OpenSSH Security

OpenSSH is developed with the same rigorous security process that the OpenBSD group is famous for. If you wish to report a security issue in OpenSSH, please contact the private developers list <openssh@openssh.com>.

For more information, see the OpenBSD security page.

• October 3, 2017
  All version of OpenSSH prior to 7.6 supporting read-only mode in sftp-server (introduced in 5.5). Incorrect open(2) flags in sftp-server permitted creation of zero-length files when the server was running in read-only mode (invoked using the -R command-line flag).
  This bug is corrected in OpenSSH 7.6. For more information, please refer to the release notes.

• March 9, 2016
  All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled. Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth(1).

  Mitigate by setting X11Forwarding=no in sshd_config, or on the commandline. This is the default, but some vendors enable the feature.

  For more information see the advisory.
  This bug is corrected in OpenSSH 7.2p2 and in OpenBSD's stable branch. For more information, please refer to the release notes.

• January 14, 2016
  OpenSSH clients between versions 5.4 and 7.1 are vulnerable to information disclosure that may allow a malicious server to retrieve information including under some circumstances, user's private keys. This may be mitigated by adding the undocumented config option UseRoaming no to ssh_config.
  For more information see CVE-2016-0777 and CVE-2016-0778.
  This bug is corrected in OpenSSH 7.1p2 and in OpenBSD's stable branch. For more information, please refer to the release notes.

• August 21, 2015
  OpenSSH 7.0 contained a logic error in PermitRootLogin= prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication.
  This bug is corrected in OpenSSH 7.1. For more information, please refer to the release notes

• August 11, 2015
  OpenSSH 6.7 through 6.9 assign weak permissions to TTY devices.
  Keyboard-interactive authentication in OpenSSH prior to 7.0 may allow circumvention of MaxAuthTries.
  These bugs are corrected in OpenSSH 7.0. For more information, please refer to the release notes

• June 30, 2015
  OpenSSH prior to 6.9 suffered from a race condition that could allow non-trusted X11 forwarding sessions to be treated as trusted. For more information, please refer to the release notes

• November 8, 2013:
  OpenSSH versions 6.2 and 6.3 are vulnerable to the memory corruption problem described in the gcmrekey.adv advisory and the OpenSSH 6.4 release notes.

• February 2, 2011:
  Portable OpenSSH prior to version 5.8p2 is vulnerable to the local host key theft attack described in portable-keysign-rand-helper.adv advisory and the OpenSSH 5.8p2 release notes.

• January 24, 2011:
  OpenSSH versions 5.6 and 5.7 are vulnerable to a potential leak of private key data described in the legacy-cert.adv advisory and the OpenSSH 5.8 release notes.

• February 23, 2009:
  OpenSSH prior to version 5.2 is vulnerable to the protocol weakness described in CPNI-957037 "Plaintext Recovery Attack Against SSH". However, based on the limited information available it appears that this described attack is infeasible in most circumstances. For more information please refer to the cbc.adv advisory and the OpenSSH 5.2 release notes.

• July 22, 2008:
  Portable OpenSSH 5.1 and newer are not vulnerable to the X11UseLocalhost=no hijacking attack on HP/UX (and possibly other systems) described in the OpenSSH 5.1 release notes.

• April 3, 2008:
  OpenSSH 5.0 and newer are not vulnerable to the X11 hijacking attack described in CVE-2008-1483 and the OpenSSH 5.0 release notes.

• March 31, 2008:
  OpenSSH 4.9 and newer do not execute ~/.ssh/rc for sessions whose command has been overridden with a sshd_config(5) ForceCommand directive. This was a documented, but unsafe behaviour (described in OpenSSH 4.9 release notes).

• September 5, 2007:
  OpenSSH 4.7 and newer do not fall back to creating trusted X11 authentication cookies when untrusted cookie generation fails (e.g. due to deliberate resource exhaustion), as described in the OpenSSH 4.7 release notes.

• November 7, 2006:
  OpenSSH 4.5 and newer fix a weakness in the privilege separation monitor that could be used to spoof successful authentication (described in the OpenSSH 4.5 release notes). Note that exploitation of this vulnerability would require an attacker to have already subverted the network-facing sshd(8) process, and no vulnerabilities permitting this are known.

• September 27, 2006:
  OpenSSH 4.4 and newer is not vulnerable to the unsafe signal handler vulnerability described in the OpenSSH 4.4 release notes.

• September 27, 2006:
  OpenSSH 4.4 and newer is not vulnerable to the SSH protocol 1 denial of service attack described in the OpenSSH 4.4 release notes.

• February 1, 2006:
  OpenSSH 4.3 and newer are not vulnerable to shell metacharacter expansion in scp(1) local-local and remote-remote copies (CVE-2006-0225), as described in the OpenSSH 4.3 release notes.

