Release 20.05

Information

Warning

Please note that this release requires suSSHi Chef 19.08 or newer.

New Features

  • Improved Container Security

    Starting with version 20.05, all processes of the suSSHi Gateway container switch to the unprivileged user “susshi” (default UID 900, GID 900) after startup. This “privilege dropping” improves the security of the container: should a vulnerability be exploited, an attacker would inherit only the limited rights of the user “susshi”.

    A consequence is that volumes mapped into the container must be accessible to that UID/GID (readable for configuration, writable where the gateway writes, e.g. logfiles). For more information regarding the unprivileged user and volume mapping, continue reading here.
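Before restarting an upgraded container it is worth checking that every mapped volume is usable by UID/GID 900. The following pre-flight check is an added example and not suSSHi code or part of these release notes; the mount paths and the access each needs are assumptions, and the check deliberately evaluates plain POSIX mode bits only (no ACLs, no root override), which is exactly what an unprivileged process is subject to.

```python
"""Added example (not suSSHi code and not from the release notes): a pre-flight check for
volumes that are mapped into the suSSHi Gateway container, which from 20.05 runs as the
unprivileged user susshi (default UID 900, GID 900). A bind mount that worked while the
container processes were privileged may be unreadable or unwritable for 900:900 after the
upgrade. Mount paths, and the access each needs, are assumptions for this example."""

import os
import stat

SUSSHI_UID = 900
SUSSHI_GID = 900

# Access masks; same values as os.R_OK / os.W_OK / os.X_OK and as the rwx bits of a mode.
READ, WRITE, EXEC = 4, 2, 1

# Hypothetical mount points: what your compose file or `docker run -v` maps is what counts.
VOLUMES = {
    "/srv/susshi/config": READ | EXEC,       # must be traversed and read
    "/srv/susshi/log": READ | WRITE | EXEC,  # gateway writes logfiles here
}


def permitted(st, uid, gid, want):
    """Evaluate plain POSIX mode bits for a process running as uid:gid.
    Owner bits apply if uid matches, else group bits if gid matches, else other bits.
    Deliberately ignores ACLs, capabilities and root's override."""
    mode = st.st_mode
    if st.st_uid == uid:
        bits = (mode & stat.S_IRWXU) >> 6
    elif st.st_gid == gid:
        bits = (mode & stat.S_IRWXG) >> 3
    else:
        bits = mode & stat.S_IRWXO
    return (bits & want) == want


def check_volume(path, want, uid=SUSSHI_UID, gid=SUSSHI_GID, stat_fn=os.stat):
    """Return None if uid:gid has the wanted access to path, else a problem description."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return f"{path}: missing on the host (a missing bind-mount source is typically created root-owned)"
    if permitted(st, uid, gid, want):
        return None
    return (f"{path}: owner {st.st_uid}:{st.st_gid}, mode {stat.filemode(st.st_mode)}, "
            f"insufficient for uid {uid}/gid {gid}; fix with: chown {uid}:{gid} {path}")


def preflight(volumes=VOLUMES, **kwargs):
    """Check every mapped volume; an empty list means the container can be restarted."""
    problems = []
    for path, want in volumes.items():
        problem = check_volume(path, want, **kwargs)
        if problem is not None:
            problems.append(problem)
    return problems


def fake_stat(mode, uid, gid):
    """Build an os.stat_result for demonstrations and tests without touching the filesystem."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


if __name__ == "__main__":
    findings = preflight()
    for line in findings:
        print(line)
    raise SystemExit(1 if findings else 0)
```

The check looks only at the top-level directory of each mount; existing files inside a log volume written while the container still ran as root need the same ownership fix, so a recursive `chown 900:900` is the usual remedy.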

  • suSSHi Proxy Bastions

    With the suSSHi Proxy Bastions feature, a suSSHi Proxy can act as an SSH endpoint for users who only need port forwarding and no interactive session. This is useful when a proxy is deployed in a remote environment such as a cloud tenant and the users do not need SSH access to a target host within that environment, but want to forward ports to applications there, RDP for example.

    To start a suSSHi Proxy Bastion session, the user specifies <gateway-user>@<proxy-realm> as the gateway user:

    ssh -L 8443:webserver:443 -l myuser@proxy15 <gateway>
    ssh -D 1080 -l myuser@proxy15 <gateway>

    The first command forwards local port 8443 to port 443 of webserver, with the connection made from the proxy in realm proxy15; the second opens a SOCKS proxy on local port 1080 with that proxy as its exit point.
  • Client and Target Hostkey Exchange Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over the hostkey algorithms accepted on the client side and on the target side. The default is to allow all available algorithms. You may change this to disable ssh-rsa (RSA signatures with SHA-1), for example; existing RSA host keys remain usable through rsa-sha2-256 and rsa-sha2-512.

  • Client and Target Key Exchange (KEX) Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over the Key Exchange Algorithms (KEX) accepted on the client side and on the target side. The default is to allow all available algorithms. You may change this to disable weaker algorithms, such as the SHA-1 based Diffie-Hellman groups.

  • Client and Target HMAC Algorithms

    New properties in suSSHi Chef’s Partition settings allow control over the HMAC algorithms accepted on the client side and on the target side, alongside the existing settings for ciphers. The default is to allow all available algorithms. You may change this to disable weaker algorithms, such as the MD5 and SHA-1 based MACs.
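The three allow-lists above all feed the same negotiation rule, and it is worth seeing why "allow all" is not neutral. SSH (RFC 4253, section 7.1) picks the first entry of the client's preference list that the server also supports, so as long as the gateway allows a weak algorithm, any client that happens to list it first gets it. The model below is an added example, not suSSHi or OpenSSH code; its algorithm lists are constructed for the example and resemble, but are not copied from, the defaults of either product. On the client side the gateway is the server and its allow-list is the server list; on the target side the gateway is the SSH client and its allow-list becomes the preference list it sends, so the same function applies with the roles swapped.

```python
"""Added example (not suSSHi code): a model of SSH algorithm negotiation, RFC 4253
section 7.1, applied to the new per-Partition allow-lists for hostkey, KEX and HMAC
algorithms. Each side lists its algorithms in KEXINIT in preference order; the winner is
the first entry of the client's list that the server also supports. The algorithm lists
below are constructed for the example and resemble, but are not copied from, OpenSSH or
suSSHi defaults."""

# "Allow all available algorithms", the default the release notes describe.
GATEWAY_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
GATEWAY_HOSTKEY = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss"]
GATEWAY_MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-md5"]

# What a practitioner would disable: SHA-1 KEX, SHA-1 RSA signatures and DSA, MD5/SHA-1 MACs.
# "ssh-rsa" names the signature scheme (RSA with SHA-1); the same RSA host key keeps
# working through rsa-sha2-256 / rsa-sha2-512.
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "hostkey": {"ssh-rsa", "ssh-dss"},
    "mac": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"},
}


def negotiate(client_pref, server_allowed):
    """First algorithm in the client's order that the server also allows, else None
    (no common algorithm means the connection fails during key exchange)."""
    server_set = set(server_allowed)
    for alg in client_pref:
        if alg in server_set:
            return alg
    return None


def harden(allowed, weak):
    """Drop weak entries from an allow-list without changing the order of the rest."""
    return [alg for alg in allowed if alg not in weak]


def assess(client_pref, server_allowed, weak):
    """Outcome of a negotiation: (chosen algorithm, whether it is on the weak list)."""
    chosen = negotiate(client_pref, server_allowed)
    return chosen, (chosen in weak if chosen is not None else None)


if __name__ == "__main__":
    # A client that prefers an old algorithm first: the permissive default lets it win.
    legacy_first = ["diffie-hellman-group14-sha1", "curve25519-sha256"]
    print(assess(legacy_first, GATEWAY_KEX, WEAK["kex"]))
    print(assess(legacy_first, harden(GATEWAY_KEX, WEAK["kex"]), WEAK["kex"]))
    # A client that only speaks SHA-1 KEX can no longer connect: inventory clients first.
    print(assess(["diffie-hellman-group1-sha1"], harden(GATEWAY_KEX, WEAK["kex"]), WEAK["kex"]))
    # RSA host keys survive disabling ssh-rsa as long as the peer offers rsa-sha2-*.
    print(assess(["ssh-rsa", "rsa-sha2-256"], harden(GATEWAY_HOSTKEY, WEAK["hostkey"]), WEAK["hostkey"]))
```

The third case is the caveat that comes with tightening these lists: a client or target that supports nothing but the disabled algorithms fails at key exchange rather than falling back, so collect the algorithms your clients and targets actually offer before removing entries, and on the target side remember that legacy appliances are often the ones stuck on SHA-1 KEX.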

  • Hostkey Update and Rotation

    suSSHi supports the OpenSSH “Hostkey update and rotation” protocol extension (hostkeys-00@openssh.com), which allows a server to inform a client of all its hostkeys after user authentication has completed. With this option enabled, the client receives the list of all configured hostkeys of the suSSHi Gateway and can update its own list of known hostkeys.

    With this option, all supporting SSH clients can learn new key types they have not encountered before, allowing them to upgrade from weaker key algorithms to better ones. It also supports graceful key rotation: the gateway may offer multiple keys of the same type for a period of time (so that clients can learn the new key through this extension) before the obsolete key is removed from those offered.

    suSSHi now supports multiple hostkeys of the same type in a sortable order, which makes it possible to publish and propagate new keys upfront with the Hostkey Update and Rotation feature.
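The rotation procedure these two paragraphs describe can be walked through with a small model. The code below is an added example and is neither suSSHi nor OpenSSH code: it models, in simplified form, a client that honours hostkeys-00@openssh.com (OpenSSH's UpdateHostKeys behaviour), a gateway whose sorted hostkey list decides which key is presented during key exchange, and a three-phase rotation of an ed25519 key. Assumptions are stated in the docstring; the host name and key blobs are placeholders.

```python
"""Added example (not suSSHi code, not OpenSSH code): a model of host key rotation with the
hostkeys-00@openssh.com extension. After user authentication the server lists all its host
keys; a client that supports the extension learns the ones it does not know yet and can
retire keys the server no longer offers. The client-side rules here are a simplified
model: an announcement is accepted only if at least one offered key is already known for
the host (otherwise a man-in-the-middle could plant keys), and the server's proof of
possession for each new key (hostkeys-prove-00@openssh.com) is assumed to always succeed.
Host name and key blobs are constructed placeholders."""

GATEWAY = "gateway.example.net"   # hypothetical

# (key type, public key blob) pairs with placeholder blobs.
ED_OLD = ("ssh-ed25519", "AAAAC3...ed25519-2018")
ED_NEW = ("ssh-ed25519", "AAAAC3...ed25519-2020")
RSA_OLD = ("ssh-rsa", "AAAAB3...rsa-2018")


def presented_key(offered, key_type):
    """The key used during KEX: the first key of the negotiated type in the gateway's
    sorted list, which is what the new sortable order of 20.05 controls."""
    for key in offered:
        if key[0] == key_type:
            return key
    return None


def verify_host(known, host, key):
    """The ordinary known_hosts check performed before authentication."""
    return key is not None and key in known.get(host, set())


def update_known_hosts(known, host, offered):
    """Client handling of the post-auth hostkeys-00@openssh.com announcement.
    Returns (learned, retired); both empty if the announcement was refused."""
    current = known.get(host, set())
    offered = set(offered)
    if not current & offered:
        return set(), set()
    learned, retired = offered - current, current - offered
    known[host] = offered
    return learned, retired


def connect(known, host, offered, key_type, update=True):
    """One session: host key check during KEX, then the hostkey update after auth.
    Returns (verified, learned, retired)."""
    if not verify_host(known, host, presented_key(offered, key_type)):
        return False, set(), set()     # client aborts: host key mismatch
    if not update:
        return True, set(), set()
    learned, retired = update_known_hosts(known, host, offered)
    return True, learned, retired


def rotation_timeline():
    """Rotate the ed25519 key in three phases, as the release notes suggest."""
    diligent = {GATEWAY: {ED_OLD, RSA_OLD}}   # connects in every phase
    lagging = {GATEWAY: {ED_OLD, RSA_OLD}}    # skips the overlap phases
    r = {}
    # Phase 1: new key added behind the old one; old key still presented in KEX.
    r["overlap"] = connect(diligent, GATEWAY, [ED_OLD, ED_NEW, RSA_OLD], "ssh-ed25519")
    # Phase 2: new key sorted first and therefore presented; old key still offered.
    r["switch"] = connect(diligent, GATEWAY, [ED_NEW, ED_OLD, RSA_OLD], "ssh-ed25519")
    # Phase 3: old key removed; the diligent client retires it.
    r["retire"] = connect(diligent, GATEWAY, [ED_NEW, RSA_OLD], "ssh-ed25519")
    # The lagging client never saw ED_NEW and gets a host key mismatch ...
    r["lagging"] = connect(lagging, GATEWAY, [ED_NEW, RSA_OLD], "ssh-ed25519")
    # ... unless a key type it still knows is negotiated, after which it catches up.
    r["lagging_rsa"] = connect(lagging, GATEWAY, [ED_NEW, RSA_OLD], "ssh-rsa")
    return r


if __name__ == "__main__":
    for phase, outcome in rotation_timeline().items():
        print(phase, outcome)
```

Two points the timeline makes concrete: the overlap phase only helps clients that actually connect during it, so its length should be chosen by the longest gap between sessions of your user population, and keeping a second key type offered gives stragglers a path to catch up rather than a hard mismatch. The intersection check in `update_known_hosts` is what keeps the extension from being a way to install attacker keys; dropping it would turn a single compromised session into a persistent one.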

  • Password Split-String

    With this new feature, suSSHi allows a user to supply the password for authentication at the target together with the password for authentication at the gateway, by entering the two passwords separated by the configured split-string: <gateway_pw><split-string><target_pw>.

    Do not choose a string that is too simple or too short (e.g. only @), because the chosen combination must not occur in any password. The default is therefore ::@:: (<gateway_pw>::@::<target_pw>).
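The reason for the warning is easy to see once the split is written out. The following is an added example, not suSSHi's code: it models the <gateway_pw><split-string><target_pw> rule, shows how a short split-string such as @ silently misparses a password that contains it, and gives the policy check an administrator would run before changing the split-string. Sample passwords are constructed; whether suSSHi itself rejects a combined value with several occurrences of the split-string is not stated on the page and is an assumption here.

```python
"""Added example (not suSSHi code): the parsing rule behind the Password Split-String
feature, <gateway_pw><split-string><target_pw>, and why the default ::@:: is preferred to a
short separator like @. Sample passwords are constructed. Rejecting a combined value in
which the split string occurs more than once is this model's choice, not documented
suSSHi behaviour."""

DEFAULT_SPLIT = "::@::"


def split_passwords(combined, split_string=DEFAULT_SPLIT):
    """Split the combined secret at the first occurrence of split_string.
    Returns (gateway_pw, target_pw); target_pw is None if no split string is present,
    i.e. the user supplied only the gateway password. Raises ValueError if the split
    string occurs more than once, since the boundary is then ambiguous."""
    if combined.count(split_string) > 1:
        raise ValueError("split string occurs more than once; boundary is ambiguous")
    gateway_pw, sep, target_pw = combined.partition(split_string)
    return gateway_pw, (target_pw if sep else None)


def combine(gateway_pw, target_pw, split_string=DEFAULT_SPLIT):
    """What the user types. Refuses passwords that contain the split string, because
    split_passwords could not recover them."""
    if split_string in gateway_pw or split_string in target_pw:
        raise ValueError("a password contains the split string")
    return f"{gateway_pw}{split_string}{target_pw}"


def split_string_is_safe(split_string, passwords):
    """Policy check: a candidate split string must not occur in any password in use.
    Also rejects strings that are a prefix/suffix of each other's overlap, e.g. "@@"
    against a password ending in "@", by testing the concatenated form as well."""
    if any(split_string in pw for pw in passwords):
        return False
    # A password ending with part of the split string can join with the split string
    # itself into a second occurrence, e.g. pw "x::" + "::@::" -> "x::::@::", which
    # still contains exactly one ::@:: ; the count check covers true duplicates.
    return all((pw + split_string).count(split_string) == 1 for pw in passwords)


def demo():
    """Return the outcomes the release note warns about, for a password containing @."""
    gateway_pw, target_pw = "p@ss", "s3cret"
    outcomes = {}
    outcomes["default"] = split_passwords(combine(gateway_pw, target_pw))
    # With "@" as split string the gateway password alone already looks like two passwords.
    outcomes["silent_misparse"] = split_passwords(gateway_pw, "@")
    outcomes["safe_default"] = split_string_is_safe(DEFAULT_SPLIT, [gateway_pw, target_pw])
    outcomes["safe_at"] = split_string_is_safe("@", [gateway_pw, target_pw])
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `silent_misparse` case is the dangerous one: with @ as split-string a user who types only the gateway password p@ss is interpreted as gateway password p and target password ss, so the gateway login fails, and in the reverse situation part of one credential could be sent to the other system. A long, unusual split-string such as the default ::@:: makes an accidental occurrence in a real password unlikely, and the policy check lets you confirm that before changing it.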

Improvements

  • Upgraded to latest libssh version 0.9.4.

  • Changed logfile naming to unique IDs (otherwise a logfile could be overwritten).

  • Adjusted some system logging.

  • Better error message on usage of -N (or other errors) when setting up PubkeySSHAgent mode.

  • Password authentication with the target now works if the client supports password authentication only and no keyboard-interactive authentication.

  • Enhanced the SFTP inspection module to also support SFTP protocol versions 4-6 correctly. These SFTP versions are supported by very few products; OpenSSH, for example, still uses SFTP protocol version 3 even in its latest version, 8.2.

  • Improved compatibility with VanDyke’s SecureCRT in Auth-Agent Authentication.

Bug Fixes

  • Fixed an issue in PubkeySSHAgent mode when the server returns an exit status message while still in the authentication phase. This could happen with short-running exec commands.

  • Made short-running exec commands in PubkeySSHAgent mode more stable.

  • Fixed an issue in PubkeySSHAgent mode when the client closes the auth-agent channel very quickly.

  • Fixed infrequent crashes with scp and sftp in PubkeySSHAgent mode.

  • Minor fixes to allow suSSHi Gateway to run correctly in IPv4/IPv6 container deployments.