OpenSSH not anymore depending on OpenSSL

openssh

OpenSSH is an important set of programs that is used to encrypt communication and connect to servers over SSH. This is the standard way used by many system administrators to remotely manage thousands of servers. For long time developers have planned to remove the OpenSSL package as this is not required for the communication and protocol functionality but they use the crypto of OpenSSL.

Now and starting with the next version of OpenSSH it is possible to have the package compiled with the key make OPENSSL = no, to remove the OpenSSL dependencies. According to the release notes with this setting administrator reduce certain set of cryptographic standards from the old protocol SSH- 1 (that include algorithms to curve25519, aes-ctr, chacha, ed25519).

The protocol that should be used is SSH- 2 that comes to add more security and is more reliable while I think that the first version is not anymore used. By this new release it will be important to directly exclude OpenSSL and any other package that is not used to reduce the vulnerability surface in your infrastructure.

OpenBSD and OpenSSH developers have recently launched a project called LibreSSL that comes to clean OpenSSL code from glitches and security troubles especially after the critical Heartbleed vulnerability which left 2/3 websites in the cyberspace vulnerable for more than 2 years.

Share
You can leave a response, or trackback from your own site.