Feature #7315

Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings

Added by sajolida almost 5 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Elevated
Assignee: -
Category: -
Target version:
Start date: 05/27/2014
Due date:
% Done: 100%
QA Check: Pass
Feature Branch: feature/7315-drop-custom-ssh-crypto-settings
Type of work: Code
Blueprint:
Starter: No
Affected tool:

Description

Tails cannot connect with SSH to recent OpenBSD systems because the restricted set of MACs that is set in Tails doesn't match any MAC accepted in OpenBSD by default.

Tails sets:

hmac-sha1,hmac-md5,hmac-ripemd160

OpenBSD accepts by default:

umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

See: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

I would find it very surprising if none of the MACs accepted by OpenBSD were good enough for our standards. So maybe our lists have to be reviewed in the light of this finding.

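The failure described above is a plain algorithm-negotiation mismatch. The added script below (constructed for this page, not Tails or OpenSSH code) applies the SSH selection rule from RFC 4253 section 7.1 to the two MAC lists quoted in the description, and to the MAC list quoted later in note #11; the positive case uses a constructed client list, since no OpenSSH client default list appears on this page.

```python
"""Reproduce the SSH MAC negotiation failure described in ticket #7315.

Constructed example, not Tails or OpenSSH code. The Tails and OpenBSD lists
are copied from the ticket description; the rule is RFC 4253 section 7.1:
the chosen algorithm is the first entry in the client's list that the server
also supports, and if there is none the connection fails.
"""
from typing import List, Optional

# MACs configured by Tails at the time of the ticket (client side).
TAILS_MACS = "hmac-sha1,hmac-md5,hmac-ripemd160"

# MACs accepted by a then-current OpenBSD sshd by default (server side).
OPENBSD_DEFAULT_MACS = (
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
    "umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512"
)

# MACs proposed on tails-testers, as quoted in note #11 of this ticket.
PROPOSED_MACS = "hmac-sha1,hmac-ripemd160"

# Constructed client list (an assumption, not any real default) whose
# entries overlap with the OpenBSD list; used only for the positive case.
SAMPLE_CLIENT_MACS = "umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1"


def parse_algorithm_list(name_list: str) -> List[str]:
    """Split a comma-separated SSH name-list, dropping empty entries."""
    return [name.strip() for name in name_list.split(",") if name.strip()]


def negotiate(client: str, server: str) -> Optional[str]:
    """Return the MAC SSH would pick, or None when the sides share none.

    Walk the client's preference order and take the first name the server
    also lists; the server's own ordering does not influence the choice.
    """
    server_names = set(parse_algorithm_list(server))
    for name in parse_algorithm_list(client):
        if name in server_names:
            return name
    return None


if __name__ == "__main__":
    for label, client in (("Tails", TAILS_MACS), ("note #11", PROPOSED_MACS),
                          ("constructed client", SAMPLE_CLIENT_MACS)):
        print(f"{label}: {negotiate(client, OPENBSD_DEFAULT_MACS)}")
```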
Related issues

Related to Tails - Bug #8677: Can't ssh to git.tails.boum.org from Tails Resolved 01/11/2015
Related to Tails - Feature #8027: Ship OpenSSH from wheezy-backports Rejected 10/07/2014
Blocked by Tails - Feature #6015: Tails based on Wheezy Resolved 07/28/2013

Associated revisions

Revision 16a585e5 (diff)
Added by intrigeri almost 3 years ago

Drop custom OpenSSH client ciphers and MACs settings.

We did a pretty bad job at maintaining them.

https://mailman.boum.org/pipermail/tails-dev/2016-March/010446.html

refs: #7315

Revision 102217c3
Added by anonym almost 3 years ago

Merge remote-tracking branch 'origin/feature/7315-drop-custom-ssh-crypto-settings' into testing

Fix-committed: #7315

History

#2 Updated by intrigeri almost 5 years ago

That's because OpenBSD only allows MACs that are not supported on
Squeeze, apparently. Not checked the ciphers. Once we're based on
Wheezy, we can fix this.

#3 Updated by intrigeri almost 5 years ago

#4 Updated by intrigeri almost 5 years ago

(Going on the discussion on tails-dev@ for the time being.)

#5 Updated by BitingBird over 4 years ago

I didn't find any answer on the list. We should test if that's still the case, maybe Tails-Wheezy changed something?

#6 Updated by BitingBird over 4 years ago

https://stribika.github.io/2015/01/04/secure-secure-shell.html seems to be an interesting and up-to-date reference

According to it, we should not allow hmac-sha1 and hmac-md5.

Recommended /etc/ssh/sshd_config snippet: MACs ,,,,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,

#7 Updated by BitingBird over 4 years ago

  • Related to Bug #8677: Can't ssh to git.tails.boum.org from Tails added

#8 Updated by intrigeri about 4 years ago

  • Subject changed from Review our list of SSH ciphers and MACs to Review our list of SSH ciphers, MACs and HostKeyAlgorithms

#9 Updated by intrigeri about 4 years ago

  • Related to Feature #8027: Ship OpenSSH from wheezy-backports added

#10 Updated by BitingBird about 4 years ago

  • Priority changed from Normal to Elevated

Raising priority, as this seems like a security and usability issue.

#11 Updated by intrigeri over 3 years ago

https://mailman.boum.org/pipermail/tails-testers/2015-December/000229.html suggests:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha1,hmac-ripemd160

#12 Updated by intrigeri over 3 years ago

#14 Updated by intrigeri about 3 years ago

  • Type of work changed from Research to Discuss

Proposed to drop these custom settings altogether: https://mailman.boum.org/pipermail/tails-dev/2016-March/010446.html

#15 Updated by emmapeel about 3 years ago

  • Assignee set to intrigeri
  • Target version set to Tails_2.3
  • QA Check set to Dev Needed
  • Type of work changed from Discuss to Code

Talked about in the monthly meeting, everybody agrees.

We will reduce the delta with upstream once more!

#16 Updated by intrigeri about 3 years ago

  • Target version changed from Tails_2.3 to Tails_2.4

#17 Updated by intrigeri almost 3 years ago

  • Subject changed from Review our list of SSH ciphers, MACs and HostKeyAlgorithms to Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings

#18 Updated by intrigeri almost 3 years ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from intrigeri to anonym
  • % Done changed from 0 to 40
  • QA Check changed from Dev Needed to Ready for QA
  • Feature Branch set to feature/7315-drop-custom-ssh-crypto-settings

Done. anonym, this change is so trivial that it would seem to be a waste of our time that both of us build an ISO and test it, so I have been bold and didn't test it myself. If you want me to do it, just say so.

#19 Updated by anonym almost 3 years ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 40 to 100
  • QA Check changed from Ready for QA to Pass

#20 Updated by intrigeri almost 3 years ago

  • Status changed from Fix committed to In Progress
  • Assignee set to anonym
  • % Done changed from 100 to 90
  • QA Check changed from Pass to Ready for QA

Actually this was not fully merged! (Noticed since Jenkins still builds the branch.)

#21 Updated by anonym almost 3 years ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 90 to 100

#22 Updated by anonym almost 3 years ago

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#23 Updated by anonym almost 3 years ago

  • Status changed from Fix committed to Resolved
