Bug#774711: update of current openssh crypto support
It's been a while since I have updated #774711 with current status of
openssh crypto. Since my last update the following things were deprecated:

7.4:
* cipher: drops 3des-cbc from client proposal

7.2:
* cipher: drops blowfish-cbc, cast128-cbc, all arcfour variants
  and the rijndael-cbc aliases for AES
* HMAC: drops MD5-based and truncated HMAC algorithms
* increase the minimum modulus size supported for
  diffie-hellman-group-exchange to 2048 bits

7.0:
* protocol: v.1 disabled by default at compile time
* 1024-bit diffie-hellman-group1-sha1 key exchange disabled by default
  at run time
* ssh-dss, ssh-dss-cert-* host and user keys are disabled
  by default at run-time
* legacy v00 cert format has been removed

We also know that around Aug 2017 the following is coming:
* protocol: fully dropping support for v.1 (already disabled)
* ciphers: removing Blowfish and RC4
* HMAC: remove RIPE-MD160
* keys: refuse RSA keys smaller than 1024 bits

Of the things I listed that should be considered for removal in my mail
to this bug on 10 Sep 2015
( https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774711#65 )
only the following things remain supported:

Keys:
* NIST curves

Kex:
* NIST curves
* diffie-hellman-group14-sha1
* diffie-hellman-group-exchange-sha1 (min 2048 now at least)

Ciphers: done!

MACs:
* sha1
* umac-64

Anyone know the upstream status of these remaining things?

Thanks,
--
Matt Taggart
taggart@debian.org
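
An added example, not part of the original message or of OpenSSH: a Python check that reads algorithm lists in the `keyword value` form printed by `sshd -T` or `ssh -G` and labels each algorithm with the status given in the message above. The regex patterns that map the message's categories to algorithm names, and the sample configuration, are constructed for illustration.

```python
import re

# (config keyword, regex on the algorithm name, status as stated in the message).
# The patterns are this example's assumption about which names each category covers.
RULES = [
    ("ciphers", r"^3des-cbc$", "deprecated in 7.4 (client proposal)"),
    ("ciphers", r"^(blowfish-cbc|cast128-cbc|arcfour.*|rijndael-cbc@.*)$", "deprecated in 7.2"),
    ("macs", r"md5|-96", "MD5-based or truncated HMAC, deprecated in 7.2"),
    ("macs", r"ripemd160", "RIPE-MD160, removal expected around Aug 2017"),
    ("macs", r"^hmac-sha1(-etm@openssh\.com)?$", "sha1 MAC, still supported"),
    ("macs", r"^umac-64", "umac-64, still supported"),
    ("kexalgorithms", r"^diffie-hellman-group1-sha1$", "disabled at run time in 7.0"),
    ("kexalgorithms", r"^diffie-hellman-group14-sha1$", "still supported"),
    ("kexalgorithms", r"^diffie-hellman-group-exchange-sha1$", "still supported (min 2048 bits)"),
    ("kexalgorithms", r"nistp", "NIST curve kex, still supported"),
    ("hostkeyalgorithms", r"^ssh-dss", "disabled at run time in 7.0"),
    ("hostkeyalgorithms", r"nistp", "NIST curve key, still supported"),
]

# Constructed sample in the "keyword value" layout; not taken from a real host.
SAMPLE = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,3des-cbc
macs hmac-sha2-256,hmac-sha1,umac-64@openssh.com,hmac-md5-96
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,ssh-dss
"""

def audit(config_text):
    """Return (keyword, algorithm, status) for every algorithm the message lists."""
    findings = []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank line or keyword without a value
        keyword, value = parts[0].lower(), parts[1]
        for alg in value.split(","):
            alg = alg.strip()
            for rule_kw, pattern, status in RULES:
                if rule_kw == keyword and re.search(pattern, alg):
                    findings.append((keyword, alg, status))
                    break  # first matching rule wins
    return findings

if __name__ == "__main__":
    for keyword, alg, status in audit(SAMPLE):
        print(f"{keyword:18} {alg:32} {status}")
```

Algorithms that match no rule (for example `aes128-ctr` or `ssh-ed25519`) are not reported, because the message does not list them.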