Hi, In a recent security review some systems I manage were flagged due to supporting "weak" ciphers, specifically the ones listed below. So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd? On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and /etc/ssh/ssh_config. Is just using these three ciphers like to cause me any problems? Could having so few ciphers be creating a security concern itself? Thanks The following weak client-to-server encryption algorithms are supported by the remote service: rijndael-cbc at lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc The following weak server-to-client encryption algorithms are supported by the remote service: rijndael-cbc at lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc
On CentOS 7 I put the following at the end of ssh KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256 I believe that prevents the CBC ciphers from being used. CentOS 6 I *think* does not support curve25519 so that one may not be an option for CentOS 6. That really should be patched in CentOS 5 and 6. For the DH key exchange, I generate custom 2048 and 4096 DH keys pushd /etc/ssh ssh-keygen -G moduli-2048.candidates -b 2048 ssh-keygen -T moduli-2048 -f moduli-2048.candidates ssh-keygen -G moduli-4096.candidates -b 4096 ssh-keygen -T moduli-4096 -f moduli-4096.candidates cp moduli moduli-backup cat moduli-2048 moduli-4096 > moduli systemctl restart sshd.service On 10/18/2016 03:28 PM, Clint Dilks wrote:> Hi, > > In a recent security review some systems I manage were flagged due to > supporting "weak" ciphers, specifically the ones listed below. So first > question is are people generally modifying the list of ciphers supported by > the ssh client and sshd? > > On CentOS 6 currently it looks like if I remove all the ciphers they are > concerned about then I am left with Ciphers > aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and > /etc/ssh/ssh_config. Is just using these three ciphers like to cause me > any problems? Could having so few ciphers be creating a security concern > itself? > > Thanks > > > > The following weak client-to-server encryption algorithms are supported by > the remote service: > rijndael-cbc at lysator.liu.se > arcfour256 > arcfour128 > aes256-cbc > 3des-cbc > aes192-cbc > blowfish-cbc > cast128-cbc > arcfour > aes128-cbc > > The following weak server-to-client encryption algorithms are supported by > the remote service: > rijndael-cbc at lysator.liu.se > arcfour256 > arcfour128 > aes256-cbc > 3des-cbc > aes192-cbc > blowfish-cbc > cast128-cbc > arcfour > aes128-cbc > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >
On 10/18/2016 03:28 PM, Clint Dilks wrote:> So first > question is are people generally modifying the list of ciphers supported by > the ssh client and sshd?I suspect that "generally" people are not. I do, because I can, and so that I can offer at least some advice to people who aim to do so.> On CentOS 6 currently it looks like if I remove all the ciphers they are > concerned about then I am left with Ciphers > aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and > /etc/ssh/ssh_config.If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use: KexAlgorithms curve25519-sha256 at libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128 at openssh.com On CentOS 6, I believe you'd have to drop all of the @openssh.com items.> Is just using these three ciphers like to cause me > any problems? Could having so few ciphers be creating a security concern > itself?I don't think it'd be a security concern, just compatibility issues. So far, I've had minimal problems with restricted algorithms. I do have to make an exception for a slightly old WD MyBook World edition.
