Bug#774711: recommendations for changing openssh defaults



It's now January 2016, one year since this bug was filed.

Some updates:

1) The recent 1:7.1p1-1 upload NEWS mentioned the following:

========================================================================
  OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
  cryptography.

   * Support for the legacy SSH version 1 protocol is disabled by default at
     compile time.  Note that this also means that the Cipher keyword in
     ssh_config(5) is effectively no longer usable; use Ciphers instead for
     protocol 2.  The openssh-client-ssh1 package includes "ssh1", "scp1",
     and "ssh-keygen1" binaries which you can use if you have no alternative
     way to connect to an outdated SSH1-only server; please contact the
     server administrator or system vendor in such cases and ask them to
     upgrade.
   * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
     disabled by default at run-time.  It may be re-enabled using the
     instructions at http://www.openssh.com/legacy.html
   * Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
     default at run-time.  These may be re-enabled using the instructions at
     http://www.openssh.com/legacy.html
   * Support for the legacy v00 cert format has been removed.

  Future releases will retire more legacy cryptography, including:

   * Refusing all RSA keys smaller than 1024 bits (the current minimum is
     768 bits).
   * Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
     all arcfour variants, and the rijndael-cbc aliases for AES.
   * MD5-based HMAC algorithms will be disabled by default.
========================================================================

2) I also just noticed that the 1:6.7p1-1 changelog listed:
  sshd(8): The default set of ciphers and MACs has been altered to
  remove unsafe algorithms.  In particular, CBC ciphers and arcfour* are
  disabled by default.  The full set of algorithms remains available if
  configured explicitly via the Ciphers and MACs sshd_config options.
That is in the server, so I guess the references in NEWS above to
cbc/arcfour going away soon must mean the client.

3) An interesting paper was released that mentions loss of security in ssh
when using sha1 in key exchange:
  http://www.mitls.org/pages/attacks/SLOTH
As mentioned above diffie-hellman-group1-sha1 was already disabled by 
default. Perhaps this is more evidence diffie-hellman-group14-sha1 and 
diffie-hellman-group-exchange-sha1 should be as well?
I don't know what implications this has for rsa's use of sha1, but it's
looking worse all the time. Maybe it would be good to have a plan; rsa keys
are going to be really hard to get rid of and will probably require a
multi-year warning.

4) The recent Juniper VPN firewall hack reminds us and provides further
evidence that the NIST curves are compromised and should be disabled
immediately:
http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html

5) The md5 and sha1 MACs should start going away, probably umac-64* too.
This should be easy; there are plenty of alternatives.

It's good to see some progress on this front; I think disabling a few more
things will get us to a much more secure state.

Thanks,

-- 
Matt Taggart
taggart@debian.org
