I was interested in what crypto features the ssh in each Debian release supported, to see what disabling some would mean, so I gathered the info. Let me know if you see any errors.
Current versions of openssh as of Sept 10, 2015: | squeeze-lts | 1:5.5p1-6+squeeze6 | | wheezy | 1:6.0p1-4+deb7u2 | | jessie | 1:6.7p1-5 | | stretch | 1:6.9p1-1 | | sid | 1:6.9p1-2 | Tables of crypto features that the openssh in each release of Debian supports. Gathered with ssh -Q(jessie and newer), ssh_config(5) and source(wheezy and squeeze). (These will look better with a fixed width font) Key types | sq | wh | je | st | si | type | ===================================================================== | X | X | X | X | X | ssh-rsa | | X | X | X | X | X | ssh-dss | | X | X | X | X | X | [email protected] | | X | X | X | X | X | [email protected] | | X | X | X | X | X | [email protected] | | X | X | X | X | X | [email protected] | | | X | X | X | X | ecdsa-sha2-nistp256 | | | X | X | X | X | ecdsa-sha2-nistp384 | | | X | X | X | X | ecdsa-sha2-nistp521 | | | X | X | X | X | [email protected] | | | X | X | X | X | [email protected] | | | X | X | X | X | [email protected] | | | | X | X | X | ssh-ed25519 | | | | X | X | X | [email protected] | KexAlgorithms | sq | wh | je | st | si | type | ================================================================= | X | X | X | | X | diffie-hellman-group-exchange-sha256 | | X | X | X | | X | diffie-hellman-group-exchange-sha1 | | X | X | X | | X | diffie-hellman-group14-sha1 | | X | X | X | | X | diffie-hellman-group1-sha1 | | | X | X | | X | ecdh-sha2-nistp256 | | | X | X | | X | ecdh-sha2-nistp384 | | | X | X | | X | ecdh-sha2-nistp521 | | | | X | | X | [email protected] | Ciphers | sq | wh | je | st | si | type | ========================================================== | X | X | X | X | X | aes128-ctr | | X | X | X | X | X | aes192-ctr | | X | X | X | X | X | aes256-ctr | | X | X | X | X | X | arcfour | | X | X | X | X | X | arcfour256 | | X | X | X | X | X | arcfour128 | | X | X | X | X | X | aes128-cbc | | X | X | X | X | X | 3des-cbc | | X | X | X | X | X | blowfish-cbc | | X | X | X | X | X | cast128-cbc | | X | X | X | X | X | aes192-cbc | | X | X | X | X | X | aes256-cbc | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | MACs | sq | wh | je | st | si | type | ============================================================= | X | X | X | X | X | hmac-md5 | | X | X | X | X | X | hmac-sha1 | | X | X | X | X | X | [email protected] | | X | X | X | X | X | hmac-ripemd160 | | ? | X | X | X | X | [email protected] | | X | X | X | X | X | hmac-sha1-96 | | X | X | X | X | X | hmac-md5-96 | | X | X | X | X | X | hmac-sha2-256 | | X | X | | | | hmac-sha2-256-96 | * | X | X | X | X | X | hmac-sha2-512 | | X | X | | | | hmac-sha2-512-96 | * | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | | | | X | X | X | [email protected] | * https://bugzilla.mindrot.org/show_bug.cgi?id=2023 After I have a chance to look at these and think about the implications, I will send another message with thoughts about what disabling weaker things would mean. HTH, -- Matt Taggart [email protected]
