Bug 2333

Summary: forbid old Ciphers, KexAlgorithms and MACs by default
Product: Portable OpenSSH Reporter: kolAflash
Component: MiscellaneousAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm
Priority: P5    
Version: 6.6p1   
Hardware: Other   
OS: Linux   

Description kolAflash 2015-01-08 05:38:57 AEDT 
OpenSSH shouldn't allow old Ciphers, KexAlgorithms and MACs by default, if they are not explicitly enabled in the the servers or users configuration file.
(should be still possible to enable those by configuration file, if user wishes so)


I'm thinking of disabling (by default) these:
Ciphers
  arcfour256,
  arcfour128,
  3des-cbc,
  arcfour

Maybe also disable by default:
Ciphers
  blowfish-cbc,
  cast128-cbc,
  aes192-cbc,
  aes256-cbc
I'm not quite sure about these.
Especially about blowfish. I guess it's deprecated by twofish?

Also disable these (by default):
KexAlgorithms
  diffie-hellman-group-exchange-sha1,
  diffie-hellman-group14-sha1,
  diffie-hellman-group1-sha1

And disable these (by default):
MACs
  hmac-md5-etm@openssh.com,
  hmac-sha1-etm@openssh.com,
  umac-64-etm@openssh.com,
  hmac-sha1-96-etm@openssh.com,
  hmac-md5-96-etm@openssh.com,
  hmac-md5,hmac-sha1,
  umac-64@openssh.com,
  hmac-sha1-96,
  hmac-md5-96


Maybe NIST curves should be disabled by default too.
At least since OpenSSH has ed25519!


--

These are the algorithms I currently got enabled:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-ripemd160@openssh.com


These are my sources of information:

https://stribika.github.io/2015/01/04/secure-secure-shell.html

https://bettercrypto.org/static/applied-crypto-hardening.pdf
Comment 1 kolAflash 2015-01-08 06:10:56 AEDT 
An alternative approach could be a warning, if those old ones are in use.

Putty (graphical SSH client) currently already warns about ciphers arcfour and des by default.
Nevertheless Putty also still lacks a default warning for 3des and all the others mentioned here.

http://www.chiark.greenend.org.uk/~sgtatham/putty/
Comment 2 Damien Miller 2015-01-08 08:30:23 AEDT 
We continually review the defaults and deprecate unsafe crypto as fast as we feel we can, but we need to ship an SSH implementation that works with others out there. The default algorithms that are selected (ecdh curve25519 / aes-ctr / umac-64-etm) are quite safe and there is no downgrade attack.

There is no realistic threat against the NIST EC curves, nor against hmac-md5.

You're welcome to make these changes to you own configurations.
Comment 3 kolAflash 2015-01-08 20:53:56 AEDT 
I don't know any halfway recent SSH implementation that shouldn't work without these.

Nevertheless:
What about a user-warning in interactive mode?
Comment 4 Damien Miller 2021-04-23 14:58:14 AEST 
closing resolved bugs as of 8.6p1 release