Am 19.10.2016 um 00:58 schrieb Gordon Messmer <gordon.messmer at gmail.com>:> On 10/18/2016 03:28 PM, Clint Dilks wrote: >> So first >> question is are people generally modifying the list of ciphers supported by >> the ssh client and sshd? > > I suspect that "generally" people are not. I do, because I can, and so that I can offer at least some advice to people who aim to do so. > >> On CentOS 6 currently it looks like if I remove all the ciphers they are >> concerned about then I am left with Ciphers >> aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and >> /etc/ssh/ssh_config. > > If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use: > > KexAlgorithms curve25519-sha256 at libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 > Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr > MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128 at openssh.com > > On CentOS 6, I believe you'd have to drop all of the @openssh.com items.Is there any command to find the supported list of KeyAlgos, MACs and Ciphers for the particular system (e.g. EL{5,6,7})? Similar to $ openssl ciphers -v ...>> Is just using these three ciphers like to cause me >> any problems? Could having so few ciphers be creating a security concern >> itself? > > I don't think it'd be a security concern, just compatibility issues. So far, I've had minimal problems with restricted algorithms. I do have to make an exception for a slightly old WD MyBook World edition.-- LF
Hello Clint, On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote:> The following weak client-to-server encryption algorithms are supported by > the remote service: > rijndael-cbc at lysator.liu.se > arcfour256 > arcfour128 > aes256-cbc > 3des-cbc > aes192-cbc > blowfish-cbc > cast128-cbc > arcfour > aes128-cbcWhere did you get the idea that AES (~ Rijndael) is a weak cipher? RC4 (arcfour) is indeed considered insecure and Blowfish uses a block size that is too small for comfort. CAST-128 might still be quite usable and even though triple DES only provides about 80 bits of security it is still not considered broken. Regards, Leonard. -- mount -t life -o ro /dev/dna /genetic/research
Am 19.10.2016 um 17:30 schrieb Leonard den Ottolander <leonard at den.ottolander.nl>:> Hello Clint, > > On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote: >> The following weak client-to-server encryption algorithms are supported by >> the remote service: >> rijndael-cbc at lysator.liu.se >> arcfour256 >> arcfour128 >> aes256-cbc >> 3des-cbc >> aes192-cbc >> blowfish-cbc >> cast128-cbc >> arcfour >> aes128-cbc > > Where did you get the idea that AES (~ Rijndael) is a weak cipher? > > RC4 (arcfour) is indeed considered insecure and Blowfish uses a block > size that is too small for comfort. CAST-128 might still be quite usable > and even though triple DES only provides about 80 bits of security it is > still not considered broken.Isn't there a collision attack for DES? -- LF
On 10/19/2016 08:30 AM, Leonard den Ottolander wrote:> Where did you get the idea that AES (~ Rijndael) is a weak cipher?It's not the cipher, but the mode. CBC has several known weaknesses in TLS, and is frequently regarded as potentially insecure as a result. https://www.openssl.org/~bodo/tls-cbc.txt
On Thu, Oct 20, 2016 at 4:30 AM, Leonard den Ottolander < leonard at den.ottolander.nl> wrote:> Hello Clint, > > On Wed, 2016-10-19 at 11:28 +1300, Clint Dilks wrote: > > The following weak client-to-server encryption algorithms are supported > by > > the remote service: > > rijndael-cbc at lysator.liu.se > > arcfour256 > > arcfour128 > > aes256-cbc > > 3des-cbc > > aes192-cbc > > blowfish-cbc > > cast128-cbc > > arcfour > > aes128-cbc > > Where did you get the idea that AES (~ Rijndael) is a weak cipher? > > RC4 (arcfour) is indeed considered insecure and Blowfish uses a block > size that is too small for comfort. CAST-128 might still be quite usable > and even though triple DES only provides about 80 bits of security it is > still not considered broken. > > Regards, > Leonard. >Morning Leonard, I believe the vulnerability scan was done using OpenVAS http://www.openvas.org/ Medium (CVSS: 4.3) NVT: SSH Weak Encryption Algorithms Supported Summary The remote SSH server is configured to allow weak encryption algorithms. Vulnerability Detection Result The following weak client-to-server encryption algorithms are supported by the remote service: rijndael-cbc at lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc The following weak server-to-client encryption algorithms are supported by the remote service: rijndael-cbc at lysator.liu.se arcfour256 arcfour128 aes256-cbc 3des-cbc aes192-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc Solution Disable the weak encryption algorithms. Vulnerability Insight The ?arcfour? cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak keys, and should not be used anymore. The ?none? algorithm specifies that no encryption is to be done. Note that this method provides no confidentiality protection, and it is NOT RECOMMENDED to use it. A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext. Vulnerability Detection Method Check if remote ssh service supports Arcfour, none or CBC ciphers. Details:SSH Weak Encryption Algorithms Supported OID:1.3.6.1.4.1.25623.1.0.105611 Version used: $Revision: 3160 $ References Other: URL:https://tools.ietf.org/html/rfc4253#section-6.3 URL:https://www.kb.cert.org/vuls/id/958563 Thanks> > -- > mount -t life -o ro /dev/dna /genetic/research > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos >
Maybe Matching Threads
- SSH Weak Ciphers
- enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
- enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
- [Bug 2333] New: forbid old Ciphers, KexAlgorithms and MACs by default
- enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS