hi,

intrigeri wrote (28 Dec 2015 13:14:14 GMT) :
> [email protected] wrote (27 May 2014 12:30:21 GMT) :
>> I created that ticket in Redmine from a bug report:
>> https://labs.riseup.net/code/issues/7315

>> Summary: The SSH client configuration in Tails is too restrictive to
>> allow connecting to OpenBSD by default. I find this weird.

> Yes. This, and the fact we'll soon be shipping 6.7p1, that supports
> newer and stronger crypto, as pointed out recently by Alfredo (Cc'd).

> Dear lazyweb (and in particular dkg, DrWhax and jvoisin): what SSH
> client settings should we use for ciphers, MACs and HostKeyAlgorithms
> in Tails based on Debian Jessie?

So, late in 2011 we've introduced custom configuration for the crypto
used by the OpenSSH client, and since then we have never updated it.
This has been causing inter-operability issues reported almost two
years ago, and currently this is also arguably decreasing security,
since one practical effect of our current settings is to disable newer
and stronger crypto that the OpenSSH client we ship supports.

I hereby propose that we:

 1. acknowledge we have not been able, so far, to properly maintain
    custom Ciphers and MACs settings for the OpenSSH client;

 2. acknowledge that our failure at #1 has been causing both usability
    and security issues;

 3. acknowledge that the OpenSSH upstream project, and the maintainers
    of the corresponding package in Debian, are doing a pretty decent
    job at deprecating dangerous crypto, at enabling newer and
    stronger options, and at communicating about it (see e.g.
    https://sources.debian.net/src/openssh/1:7.2p2-1/debian/NEWS/#L1);

 4. as a result, drop our custom Ciphers and MACs settings from
    config/chroot_local-includes/etc/ssh/ssh_config, and instead rely
    on the defaults offered by the openssh-client Debian package;

 5. in the future, welcome any well-conducted attempt at reintroducing
    such customization (e.g. for the sake of fine-tuning the place
    where we put the inter-operability / security cursor), provided
    there is substantial change that makes us trust that such custom
    settings will be maintained.

Cheers,
--
intrigeri

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
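
The message above argues that a pinned `Ciphers`/`MACs` list that is never updated ends up disabling algorithms the shipped client would otherwise offer. The following is an added example, not part of the original message and not Tails code: it compares each hard-pinned list in an `ssh_config` with the client's own defaults. The sample config and the sample defaults are constructed for illustration, and `client_defaults()` assumes an OpenSSH client new enough to support `ssh -G`.

```python
import subprocess

WATCHED = ("ciphers", "macs")  # ssh_config keywords the message proposes to stop pinning

def pinned_lists(text):
    """Yield (lineno, keyword, [algorithms]) for every full Ciphers/MACs list in text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2 or parts[0].lower() not in WATCHED:
            continue
        value = parts[1].strip().strip('"')
        if value[:1] in "+-^":
            continue  # prefix form edits the defaults instead of replacing them
        yield lineno, parts[0].lower(), [a for a in value.split(",") if a]

def client_defaults(ssh="ssh"):
    """Defaults of the installed client with no config file applied (needs ssh -G)."""
    out = subprocess.run([ssh, "-F", "/dev/null", "-G", "localhost"],
                         capture_output=True, text=True, check=True).stdout
    return {kw: set(algs) for _, kw, algs in pinned_lists(out)}

def audit(config_text, defaults):
    """Compare each pinned list with the defaults it overrides."""
    findings = []
    for lineno, kw, pinned in pinned_lists(config_text):
        findings.append({
            "line": lineno, "keyword": kw,
            "not_offered": sorted(defaults[kw] - set(pinned)),       # defaults the pin drops
            "outside_defaults": sorted(set(pinned) - defaults[kw]),  # pinned, not a default
        })
    return findings

# Constructed sample, not the Tails ssh_config.
SAMPLE_CONFIG = """\
# constructed example
Host *
    Ciphers aes256-ctr,aes128-cbc
    MACs=hmac-sha1
Host legacy.example
    Ciphers +3des-cbc
"""
# Constructed stand-in for client_defaults() output, so the example runs offline.
SAMPLE_DEFAULTS = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr",
                "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, SAMPLE_DEFAULTS):
        print(f)
```

On a real system, pass `client_defaults()` instead of `SAMPLE_DEFAULTS`; a non-empty `not_offered` list after a package upgrade is the drift the message describes.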
