Bug#774711: tables of debian openssh crypto features
I was interested in what crypto features the ssh in each Debian release
supported, to see what disabling some would mean, so I gathered the info.
Let me know if you see any errors.
Current versions of openssh as of Sept 10, 2015:
| squeeze-lts | 1:5.5p1-6+squeeze6 |
| wheezy | 1:6.0p1-4+deb7u2 |
| jessie | 1:6.7p1-5 |
| stretch | 1:6.9p1-1 |
| sid | 1:6.9p1-2 |
Tables of crypto features that the openssh in each release of Debian
supports. Gathered with ssh -Q (jessie and newer), ssh_config(5) and
source (wheezy and squeeze). (These will look better with a fixed-width font.)
Key types
| sq | wh | je | st | si | type |
=====================================================================
| X | X | X | X | X | ssh-rsa |
| X | X | X | X | X | ssh-dss |
| X | X | X | X | X | ssh-rsa-cert-v00@openssh.com |
| X | X | X | X | X | ssh-dss-cert-v00@openssh.com |
| X | X | X | X | X | ssh-rsa-cert-v01@openssh.com |
| X | X | X | X | X | ssh-dss-cert-v01@openssh.com |
| | X | X | X | X | ecdsa-sha2-nistp256 |
| | X | X | X | X | ecdsa-sha2-nistp384 |
| | X | X | X | X | ecdsa-sha2-nistp521 |
| | X | X | X | X | ecdsa-sha2-nistp256-cert-v01@openssh.com |
| | X | X | X | X | ecdsa-sha2-nistp384-cert-v01@openssh.com |
| | X | X | X | X | ecdsa-sha2-nistp521-cert-v01@openssh.com |
| | | X | X | X | ssh-ed25519 |
| | | X | X | X | ssh-ed25519-cert-v01@openssh.com |
KexAlgorithms
| sq | wh | je | st | si | type |
=================================================================
| X | X | X | | X | diffie-hellman-group-exchange-sha256 |
| X | X | X | | X | diffie-hellman-group-exchange-sha1 |
| X | X | X | | X | diffie-hellman-group14-sha1 |
| X | X | X | | X | diffie-hellman-group1-sha1 |
| | X | X | | X | ecdh-sha2-nistp256 |
| | X | X | | X | ecdh-sha2-nistp384 |
| | X | X | | X | ecdh-sha2-nistp521 |
| | | X | | X | curve25519-sha256@libssh.org |
Ciphers
| sq | wh | je | st | si | type |
==========================================================
| X | X | X | X | X | aes128-ctr |
| X | X | X | X | X | aes192-ctr |
| X | X | X | X | X | aes256-ctr |
| X | X | X | X | X | arcfour |
| X | X | X | X | X | arcfour256 |
| X | X | X | X | X | arcfour128 |
| X | X | X | X | X | aes128-cbc |
| X | X | X | X | X | 3des-cbc |
| X | X | X | X | X | blowfish-cbc |
| X | X | X | X | X | cast128-cbc |
| X | X | X | X | X | aes192-cbc |
| X | X | X | X | X | aes256-cbc |
| | | X | X | X | aes128-gcm@openssh.com |
| | | X | X | X | aes256-gcm@openssh.com |
| | | X | X | X | chacha20-poly1305@openssh.com |
| | | X | X | X | rijndael-cbc@lysator.liu.se |
MACs
| sq | wh | je | st | si | type |
=============================================================
| X | X | X | X | X | hmac-md5 |
| X | X | X | X | X | hmac-sha1 |
| X | X | X | X | X | umac-64@openssh.com |
| X | X | X | X | X | hmac-ripemd160 |
| ? | X | X | X | X | hmac-ripemd160@openssh.com |
| X | X | X | X | X | hmac-sha1-96 |
| X | X | X | X | X | hmac-md5-96 |
| X | X | X | X | X | hmac-sha2-256 |
| X | X | | | | hmac-sha2-256-96 | *
| X | X | X | X | X | hmac-sha2-512 |
| X | X | | | | hmac-sha2-512-96 | *
| | | X | X | X | umac-64-etm@openssh.com |
| | | X | X | X | umac-128-etm@openssh.com |
| | | X | X | X | hmac-sha2-256-etm@openssh.com |
| | | X | X | X | hmac-sha2-512-etm@openssh.com |
| | | X | X | X | umac-128@openssh.com |
| | | X | X | X | hmac-md5-etm@openssh.com |
| | | X | X | X | hmac-sha1-etm@openssh.com |
| | | X | X | X | hmac-ripemd160-etm@openssh.com |
| | | X | X | X | hmac-sha1-96-etm@openssh.com |
| | | X | X | X | hmac-md5-96-etm@openssh.com |
* https://bugzilla.mindrot.org/show_bug.cgi?id=2023
After I have a chance to look at these and think about the implications, I
will send another message with thoughts about what disabling weaker things
would mean.
HTH,
--
Matt Taggart
taggart@debian.org
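
An added example, not part of the original message: it parses the MACs rows exactly as posted above and reports which releases would be left with no usable MAC if a peer were restricted to a given allow-list. The function names and the two allow-lists are hypothetical, chosen only for illustration, and the result is only as accurate as the table.

```python
# Rows copied from the MACs table in the message (columns: sq wh je st si | name).
RELEASES = ["squeeze", "wheezy", "jessie", "stretch", "sid"]
MACS_TABLE = """\
| X | X | X | X | X | hmac-md5 |
| X | X | X | X | X | hmac-sha1 |
| X | X | X | X | X | umac-64@openssh.com |
| X | X | X | X | X | hmac-ripemd160 |
| ? | X | X | X | X | hmac-ripemd160@openssh.com |
| X | X | X | X | X | hmac-sha1-96 |
| X | X | X | X | X | hmac-md5-96 |
| X | X | X | X | X | hmac-sha2-256 |
| X | X | | | | hmac-sha2-256-96 | *
| X | X | X | X | X | hmac-sha2-512 |
| X | X | | | | hmac-sha2-512-96 | *
| | | X | X | X | umac-64-etm@openssh.com |
| | | X | X | X | umac-128-etm@openssh.com |
| | | X | X | X | hmac-sha2-256-etm@openssh.com |
| | | X | X | X | hmac-sha2-512-etm@openssh.com |
| | | X | X | X | umac-128@openssh.com |
| | | X | X | X | hmac-md5-etm@openssh.com |
| | | X | X | X | hmac-sha1-etm@openssh.com |
| | | X | X | X | hmac-ripemd160-etm@openssh.com |
| | | X | X | X | hmac-sha1-96-etm@openssh.com |
| | | X | X | X | hmac-md5-96-etm@openssh.com |
"""

def parse_table(text):
    """Map algorithm -> releases marked 'X'. Blank and '?' cells count as unsupported."""
    support = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 7 and cells[6]:  # five marks, then the name
            support[cells[6]] = {r for r, m in zip(RELEASES, cells[1:6]) if m == "X"}
    return support

def locked_out(support, allowed):
    """Releases that share no algorithm with a peer restricted to `allowed`."""
    return [r for r in RELEASES if not any(r in support.get(a, ()) for a in allowed)]

# Hypothetical allow-lists (assumptions for this example, not a recommendation from the message).
ETM_ONLY = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "umac-128-etm@openssh.com"]
SHA2_ANY = ETM_ONLY + ["hmac-sha2-256", "hmac-sha2-512"]

if __name__ == "__main__":
    support = parse_table(MACS_TABLE)
    for label, policy in (("ETM_ONLY", ETM_ONLY), ("SHA2_ANY", SHA2_ANY)):
        print(label, "locks out:", locked_out(support, policy) or "none")
```

The same parser works on the Key types, KexAlgorithms and Ciphers rows, since they use the same five-column layout.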