update openssh demo
ajbozarth committed Oct 23, 2024
1 parent 8dd930c commit 5ebd8c9
Showing 8 changed files with 45 additions and 31 deletions.
11 changes: 8 additions & 3 deletions .circleci/config.yml
Expand Up @@ -478,7 +478,6 @@ jobs:
docker push $TARGETNAME/ngtcp2-server:latest &&
docker push $TARGETNAME/ngtcp2-client:latest
# Not actively maintained:
ubuntu_x64_openssh:
description: A template for building and pushing OQS demo Docker images on
Ubuntu that do not use OQS-OpenSSL, but rather liboqs in another form
Expand All @@ -501,6 +500,12 @@ jobs:
docker build --build-arg MAKE_DEFINES="-j 18" -t oqs-openssh-img . &&
docker run --rm --name oqs-openssh oqs-openssh-img connect-test.sh
working_directory: openssh
- run:
name: Test OpenSSH (main/master)
command: |
docker build --build-arg LIBOQS_RELEASE=main --build-arg MAKE_DEFINES="-j 18" -t oqs-openssh-img-main . &&
docker run --rm --name oqs-openssh-main oqs-openssh-img-main connect-test.sh
working_directory: openssh
- when:
condition:
equal: [ main, << pipeline.git.branch >> ]
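
Review bot: The added "Test OpenSSH (main/master)" step overrides only `LIBOQS_RELEASE=main`, so it builds liboqs main against the Dockerfile's pinned `OQS_OPENSSH_RELEASE` default, not against the head of the OpenSSH fork as the name suggests. Either pass `--build-arg OQS_OPENSSH_RELEASE=...` as well or rename the step to say it covers liboqs main only. Because it runs before the `when` block that follows, a break on a moving upstream branch will also stop the job before the steps guarded by that condition, so decide whether this step should be allowed to fail on its own.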
Expand Down Expand Up @@ -624,8 +629,8 @@ workflows:
# context: openquantumsafe
#- ubuntu_x64_ngtcp2:
# context: openquantumsafe
#- ubuntu_x64_openssh:
# context: openquantumsafe
- ubuntu_x64_openssh:
context: openquantumsafe
# Disabled in CI as failing to conclude test properly as per
# https://github.com/open-quantum-safe/oqs-demos/pull/167#issuecomment-1383673300
# - ubuntu_x64_openlitespeed:
23 changes: 16 additions & 7 deletions openssh/Dockerfile
@@ -1,18 +1,21 @@
# Multi-stage build: First the full builder image:

# define the alpine image version to use
ARG ALPINE_VERSION=3.20

# Default location where all binaries wind up:
ARG DEFAULT_INSTALL_DIR=/opt/oqs-ssh
ARG INSTALL_DIR=${DEFAULT_INSTALL_DIR}

# liboqs version
# ATTENTION: Changing this could mean that further adaptions in sshd_config and ssh_config are required
ARG LIBOQS_RELEASE="main"
ARG LIBOQS_RELEASE="0.11.0"

# liboqs build defines (https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs)
ARG LIBOQS_BUILD_DEFINES=

# Open quantum safe OpenSSH release
ARG OQS_OPENSSH_RELEASE="OQS-v8"
ARG OQS_OPENSSH_RELEASE="OQS-v9"

# openssh build defines (https://github.com/open-quantum-safe/openssh#step-2-build-the-fork)
ARG OPENSSH_BUILD_OPTIONS=
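
Review bot: `LIBOQS_RELEASE="0.11.0"` and `OQS_OPENSSH_RELEASE="OQS-v9"` are still resolved by name at build time (this file clones with `git clone --depth 1 --branch ${LIBOQS_RELEASE}`), so the build is only as reproducible as those refs are immutable. Recording the expected commit hash next to each ARG and checking it after the clone would make that explicit, and `ALPINE_VERSION=3.20` could carry a digest for the same reason. The ATTENTION comment above `LIBOQS_RELEASE` should also name connect-test.sh and serverstart.sh, since this commit had to change the algorithm defaults there as well as in `ssh_config` and `sshd_config`.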
Expand All @@ -25,7 +28,7 @@ ARG MAKE_INSTALL="install-nokeys"
ARG OQS_USER="oqs"
ARG OQS_PASSWORD="Pa55W0rd"

FROM alpine:3.13 as intermediate
FROM alpine:${ALPINE_VERSION} as intermediate
# Take in all global args
ARG INSTALL_DIR
ARG LIBOQS_RELEASE
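
Review bot: The rewritten `FROM alpine:${ALPINE_VERSION} as intermediate` keeps a lowercase `as` next to an uppercase `FROM`, which current Docker build checks report as a keyword casing mismatch; since both `FROM` lines are edited in this commit, switch them to `AS intermediate` and `AS dev`. `ALPINE_VERSION` is declared before the first `FROM` and used only in `FROM` lines, so it does not need to be re-declared inside the stages.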
Expand All @@ -36,7 +39,7 @@ ARG MAKE_DEFINES
ARG MAKE_INSTALL
ARG OQS_USER

LABEL version="2"
LABEL version="3"

ENV DEBIAN_FRONTEND noninteractive

Expand All @@ -59,7 +62,11 @@ RUN git clone --depth 1 --branch ${LIBOQS_RELEASE} https://github.com/open-quant
# build liboqs static (does not work with shared lib!)
WORKDIR /opt/liboqs
# RUN mkdir build && cd build && cmake .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && make ${MAKE_DEFINES} && make install
RUN mkdir build-static && cd build-static && cmake .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_BUILD_TYPE=${LIBOQS_BUILD_TYPE} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && make ${MAKE_DEFINES} && make install
RUN mkdir build-static && \
cd build-static && \
cmake .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_BUILD_TYPE=${LIBOQS_BUILD_TYPE} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && \
make ${MAKE_DEFINES} && \
make install

# builds and installs OQS-OpenSSH
WORKDIR /opt/ossh-src
Expand All @@ -78,7 +85,7 @@ STOPSIGNAL SIGTERM

## second stage: Only create minimal image without build tooling and intermediate build results generated above:

FROM alpine:3.13 as dev
FROM alpine:${ALPINE_VERSION} as dev
# Take in all global args
ARG DEFAULT_INSTALL_DIR
ARG INSTALL_DIR
Expand All @@ -93,7 +100,9 @@ RUN apk update \
COPY --from=intermediate ${INSTALL_DIR} ${INSTALL_DIR}

# Create a normal user to be able to log into the system via ssh
RUN addgroup --gid 1000 --system ${OQS_USER} && adduser --uid 1000 --system ${OQS_USER} --ingroup ${OQS_USER} --shell /bin/sh && echo -e -e "${OQS_PASSWORD}\n${OQS_PASSWORD}\n" | passwd ${OQS_USER}
RUN addgroup --gid 1000 --system ${OQS_USER} && \
adduser --uid 1000 --system ${OQS_USER} --ingroup ${OQS_USER} --shell /bin/sh && \
echo -e -e "${OQS_PASSWORD}\n${OQS_PASSWORD}\n" | passwd ${OQS_USER}

# Set up login shell: Add ssh-binaries to path for ssh login shell, fix /etc/profile not executing /etc/profile.d/*
RUN sed -i "s|PATH=|PATH=${INSTALL_DIR}/bin:|;s|/etc/profile.d/\*\.sh|/etc/profile.d/\*|" /etc/profile
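
Review bot: The reflowed user-creation `RUN` keeps the doubled flag in `echo -e -e "${OQS_PASSWORD}\n${OQS_PASSWORD}\n" | passwd ${OQS_USER}`; as the line is being rewritten anyway, drop the duplicate `-e` or use `printf '%s\n%s\n' "${OQS_PASSWORD}" "${OQS_PASSWORD}"`, which does not depend on the shell's `echo` behaviour. Quoting `${OQS_USER}` in all three commands would also avoid word-splitting on a custom user name. A password supplied as a build ARG and expanded in a `RUN` line can be read back from the image history, so the README should keep stating that `Pa55W0rd` is a demo default to be changed.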
6 changes: 3 additions & 3 deletions openssh/README.md
Expand Up @@ -44,7 +44,7 @@ The first command adds user `<user>` (yourself) to the group `docker`, and the s
## General information

The Dockerfile
- obtains all source code required for building the quantum safe cryptography (QSC) algorithms and the [QSC-enabled version of OpenSSH (7.9-2020-08_p1)](https://github.com/open-quantum-safe/openssh/releases/tag/OQS-OpenSSH-snapshot-2020-08)
- obtains all source code required for building the quantum safe cryptography (QSC) algorithms and the [QSC-enabled version of OpenSSH (9.7)](https://github.com/open-quantum-safe/openssh/releases/tag/OQS-OpenSSH-snapshot-2024-08)
- builds all libraries and applications
- creates a second user `oqs` with the default password `Pa55W0rd`
- by default starts the openssh daemon\*
Expand All @@ -57,7 +57,7 @@ The Dockerfile

## Updating the liboqs version

Currently the used version of liboqs is [0.4.0](https://github.com/open-quantum-safe/liboqs/releases/tag/0.4.0). Be aware that upon changing this version, which can be done in the [Dockerfile](Dockerfile), the default algorithms may change. If this is the case [sshd_config](sshd_config)/[sshd_config](sshd_config) must be updated accordingly.
Currently the used version of liboqs is [0.11.0](https://github.com/open-quantum-safe/liboqs/releases/tag/0.11.0). Be aware that upon changing this version, which can be done in the [Dockerfile](Dockerfile), the default algorithms may change. If this is the case [sshd_config](sshd_config)/[sshd_config](sshd_config) must be updated accordingly.

# Usage

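Review bot: The rewritten sentence still ends with `[sshd_config](sshd_config)/[sshd_config](sshd_config)`, the same file linked twice; the first link is presumably meant to be `[ssh_config](ssh_config)`, as the client-side file is changed in this commit too. The version stated here also has to be kept in step with `LIBOQS_RELEASE` in the Dockerfile by hand, so consider referring to that ARG instead of restating the number.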
Expand All @@ -79,7 +79,7 @@ By default this is `/opt/oqs-ssh`. When it is changed, every occurrence of this

## LIBOQS_BUILD_DEFINES

This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs).
This permits changing the build options for the underlying library with the quantum safe algorithms. All possible options are documented [here](https://github.com/open-quantum-safe/liboqs/blob/main/CONFIGURE.md).

By default, the image is built such as to have maximum portability regardless of CPU type and optimizations available, i.e. to run on the widest possible range of cloud machines.

20 changes: 10 additions & 10 deletions openssh/USAGE.md
@@ -1,6 +1,6 @@
# Purpose

This is an [opensshd](https://https.openssh.com) docker image based on the [OQS OpenSSH 7.9 fork](https://github.com/open-quantum-safe/openssh), which allows ssh to quantum-safely negotiate session keys and use quantum-safe authentication with algorithms from the [Post-Quantum Cryptography Project by NIST](https://csrc.nist.gov/projects/post-quantum-cryptography).
This is an [opensshd](https://https.openssh.com) docker image based on the [OQS OpenSSH 9.7 fork](https://github.com/open-quantum-safe/openssh), which allows ssh to quantum-safely negotiate session keys and use quantum-safe authentication with algorithms from the [Post-Quantum Cryptography Project by NIST](https://csrc.nist.gov/projects/post-quantum-cryptography).

This image has a built-in non-root user to permit execution without particular [docker privileges](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). This is necessary as logging in as root in ssh is not recommended practice. But it is worth to note that this user, per default called `oqs`, is not set as the default user when the image starts. The reason for that is that the the start up script needs root permissions to generate all host keys and start the sshd service. This means that when executing a command as the user `oqs`, the `docker exec` command needs to be used together with the option `--user oqs`.

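Review bot: The changed first paragraph keeps the link target `https://https.openssh.com`, which looks like a typo for `https://www.openssh.com` and should be corrected while the sentence is being edited. The unchanged paragraph after it also contains "the the start up script".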
Expand Down Expand Up @@ -175,7 +175,7 @@ docker exec -it <name-or-hash-of-container> /opt/oqs-ssh/scripts/key-gen.sh

For a list of all signature and key exchange algorithms see [here](https://github.com/open-quantum-safe/openssh#supported-algorithms). Be aware that there is a limitation of what algorithms are enabled in PQS-OpenSSH per default, more information in the section **Enabling additional PQC algorithms** below. It is recommended to only use the hybrid variants to maintain established classical security. The post-quantum safe algorithms have not yet received enough confidence to be relied on as the only security mechanism.

The image's default key exchange algorithm is `ecdh-nistp384-kyber-768-sha384`. For host and identity keys (server and client authentication, respectively) the `ssh-ecdsa-nistp384-dilithium3` algorithm is used. Those algorithms may be changed by adjusting the files `ssh_config` and `sshd_config` respectively.
The image's default key exchange algorithm is `ecdh-nistp384-kyber-768-sha384`. For host and identity keys (server and client authentication, respectively) the `ssh-ecdsa-nistp384-mldsa65` algorithm is used. Those algorithms may be changed by adjusting the files `ssh_config` and `sshd_config` respectively.

**In `ssh_config` (client side)**
- `KexAlgorithms`: Comma-separated list of enabled key-exchange algorithms. Priority given by order. Names according to [this KEX naming scheme](https://github.com/open-quantum-safe/openssh#key-exchange).
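
Review bot: The changed sentence now pairs the renamed signature default `ssh-ecdsa-nistp384-mldsa65` with an unchanged key-exchange default of `ecdh-nistp384-kyber-768-sha384`; please confirm that this KEX name is still what the OQS-v9 build with liboqs 0.11.0 offers, given that the signature name had to change in this same commit. The context paragraph above it says "PQS-OpenSSH" where the rest of the document says OQS-OpenSSH.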
Expand Down Expand Up @@ -203,9 +203,9 @@ The generation of the host and identity keys happens via the script [key-gen.sh]
Which keys to generate is determined using the configuration files (`ssh_config` and `sshd_config`). The need for a specific key is determined based on the following parameters:
1. `IdentityFile` (in `ssh_config`) for **identity keys**: For every entry (there may be multiple) the corresponding identity key is generated.
- e.g. `IdentityFile ~/.ssh/id_ed25519` or
- `IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-dilithium3`
- `IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-mldsa65`
2. `HostKey` (in `sshd_config`) for **host keys**: For every entry (there may be multiple) the corresponding host key is generated.
- e.g. `HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-dilithium3_key` or
- e.g. `HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-mldsa65_key` or
- `HostKey /opt/oqs-ssh/ssh_host_ssh-falcon512_key`

In order to generate the host keys and start the `sshd` the image needs to be run as the `root` user, meaning the `docker run` command shall not contain the `--user oqs` option.
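
Review bot: Renaming the example paths to `id_ssh-ecdsa-nistp384-mldsa65` and `ssh_host_ssh-ecdsa-nistp384-mldsa65_key` leaves anyone who mounts their own `ssh_config`/`sshd_config`, or keeps keys from the previous image, pointing at the `dilithium3` names, and this section gives no upgrade hint. Add a sentence saying whether keys created under the old algorithm name have to be regenerated with key-gen.sh, and that clients will then see a different host key.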
Expand All @@ -218,10 +218,10 @@ The location where `key-gen.sh` is looking for `ssh_config`/`sshd_config` is the

Post-quantum safe algorithms must (in theory) be enabled at docker image build time when compiling [OQS-OpenSSH](https://github.com/open-quantum-safe/openssh). For this reason, in this pre-built image on Dockerhub no more algorithms can be enabled. However, before jumping over to the [build instructions](https://github.com/open-quantum-safe/oqs-demos/tree/main/openssh), please continue reading as there is a big BUT.

Long story short: Thus far, no more algorithms may be enabled for this Docker image than described [here](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2020-08#supported-algorithms). Find out **More details on the why** below.
Long story short: Thus far, no more algorithms may be enabled for this Docker image than described [here](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2024-08#supported-algorithms). Find out **More details on the why** below.

### More details on the why
It is not quite straight forward how to figure out what PQC algorithms are actually enabled, where to enable them and how. The supported algorithms in release `OQS-OpenSSH-snapshot-2020-08` (the one used when building this Docker image) are listed [in this section](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2020-08#supported-algorithms). Be especially aware of the limitation for the signature algorithms, where only all L1 signature algorithms and all **Rainbow Classic** variants are enabled by default. **Classic** rainbow only, documentation has it slightly wrong there. This is corrected and clarified in more detail [in newer releases](https://github.com/open-quantum-safe/openssh#digital-signature).
It is not quite straight forward how to figure out what PQC algorithms are actually enabled, where to enable them and how. The supported algorithms in release `OQS-OpenSSH-snapshot-2024-08` (the one used when building this Docker image) are listed [in this section](https://github.com/open-quantum-safe/openssh/tree/OQS-OpenSSH-snapshot-2024-08#supported-algorithms). Be especially aware of the limitation for the signature algorithms, where only all L1 signature algorithms and all **Rainbow Classic** variants are enabled by default. **Classic** rainbow only, documentation has it slightly wrong there. This is corrected and clarified in more detail [in newer releases](https://github.com/open-quantum-safe/openssh#digital-signature).

Enabling more algorithms would require changing [openssh/oqs_templates/generate.yml](https://github.com/open-quantum-safe/openssh/blob/OQS-master/oqs-template/generate.yml) according to [this documentation](https://github.com/open-quantum-safe/openssh/wiki/Using-liboqs-supported-algorithms-in-the-fork#code-generation). Additionally, you need to make sure that the algorithms are enabled in [liboqs](https://github.com/open-quantum-safe/liboqs) as well (see [here for more information](https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs#oqs_enable_kem_algoqs_enable_sig_alg)). Enabling more algorithms in `liboqs` can be done at Docker build time using the build option `LIBOQS_BUILD_DEFINES`. But enabling them in `OpenSSH` would require changing [openssh/oqs_templates/generate.yml](https://github.com/open-quantum-safe/openssh/blob/OQS-master/oqs-template/generate.yml) after checking out `openssh` in the [Dockerfile](https://github.com/open-quantum-safe/oqs-demos/tree/main/openssh/Dockerfile), and in this docker image this is just not implemented at this moment in time.

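Review bot: Only the snapshot tag was swapped in these two paragraphs, so the statement that "only all L1 signature algorithms and all **Rainbow Classic** variants are enabled by default", and the remark that this is corrected "in newer releases", are now attributed to `OQS-OpenSSH-snapshot-2024-08`; that description was written for the 2020-08 snapshot and needs to be re-checked against the new algorithm list or removed. The text also calls the snapshot "the one used when building this Docker image", while the Dockerfile in this commit sets `OQS_OPENSSH_RELEASE="OQS-v9"`; the two should name the same ref.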
Expand All @@ -234,9 +234,9 @@ To enable classical SSH support on client side, edit/add lines in [ssh_config]([
```
KexAlgorithms [email protected],[email protected]
HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
IdentityFile ~/.ssh/id_ed25519
```
Expand All @@ -246,9 +246,9 @@ For adding support for classical SSH on server side, edit/add lines in [sshd_con
```
KexAlgorithms [email protected],curve25519-sha256
HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3,ssh-ed25519
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65,ssh-ed25519
HostKey /opt/oqs-ssh/ssh_host_ed25519_key
```
2 changes: 1 addition & 1 deletion openssh/connect-test.sh
Expand Up @@ -8,7 +8,7 @@ rc-service oqs-sshd stop
# default options
OPTIONS=${OPTIONS:="-q -o BatchMode=yes -o StrictHostKeyChecking=no"}

SIG=${SIG_ALG:="ecdsa-nistp384-dilithium3"}
SIG=${SIG_ALG:="ecdsa-nistp384-mldsa65"}
KEM=${KEM_ALG:="[email protected]"}

# Generate new identity keys, overwrite old keys
2 changes: 1 addition & 1 deletion openssh/serverstart.sh
Expand Up @@ -4,7 +4,7 @@

OPTIONS=${OPTIONS:=""}

SIG=${SIG_ALG:="ecdsa-nistp384-dilithium3"}
SIG=${SIG_ALG:="ecdsa-nistp384-mldsa65"}
KEM=${KEM_ALG:="[email protected]"}

# Optionally set port
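
Review bot: The default in `SIG=${SIG_ALG:="ecdsa-nistp384-mldsa65"}` is now repeated as a literal here, in connect-test.sh, and (with the `ssh-` prefix) in ssh_config and sshd_config, which is why this rename had to touch four files. Defining the default once, for example as a Dockerfile ARG/ENV that both scripts read, would reduce the next algorithm rename to a single line and remove the risk of the client and server defaults drifting apart.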
6 changes: 3 additions & 3 deletions openssh/ssh_config
Expand Up @@ -25,10 +25,10 @@
KexAlgorithms [email protected]

# The host key algorithms ssh accepts
HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3
HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65

# The algorithms used for public key authentication
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65

# Define how unknown host keys should be handled
#StrictHostKeyChecking ask
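
Review bot: `PubkeyAcceptedKeyTypes` is kept on the changed line, but upstream OpenSSH renamed this option to `PubkeyAcceptedAlgorithms` in 8.5 and retains the old spelling only as an alias. With the fork now described as 9.7, using the current name here, in sshd_config and in the USAGE.md snippets would match what readers find in the upstream man pages; confirm the fork accepts the new name before switching.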
Expand All @@ -45,7 +45,7 @@ Port 2222

#IdentityFile ~/.ssh/id_ssh-falcon512

IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-dilithium3
IdentityFile ~/.ssh/id_ssh-ecdsa-nistp384-mldsa65
#IdentityFile ~/.ssh/id_ssh-ecdsa-nistp256-falcon512

#IdentityFile ~/.ssh/id_ssh-rsa3072-falcon512
6 changes: 3 additions & 3 deletions openssh/sshd_config
Expand Up @@ -18,10 +18,10 @@
KexAlgorithms [email protected]

# Host key algorithms, these determine the generated host keys
HostKeyAlgorithms ssh-ecdsa-nistp384-dilithium3
HostKeyAlgorithms ssh-ecdsa-nistp384-mldsa65

# Those determine the accepted public keys for public key authentication
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-dilithium3
PubkeyAcceptedKeyTypes ssh-ecdsa-nistp384-mldsa65

# The port sshd is listening on
Port 2222
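
Review bot: The comment above the changed `HostKeyAlgorithms` line says these "determine the generated host keys", but USAGE.md in this same commit states that key-gen.sh generates host keys from the `HostKey` entries. Since both directives are edited together here, correct the comment so a reader changing algorithms updates `HostKey` as well as `HostKeyAlgorithms`.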
Expand All @@ -35,7 +35,7 @@ Port 2222

#HostKey /opt/oqs-ssh/ssh_host_ssh-falcon512_key

HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-dilithium3_key
HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp384-mldsa65_key
#HostKey /opt/oqs-ssh/ssh_host_ssh-ecdsa-nistp256-falcon512_key

#HostKey /opt/oqs-ssh/ssh_host_ssh-rsa3072-falcon512_key