Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings
Tails cannot connect with SSH to recent OpenBSD systems because the restricted set of MACs that is set in Tails doesn't match any MAC accepted in OpenBSD by default.
OpenBSD accepts by default:
I would find it very surprising if none of the MACs accepted by OpenBSD were good enough for our standards. So maybe our lists have to be reviewed in the light of this finding.
Drop custom OpenSSH client ciphers and MACs settings.
We did a pretty bad job at maintaining them.
#1 Updated by sajolida over 5 years ago
Topic raised on tails-dev: https://mailman.boum.org/pipermail/tails-dev/2014-May/005895.html.
#6 Updated by BitingBird over 4 years ago
https://stribika.github.io/2015/01/04/secure-secure-shell.html seems to be an interesting and up-to-date reference
According to it, we should not allow hmac-sha1 and hmac-md5.
Recommended /etc/ssh/sshd_config snippet: MACs email@example.com,firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,email@example.com
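To make the failure mode in the ticket description concrete (a client whose MACs line has no entry in common with what the server offers cannot connect at all), and to show the kind of check comment #6 implies (flagging hmac-sha1 and hmac-md5 in a preference list), here is an added example in Python. It is not Tails code and not OpenSSH's implementation; it only models the negotiation rule from RFC 4253 section 7.1 (the chosen algorithm is the first entry in the client's list that the server also supports). The client config text is constructed, reusing only the "hmac-sha1,hmac-ripemd160" MACs value quoted in this ticket, and the server list is a constructed sha2-only offer, not a real OpenBSD default.

```python
# Added example (not Tails or OpenSSH code): models SSH MAC negotiation to show
# why an over-restricted client MACs list fails, and flags MACs the referenced
# article says to drop. All sample data below is constructed.
import re

# Constructed client ssh_config; the MACs value is the one quoted in this ticket.
CLIENT_SSH_CONFIG = """\
Host *
    # constructed example config
    MACs hmac-sha1,hmac-ripemd160
"""

# Constructed server offer (NOT a real OpenBSD default list): sha2 family only.
SERVER_MACS = [
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512",
    "hmac-sha2-256",
]

# MACs that comment #6 (citing stribika's article) says should not be allowed.
WEAK_MACS = {"hmac-sha1", "hmac-md5"}


def parse_ssh_config_list(config_text, keyword):
    """Return the comma-separated value list for `keyword` (e.g. 'MACs') from an
    ssh_config text, or [] if it is not set. Keywords are case-insensitive and
    may be followed by whitespace or '='; values keep their case."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s*[=\s]\s*(.+)$", line)
        if m and m.group(1).lower() == keyword.lower():
            return [a.strip() for a in m.group(2).split(",") if a.strip()]
    return []


def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1 rule: pick the first algorithm in the CLIENT's list
    that the server also supports. None means the handshake fails (OpenSSH
    reports this as 'no matching MAC found')."""
    offered = set(server_prefs)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None


def weak_entries(prefs):
    """Entries of a preference list that the referenced article recommends
    disabling; an empty result means the list is clean in that respect."""
    return [a for a in prefs if a in WEAK_MACS]


if __name__ == "__main__":
    client = parse_ssh_config_list(CLIENT_SSH_CONFIG, "MACs")
    print("client MACs:", client)
    print("chosen MAC :", negotiate(client, SERVER_MACS))  # None: no common MAC
    print("weak MACs  :", weak_entries(client))
```

Against a real host, `ssh -Q mac` prints the MACs the local OpenSSH build supports and `ssh -vv` shows both sides' offered lists during the key exchange, which is where a mismatch like the one in this ticket becomes visible.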
#11 Updated by intrigeri over 3 years ago
Ciphers firstname.lastname@example.org,email@example.com,aes256-ctr,aes256-cbc,firstname.lastname@example.org,aes128-ctr,aes128-cbc MACs hmac-sha1,hmac-ripemd160
#12 Updated by intrigeri over 3 years ago
Raised the discussion on tails-dev@ again (https://mailman.boum.org/pipermail/tails-dev/2015-December/009956.html).
#14 Updated by intrigeri over 3 years ago
- Type of work changed from Research to Discuss
Proposed to drop these custom settings altogether: https://mailman.boum.org/pipermail/tails-dev/2016-March/010446.html
#18 Updated by intrigeri over 3 years ago
- Status changed from Confirmed to In Progress
- Assignee changed from intrigeri to anonym
- % Done changed from 0 to 40
- QA Check changed from Dev Needed to Ready for QA
- Feature Branch set to feature/7315-drop-custom-ssh-crypto-settings
Done. anonym, this change is so trivial that it would seem to be a waste of our time that both of us build an ISO and test it, so I have been bold and didn't test it myself. If you want me to do it, just say so.