Bug#774711: recommendations for changing openssh defaults
It's now January 2016, one year since this bug was filed.
Some updates:
1) The recent 1:7.1p1-1 upload NEWS mentioned the following:
========================================================================
OpenSSH 7.0 disables several pieces of weak, legacy, and/or unsafe
cryptography.
* Support for the legacy SSH version 1 protocol is disabled by default at
compile time. Note that this also means that the Cipher keyword in
ssh_config(5) is effectively no longer usable; use Ciphers instead for
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in such cases and ask them to
upgrade.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
disabled by default at run-time. It may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
default at run-time. These may be re-enabled using the instructions at
http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
Future releases will retire more legacy cryptography, including:
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
* Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc,
all arcfour variants, and the rijndael-cbc aliases for AES.
* MD5-based HMAC algorithms will be disabled by default.
========================================================================
2) I also just noticed that the 1:6.7p1-1 changelog listed:
sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour* are
disabled by default. The full set of algorithms remains available if
configured explicitly via the Ciphers and MACs sshd_config options.
That is in the server, so I guess the references in NEWS above to
cbc/arcfour going away soon must mean the client.
3) An interesting paper was released that mentions loss of security in ssh
when using sha1 in key exchange,
http://www.mitls.org/pages/attacks/SLOTH
As mentioned above diffie-hellman-group1-sha1 was already disabled by
default. Perhaps this is more evidence diffie-hellman-group14-sha1 and
diffie-hellman-group-exchange-sha1 should be as well?
I don't know what implications this has for rsa's use of sha1, but it's
looking worse all the time. Maybe it would be good to have a plan: rsa keys
are going to be really hard to get rid of and will probably require a
multi-year warning.
4) The recent Juniper VPN firewall hack reminds us and provides further
evidence that the NIST curves are compromised and should be disabled
immediately,
http://blog.cryptographyengineering.com/2015/12/on-juniper-backdoor.html
5) The md5 and sha1 MACs should start going away, probably umac-64* too.
This should be easy, there are plenty of alternatives.
It's good to see some progress on this front; I think disabling a few more
things will get us to a much more secure state.
Thanks,
--
Matt Taggart
taggart@debian.org
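Added example, not part of the bug report or of the openssh package: a POSIX shell audit script that takes the effective algorithm lists printed by `sshd -T` and flags the entries that the report proposes retiring (CBC ciphers, arcfour, MD5/SHA-1 MACs, umac-64, SHA-1 key exchanges, NIST-curve algorithms, ssh-dss keys). The `sshd -T` sample embedded in it is constructed, and the regular expression is this example's own approximation of the report's list, not a list maintained by OpenSSH or Debian.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssh package): audit the
# algorithm lists reported by `sshd -T` for the legacy algorithms the report
# wants disabled. LEGACY_PATTERN is this example's own approximation of that
# list, so review it before relying on the result.

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE_SSHD_T='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,arcfour256,chacha20-poly1305@openssh.com
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
hostkeyalgorithms ssh-ed25519,ssh-rsa,ssh-dss'

# CBC ciphers, arcfour, MD5- and SHA-1-based names, umac-64, NIST P-curves,
# and DSA keys (plain and certificate forms).
LEGACY_PATTERN='-cbc$|^arcfour|md5|sha1|^umac-64|nistp|^ssh-dss'

# weak_algorithms KEYWORD CONFIG: print the entries of KEYWORD's list that
# match LEGACY_PATTERN, one per line (prints nothing when the list is clean).
weak_algorithms() {
  wa_keyword=$1
  wa_config=$2
  printf '%s\n' "$wa_config" \
    | awk -v kw="$wa_keyword" 'tolower($1) == kw { print $2 }' \
    | tr ',' '\n' \
    | grep -E -e "$LEGACY_PATTERN" || true
}

# count_weak_algorithms CONFIG: report each "keyword: algorithm" hit on
# stderr and print the total number of hits on stdout.
count_weak_algorithms() {
  cw_config=$1
  cw_total=0
  for kw in ciphers macs kexalgorithms hostkeyalgorithms; do
    for alg in $(weak_algorithms "$kw" "$cw_config"); do
      printf '%s: %s\n' "$kw" "$alg" >&2
      cw_total=$((cw_total + 1))
    done
  done
  printf '%s\n' "$cw_total"
}

# With --stdin the script audits a live host (run as root, since sshd -T
# needs to read the host keys): sshd -T | sh audit.sh --stdin
# Without arguments it audits the constructed sample above.
if [ "${1:-}" = "--stdin" ]; then
  config=$(cat)
else
  config=$SAMPLE_SSHD_T
fi
hits=$(count_weak_algorithms "$config")
echo "legacy algorithms still enabled: $hits"
```

Auditing `sshd -T` rather than `sshd_config` is deliberate: it shows the defaults the binary actually applies when a keyword is unset, which is exactly what the report is about. On the sample the script reports eight hits (two ciphers, three MACs, two key exchanges, one host key algorithm).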