Hello list,

To my astonishment the openssh versions on both C6 and C7 will by default negotiate an MD5 HMAC.

C6 client, C7 server:

debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none

C7 client & server:

debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none

I reported this issue upstream:

https://bugzilla.redhat.com/show_bug.cgi?id=1417263
https://bugzilla.redhat.com/show_bug.cgi?id=1417264

You might want to add

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-ripemd160,umac-128@openssh.com,umac-128-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-96,umac-64-etm@openssh.com,umac-64@openssh.com

to your C7 ssh_config and sshd_config, or

MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,hmac-sha1-96

to your C6 ssh_config and sshd_config.

You might also want to prune your cipher list to exclude RC4 = arcfour ciphers with the option "Ciphers". Compare http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
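A small audit script, added here as an example and not code from the thread or from OpenSSH: it pulls the negotiated MAC for each direction out of `ssh -vv` output like the debug lines above, classifies MD5-based and truncated-tag MACs (the -96 and umac-64 variants) as weak, and checks a `MACs` line from ssh_config/sshd_config the same way. The sample debug output and config lines are constructed from what the post quotes; the "debug1: kex:" line layout of OpenSSH 6.x is the one shown in the post, and support for the OpenSSH 7.x layout ("cipher: X MAC: Y compression: Z") is an assumption of mine. The weak/ok split is this example's own classification, not a statement from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: parse `ssh -vv` output for the
# MAC negotiated in each direction, classify it, and audit the MACs line of
# an ssh_config/sshd_config. Assumed input layout of the "debug1: kex:" line:
# OpenSSH 6.x as quoted in the thread ("<dir> <cipher> <mac> <compression>");
# the OpenSSH 7.x form ("<dir> cipher: X MAC: Y compression: Z") is an
# assumption.

# Print "<direction> <mac>" for every kex line in the debug text passed as $1.
negotiated_macs() {
    printf '%s\n' "$1" | awk '
        $1 == "debug1:" && $2 == "kex:" {
            if ($4 == "cipher:") print $3, $7   # 7.x layout (assumed)
            else                 print $3, $5   # 6.x layout (as in the thread)
        }'
}

# Classification used by this example: MD5-based MACs and MACs with a
# truncated tag (-96, umac-64) are reported as weak; everything else as ok.
mac_class() {
    case "$1" in
        *md5*|*-96|*-96-etm@openssh.com|umac-64*) echo weak ;;
        *)                                          echo ok ;;
    esac
}

# Number of directions in a session that ended up with a weak MAC.
weak_count() {
    n=0
    for mac in $(negotiated_macs "$1" | awk '{ print $2 }'); do
        if [ "$(mac_class "$mac")" = weak ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Weak entries of the MACs line in a config text ($1). Prints nothing when
# the file has no MACs line at all, i.e. the compiled-in default applies,
# which is exactly the case the thread is about.
config_weak_macs() {
    printf '%s\n' "$1" | awk 'tolower($1) == "macs" { print $2 }' | tr ',' '\n' |
    while read -r mac; do
        if [ "$(mac_class "$mac")" = weak ]; then
            echo "$mac"
        fi
    done
}

# Constructed sample: the C6 client -> C7 server exchange from the thread.
C6_TO_C7='debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none'

# Constructed sample: the same exchange once both sides carry a MACs line
# that leads with hmac-sha2-512-etm@openssh.com.
HARDENED='debug1: kex: server->client aes128-ctr hmac-sha2-512-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-sha2-512-etm@openssh.com none'

# The C7 MACs line proposed in the thread, and a shorter list without the
# truncated-tag MACs (my choice, not the thread's).
THREAD_C7_MACS='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-ripemd160,umac-128@openssh.com,umac-128-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-96,umac-64-etm@openssh.com,umac-64@openssh.com'
STRICT_MACS='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

echo "default C6->C7: $(weak_count "$C6_TO_C7") weak direction(s)"   # 2
echo "with MACs line: $(weak_count "$HARDENED") weak direction(s)"   # 0
echo "truncated-tag entries in the thread's C7 list:"
config_weak_macs "$THREAD_C7_MACS"
echo "weak entries in the strict list: $(config_weak_macs "$STRICT_MACS" | awk 'END { print NR }')"   # 0
```

Against a live host, feed the script real output: `negotiated_macs "$(ssh -vv -o BatchMode=yes user@host true 2>&1)"` shows what is negotiated by default, and adding `-o MACs=hmac-md5` to that command shows whether the server still accepts hmac-md5 at all (the kex lines are printed before authentication, so a key is not needed; if the server refuses, the client reports that no matching MAC was found instead). On the server side, `sshd -T | grep -i '^macs'` on C7 prints the effective MACs list after a config change. The distinction matters for the later point in this thread that a client-side deprecation leaves the server accepting the algorithm: only the forced-MAC probe or the sshd_config check tells you about the server.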
On 01/27/2017 10:03 AM, Leonard den Ottolander wrote:
> To my astonishment the openssh versions on both C6 and C7 will by
> default negotiate an MD5 HMAC.

Cryptographers still consider MD5 secure for HMAC use. Wikipedia's references (currently 6, 7, and 8) in this article are useful:

https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
Hello Gordon,

On Fri, 2017-01-27 at 10:26 -0800, Gordon Messmer wrote:
> Cryptographers still consider MD5 secure for HMAC use. Wikipedia's
> references (currently 6, 7, and 8) in this article are useful:
>
> https://en.wikipedia.org/wiki/Hash-based_message_authentication_code

https://en.wikipedia.org/wiki/MD5 seems to disagree:

"The security of the MD5 has been severely compromised, with its weaknesses having been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use"."

SHA-1 is not as severely broken as MD5, so the argument that Schneier made in 2009 that SHA-1 is still suitable as a HMAC cannot necessarily be extended to MD5.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
> On 27.01.2017 at 19:03, Leonard den Ottolander <leonard at den.ottolander.nl> wrote:
>
> You might want to add
>
> MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-ripemd160,umac-128@openssh.com,umac-128-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-96,umac-64-etm@openssh.com,umac-64@openssh.com
>
> to your C7 ssh_config and sshd_config, or
>
> MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,hmac-sha1-96
>
> to your C6 ssh_config and sshd_config.

The next EL6 release (6.9) will have them marked as deprecated algorithms (disabled by default).

--
LF
On 01/29/2017 02:35 PM, Leon Fauster wrote:
> The next EL6 release (6.9) will have them marked as deprecated algorithms (disabled by default).

The client will no longer attempt to use hmac-md5. The server will continue to accept them.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/6.9_Technical_Notes/chap-Red_Hat_Enterprise_Linux-6.9_Technical_Notes-Deprecated_Functionality.html