suSSHi Gateway

Overview

Release    Upgrade Path    Image
24.02      >= 20.08        registry.susshi.io/susshi:24.02
24.01      >= 20.08        registry.susshi.io/susshi:24.01
23.10      >= 20.08        registry.susshi.io/susshi:23.10
22.10      >= 20.08        registry.susshi.io/susshi:22.10
21.12      >= 20.08        registry.susshi.io/susshi:21.12
21.10      >= 20.08        registry.susshi.io/susshi:21.10
21.05.2    >= 20.08        registry.susshi.io/susshi:21.05.2
21.03      >= 20.08        registry.susshi.io/susshi:21.03
20.08.2    >= 19.12        registry.susshi.io/susshi:20.08.2
20.06      >= 19.12        registry.susshi.io/susshi:20.06
20.05      >= 19.12        registry.susshi.io/susshi:20.05

Release 24.02

Information

  • This release also includes library and container updates.

Improvements

  • Improved debugging capability by adding output messages to identify and diagnose issues when a public key is rejected or not accepted in Auth Agent forwarding mode.

  • Updated the Dockerfile to include the new image path of the build container image.

These changes enhance the debugging capabilities and streamline the Docker build process, contributing to a more efficient and reliable development and deployment environment.

Release 24.01

Information

  • This release also includes library and container updates.

Improvements

  • Update libSSH to 0.10.6

  • Improve logging in System Events and Syslog for failed / unsuccessful sessions.

  • Add control over public key algorithms allowed in public key authentication (requires suSSHi Chef 23.12 or newer)

  • Address general protocol flaw in SSH (see CVE-2023-48795 - detailed description below).

CVE-2023-48795: General Protocol Flaw

Implement protocol extensions to thwart the so-called “Terrapin attack” discovered by Fabian Bäumer, Marcus Brinkmann and Jörg Schwenk.

The SSH Binary Packet Protocol (BPP) has a weakness that allows a man-in-the-middle (MitM) attacker to manipulate several messages during the handshake. This is only possible when the client negotiates the ChaCha20-Poly1305 cipher or AES-CBC with the Encrypt-then-MAC integrity mechanism.

This happens during the handshake, when packets are not yet encrypted or authenticated. Inserting meaningless messages at this point manipulates the sequence number of one peer before encryption is turned on by the NEWKEYS message, so that removing the first encrypted message can go undetected.

In practice, the first message of the conversation, EXT_INFO (RFC 8308), can be removed. It carries the information that SHA-2 algorithms are supported for RSA signatures, and its removal can cause a downgrade to SHA-1.

This suSSHi release addresses this protocol weakness through a new “strict KEX” protocol extension that will be automatically enabled when both the client and server support it. This extension makes two changes to the SSH transport protocol to improve the integrity of the initial key exchange.

Firstly, it requires endpoints to terminate the connection if any unnecessary or unexpected message is received during key exchange (including messages that were previously legal but not strictly required like SSH2_MSG_DEBUG). This removes most malleability from the early protocol.

Secondly, it resets the Message Authentication Code counter at the conclusion of each key exchange, preventing previously inserted messages from being able to make persistent changes to the sequence number across completion of a key exchange. Either of these changes should be sufficient to thwart the Terrapin Attack.
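As an added example (not suSSHi or libSSH code), the following Python parses the kex_algorithms name-list of the client's and server's SSH_MSG_KEXINIT packets and reports whether strict KEX will be in effect, i.e. the "both the client and server support it" condition described above. It assumes the pseudo-algorithm names kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com that OpenSSH defined for this signalling; the sample packets it builds are constructed for the check, not captured from a real session.

```python
import struct

# SSH_MSG_KEXINIT payload (RFC 4253, section 7.1): byte 20, byte[16] cookie,
# ten name-lists (the first is kex_algorithms), boolean, uint32 reserved.
SSH_MSG_KEXINIT = 20

# Pseudo-algorithm names defined by OpenSSH to signal strict-KEX support.
# They only carry meaning in the very first KEXINIT of a connection.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def parse_kexinit(payload: bytes) -> list:
    """Return the ten name-lists of a KEXINIT payload, each as a list of names."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17  # skip the message id and the 16-byte cookie
    lists = []
    for _ in range(10):
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT payload")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated KEXINIT name-list")
        pos += 4 + length
        text = raw.decode("ascii")
        lists.append(text.split(",") if text else [])
    return lists


def strict_kex_negotiated(client_kexinit: bytes, server_kexinit: bytes) -> bool:
    """Strict KEX is enabled only if the client AND the server each signal it."""
    client_kex = parse_kexinit(client_kexinit)[0]
    server_kex = parse_kexinit(server_kexinit)[0]
    return STRICT_KEX_CLIENT in client_kex and STRICT_KEX_SERVER in server_kex


def build_kexinit(kex_algs: list) -> bytes:
    """Constructed sample KEXINIT (zero cookie, placeholder lists) for testing."""
    other_lists = ["ssh-ed25519", "aes256-gcm@openssh.com", "aes256-gcm@openssh.com",
                   "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name_list in [",".join(kex_algs)] + other_lists:
        data = name_list.encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
```

A peer that omits its pseudo-algorithm name, or that sends it only in a later re-key KEXINIT, does not get strict KEX, which is why checking both initial packets matters.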

Security Notes

  • Update libSSH to 0.10.6, which addresses the following security vulnerabilities:

    • CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex.

    • Other CVEs addressed by libSSH do not apply to suSSHi.

Release 23.10

Warning

Please note that this release requires suSSHi Chef 23.10 or newer.

Information

  • This is a maintenance release including library and container updates.

Improvements

  • Add support for IPv6-only container setups and for IPv6 monitor server reachability.

  • Improve handling of different IP addresses of the same target.

Bug Fixes

  • Fix issue with subsequent connections to targets with multiple IP addresses.

  • Fix segfault / corrupted double-linked list issues on subsequent connections to targets with multiple IP addresses.

  • In PAA mode, replies to keepalive@openssh.com CHANNEL_REQUEST messages are now forwarded instead of being ignored.

Release 22.10

Warning

Please note that this release requires suSSHi Chef 20.12 or newer.

Information

  • This is a maintenance release including library and container updates.

Release 21.12

Warning

Please note that this release requires suSSHi Chef 20.12 or newer.

Information

  • This is a maintenance release.

Bug Fixes

  • Fixed an issue where susshi-play did not work correctly due to a missing library.

  • Fixed an issue where the maximum session duration was not always handled correctly and could lead to longer sessions.

  • Fixed an issue where the Agent-Forwarding flag was not correctly reported to suSSHi Chef.

Release 21.10

Warning

Please note that this release requires suSSHi Chef 20.12 or newer.

Information

  • This is a maintenance release.

Improvements

  • Improved overall throughput by greatly reducing the number of memory allocations and frees.

  • Updated to latest libssh 0.9.6.

  • Improved the ability to send a report to suSSHi Chef when a session ends fatally.

  • Added inspection of the expand-path@openssh.com extension, which newer OpenSSH versions use for SCP over SFTP (currently the scp -s option).

Bug Fixes

  • Fixed a few memory alloc/free situations to optimize code and memory consumption.

  • Fixed an issue where the Nagle algorithm was sometimes disabled for SFTP sessions as well.

  • Fixed unconditional memory freeing when sending the issue banner.

Release 21.05.2

Warning

Please note that this release requires suSSHi Chef 20.12 or newer.

Information

  • This is a maintenance release.

Bug Fixes

  • Fix issue where the Target Preferred Address Family was not correctly set when changed in suSSHi Chef.

  • Fix issue with the “Happy Eyeballs” implementation for better failover between address families.

  • Fix issue where report messages of failed sessions were not sent to suSSHi Chef but only to the gateway logs.

  • Fix for a very unlikely issue where connections through a proxy fail, but then the process gets stuck in a busy loop.

  • Fix issue when the target host name resolves to multiple IPs, but the selected one cannot be found in suSSHi Chef.

Release 21.03

Warning

Please note that this release requires suSSHi Chef 20.08 or newer.

New Features

  • New Target Authentication Features for password / keyboard-interactive based authentication:

    • User Dialog (default, same behaviour as today)

    • Dynamic One Time Password (DOTP)

    • Static Password

    • Preserve Password

Improvements

  • Updated container base image (Ubuntu 20.04 LTS) and underlying software.

  • Image size decreased by more than 15%.

  • Include additional info line in session log containing user, client and target information.

  • Login attempts with only a user name given (reserved for suSSHi Gateway Bastion mode) are now denied immediately, without asking suSSHi Chef. This further improves DoS protection.

Bug Fixes

  • Fix issue with X11 sessions not working with MobaXterm / PuTTY, caused by PuTTY's window-size tuning request winadj@putty.projects.tartarus.org.

  • Fix issue with X11 sessions not correctly forwarded in Public Key Agent Authentication mode.

Release 20.08.2

Warning

Please note that this release requires suSSHi Chef 19.08 or newer.

Improvements

  • Added a message to the session log about the maximum log file size when exec logging is used.

  • On startup, try to fix permissions for the unprivileged user if the mapped volumes have wrong permissions, to improve the user experience.

  • Added a new error message (Code 4013) when the client responds with no identities from the SSH agent.

  • Improved stability of the system event daemon by switching from GnuTLS to OpenSSL.

  • The list of preferred host key algorithms is now also used when scanning hosts (Release 20.08.1).

Bug Fixes

  • When a client used the SSH keepalive function, the idle timer was erroneously updated even when otherwise inactive.

  • ExecLogStopPatterns did not work as expected, if set in suSSHi Chef configuration.

  • When a large number of parallel SSH channels are open at the same time (e.g. when using the ssh socks proxy mode), a channel close or open confirm message could be misinterpreted.

  • Fixed an error where system event daemon was not started properly on container restart.

  • Fixed an error where stopping or restarting the container could cause segmentation fault messages on the Docker host (seen in dmesg).

  • Fixed a very rare issue where, under certain circumstances, the impolite disconnect of a client or target was not detected and the worker process still continued.

  • Fixed an issue with dynamic port allocation on remote port forwarding when used together with non-dynamic port forwarding in same session (Release 20.08.2).

Release 20.06

New Features

  • Unix domain socket forwarding

    OpenSSH supports local and remote Unix domain socket forwarding using the “streamlocal” extension. Forwarding is initiated as for TCP sockets, but with a single path instead of a host and port. Prior to version 20.06, the OpenSSH protocol extension “Unix domain socket forwarding” was denied with an unknown channel type error.

    With version 20.06, you can control whether to allow Unix domain socket forwarding or deny it. Logging of the socket forwarding session is supported as well. Because most applications using sockets run standard TCP communication when communicating over sockets, suSSHi logs all socket communication via SSH in a PCAP file with the pseudo IP address 127.1.1.1 representing the client and 127.2.2.2 representing the server. Advanced network diagnostic tools like Wireshark provide a wide range of dissectors to further analyse the captured traffic.

  • Remote Proxy Health Monitoring

    The new Proxy Health Monitoring feature allows the status of the configured proxies to be queried in the Admin UI and via API. In order to use this feature, the gateway software must be updated to at least version 20.06.

Changes

  • Filename suffixes for PCAP files have changed to represent the type of captured traffic:

    • For Port-Forwarding, the new extension .portfwd.pcap is used.

    • For X11 traffic, .x11.pcap is used respectively.

    • Unix domain socket forwarding captures make use of the .socket.pcap extension.

  • The IP addresses used in .pcap files have changed from 1.1.1.1 (client) and 2.2.2.2 (server) to 127.1.1.1 (client) and 127.2.2.2 (server).

Improvements

  • Include client and target software identification in session log.

Bug Fixes

  • In SFTP logging, a ‘handle’ (which is a response to path requests) was not handled correctly in some cases, so wrong paths could be logged subsequently. The bug first appeared with release 20.05.

  • In PubKeyAgent authentication mode, remote port forwarding (e.g. the -R option in OpenSSH) did not work correctly under certain circumstances.

Release 20.05

Warning

Please note that this release requires suSSHi Chef 19.08 or newer.

New Features

  • Improved Container Security

    Starting with version 20.05, all processes of the suSSHi Gateway container will be changed to an unprivileged user named “susshi” after startup. This “privilege dropping” increases the security of the container, because in case of a possible security problem an attacker would only inherit the limited rights of the user “susshi” (default UID 900, GID 900).

    For more information regarding unprivileged user and volume mapping, continue reading here.

  • suSSHi Proxy Bastions

    With the suSSHi Proxy Bastions feature, a suSSHi Proxy can act as an SSH endpoint for users who only need port forwarding and no interactive session. This can be used when a proxy is deployed in a remote environment like a cloud tenant and the users don’t need SSH access to a target host within the remote environment, but want to establish a port forwarding to applications like RDP, for example.

    To start a suSSHi Proxy Bastion session, the user just uses <gateway-user>@<proxy-realm> syntax as the gateway user:

    ssh -L 8443:webserver:443 -l myuser@proxy15 <gateway>
    ssh -D 1080 -l myuser@proxy15 <gateway>
    
  • Client and Target Hostkey Exchange Algorithms

    New properties in Partition settings allow control over allowed hostkey algorithms on client and target side. The default is to allow all available algorithms. You may change this to disable RSA-SHA1, for example.

  • Client and Target Key Exchange (KEX) Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over accepted Key Exchange Algorithms (KEX) on client and target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms.

  • Client and Target HMAC Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over allowed HMAC algorithms beside already existing settings for ciphers on client and target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms.

  • Hostkey Update and Rotation

    suSSHi supports the OpenSSH “Hostkey update and rotation” protocol extension (hostkeys-00@openssh.com), which allows a server to inform a client of all its hostkeys after user authentication has completed. With this option enabled, the client gets a list of all configured hostkeys of the suSSHi Gateway and thus can update its own list of known hostkeys.

    With this option, all supporting SSH clients can learn new key types they have not encountered before, allowing them to potentially upgrade from weaker key algorithms to better ones. It also supports graceful key rotation, as the gateway may offer multiple keys of the same type for a period of time (to allow customers to learn them with this enhancement) before the obsolete key is removed from those offered.

    suSSHi now supports multiple hostkeys of the same type with sortable order, which gives the opportunity to share / propagate new keys upfront with the Hostkey Update and Rotation feature.

  • Password Split-String

    With this new feature, suSSHi allows a user to provide the password for an authentication at the target during an authentication at the gateway at the same time by specifying the two passwords separated from each other by the specified split-string: <gateway_pw><split-string><target_pw>.

    It is important not to choose a string that is too simple or too short (e.g. only @), as the selected combination must not occur in any password. The default is therefore set to ::@:: (<gateway_pw>::@::<target_pw>).

Improvements

  • Upgraded to latest libssh version 0.9.4.

  • Changed log file naming to unique IDs (otherwise files could be overwritten).

  • Adjusted some system logging.

  • Better error message when -N is used (or another error occurs) while setting up PubkeySSHAgent mode.

  • Make password-auth with target work if client supports password-auth only and no keyboard-interactive authentication.

  • Enhancement of the SFTP inspection module to also support SFTP protocol versions 4-6 correctly. These SFTP versions are supported by very few products. OpenSSH, for example, still uses SFTP protocol version 3 even in its latest version 8.2.

  • Improved compatibility for VanDyke’s SecureCRT in Auth-Agent Authentication.

Bug Fixes

  • Fix issue in PubkeySSHAgent mode when server returns with exit status message while still in authentication phase. This could happen on short-run exec-commands.

  • Fix issue to get short-run exec-commands in PubkeySSHAgent mode more stable.

  • Fix issue in PubkeySSHAgent mode when client sends close on auth-agent channel very quickly.

  • Fixed rare crashes with scp and sftp in PubKeySSHAgent mode.

  • Minor fixes to allow suSSHi Gateway to run in IPv4/IPv6 container deployments correctly.