bugzilla-daemon at mindrot.org
2015-Jan-07 18:38 UTC
[Bug 2333] New: forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333
Bug ID: 2333
Summary: forbid old Ciphers, KexAlgorithms and MACs by default
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: kolAflash at kolahilft.de
OpenSSH shouldn't allow old Ciphers, KexAlgorithms and MACs by default
if they are not explicitly enabled in the server's or user's
configuration file.
(It should still be possible to enable those via the configuration file if
the user wishes so.)
I'm thinking of disabling (by default) these:
Ciphers
arcfour256,
arcfour128,
3des-cbc,
arcfour
Maybe also disable by default:
Ciphers
blowfish-cbc,
cast128-cbc,
aes192-cbc,
aes256-cbc
I'm not quite sure about these.
Especially about blowfish. I guess it's deprecated by twofish?
Also disable these (by default):
KexAlgorithms
diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1
And disable these (by default):
MACs
hmac-md5-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64-etm@openssh.com,
hmac-sha1-96-etm@openssh.com,
hmac-md5-96-etm@openssh.com,
hmac-md5,
hmac-sha1,
umac-64@openssh.com,
hmac-sha1-96,
hmac-md5-96
Maybe NIST curves should be disabled by default too.
At least since OpenSSH has ed25519!
--
These are the algorithms I currently have enabled:
KexAlgorithms
curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-ripemd160@openssh.com
These are my sources of information:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
https://bettercrypto.org/static/applied-crypto-hardening.pdf
--
You are receiving this mail because:
You are watching the assignee of the bug.
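The report above amounts to an allow-list policy for three ssh_config/sshd_config keywords. The following is an added example for this thread, not code from OpenSSH or from the reporter: a small auditor that reads a config file's Ciphers, KexAlgorithms and MACs lines and flags any name from the report's deny-lists that the file would leave enabled. The grouping of those names into the LEGACY sets is mine, taken from the report's lists; the handling of the `+`, `-` and `^` value prefixes assumes the semantics OpenSSH added in 7.5 and 8.0 (the report's 6.6p1 only has plain lists); the "first occurrence wins" rule and the `ssh -Q` hint are taken from ssh_config(5) and ssh(1). The two sample configs are constructed for the example.

```python
"""Audit an OpenSSH ssh_config/sshd_config for the legacy algorithms listed in
the bug report. Added example for this thread, not code from OpenSSH or from
the reporter; the LEGACY sets are the report's lists, grouped by keyword."""
import re

LEGACY = {
    "ciphers": {
        "arcfour256", "arcfour128", "arcfour", "3des-cbc",
        "blowfish-cbc", "cast128-cbc", "aes192-cbc", "aes256-cbc",
    },
    "kexalgorithms": {
        "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
    },
    "macs": {
        "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com",
        "umac-64-etm@openssh.com", "hmac-sha1-96-etm@openssh.com",
        "hmac-md5-96-etm@openssh.com", "hmac-md5", "hmac-sha1",
        "umac-64@openssh.com", "hmac-sha1-96", "hmac-md5-96",
    },
}
KEYWORDS = tuple(LEGACY)

# Keyword, then whitespace or an optional '=' separator, as ssh_config(5) allows.
_LINE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def parse_algorithm_lines(text):
    """Return {keyword: (mode, [names])} for Ciphers, KexAlgorithms and MACs.

    Keywords are case-insensitive and, as in OpenSSH, the first occurrence of
    a keyword wins. mode is "replace" for a plain list, "enable" for the '+'
    (append) and '^' (prepend) prefixes and "remove" for the '-' prefix; the
    prefixes are an assumption about OpenSSH 7.5/8.0 and later, the 6.6p1 of
    the report has plain lists only.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # empty and comment lines
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword not in KEYWORDS or keyword in found:
            continue
        mode = "replace"
        if value and value[0] in "+^":
            mode, value = "enable", value[1:]
        elif value and value[0] == "-":
            mode, value = "remove", value[1:]
        names = [n.strip() for n in value.split(",") if n.strip()]
        found[keyword] = (mode, names)
    return found


def audit_ssh_config(text):
    """Return {keyword: sorted legacy names the config would leave enabled}.

    Keywords that are absent fall back to the compiled-in defaults of the
    installed OpenSSH version; they are listed under "defaulted" so the reader
    knows to check `ssh -Q cipher`, `ssh -Q kex` and `ssh -Q mac` on that host.
    """
    parsed = parse_algorithm_lines(text)
    report = {"defaulted": sorted(k for k in KEYWORDS if k not in parsed)}
    for keyword, (mode, names) in parsed.items():
        if mode == "remove":
            report[keyword] = []          # a '-' list only disables names
        else:
            report[keyword] = sorted(n for n in names if n in LEGACY[keyword])
    return report


# Constructed sample: the reporter's hardened settings from the report.
HARDENED_CONFIG = """\
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
"""

# Constructed sample: legacy names re-enabled, MACs left to the defaults, and a
# second Ciphers line that OpenSSH would ignore because the first one wins.
WEAK_CONFIG = """\
# host-wide settings (constructed for the example)
Ciphers aes256-ctr,3des-cbc,arcfour
KexAlgorithms = diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
ciphers arcfour256
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_ssh_config(cfg))
```

The auditor deliberately reports absent keywords rather than guessing the defaults, since the thread's whole disagreement is about what those defaults should be for a given version; compare the "defaulted" entries against `ssh -Q` output on the host being reviewed.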
bugzilla-daemon at mindrot.org
2015-Jan-07 19:10 UTC
[Bug 2333] forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333
--- Comment #1 from kolAflash at kolahilft.de ---
An alternative approach could be a warning if those old ones are in use.
PuTTY (graphical SSH client) currently already warns about the ciphers arcfour and des by default.
Nevertheless, PuTTY still lacks a default warning for 3des and all the others mentioned here.
http://www.chiark.greenend.org.uk/~sgtatham/putty/
bugzilla-daemon at mindrot.org
2015-Jan-07 21:30 UTC
[Bug 2333] forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
We continually review the defaults and deprecate unsafe crypto as fast
as we feel we can, but we need to ship an SSH implementation that works
with others out there. The default algorithms that are selected (ecdh
curve25519 / aes-ctr / umac-64-etm) are quite safe and there is no
downgrade attack.
There is no realistic threat against the NIST EC curves, nor against
hmac-md5.
You're welcome to make these changes to your own configurations.
bugzilla-daemon at mindrot.org
2015-Jan-08 09:53 UTC
[Bug 2333] forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333
--- Comment #3 from kolAflash at kolahilft.de ---
I don't know any halfway recent SSH implementation that shouldn't work without these.
Nevertheless: what about a user warning in interactive mode?
bugzilla-daemon at mindrot.org
2021-Apr-23 04:58 UTC
[Bug 2333] forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release