Bug#774711: recommendations for changing openssh defaults
Also here are some interesting upstream messages that are relevant to this bug. FYI:

* SSH1 now disabled at compile-time by default (Wed Mar 25 2015)
  https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033701.html
* Obsolete MD5 (Tue May 5 2015)
  https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/033867.html
* Weak DH primes and openssh (Thu May 28 2015)
  https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/033966.html

-- 
Matt Taggart
tagg...@debian.org
Bug#774711: recommendations for changing openssh defaults
Given the recent news about advances in causing SHA1 collisions, I think it's even more important for openssh to start not accepting known weak crypto (including sha1) by default.

https://sites.google.com/site/itstheshappening/

I don't see any upstream bugs about this. Should this bug be forwarded? Or maybe separate bugs should be filed for MD5, SHA1, NIST, etc?

Thanks,

-- 
Matt Taggart
tagg...@debian.org
Bug#774711: recommendations for changing openssh defaults
Matt Taggart writes:
> Jens Thiele writes:
>> Afair I have seen small default primes with this one.

I can't reproduce it (maybe my memory was just wrong).

>> Did you inspect this?
> I didn't.

I just did a quick test connecting 100 times from jessie to wheezy and wheezy to wheezy[1]. Looks like primes are from the target system /etc/ssh/moduli file and always 4095 bits => not really "small" (thought I did see <=1024 bits).

(Only downside in this test: the number of primes of that length in ssh/moduli is relatively small => they are reused quite often.)

But maybe someone can inspect this in more detail.

[1] using something like:

    unset GNOME_KEYRING_CONTROL GNOME_DESKTOP_SESSION_ID GNOME_KEYRING_PID \
      && dumpcap -q -i wlan0 -w - \
      | su nobody -c "tshark -d tcp.port==,ssh -Tfields \
           -e ssh.dh.g -e ssh.dh.p \
           -Y 'ssh and (ssh.dh.g or ssh.dh.p)' -r -" \
      | head -n100 | sort | uniq -c | tee /tmp/primes
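The analysis stage of that experiment, applied to the server's /etc/ssh/moduli file instead of a packet capture, as an added example (not code from this thread): it parses moduli(5) lines (time, type, tests, tries, size, generator, modulus in hex; the size field is the bit length minus one, hence "4095"), counts how many distinct moduli of each size the server can choose from (few means heavy reuse), and flags any below a minimum size. The sample lines, the min_size threshold of 2047 and the fake_line() helper are assumptions made for this example; the moduli it constructs are not real safe primes.

```python
"""Summarise an /etc/ssh/moduli file: distinct moduli per size and size problems."""


def parse_moduli(text):
    """Yield (size, generator, modulus_int) for each non-comment moduli(5) line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields: time type tests tries size generator modulus
        _time, _type, _tests, _tries, size, gen, mod = line.split()[:7]
        yield int(size), int(gen), int(mod, 16)


def summarize(text, min_size=2047):
    """Return ({size: number of distinct moduli}, [problem strings])."""
    distinct = {}
    problems = []
    for size, _gen, mod in parse_moduli(text):
        distinct.setdefault(size, set()).add(mod)
        # The size field must agree with the modulus actually stored.
        if mod.bit_length() != size + 1:
            problems.append(f"size field {size} disagrees with modulus "
                            f"({mod.bit_length()} bits)")
        # Assumed policy threshold: reject groups smaller than min_size bits.
        if size < min_size:
            problems.append(f"modulus of {size} bits is below minimum {min_size}")
    return {s: len(m) for s, m in distinct.items()}, problems


def fake_line(size, k=0, gen=2):
    # Constructed stand-in: a (size+1)-bit odd number, NOT a real safe prime.
    modulus = (1 << size) | (2 * k + 1)
    return f"20150528000000 2 6 100 {size} {gen} {format(modulus, 'X')}"


# Constructed sample file: three 4096-bit groups, one 2048-bit, one 1024-bit.
SAMPLE = "\n".join(["# constructed moduli file, not from a real host"]
                   + [fake_line(4095, k) for k in range(3)]
                   + [fake_line(2047), fake_line(1023)])

if __name__ == "__main__":
    counts, problems = summarize(SAMPLE)
    for size, n in sorted(counts.items()):
        print(f"{n} distinct moduli of size {size} (each picked ~1/{n} of the time)")
    for p in problems:
        print("WARNING:", p)
```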
Bug#774711: recommendations for changing openssh defaults
Jens Thiele writes:
> Hi,
>
> thanks for your great work

I should make it clear, I was only applying the advice I found in https://stribika.github.io/2015/01/04/secure-secure-shell.html to what versions exist in Debian; stribika and others get credit for that work.

Also I realized I had some mistakes in my charts/recommendations:

* I forgot to fill in the Kex stretch column (but it's the same as sid)
* I said "aes*-gcm: since squeeze" but it's only existed since jessie
* I said to keep aes*-cbc, but the above page doesn't list them in the recommended Ciphers list (I guess they aren't AE?), so drop them.

So for current openssh communicating with squeeze, that leaves only

    Ciphers aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

in common, but it will still work. I haven't looked at lenny.

> > * diffie-hellman-group-exchange-sha256: has existed since squeeze at least
>
> Afair I have seen small default primes with this one. Did you inspect this?

I didn't.

-- 
Matt Taggart
tagg...@debian.org
Bug#774711: recommendations for changing openssh defaults
Matt Taggart writes:
> Hi,

Hi,

thanks for your great work

> * diffie-hellman-group-exchange-sha256: has existed since squeeze at least

Afair I have seen small default primes with this one. Did you inspect this?

greetings,
jens
Bug#774711: recommendations for changing openssh defaults
Hi,

Based on the charts I already sent and using the recommendations from:

https://stribika.github.io/2015/01/04/secure-secure-shell.html

and the openssh 7.0 release notes:

http://www.openssh.com/txt/release-7.0

here are some suggestions for changing the default things that are attempted. I think non-default support for all should be left in for some time, so that if needed they can be enabled on a case-by-case basis. Again, this is only about changing the defaults, not removing things (yet).

Also, Colin has expressed interest in trying to stick with upstream's defaults as much as possible. So the recommendations here are maybe things we want to see happen in upstream rather than just in Debian. As Debian is one of the more conservative distros, if _we_ think it can be dropped from the default, hopefully upstream does too!

These are recommendations for stretch/sid primarily, but I also think they should be considered for jessie (or at least backported to jessie-backports, and wheezy-backports-sloppy once in stretch).
Keys
===
get rid of
* ssh-dss*: too small (1024), disabled upstream in 7.0
* NIST curves: known bad
keep
* ssh-rsa*: existed forever, sha1 not a problem (as explained in above URL)
* ssh-ed25519*: introduced in jessie

Kex
===
get rid of
* NIST curves: known bad
* diffie-hellman-group1-sha1: too small (1024) and sha1
* diffie-hellman-group14-sha1: sha1
* diffie-hellman-group-exchange-sha1: sha1
keep
* curve25519-sha256: introduced in jessie
* diffie-hellman-group-exchange-sha256: has existed since squeeze at least

Ciphers
===
get rid of
* 3des-cbc: DES is broken
* arcfour: RC4 is broken, disabled upstream in 7.0
* cast128-cbc: block size too small (64), disabled upstream in 7.0
* blowfish-cbc: disabled upstream in 7.0
* rijndael-...@lysator.liu.se: disabled upstream in 7.0
keep
* aes*-cbc: since squeeze
* aes*-ctr: since squeeze
* aes*-gcm: since squeeze
* chacha20-poly1...@openssh.com: since jessie

MACs
===
get rid of
* *md5*: MD5 is weak, disabled upstream in 7.0
* *sha1*: SHA1 is weak
* umac-64*: tag too small (64)
keep
* hmac-ripemd160: since squeeze
* hmac-sha2-*: since squeeze
* umac-128: since jessie
* hmac-ripemd160-...@openssh.com: since jessie
* hmac-sha2-*-e...@openssh.com: since jessie

I _think_ because options remain in each thing that were available in all older releases, these recommendations should allow interop back to squeeze (and further if enabled case-by-case of course).

Thanks,

-- 
Matt Taggart
tagg...@debian.org
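To turn the drop lists above into something checkable, here is an added example (not code from this thread or from the openssh package): it reads the list-valued keywords of an sshd_config/ssh_config style file, flags every algorithm that matches one of the "get rid of" patterns in the message (using the message's own "*" wildcard notation and reasons), and prints the lists with those entries removed. The NIST-curve names (ecdsa-sha2-nistp*, ecdh-sha2-nistp*) are assumed from the OpenSSH algorithm names; the sample config is constructed for the example and is not any real host's configuration.

```python
"""Audit OpenSSH algorithm lists against the drop recommendations in this thread."""
import fnmatch

# keyword -> {glob pattern: reason}, taken from the "get rid of" lists above.
DROP = {
    "HostKeyAlgorithms": {"ssh-dss*": "too small (1024)",
                          "ecdsa-sha2-nistp*": "NIST curve"},
    "KexAlgorithms": {"ecdh-sha2-nistp*": "NIST curve",
                      "diffie-hellman-group1-sha1": "too small (1024) and sha1",
                      "diffie-hellman-group14-sha1": "sha1",
                      "diffie-hellman-group-exchange-sha1": "sha1"},
    "Ciphers": {"3des-cbc": "DES is broken", "arcfour*": "RC4 is broken",
                "cast128-cbc": "block size too small (64)",
                "blowfish-cbc": "disabled upstream in 7.0"},
    "MACs": {"*md5*": "MD5 is weak", "*sha1*": "SHA1 is weak",
             "umac-64*": "tag too small (64)"},
}


def parse_config(text):
    """Return {keyword: [algorithms]} for the four list-valued keywords (first wins)."""
    found = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in DROP and parts[0] not in found:
            found[parts[0]] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found


def audit(text):
    """Return [(keyword, algorithm, reason)] for every entry matching a drop pattern."""
    findings = []
    for key, algs in parse_config(text).items():
        for alg in algs:
            for pattern, reason in DROP[key].items():
                if fnmatch.fnmatchcase(alg, pattern):
                    findings.append((key, alg, reason))
                    break  # one reason per algorithm is enough
    return findings


def cleaned(text):
    """Rewrite the list-valued keywords with the flagged algorithms removed."""
    bad = {(k, a) for k, a, _ in audit(text)}
    return "\n".join(f"{key} {','.join(a for a in algs if (key, a) not in bad)}"
                     for key, algs in parse_config(text).items())


# Constructed sample config mixing weak and recommended algorithms.
SAMPLE = """\
# constructed example, not a real host's config
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc,arcfour256
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,umac-64-etm@openssh.com
"""

if __name__ == "__main__":
    for key, alg, reason in audit(SAMPLE):
        print(f"drop {key} {alg}: {reason}")
    print(cleaned(SAMPLE))
```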