Hi there Tails Dev team,
I've been a little vocal about this on Twitter and I've been a little lazy about emailing you about this problem with Tails. I recently switched to Subgraph, but I was running Tails as my daily driver for nearly a year.

Server side (yawnbox.com) I harden my sshd config by defining which ciphers, MACs, and Kex Algorithms I will permit clients to use. This is good for transport security and also for defending against SSH brute force attackers (that must be using outdated software) because client negotiation is rejected when they don't have strong MAC algorithm preauth.

Here is my current sshd config (I disable the DSA and ECDSA keys per BetterCrypto.org):

    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    Ciphers [email protected],[email protected],[email protected],aes256-ctr
    MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256
    KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256

When I attempt to SSH to yawnbox.com from Tails 2.2.1, this is my error:

    no matching mac found: client hmac-sha1,hmac-md5,hmac-ripemd160 server [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256

My "fix" is to simply sudo+delete Tails' defined Ciphers and MACs lines in /etc/ssh/ssh_config.

Current Tails 2.2.1 limitations:

    Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,3des-cbc
    MACs hmac-sha1,hmac-md5,hmac-ripemd160

I am flabbergasted that 3DES is an acceptable cipher here, and I am flabbergasted that SHA1 and MD5 are the priority/usable MACs.

OpenSSH-client 6.7 needs a minor update in Tails 2.2.1, but as of OpenSSH 6.6, Tails can handle BetterCrypto.org's (server) recommendations:

    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes128-ctr
    MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
    KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

An important note from BetterCrypto.org:

"For systems where – during the lifetime of the keys – it is expected that low-entropy situations occur, RSA keys should be preferred over DSA keys: For DSA, if there is ever insufficient entropy at the time keys are used for signing this may lead to repeated ephemeral keys. An attacker who can guess an ephemeral private key used in such a signature can compromise the DSA secret key."

It seems prudent to explicitly configure Tails by disabling the use of DSA keys in ssh_config since people often use low-end systems.

I hope you all are well, and good luck with the 2.3 release tomorrow.

Cheers
Christopher
@yawnbox
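
An added example, not part of the original e-mail and not Tails or OpenSSH code: a small checker that reproduces the "no matching mac found" outcome by applying the SSH negotiation rule (RFC 4253, section 7.1: the first name on the client's list that the server also offers) to ssh_config-style text. The function names, the FLAGGED set and the sample server text are assumptions of this example; the server sample uses only the algorithm names that are legible in the message above.

```python
KEYWORDS = ("ciphers", "macs", "kexalgorithms")
# Algorithms the e-mail objects to (assumption: extend to match your own policy).
FLAGGED = {"3des-cbc", "hmac-sha1", "hmac-md5"}

def parse_algorithms(config_text):
    """Return {keyword: [names in preference order]} from ssh_config-style text."""
    result = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() in KEYWORDS:
            # The first value obtained for a keyword is the one that applies.
            names = [n.strip() for n in parts[1].split(",") if n.strip()]
            result.setdefault(parts[0].lower(), names)
    return result

def negotiate(client_list, server_list):
    """RFC 4253 7.1: first name on the client's list that the server also offers."""
    offered = set(server_list)
    return next((name for name in client_list if name in offered), None)

def audit(client_text, server_text):
    """Per keyword set on both sides: the negotiated name (None = handshake fails)
    and the client-side names that appear in FLAGGED."""
    client, server = parse_algorithms(client_text), parse_algorithms(server_text)
    report = {}
    for key in KEYWORDS:
        if key in client and key in server:
            report[key] = {
                "chosen": negotiate(client[key], server[key]),
                "flagged": [n for n in client[key] if n in FLAGGED],
            }
    return report

# Client lines as quoted for Tails 2.2.1 in the e-mail.
TAILS_CLIENT = """\
Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,3des-cbc
MACs hmac-sha1,hmac-md5,hmac-ripemd160
"""
# Constructed sample: only the server algorithm names legible in the e-mail.
SERVER = """\
Ciphers aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
"""

if __name__ == "__main__":
    for key, info in audit(TAILS_CLIENT, SERVER).items():
        print(key, "->", info["chosen"] or "no match", "| flagged:", info["flagged"])
```

A keyword that the client config does not set (KexAlgorithms here) is left out of the report, since the client's built-in defaults then apply and are not visible in the file.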
