Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Figure out sshd algorithms for noble #7281

Open
legoktm opened this issue Oct 28, 2024 · 0 comments
Open

Figure out sshd algorithms for noble #7281

legoktm opened this issue Oct 28, 2024 · 0 comments
Labels
noble Ubuntu Noble related work

Comments

@legoktm
Copy link
Member

legoktm commented Oct 28, 2024

Description

Our sshd_config ships with:

# Cipher selection

Ciphers [email protected],[email protected],aes256-ctr,aes128-ctr
# Don't use SHA1 for kex
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
# Don't use SHA1 for hashing, don't use encrypt-and-MAC mode
MACs [email protected],[email protected],[email protected]

We should update this for noble.

I was reading through https://blog.stribik.technology/2015/01/04/secure-secure-shell.html because I was trying to understand the whole /etc/ssh/moduli and it seems like we could drop diffie-hellman-group-exchange-sha256 for diffie-hellman-group14-sha256/diffie-hellman-group16-sha512/diffie-hellman-group18-sha512 and not have to deal with the moduli file. But I guess the group exchange one is preferred?

Also instead of setting a fixed list, we could just subtract the ones we don't want, so we get the advantage of newer algos without needing to manually update our lists each time. It also supports wildcards so theoretically do something like KexAlgorithms -*sha1.

Per https://www.man7.org/linux/man-pages/man5/sshd_config.5.html the upstream default currently is:

Ciphers

[email protected],
aes128-ctr,aes192-ctr,aes256-ctr,
[email protected],[email protected]

KexAlgorithms

[email protected],
curve25519-sha256,[email protected],
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256

MACs

[email protected],[email protected],
[email protected],[email protected],
[email protected],
[email protected],[email protected],
hmac-sha2-256,hmac-sha2-512,hmac-sha1

@legoktm legoktm added the noble Ubuntu Noble related work label Oct 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
noble Ubuntu Noble related work
Projects
None yet
Development

No branches or pull requests

1 participant