
Bug#774711: recommendations for changing openssh defaults



Hi,

Based on the charts I already sent and using the recommendations from:

  https://stribika.github.io/2015/01/04/secure-secure-shell.html

and the openssh 7.0 release notes:

  http://www.openssh.com/txt/release-7.0

Here are some suggestions for changing the default things that are 
attempted. I think non-default support for all should be left in for some 
time, so that if needed they can be enabled on a case-to-case basis. Again, 
this is only about changing the defaults, not removing things (yet).

Also, Colin has expressed interest in trying to stick with upstream's 
defaults as much as possible. So the recommendations here are maybe things 
we want to see happen in upstream rather than just in Debian. As Debian is 
one of the more conservative distros, if _we_ think it can be dropped from 
the default, hopefully upstream does too!

These are recommendations for stretch/sid primarily, but I also think they 
should be considered for jessie (or at least backported to 
jessie-backports, and wheezy-backports-sloppy once in stretch).

Keys
====
get rid of
* ssh-dss*: too small (1024), disabled upstream in 7.0
* NIST curves: known bad

keep:
* ssh-rsa*: existed forever, sha1 not a problem (as explained in above URL)
* ssh-ed25519*: introduced in jessie

Kex
===
get rid of
* NIST curves: known bad
* diffie-hellman-group1-sha1: too small (1024) and sha1
* diffie-hellman-group14-sha1: sha1
* diffie-hellman-group-exchange-sha1: sha1

keep
* curve25519-sha256: introduced in jessie
* diffie-hellman-group-exchange-sha256: has existed since squeeze at least

Ciphers
=======
get rid of
* 3des-cbc: DES is broken
* arcfour: RC4 is broken, disabled upstream in 7.0
* cast128-cbc: block size too small (64), disabled upstream in 7.0
* blowfish-cbc: disabled upstream in 7.0
* rijndael-cbc@lysator.liu.se: disabled upstream in 7.0

keep
* aes*-cbc: since squeeze
* aes*-ctr: since squeeze
* aes*-gcm: since squeeze
* chacha20-poly1305@openssh.com: since jessie

MACs
====
get rid of
* *md5*: MD5 is weak, disabled upstream in 7.0
* *sha1*: SHA1 is weak
* umac-64*: tag too small (64)

keep
* hmac-ripemd160: since squeeze
* hmac-sha2-*: since squeeze
* umac-128: since jessie
* hmac-ripemd160-etm@openssh.com: since jessie
* hmac-sha2-*-etm@openssh.com: since jessie

I _think_ because options remain in each thing that were available in all 
older releases, these recommendations should allow interop back to squeeze 
(and further if enabled case-by-case, of course).

Thanks,

-- 
Matt Taggart
taggart@debian.org
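As an added example (not part of Matt's message or of the Debian openssh package), the following Python script applies the "get rid of" lists above to the algorithm names an OpenSSH client reports via `ssh -Q key|kex|cipher|mac` and emits the matching ssh_config/sshd_config lines. It assumes that "NIST curves" means the ecdh-sha2-nistp* kex methods and ecdsa-sha2-nistp* key types, that "arcfour" also covers arcfour128/arcfour256, and the sample algorithm lists are constructed rather than captured.

```python
import fnmatch

# Rejection patterns per config keyword, transcribed from the lists in the
# message above. "NIST curves" is assumed to mean ecdh-sha2-nistp* (kex) and
# ecdsa-sha2-nistp* (keys); "arcfour" is assumed to cover arcfour128/256 too.
DROP = {
    "HostKeyAlgorithms": ["ssh-dss*", "ecdsa-sha2-nistp*"],
    "KexAlgorithms": ["ecdh-sha2-nistp*", "diffie-hellman-group1-sha1",
                      "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"],
    "Ciphers": ["3des-cbc", "arcfour*", "cast128-cbc", "blowfish-cbc",
                "rijndael-cbc@lysator.liu.se"],
    "MACs": ["*md5*", "*sha1*", "umac-64*"],
}

def keep(name, patterns):
    """True if the algorithm name matches none of the rejection patterns."""
    return not any(fnmatch.fnmatchcase(name, p) for p in patterns)

def filtered(option, offered):
    """Subset of `offered` (one `ssh -Q <type>` list) that survives the
    recommendations, in the client's own preference order."""
    return [n for n in offered if keep(n, DROP[option])]

def config_line(option, offered):
    """Render the surviving names as an ssh_config/sshd_config directive."""
    return f"{option} {','.join(filtered(option, offered))}"

# Constructed sample resembling what a jessie-era (OpenSSH 6.7) client lists;
# replace with the real output of `ssh -Q key`, `kex`, `cipher` and `mac`.
SAMPLE = {
    "HostKeyAlgorithms": ["ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256"],
    "KexAlgorithms": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                      "diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes256-ctr", "aes256-cbc", "3des-cbc", "arcfour",
                "blowfish-cbc", "cast128-cbc", "rijndael-cbc@lysator.liu.se"],
    "MACs": ["hmac-sha2-512-etm@openssh.com", "umac-128-etm@openssh.com",
             "hmac-sha2-256", "hmac-ripemd160", "umac-64@openssh.com",
             "hmac-sha1", "hmac-md5"],
}

if __name__ == "__main__":
    for option in DROP:
        print(config_line(option, SAMPLE[option]))
```

Anything the filter drops can still be re-enabled per host with the same keywords in a `Host` block, which is the case-by-case fallback the message describes.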

