Thank you Colin, that's great news. I think we should have a discussion about which algorithms to deprecate, when, for the whole distribution. I'd like a consistent approach to when we stop supporting md5/sha-1/rc4 etc. Of course different protocols may have different threat models so it may not be appropriate to apply a single blanket rule for any algorithm, but supporting 16.04 LTS in 2021 makes me think that we ought to be willing to cut the algorithms known to be weak today.
OpenSSH's choices for e.g. 7.1 will probably make a lot of sense for today but may make less sense in five years, when we're still supporting 7.1 but they've moved on. Other upstreams may not be as reliable as OpenSSH, either, and second guessing their choices may make more sense. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1499392 Title: OpenSSH Security and SHA1 Status in openssh package in Ubuntu: Confirmed Bug description: We should enhance Security by disabling SHA1 or, if not possible (older Clients) by changing the KexAlgorithms, Ciphers and MACs order. For e.g. by : 1. If we add Support for older Clients we should change this: #### OpenSSH Security #### KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected] 2. If we just Support new Clients we should change this : [...] HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ed25519_key [...] #### OpenSSH Security #### KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256 Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected] For more Information about my report go here: https://github.com/scaleway/image-ubuntu/pull/35 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1499392/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
