendio 2022-07-08 10:04:27 CEST
Everything seems to work fine.

For testing, things affected are:

 * ssh and openssl (transport, auth)
 * libtasn1 (cert reading)
 * zlib (compression in various places, most prominently in vnc)
Comment 23 Pierre Ossman cendio 2022-07-11 09:06:31 CEST
Also pushed one of our local modifications upstream:

https://github.com/openssh/openssh-portable/pull/330
Comment 24 Samuel Mannehed cendio 2022-07-28 15:36:46 CEST
I have tested client build 2665 and server build 2760. I tested the server on Fedora 36 and Ubuntu 22.04. I performed all tests on the following client platforms:

 * Fedora 36
 * Windows 11
 * macOS 12.4 (M1)

I verified the following:

 ✓ Accepting server host key works

 ✓ Password authentication
    ✓ Wrong password is rejected
    ✓ Correct password logs in

 ✓ OTP with Google-Authenticator
    ✓ Incorrect PIN is rejected
    ✓ Correct PIN logs in

 ✓ Kerberos authentication
    ✓ No ticket is rejected
    ✓ Ticket for wrong user is rejected
    ✓ Correct ticket logs in

 ✓ Public key authentication
    ✓ The public part of the key pair doesn't work
    ✓ Non existing file doesn't work
    ✓ A private key with too open permissions is rejected
    ✓ A key with too short length is rejected
    ✓ A proper private key logs in

 ✓ Smart card authentication
    ✓ Our smart card certificate filters work
    ✓ Incorrect PIN is rejected
    ✓ Correct PIN logs in
    ✓ Mapping of certificate to username works
    ✓ Auto connect works when only one certificate is available
    ✓ Auto disconnect works when unplugging the smart card reader
    ✓ Auto disconnect works when removing the smart card

 ✓ Playing a YouTube video in the session
    ✓ Graphical updates work well
    ✓ Audio playback works well and is synced with the image
    ✓ CPU usage of ssh process looks the same comparing to 4.14.0

All good!

I also took the opportunity to write updated tutorials for setting up OTP and Smart card authentication:

https://community.thinlinc.com/t/how-to-set-up-one-time-password-otp-authentication-in-thinlinc/409
https://community.thinlinc.com/t/how-to-set-up-authentication-in-thinlinc-with-pkcs-15-smart-cards/408

And I clarified our instructions for using our LAB.LKPG.CENDIO.SE kerberos test realm.

Note You need to log in before you can comment on or make changes to this bug.