Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.

To: Matthew Vernon <matthew@debian.org>, 774711@bugs.debian.org
Subject: Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.
From: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Thu, 21 May 2015 17:58:54 +0200
Message-id: <[🔎] 1432223934.19574.11.camel@scientia.net>
Reply-to: Christoph Anton Mitterer <calestyo@scientia.net>, 774711@bugs.debian.org
In-reply-to: <[🔎] 5b8uciulvr.fsf@chiark.greenend.org.uk>
References: <1420664308.4847.95.camel@scientia.net> <1420664308.4847.95.camel@scientia.net> <[🔎] 87iobm9vtd.fsf@karme.de> <[🔎] 5b8uciulvr.fsf@chiark.greenend.org.uk>

On Thu, 2015-05-21 at 13:59 +0100, Matthew Vernon wrote: 
> bits  count
> 1023  36
> 1535  32
I'd remove at least these completely.

> 2047  28
This I'd keep probably only with a warning (according to ECRYPT II it's
only safe in the range to aat best 2020-2030

> 3071  26
Still below "Long term protection", according to ECRYPT II

> 4095  31
> 6143  20
> 8191   6
More of these!


> A colleague reports that generating new 2047-bit moduli takes a few
> minutes, and that time taking scales non-linearly with length (~90
> minutes for 4095, ~40 hours for 8191). So I'm not sure if we should
> make some newer larger moduli and start shipping them, and/or start
> generating some at install time; the latter feels too invasive to me. 
It shouldn't be a problem if the groups are pre-competed (and thus known
to the attacker).


> iii) it's less clear what to do about the weaker KexAlgorithms -
> diffie-hellman-group1-sha1 uses Oakley Group 2 (1024 bits) and
> diffie-hellman-group14-sha1 uses Oakley Group 14 (2048 bits); RFC4253
> says that implementations MUST support these, and I don't know what
> clients might break if we were to stop doing so.
They should be kept in the client/server, but disabled per default (not
via patching the hardcoded defaults, but via a custom ssh[d]_config
file).

Or even better, they should be disabled upstream per default and
enabling them should be only possible when e.g. specifying some
"--allow-unsafe-algos" parameter as option to ssh[d].


> I'd be interested to hear the opinions of the other openssh
> maintainers, and perhaps we should ask upstream for their views (I've
> not seen anything on the upstream dev list as yet).
I've did that some months ago and as mentioned before I've even opened
bug reports about the related issues,... but there seems to be little
willingness to work on this issue.

Apparently focus is more on CSH (having a _C_ompatbile SH) than SSH
(having a _S_ecure SH)... but that seems to match Debian's security
philosophy quite well =)


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to:

References:
- Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.
  - From: Jens Thiele <karme@karme.de>
- Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.
  - From: Matthew Vernon <matthew@debian.org>

Prev by Date: Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.
Next by Date: Bug#786987: openssh-server: please have DebianBanner default to no
Previous by thread: Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.
Next by thread: Bug#786987: openssh-server: please have DebianBanner default to no
Index(es):
- Date
- Thread