[Bug 1499392] Re: OpenSSH Security and SHA1
Colin Watson
cjwatson at canonical.com
Mon Oct 5 22:21:28 UTC 2015
Backporting algorithm tightening may make sense, but I don't want to end
up in a situation where users are trying to deal with interoperability
issues but none of the upstream docs make sense. If we're advocating
specific changes that upstream aren't currently already considering, we
should take that up with upstream.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1499392
Title:
OpenSSH Security and SHA1
Status in openssh package in Ubuntu:
Confirmed
Bug description:
We should enhance security by disabling SHA1 or, if not possible
(older clients), by changing the KexAlgorithms, Ciphers and MACs order.
For example:
1. If we add support for older clients we should change this:
#### OpenSSH Security ####
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
2. If we just support new clients we should change this:
[...]
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
[...]
#### OpenSSH Security ####
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
For more information about my report go here:
https://github.com/scaleway/image-ubuntu/pull/35
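As an added example (not part of the bug report, of Ubuntu's packaging, or of OpenSSH itself), the following Python checker parses the KexAlgorithms, Ciphers and MACs lines of an sshd_config and reports every entry that still depends on SHA-1, which is the distinction the two configurations above draw. The two sample configurations are copied from the description; the function names and the handling of `+`/`-`/`^` list prefixes are the example's own assumptions.

```python
import re
from typing import Dict, List

# Directives whose value is a comma-separated, preference-ordered algorithm list.
ALGO_DIRECTIVES = ("kexalgorithms", "ciphers", "macs", "hostkeyalgorithms")

# Constructed input: the "older clients" configuration from the bug description.
COMPAT_CONFIG = """\
#### OpenSSH Security ####
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
"""

# Constructed input: the "new clients only" configuration from the bug description.
STRICT_CONFIG = """\
[...]
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
[...]
#### OpenSSH Security ####
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
"""


def parse_algorithm_directives(config_text: str) -> Dict[str, List[str]]:
    """Return {directive: [algorithm, ...]} for the list-valued directives.

    Keys are lowercased so that a hand-written sshd_config and the
    lowercased output of `sshd -T` parse the same way.
    """
    found: Dict[str, List[str]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts both "Key value" and "Key=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in ALGO_DIRECTIVES:
            continue
        # Newer OpenSSH lets a leading '+', '-' or '^' modify the default
        # list instead of replacing it; strip it so the names still parse.
        value = value.lstrip("+-^")
        found[key] = [a.strip() for a in value.split(",") if a.strip()]
    return found


def find_sha1_algorithms(config_text: str) -> Dict[str, List[str]]:
    """Map each directive to the entries whose name contains 'sha1'."""
    weak: Dict[str, List[str]] = {}
    for key, algos in parse_algorithm_directives(config_text).items():
        hits = [a for a in algos if "sha1" in a.lower()]
        if hits:
            weak[key] = hits
    return weak


def preferred_algorithms(config_text: str) -> Dict[str, str]:
    """First (most preferred) entry of each directive, i.e. what ordering changes."""
    return {k: v[0] for k, v in parse_algorithm_directives(config_text).items() if v}


if __name__ == "__main__":
    for name, cfg in (("compat", COMPAT_CONFIG), ("strict", STRICT_CONFIG)):
        print(name, "SHA-1 entries:", find_sha1_algorithms(cfg))
        print(name, "preferred:", preferred_algorithms(cfg))
```

Because the parser lowercases directive names, the same functions can be run over the effective configuration that `sshd -T` prints, which also reflects defaults not written in the file.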