• September 1, 2005:
  OpenSSH 4.2 and newer does not allow delegation of GSSAPI credentials after authentication using a non-GSSAPI method as described in the OpenSSH 4.2 release notes.

• September 1, 2005:
  OpenSSH 4.2 and newer do not incorrectly activate GatewayPorts for dynamic forwardings (bug introduced in OpenSSH 4.0) as described in the OpenSSH 4.2 release notes.

• September 16, 2003:
  Portable OpenSSH 3.7.1p2 and newer are not vulnerable to "September 23, 2003: Portable OpenSSH Multiple PAM vulnerabilities", OpenSSH Security Advisory. (This issue does not affect OpenBSD versions)

• September 16, 2003:
  OpenSSH 3.7.1 and newer are not vulnerable to "September 16, 2003: OpenSSH Buffer Management bug", OpenSSH Security Advisory and CERT Advisory CA-2003-24.

• June 26, 2002:
  OpenSSH 3.4 and newer are not vulnerable to "June 26, 2002: OpenSSH Remote Challenge Vulnerability", OpenSSH Security Advisory.

• March 29, 2002:
  OpenSSH 3.2.1 and newer are not vulnerable to "April 21, 2002: Buffer overflow in AFS/Kerberos token passing code", OpenSSH Security Advisory: Versions prior to OpenSSH 3.2.1 allow privileged access if AFS/Kerberos token passing is compiled in and enabled (either in the system or in sshd_config).

• March 7, 2002:
  OpenSSH 3.1 and newer are not vulnerable to "March 7, 2002: Off-by-one error in the channel code", OpenSSH Security Advisory.

• November 24, 2001:
  OpenSSH 3.0.2 and newer do not allow users to pass environment variables to login(1) if UseLogin is enabled. The UseLogin option is disabled by default in all OpenSSH releases.

• May 21, 2001:
  OpenSSH 2.9.9 and newer are not vulnerable to "Sep 26, 2001: Weakness in OpenSSH's source IP based access control for SSH protocol v2 public key authentication.", OpenSSH Security Advisory.

• May 21, 2001:
  OpenSSH 2.9.9 and newer do not allow users to delete files named "cookies" if X11 forwarding is enabled. X11 forwarding is disabled by default.

• November 6, 2000:
  OpenSSH 2.3.1, a development snapshot which was never released, was vulnerable to "Feb 8, 2001: Authentication By-Pass Vulnerability in OpenSSH-2.3.1", OpenBSD Security Advisory. In protocol 2, authentication could be bypassed if public key authentication was permitted. This problem does exist only in OpenSSH 2.3.1, a three week internal development release. OpenSSH 2.3.0 and versions newer than 2.3.1 are not vulnerable to this problem.

• November 6, 2000:
  OpenSSH 2.3.0 and newer do not allow malicious servers to access the client's X11 display or ssh-agent. This problem has been fixed in OpenSSH 2.3.0.

• November 6, 2000:
  OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 compensation attack detector can lead to remote root access. This problem has been fixed in OpenSSH 2.3.0. However, versions prior to 2.3.0 are vulnerable.

• September 2, 2000:
  OpenSSH 2.2.0 and newer are not vulnerable to the "Feb 7, 2001: SSH-1 Session Key Recovery Vulnerability", CORE-SDI Advisory CORE-20010116. OpenSSH imposes limits on the connection rate, making the attack unfeasible. Additionally, the Bleichenbacher oracle has been closed completely since January 29, 2001.

• June 8, 2000:
  OpenSSH 2.1.1 and newer do not allow a remote attacker to execute arbitrary commands with the privileges of sshd if UseLogin is enabled by the administrator. UseLogin is disabled by default. This problem has been fixed in OpenSSH 2.1.1.

• OpenSSH was never vulnerable to the "Feb 5, 2001: SSH-1 Brute Force Password Vulnerability", Crimelabs Security Note CLABS200101.

• OpenSSH was not vulnerable to the RC4 cipher password cracking, replay, or modification attacks. At the time that OpenSSH was started, it was already known that SSH 1 used the RC4 stream cipher completely incorrectly, and thus RC4 support was removed.

• OpenSSH was not vulnerable to client forwarding attacks in unencrypted connections, since unencrypted connection support was removed at OpenSSH project start.

• OpenSSH was not vulnerable to IDEA-encryption algorithm attacks on the last packet, since the IDEA algorithm is not supported. The patent status of IDEA makes it unsuitable for inclusion in OpenSSH.

• OpenSSH does not treat localhost as exempt from host key checking, thus making it not vulnerable to the host key authentication bypass attack.

• OpenSSH was not vulnerable to uncontrollable X11 forwarding attacks because X11-forwarding is disabled by default and the user can de-permit it.

• OpenSSH has the SSH 1 protocol deficiency that might make an insertion attack difficult but possible. The CORE-SDI deattack mechanism is used to eliminate the common case. SSH 1 protocol support is disabled by default.