OpenSSH 9.0 has been released, an open client and server implementation of the SSH 2.0 and SFTP protocols. In the new version the scp utility has been switched to use SFTP by default instead of the legacy SCP/RCP protocol.
The SFTP protocol uses more predictable file-name handling and does not pass glob patterns in file names through the shell on the remote host. In particular, with SCP and RCP the server decides which files and directories to send to the client, and the client only checks that the names of the received objects are correct; without proper checks on the client side this lets the server send files whose names differ from those that were requested.
SFTP is free of these problems, but it does not support expansion of special paths such as "~/". To remove this difference, starting with OpenSSH 8.7 the SFTP server implementation supports the expand-path@openssh.com protocol extension for expanding the paths ~/ and ~user/.
When using SFTP, users may also run into an incompatibility caused by the need, with SCP and RCP, to double-quote special characters in paths in requests so that they are not interpreted on the remote side. In SFTP such quoting is not required, and extra quotes lead to an error during data transfer. The OpenSSH developers declined to add an extension that would replicate the SCP behaviour here, since double quoting is considered a flaw that makes no sense to reproduce.
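As an added illustration (not code from OpenSSH or from the announcement), the following Python models the two behaviours described above: how a requested path is interpreted on the remote side under legacy SCP/RCP (through the remote user's shell) versus SFTP (taken literally), and the client-side name check that SCP mode needs; the remote directory listing and file names are constructed.

```python
import fnmatch
import os
import shlex

# Constructed sample listing of a remote directory (not taken from the announcement).
REMOTE_FILES = ["report 2022.pdf", "report 2023.pdf", "notes.txt"]


def legacy_scp_remote_resolve(argument, listing=REMOTE_FILES):
    """Model of the remote side under legacy scp/rcp: the path argument is handed to
    the remote user's shell, which strips one level of quoting and expands globs.
    An unmatched pattern is passed through literally, as a typical shell would do."""
    names = []
    for word in shlex.split(argument):
        hits = fnmatch.filter(listing, word)
        names.extend(hits if hits else [word])
    return names


def sftp_remote_resolve(path, listing=REMOTE_FILES):
    """Model of sftp-server: the name is an opaque string with no shell in the way.
    Quotes and backslashes are part of the name, so an extra layer of quoting
    simply names a file that does not exist (the transfer error the text mentions)."""
    return [path] if path in listing else []


def quote_for_legacy_scp(name):
    """The quoting a caller must add when the name will cross a remote shell."""
    return shlex.quote(name)


def client_accepts(requested, offered):
    """Simplified model of the client-side check SCP mode needs: the name the server
    sends back must match what was asked for (glob-aware) and must not contain a
    directory component, so the server cannot substitute an unrelated file."""
    if "/" in offered or offered in (".", ".."):
        return False
    return fnmatch.fnmatchcase(offered, os.path.basename(requested))
```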
Other changes in the new release:
- In ssh and sshd the default key exchange algorithm is now sntrup761x25519-sha512@openssh.com (ECDH/X25519 + NTRU Prime), which is resistant to attacks by quantum computers and is combined with ECDH/X25519 to guard against possible weaknesses in NTRU Prime that might surface in the future. In the KexAlgorithms list, which defines the order in which key exchange methods are chosen, this algorithm is now placed first and takes priority over the ECDH and DH algorithms.
Quantum computers have not yet reached a level that allows traditional keys to be broken, but the use of hybrid protection shields users from attacks in which intercepted SSH sessions are stored in the expectation that they can be decrypted in the future, once suitable quantum computers appear.
- The sftp-server has gained a "copy-data" extension that allows data to be copied on the server side, without a round trip through the client, when the source and destination files are on the same server.
- The sftp utility has gained a "cp" command that lets the client initiate server-side file copying.