Core Shell/ Tunnel 3.10.x – OpenSSH 9.8

:warning: Known Issue
This issue is specific to the Codinn Store version: you may lose your App Store Premium license after upgrading to Core Shell/ Tunnel 3.10 or later. To recover it, reinstall 3.10 or later from the App Store, then switch back to the Codinn Store version.

Version 3.10.4 - 2024-08-28

Version 3.10.4 is a hotfix release for fixing:

  • Core Shell: SFTP XPC component terminated unexpectedly when uploading or downloading files.
  • Core Tunnel: SSH XPC component terminated unexpectedly when using dynamic port forwarding.

Special thanks to Golo Königshoff (@DerGolo) and Fabian Heusel for helping with this release.

Version 3.10.3 - 2024-08-20

Version 3.10.3 is a hotfix release for fixing:

  • Crash if remote authentication prompt contains "@".

Special thanks to @jamespauly for helping with this release.

Core Shell Version 3.10.2 - 2024-08-16

Version 3.10.2 (Core Shell) is a hotfix release for fixing:

  • The terminal size does not change with the shell window.

Special thanks to Craig Altenburg (@Curuvar) for helping with this release.

Version 3.10.1 - 2024-08-12

Version 3.10.1 is a hotfix release for fixing:

  • Codinn Store version: the activation window should be dark when the system is in dark mode.

Special thanks to Craig Altenburg (@Curuvar) for helping with this release.

Version 3.10 - 2024-08-09

Core Shell/Tunnel 3.10 employs a more reliable iCloud synchronization method and allows automatic profile backups.

Moreover, the codebase of embedded OpenSSH has been updated to version 9.8. See https://community.codinn.com/t/4652/3 for the OpenSSH changes.

:warning: NOTE
Due to changes in the synchronization method, data cannot be synchronized between 3.10 and 3.8.9 (or earlier versions).

Added

  • New backup file formats .coreshell/ .coretunnel.
  • Add a RequiredRSASize directive to set a minimum RSA key length.
  • Add a ChannelTimeout directive that specifies how long an inactive channel should remain open before it is automatically closed.
  • Add an EnableEscapeCommandline directive used to enable or disable the ability for users to enter escape commands on the command line.
  • Add an ObscureKeystrokeTiming directive used to add random delays between keystrokes to make it more difficult for an attacker to infer the content of typed data from keystroke timing.

Removed

  • Remove support for .coressh backup file format.

Changed

  • A more reliable iCloud synchronization method.

Fixed

  • Core Shell: profiles window randomly opens when a URL scheme launches an SSH terminal session (@zanthony)
  • Core Shell: unable to upload or download multiple files at the same time
  • Fixed random crashes

Special thanks to Zach Anthony (@zanthony) and David Olrik (@davidolrik) for helping with this release.

OpenSSH – Change history between versions 8.8 and 9.8

For detailed release notes of OpenSSH, please refer to the OpenSSH Release Notes.

Potentially-incompatible changes

  • ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438

  • ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime.

    This option defaults to "no", disabling the ~C command-line that was previously enabled by default. Turning off the command-line allows platforms that support sandboxing of the ssh(1) client (currently only OpenBSD) to use a stricter default sandbox policy.

  • ssh(1), sshd(8): the RFC4254 connection/channels protocol provides a TCP-like window mechanism that limits the amount of data that can be sent without acceptance from the peer. In cases where this limit was exceeded by a non-conforming peer SSH implementation, ssh(1)/sshd(8) previously discarded the extra data.

    From OpenSSH 9.6, ssh(1)/sshd(8) will now terminate the connection if a peer exceeds the window limit by more than a small grace factor. This change should have no effect on SSH implementations that follow the specification.

New features

  • ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.

    We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.

  • ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).

    ssh(1) will terminate a connection if the server offers an RSA key that falls below this limit, as the SSH protocol does not include the ability to retry a failed key exchange.

  • sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings.

  • ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499

  • ssh(1): add support for configuration tags to ssh(1). This adds a ssh_config(5) "Tag" directive and corresponding "Match tag" predicate that may be used to select blocks of configuration similar to the pf.conf(5) keywords of the same name.

  • ssh(1): add a "match localnetwork" predicate. This allows matching on the addresses of available network interfaces and may be used to vary the effective client configuration based on network location.

  • ssh(1): add keystroke timing obfuscation to the client. This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.

  • ssh(1), sshd(8): Introduce a transport-level ping facility. This adds a pair of SSH transport protocol messages SSH2_MSG_PING/PONG to implement a ping capability. These messages use numbers in the "local extensions" number space and are advertised using a "ping@openssh.com" ext-info message with a string version number of "0".

  • ssh(1): add a %j token that expands to the configured ProxyJump hostname (or the empty string if this option is not being used) that can be used in a number of ssh_config(5) keywords. bz3610

  • ssh(1): add ChannelTimeout support to the client, mirroring the same option in the server and allowing ssh(1) to terminate quiescent channels.

  • ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): add support for reading ED25519 private keys in PEM PKCS8 format. Previously only the OpenSSH private key format was supported.

  • ssh(1), sshd(8): introduce a protocol extension to allow renegotiation of acceptable signature algorithms for public key authentication after the server has learned the username being used for authentication. This allows varying sshd_config(5) PubkeyAcceptedAlgorithms in a "Match user" block.

  • ssh(1): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys.
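The client-side directives listed above, together with the first-match-wins SetEnv rule from the potentially-incompatible changes, combined in one ssh_config. This is an added example and is not part of Core Shell or of the OpenSSH release notes; the host names, the tag name and the 10.20.0.0/16 network are placeholders.

```sshconfig
# Added example client configuration (placeholder hosts and networks).
# Every ssh_config directive is first-match-wins, and since these releases
# SetEnv follows that rule as well, so per-host blocks must come BEFORE
# the catch-all "Host *" block at the bottom.

Host bastion.example.com
    # Attach a tag that later "Match tag" blocks can select.
    Tag bastion
    # First match wins: this value is used for the bastion and the
    # "Host *" SetEnv below is ignored (it used to be the other way round).
    SetEnv LANG=C.UTF-8

# Selected when the tag was set by the Tag directive above or on the
# command line with "ssh -P bastion".
Match tag bastion
    # Close idle sessions after 30 minutes and idle -L/-D forwards after 5.
    ChannelTimeout session=30m direct-tcpip=5m

# Vary the configuration by network location: on the office network the
# internal hosts are reachable directly, so no jump host is needed.
Match localnetwork 10.20.0.0/16
    ProxyJump none

Host *.internal.example.com
    ProxyJump bastion.example.com

Host *
    SetEnv LANG=C
    # Keep the ~C runtime command line disabled (the new default).
    EnableEscapeCommandline no
    # Send interactive traffic at fixed intervals plus chaff keystrokes.
    ObscureKeystrokeTiming yes
    # Reject RSA user and host keys shorter than 3072 bits; a server
    # offering a shorter host key causes the connection to be dropped.
    RequiredRSASize 3072
```

Run ssh -G host to print the effective configuration and confirm which SetEnv and ChannelTimeout values apply to a given destination.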

Bugfixes

  • ssh(1): make ConnectTimeout apply to multiplexing sockets and not just to network connections.

  • ssh(1): don't incorrectly disable hostname canonicalization when CanonicalizeHostname=yes and ProxyJump was explicitly set to "none". bz3567

  • ssh(1): interactive mode for ControlPersist sessions if they originally requested a tty.

  • sftp(1): correct handling of the limits@openssh.com option when the server returned an unexpected message.

  • ssh(1): release GSS OIDs only at end of authentication, avoiding unnecessary init/cleanup cycles. bz2982

  • ssh(1): when connecting to a destination with both the AddressFamily and CanonicalizeHostname directives in use, the AddressFamily directive could be ignored. bz5326

  • ssh(1): fix the multiplexing "channel proxy" mode, broken when keystroke timing obfuscation was added. (GHPR#463)