suSSHi Gateway
Overview
Release | Upgrade Path | Image
---|---|---
24.09 | >= 20.08 |
24.02 | >= 20.08 |
24.01 | >= 20.08 |
23.10 | >= 20.08 |
22.10 | >= 20.08 |
21.12 | >= 20.08 |
21.10 | >= 20.08 |
21.05.2 | >= 20.08 |
21.03 | >= 20.08 |
20.08.2 | >= 19.12 |
20.06 | >= 19.12 |
20.05 | >= 19.12 |
Release 24.09
Information
This release also includes library and container updates.
Improvements
Add support for the ChaCha20-Poly1305 cipher (chacha20-poly1305@openssh.com), expanding the range of cryptographic options available for secure communications. Note that this cipher is one of those affected by the Terrapin attack (CVE-2023-48795, see release 24.01); the strict KEX extension introduced there protects it, provided both peers support strict KEX.
Improve debugging by adding output messages that identify and diagnose why a public key is rejected or not accepted in Auth Agent forwarding mode.
Respond with a dedicated disconnect message if a client fails to answer the password prompt within the configured time period, improving connection handling and user feedback.
Bug Fixes
In dual-stack mode, MHD reports IPv4 client addresses in IPv4-mapped IPv6 form (::ffff:a.b.c.d), which caused plain IPv4 entries in MONITOR_CLIENTS to stop matching. This version accepts regular IPv4 addresses in MONITOR_CLIENTS again.
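The matching problem behind this fix, as an added example that is not suSSHi's code: a dual-stack listener hands the application the peer address as ::ffff:10.0.0.5, and a naive comparison against an IPv4 allowlist entry fails on the address-family mismatch. The allowlist is normalised by folding IPv4-mapped addresses back to IPv4 before comparing. The comma-separated allowlist syntax, the function names and the sample addresses are assumptions for this example, not the documented MONITOR_CLIENTS format.

```python
import ipaddress


def normalize_client_address(addr: str):
    """Return the peer address with an IPv4-mapped IPv6 form (::ffff:a.b.c.d)
    folded back to plain IPv4, so it compares against IPv4 allowlist entries."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_monitor_clients(value: str):
    """Parse a comma-separated list of addresses or CIDR prefixes.
    The comma-separated form is an assumption for this example, not suSSHi's syntax."""
    return [
        ipaddress.ip_network(item.strip(), strict=False)
        for item in value.split(",")
        if item.strip()
    ]


def naive_allowed(addr: str, networks) -> bool:
    """Pre-fix behaviour: compare the address exactly as the HTTP daemon reports it.
    An IPv6 address is never 'in' an IPv4 network, so mapped IPv4 clients are refused."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def client_allowed(addr: str, networks) -> bool:
    """Fixed behaviour: normalise first, then compare against every entry."""
    ip = normalize_client_address(addr)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    # Constructed allowlist and peer addresses for demonstration.
    nets = parse_monitor_clients("10.0.0.0/24, 192.0.2.7, 2001:db8::/32")
    for peer in ("::ffff:10.0.0.5", "10.0.0.5", "::ffff:10.0.1.5", "2001:db8::1"):
        print(peer, "naive:", naive_allowed(peer, nets), "fixed:", client_allowed(peer, nets))
```

Native IPv6 clients are unaffected by the normalisation: an address that is not IPv4-mapped is returned unchanged and compared against the IPv6 entries as before.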
Release 24.02
Information
This release also includes library and container updates.
Improvements
Improved debugging by adding output messages that identify and diagnose why a public key is rejected or not accepted in Auth Agent forwarding mode.
Updated the Dockerfile to use the new image path of the build container image.
These changes improve the debugging capabilities and streamline the Docker build process.
Release 24.01
Information
This release also includes library and container updates.
Improvements
Update libSSH to 0.10.6
Improve logging of failed or unsuccessful sessions in System Events and Syslog.
Add control over the public key algorithms allowed in public key authentication (requires suSSHi Chef 23.12 or newer).
Address a general protocol flaw in SSH (CVE-2023-48795, described in detail below).
CVE-2023-48795: General Protocol Flaw
Implement the protocol extensions that thwart the so-called “Terrapin attack” discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk.
The SSH Binary Packet Protocol (BPP) has a weakness that allows a man-in-the-middle (MitM) attacker to manipulate several messages during the handshake. This is only possible when the client negotiates the cipher ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) or a CBC cipher such as AES-CBC together with an Encrypt-then-MAC integrity mechanism.
The manipulation happens during the handshake, while packets are not yet encrypted and authenticated. Inserting meaningless messages (such as SSH_MSG_IGNORE) at this point shifts the sequence number of one peer before encryption is turned on with the NEWKEYS message. Because sequence numbers are implicit (never transmitted, only fed into the MAC or the cipher nonce), the attacker can then remove the first encrypted message without being detected.
The practical outcome can be the removal of the first message of the conversation, EXT_INFO (from RFC 8308), which carries the server-sig-algs information about supported SHA-2 algorithms for RSA signatures; its removal can cause a downgrade to SHA-1.
This suSSHi release addresses this protocol weakness through a new “strict KEX” protocol extension that is automatically enabled when both the client and server support it (support is signalled with the pseudo-algorithms kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com in the KEXINIT key exchange list, which is what to look for in a client's verbose output when checking whether a connection is protected). This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange.
Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required, such as SSH2_MSG_DEBUG). This removes most malleability from the early protocol.
Secondly, it resets the Message Authentication Code counter (the packet sequence number) at the conclusion of each key exchange, preventing previously inserted messages from making persistent changes to the sequence number across the completion of a key exchange. Either of these changes alone is sufficient to thwart the Terrapin attack.
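The sequence-number mechanics described above, as an added example that is not suSSHi's or libssh's code: a simulation of the server-to-client half of one key exchange, with an attacker who injects an unauthenticated SSH_MSG_IGNORE before NEWKEYS and drops the first protected packet (EXT_INFO). Packet protection is reduced to an HMAC over the implicit sequence number and the packet, which stands in for both the Encrypt-then-MAC tag and the ChaCha20-Poly1305 nonce; the key, payloads and the set of messages tolerated during key exchange are constructed for the example. The two strict-KEX changes can be switched on independently to show that each one alone catches the attack.

```python
import hashlib
import hmac

# SSH message numbers (RFC 4253, RFC 8308)
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_REPLY = 31

# Messages a strict-kex endpoint tolerates before NEWKEYS (simplified, one direction).
KEX_ALLOWED = {SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS}

# Constructed stand-in for the integrity key derived during the key exchange.
INTEGRITY_KEY = b"constructed-integrity-key"


class Disconnect(Exception):
    """Raised where a real endpoint would send SSH_MSG_DISCONNECT."""


def packet_mac(seq: int, msg_type: int, payload: bytes) -> bytes:
    # As with Encrypt-then-MAC, the tag covers the implicit sequence number and
    # the packet; the sequence number itself is never transmitted.
    data = seq.to_bytes(4, "big") + bytes([msg_type]) + payload
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha256).digest()


class Endpoint:
    def __init__(self, reset_counters: bool):
        self.reset_counters = reset_counters
        self.seq = 0
        self.encrypted = False

    def advance(self, msg_type: int):
        # Counters increment per packet; NEWKEYS turns protection on and,
        # under strict kex, restarts the counter at zero.
        self.seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.encrypted = True
            if self.reset_counters:
                self.seq = 0


class Server(Endpoint):
    def send(self, msg_type: int, payload: bytes = b""):
        tag = packet_mac(self.seq, msg_type, payload) if self.encrypted else None
        self.advance(msg_type)
        return (msg_type, payload, tag)


class Client(Endpoint):
    def __init__(self, reject_unexpected: bool, reset_counters: bool):
        super().__init__(reset_counters)
        self.reject_unexpected = reject_unexpected
        self.accepted = []

    def receive(self, packet):
        msg_type, payload, tag = packet
        if self.encrypted:
            expected = packet_mac(self.seq, msg_type, payload)
            if tag is None or not hmac.compare_digest(tag, expected):
                raise Disconnect("MAC failure")
        elif self.reject_unexpected and msg_type not in KEX_ALLOWED:
            raise Disconnect(f"unexpected message {msg_type} during kex")
        self.advance(msg_type)
        self.accepted.append(msg_type)


def simulate(attack: bool, reject_unexpected: bool = False, reset_counters: bool = False):
    """Run the server->client stream of a handshake, optionally through a Terrapin-style MitM."""
    server = Server(reset_counters)
    client = Client(reject_unexpected, reset_counters)
    wire = [
        server.send(SSH_MSG_KEXINIT, b"algorithm lists"),
        server.send(SSH_MSG_KEXDH_REPLY, b"host key + signature"),
        server.send(SSH_MSG_NEWKEYS),
        server.send(SSH_MSG_EXT_INFO, b"server-sig-algs=rsa-sha2-256,rsa-sha2-512"),
        server.send(SSH_MSG_SERVICE_ACCEPT, b"ssh-userauth"),
    ]
    if attack:
        # MitM step 1: inject an unauthenticated IGNORE before NEWKEYS, so the
        # client's receive counter runs one ahead of the server's send counter.
        wire.insert(2, (SSH_MSG_IGNORE, b"", None))
        # MitM step 2: drop the first protected packet (EXT_INFO, now at index 4).
        del wire[4]
    try:
        for pkt in wire:
            client.receive(pkt)
    except Disconnect as exc:
        return {"outcome": "disconnect", "reason": str(exc), "accepted": client.accepted}
    return {"outcome": "connected",
            "ext_info_received": SSH_MSG_EXT_INFO in client.accepted,
            "accepted": client.accepted}
```

Without strict KEX the attacked handshake completes and the client simply never sees EXT_INFO, which is the silent downgrade described above. Rejecting the IGNORE ends the connection before NEWKEYS; resetting the counters alone lets the IGNORE through but makes the MAC of the next protected packet fail, because the server computed it over sequence number 1 while the client expects 0.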
Security Notes
Update libSSH to 0.10.6, which addresses the following security vulnerabilities:
* CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex.
* Other CVEs addressed by libSSH do not apply to suSSHi.
Release 23.10
Warning
Please note that this release requires suSSHi Chef 23.10 or newer.
Information
This is a maintenance release including library and container updates.
Improvements
Add support for IPv6-only container setups and for reaching the monitor server over IPv6.
Improve handling of different IP addresses of the same target.
Bug Fixes
Fix an issue with subsequent connections to targets with multiple IP addresses.
Fix segfault / corrupted double-linked list issues on subsequent connections to targets with multiple IP addresses.
In Public Key Agent Authentication (PAA) mode, replies to keepalive@openssh.com CHANNEL REQUESTs are now forwarded instead of being ignored.
Release 22.10
Warning
Please note that this release requires suSSHi Chef 20.12 or newer.
Information
This is a maintenance release including library and container updates.
Release 21.12
Warning
Please note that this release requires suSSHi Chef 20.12 or newer.
Information
This is a maintenance release.
Bug Fixes
Fixed an issue where susshi-play did not work correctly due to a missing library.
Fixed an issue where the maximum session duration was not always handled correctly and could lead to longer sessions.
Fixed an issue where Agent-Forwarding Flag was not correctly reported to suSSHi Chef.
Release 21.10
Warning
Please note that this release requires suSSHi Chef 20.12 or newer.
Information
This is a maintenance release.
Improvements
Improved overall throughput by substantially reducing memory allocations and frees.
Updated to the latest libssh, 0.9.6.
Improved the ability to send a report to suSSHi Chef on fatal session termination.
Add inspection for the expand-path@openssh.com extension, which newer OpenSSH versions use for SCP over SFTP (currently the scp -s option).
Bug Fixes
Fix a few memory allocation/free paths to simplify the code and reduce memory consumption.
Fix an issue where the Nagle algorithm was sometimes disabled for SFTP sessions as well.
Fix unconditional freeing of memory when sending the issue banner.
Release 21.05.2
Warning
Please note that this release requires suSSHi Chef 20.12 or newer.
Information
This is a maintenance release.
Bug Fixes
Fix an issue where the Target Preferred Address Family was not applied correctly when changed in suSSHi Chef.
Fix an issue with the “Happy Eyeballs” implementation for better failover between address families.
Fix an issue where report messages of failed sessions were sent only to the gateway logs and not to suSSHi Chef.
Fix a very unlikely issue where a connection through a proxy fails but the process then gets stuck in a busy loop.
Fix an issue when a target host name resolves to multiple IPs but the selected one cannot be found in suSSHi Chef.
Release 21.03
Warning
Please note that this release requires suSSHi Chef 20.08 or newer.
New Features
New Target Authentication Features for password / keyboard-interactive based authentication:
User Dialog (default, same behaviour as today)
Dynamic One Time Password (DOTP)
Static Password
Preserve Password
Improvements
Updated the container base image (Ubuntu 20.04 LTS) and underlying software.
Image size decreased by more than 15%.
Include an additional info line in the session log containing user, client and target information.
Deny login attempts that give only a user name (reserved for suSSHi Gateway Bastion mode) immediately, without asking suSSHi Chef. This further improves DoS protection.
Bug Fixes
Fix an issue with X11 sessions not working with MobaXterm / PuTTY, caused by PuTTY window-size tuning (winadj@putty.projects.tartarus.org).
Fix an issue with X11 sessions not being forwarded correctly in Public Key Agent Authentication mode.
Release 20.08.2
Warning
Please note that this release requires suSSHi Chef 19.08 or newer.
Improvements
Add a log message to the session log about the maximum log file size in case of exec logging.
On startup, try to fix permissions for the unprivileged user if the mapped volumes have wrong permissions, to improve the user experience.
Add a new error message (Code 4013) when the client's SSH agent responds with no identities.
Improved stability of system event daemon by switching from GNUTLS to OpenSSL.
Use list of preferred host key algorithms also when scanning hosts (Release 20.08.1).
Bug Fixes
When a client used the SSH keepalive function, the idle timer was erroneously updated even when the session was otherwise inactive.
ExecLogStopPatterns did not work as expected if set in the suSSHi Chef configuration.
When a large number of parallel SSH channels were open at the same time (e.g. when using the ssh SOCKS proxy mode), a channel close or open confirmation message could be misinterpreted.
Fixed an error where the system event daemon was not started properly on container restart.
Fixed an error where stopping or restarting the container could cause segmentation fault messages on the Docker host (seen in dmesg).
Fixed a very rare issue where, under certain circumstances, the impolite disconnect of a client or target was not detected and the worker process continued running.
Fixed an issue with dynamic port allocation for remote port forwarding when used together with non-dynamic port forwarding in the same session (Release 20.08.2).
Release 20.06
New Features
Unix domain socket forwarding
OpenSSH supports local and remote Unix domain socket forwarding using the “streamlocal” extension. Forwarding is initiated as for TCP sockets, but with a single path instead of a host and port. Prior to version 20.06, the OpenSSH protocol extension “Unix domain socket forwarding” was denied with an unknown channel type error.
With version 20.06, you can control whether Unix domain socket forwarding is allowed or denied. Logging of the socket forwarding session is supported as well. Because applications that use Unix domain sockets mostly speak the same application protocols they would otherwise speak over TCP, suSSHi logs all socket communication via SSH in a PCAP file, with the pseudo IP address 127.1.1.1 representing the client and 127.2.2.2 representing the server. Advanced network diagnostic tools like Wireshark provide a wide range of dissectors to further analyse the captured traffic.
Remote Proxy Health Monitoring
The new Proxy Health Monitoring feature allows the status of the configured proxies to be queried in the Admin UI and via the API. In order to use this feature, the gateway software must be updated to at least version 20.06.
Changes
Filename suffixes for PCAP files have changed to represent the type of captured traffic:
For Port-Forwarding, the new extension .portfwd.pcap is used.
For X11 traffic, .x11.pcap is used respectively.
Unix domain socket forwarding captures make use of the .socket.pcap extension.
The IP addresses used in .pcap files have changed from 1.1.1.1 (client) and 2.2.2.2 (server) to 127.1.1.1 (client) and 127.2.2.2 (server).
Improvements
Include client and target software identification in session log.
Bug Fixes
In SFTP logging, a ‘handle’ (the response to path requests) was not handled correctly in some cases, so wrong paths could appear in subsequent log entries. The bug first appeared with release 20.05.
In PubKeyAgent authentication mode, remote port forwarding (e.g. the -R option in OpenSSH) did not work correctly under certain circumstances.
Release 20.05
Warning
Please note that this release requires suSSHi Chef 19.08 or newer.
New Features
Improved Container Security
Starting with version 20.05, all processes of the suSSHi Gateway container switch to an unprivileged user named “susshi” after startup. This “privilege dropping” increases the security of the container: in case of a security problem, an attacker would only inherit the limited rights of the user “susshi” (default UID 900, GID 900).
For more information regarding the unprivileged user and volume mapping, see the corresponding documentation section.
suSSHi Proxy Bastions
With the suSSHi Proxy Bastions feature, a suSSHi Proxy can act as an SSH endpoint for users who only need port forwarding and no interactive session. This can be used when a proxy is deployed in a remote environment such as a cloud tenant and the users do not need SSH access to a target host within that environment, but want to establish a port forwarding to applications such as RDP.
To start a suSSHi Proxy Bastion session, the user simply uses the <gateway-user>@<proxy-realm> syntax as the gateway user:
    ssh -L 8443:webserver:443 -l myuser@proxy15 <gateway>
    ssh -D 1080 -l myuser@proxy15 <gateway>
Client and Target Hostkey Exchange Algorithms
New properties in Partition settings allow control over the hostkey algorithms allowed on the client and target side. The default is to allow all available algorithms. You may change this to disable RSA-SHA1 (the ssh-rsa signature algorithm), for example.
Client and Target Key Exchange (KEX) Algorithms
New properties in suSSHi Chef’s Partition settings allow control over the accepted Key Exchange Algorithms (KEX) on the client and target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms.
Client and Target HMAC Algorithms
New properties in suSSHi Chef’s Partition settings allow control over the allowed HMAC algorithms on the client and target side, beside the already existing settings for ciphers. The default is to allow all available algorithms. You may change this to disable weaker algorithms.
Hostkey Update and Rotation
suSSHi supports the OpenSSH “Hostkey update and rotation” protocol extension (hostkeys-00@openssh.com), which allows a server to inform a client of all its hostkeys after user authentication has completed. With this option enabled, the client gets a list of all configured hostkeys of the suSSHi Gateway and can update its own list of known hostkeys. Whether an OpenSSH client acts on the list depends on its UpdateHostKeys setting.
With this option, all supporting SSH clients can learn new key types they have not encountered before, allowing them to potentially upgrade from weaker key algorithms to better ones. It also supports graceful key rotation, as the gateway may offer multiple keys of the same type for a period of time (so that clients learn them through this extension) before the obsolete key is removed from those offered.
suSSHi now supports multiple hostkeys of the same type in a sortable order, which makes it possible to share / propagate new keys upfront with the Hostkey Update and Rotation feature.
Password Split-String
With this new feature, suSSHi allows a user to provide the password for authentication at the target together with the password for authentication at the gateway, by entering the two passwords separated by the configured split-string: <gateway_pw><split-string><target_pw>.
It is important not to choose a split-string that is too simple or too short (e.g. only @), because the selected combination must not occur in any password. The default is therefore set to ::@:: (<gateway_pw>::@::<target_pw>).
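The split logic and the hazard of a weak split-string, as an added example that is not suSSHi's code: the submitted string is cut once at the configured split-string; an absent split-string means gateway authentication only, while more than one occurrence is rejected as ambiguous. The function names and the sample passwords are assumptions for this example.

```python
DEFAULT_SPLIT_STRING = "::@::"  # the default named in the release notes


def split_password(submitted: str, split_string: str = DEFAULT_SPLIT_STRING):
    """Split one submitted password into (gateway_pw, target_pw).

    target_pw is None when no split-string is present (gateway authentication only).
    Raises ValueError when the split-string occurs more than once, because the
    split is then ambiguous, or when either half would be empty.
    """
    if not split_string:
        raise ValueError("split-string must not be empty")
    parts = submitted.split(split_string)
    if len(parts) == 1:
        return submitted, None
    if len(parts) > 2:
        raise ValueError("split-string occurs more than once; cannot split unambiguously")
    gateway_pw, target_pw = parts
    if not gateway_pw or not target_pw:
        raise ValueError("gateway or target password would be empty")
    return gateway_pw, target_pw


if __name__ == "__main__":
    # Constructed inputs: the default split-string works; a one-character
    # split-string such as "@" silently mis-splits an ordinary password.
    print(split_password("gwSecret::@::tgtSecret"))   # ('gwSecret', 'tgtSecret')
    print(split_password("gwSecret"))                  # ('gwSecret', None)
    print(split_password("p@ss", "@"))                 # ('p', 'ss')
```

The multiple-occurrence check only catches passwords that contain the split-string twice. A single accidental occurrence, as in "p@ss" with "@" as split-string, is indistinguishable from a deliberate split and is silently accepted as a gateway password "p" and a target password "ss", which is exactly why the default is a sequence that does not appear in real passwords.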
Improvements
Upgraded to latest libssh version 0.9.4.
Change logfile naming to unique IDs (otherwise files could be overwritten).
Adjust some system logging.
Better error message on usage of -N (or other error) when setting up PubkeySSHAgent mode.
Make password authentication with the target work if the client supports only password authentication and no keyboard-interactive authentication.
Enhancement of the SFTP inspection module to also support SFTP protocol versions 4-6 correctly. These SFTP versions are supported by very few products. OpenSSH, for example, still uses SFTP protocol version 3 even in its latest version 8.2.
Improved compatibility for VanDyke’s SecureCRT in Auth-Agent Authentication.
Bug Fixes
Fix an issue in PubkeySSHAgent mode when the server returns an exit status message while still in the authentication phase. This could happen with short-running exec commands.
Make short-running exec commands in PubkeySSHAgent mode more stable.
Fix an issue in PubkeySSHAgent mode when the client closes the auth-agent channel very quickly.
Fix less frequently occurring crashes with scp and sftp in PubKeySSHAgent mode.
Minor fixes to allow suSSHi Gateway to run in IPv4/IPv6 container deployments correctly.