Commit
Added warnings to all key exchanges that do not provide protection against quantum attacks.
Showing 26 changed files with 475 additions and 162 deletions.
@@ -116,6 +116,9 @@ | |
"info": [ | ||
"default key exchange from OpenSSH 7.4 to 8.9", | ||
"available since OpenSSH 7.4, Dropbear SSH 2018.76" | ||
], | ||
"warn": [ | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
}, | ||
|
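Review bot: the wording of the new note, `"does not provide protection against post-quantum attacks"`, is slightly off: the attack being warned about is a quantum attack (the commit message itself says "quantum attacks"); "post-quantum" describes the algorithms that resist it. Consider `"does not provide protection against quantum attacks"` or "is not quantum-resistant", and since the identical string is repeated in every kex entry of this fixture, it is worth keeping it in one constant on the emitting side so the wording cannot drift between entries.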
@@ -125,6 +128,9 @@ | |
"info": [ | ||
"default key exchange from OpenSSH 6.5 to 7.3", | ||
"available since OpenSSH 6.4, Dropbear SSH 2013.62" | ||
], | ||
"warn": [ | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
}, | ||
|
@@ -136,6 +142,9 @@ | |
], | ||
"info": [ | ||
"available since OpenSSH 5.7, Dropbear SSH 2013.62" | ||
], | ||
"warn": [ | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
}, | ||
|
@@ -147,6 +156,9 @@ | |
], | ||
"info": [ | ||
"available since OpenSSH 5.7, Dropbear SSH 2013.62" | ||
], | ||
"warn": [ | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
}, | ||
|
@@ -158,6 +170,9 @@ | |
], | ||
"info": [ | ||
"available since OpenSSH 5.7, Dropbear SSH 2013.62" | ||
], | ||
"warn": [ | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
}, | ||
|
@@ -168,7 +183,8 @@ | |
"available since OpenSSH 7.3, Dropbear SSH 2016.73" | ||
], | ||
"warn": [ | ||
"2048-bit modulus only provides 112-bits of symmetric strength" | ||
"2048-bit modulus only provides 112-bits of symmetric strength", | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
}, | ||
|
@@ -182,7 +198,8 @@ | |
"available since OpenSSH 3.9, Dropbear SSH 0.53" | ||
], | ||
"warn": [ | ||
"2048-bit modulus only provides 112-bits of symmetric strength" | ||
"2048-bit modulus only provides 112-bits of symmetric strength", | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
}, | ||
|
@@ -191,6 +208,9 @@ | |
"notes": { | ||
"info": [ | ||
"available since Dropbear SSH 2013.57" | ||
], | ||
"warn": [ | ||
"does not provide protection against post-quantum attacks" | ||
] | ||
} | ||
} | ||
|
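Review bot: the entry annotated only with `"available since Dropbear SSH 2013.57"` now receives the post-quantum warning too, but its name is not visible in this hunk; please confirm it is an actual key-exchange method and not a Dropbear protocol-extension marker, because the warning is meaningless on an entry that performs no key agreement.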
@@ -349,12 +369,6 @@ | |
"name": "twofish256-ctr", | ||
"notes": "" | ||
} | ||
], | ||
"kex": [ | ||
{ | ||
"name": "diffie-hellman-group16-sha512", | ||
"notes": "" | ||
} | ||
] | ||
} | ||
}, | ||
|
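Review bot: dropping the `"diffie-hellman-group16-sha512"` append recommendation is consistent with the new warning, but nothing replaces it, so this fixture's recommendations no longer suggest any kex to append; taken together with the removals in the following hunk, the expected output steers an operator toward a host with no remaining key-exchange method. The fixture should probably reflect a host that offers at least one quantum-resistant kex, or the removals should be conditional on one being available.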
@@ -371,9 +385,21 @@ | |
} | ||
], | ||
"kex": [ | ||
{ | ||
"name": "curve25519-sha256", | ||
"notes": "" | ||
}, | ||
{ | ||
"name": "[email protected]", | ||
"notes": "" | ||
}, | ||
{ | ||
"name": "diffie-hellman-group14-sha256", | ||
"notes": "" | ||
}, | ||
{ | ||
"name": "[email protected]", | ||
"notes": "" | ||
} | ||
], | ||
"mac": [ | ||
|
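Review bot: two of the four new removal entries render here as `"[email protected]"`, so the real algorithm names (both contain an `@`-suffixed domain) cannot be verified from this view; please check that they match the `(rec)` lines in the text fixture. Also, all four new entries are `kex` removals and cover every kex the host offers, with no corresponding append.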
@@ -5,22 +5,30 @@ | |
[0;32m(gen) compression: enabled ([email protected])[0m | ||
|
||
[0;36m# key exchange algorithms[0m | ||
[0;32m(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76[0m | ||
[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m | ||
[0;32m(kex) [email protected] -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62[0m | ||
[0;32m `- [info] default key exchange from OpenSSH 6.5 to 7.3[0m | ||
[0;33m(kex) curve25519-sha256 -- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 | ||
`- [info] default key exchange from OpenSSH 7.4 to 8.9 | ||
[0;33m(kex) [email protected] -- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 | ||
`- [info] default key exchange from OpenSSH 6.5 to 7.3 | ||
[0;31m(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m | ||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 | ||
[0;31m(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m | ||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 | ||
[0;31m(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m | ||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 | ||
[0;33m(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m | ||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 | ||
[0;31m(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm[0m | ||
[0;33m `- [warn] 2048-bit modulus only provides 112-bits of symmetric strength[0m | ||
[0;33m `- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 | ||
[0;32m(kex) [email protected] -- [info] available since Dropbear SSH 2013.57[0m | ||
[0;33m(kex) [email protected] -- [warn] does not provide protection against post-quantum attacks[0m | ||
`- [info] available since Dropbear SSH 2013.57 | ||
|
||
[0;36m# host-key algorithms[0m | ||
[0;31m(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency[0m | ||
|
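Review bot: the `` `- [info] `` continuation lines (for example `` `- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76``) have lost their colour escape, while the `` `- [warn] `` continuation lines keep `[0;33m`; before this change every continuation line carried the same colour as its parent (`[0;32m `- [info] default key exchange from OpenSSH 7.4 to 8.9[0m`). Either restore a colour on the info sub-lines or make "uncoloured means informational" the documented convention, otherwise the mixed colouring within one entry reads as inconsistent.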
@@ -74,13 +82,15 @@ | |
[0;31m(rec) -hmac-sha1-96 -- mac algorithm to remove [0m | ||
[0;31m(rec) -ssh-dss -- key algorithm to remove [0m | ||
[0;31m(rec) -ssh-rsa -- key algorithm to remove [0m | ||
[0;32m(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append [0m | ||
[0;32m(rec) +twofish128-ctr -- enc algorithm to append [0m | ||
[0;32m(rec) +twofish256-ctr -- enc algorithm to append [0m | ||
[0;33m(rec) -aes128-cbc -- enc algorithm to remove [0m | ||
[0;33m(rec) -aes256-cbc -- enc algorithm to remove [0m | ||
[0;33m(rec) -curve25519-sha256 -- kex algorithm to remove [0m | ||
[0;33m(rec) [email protected] -- kex algorithm to remove [0m | ||
[0;33m(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove [0m | ||
[0;33m(rec) -hmac-sha2-256 -- mac algorithm to remove [0m | ||
[0;33m(rec) [email protected] -- kex algorithm to remove [0m | ||
|
||
[0;36m# additional info[0m | ||
[0;33m(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>[0m | ||
|
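Review bot: the recommendation block now contains four `kex algorithm to remove` lines (`-curve25519-sha256`, two masked `@`-suffixed names and `-diffie-hellman-group14-sha256`) and the only `kex algorithm to append` line (`+diffie-hellman-group16-sha512`) is gone, so following these recommendations verbatim on this host leaves no key exchange at all. Consider gating the removals on the server offering a quantum-resistant kex, or presenting them as a migration warning rather than a removal.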
28a1e23
While I sympathize with the intent of this change, the resulting recommendations pretty much leave only one valid key exchange algorithm for OpenSSH 9.2p1. What happens once that one is also found to be unreliable?
A minor point: This change also results in the output turning into an illogical color coding between info lines (see screenshot).
Then it, too, will be marked accordingly. The purpose of ssh-audit is to present the facts to the user. If 100% of all SSH key exchange algorithms had problems, then that's exactly what it should report.
The threat of the Harvest Now, Decrypt Later strategy is being taken very seriously by the cryptographic community. And so system admins should be made aware so they can make migration plans. Unfortunately, this does mean that most modern platforms have only one safe key exchange at this time. It won't be until platforms ship OpenSSH 9.9 or later that a second good option becomes available (with mlkem768x25519-sha256).
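One way to act on the new warning from a scan's JSON output, as an added example (not ssh-audit's own code): it assumes each `"kex"` entry names its method in an `"algorithm"` key next to the `"notes"` object shown in the diff, and it flags whether any kex without the warning remains, which is the concern raised above.

```python
"""Post-quantum coverage check over an ssh-audit style JSON report."""
import json

# Warning string introduced by this commit for every classical kex entry.
PQ_WARNING = "does not provide protection against post-quantum attacks"


def assess_pq_kex(report_json: str) -> dict:
    """Split a report's kex entries by whether they carry the PQ warning.

    Assumption (not shown in the diff): each "kex" entry names its method in
    an "algorithm" key next to the "notes" object the fixtures above show.
    """
    report = json.loads(report_json)
    safe, vulnerable = [], []
    for entry in report.get("kex", []):
        name = entry.get("algorithm", "<unnamed>")
        notes = entry.get("notes")
        # Recommendation entries in the diff use "notes": "" (a string), so
        # only a dict is treated as carrying info/warn lists.
        warns = notes.get("warn", []) if isinstance(notes, dict) else []
        (vulnerable if PQ_WARNING in warns else safe).append(name)
    return {
        "pq_safe": safe,
        "pq_vulnerable": vulnerable,
        # The reviewer's concern in the thread: removing every warned kex is
        # only actionable if at least one unwarned (hybrid PQ) kex remains.
        "has_pq_safe_kex": bool(safe),
    }


# Constructed sample (not real scan output), modelled on the fixture in the
# diff plus the hybrid kex named in the discussion.
SAMPLE_REPORT = json.dumps({"kex": [
    {"algorithm": "mlkem768x25519-sha256",
     "notes": {"info": ["available since OpenSSH 9.9"]}},
    {"algorithm": "curve25519-sha256",
     "notes": {"info": ["default key exchange from OpenSSH 7.4 to 8.9"],
               "warn": [PQ_WARNING]}},
    {"algorithm": "diffie-hellman-group14-sha256",
     "notes": {"warn": ["2048-bit modulus only provides 112-bits of symmetric strength",
                        PQ_WARNING]}},
]})

if __name__ == "__main__":
    print(json.dumps(assess_pq_kex(SAMPLE_REPORT), indent=2))
```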
Fair enough.
Just as long as it's clearly marked as a suggested migration strategy, rather than as yet another vague statement that there's something shady about NIST curves so please disable them now.
Right now, a lot of ssh-audit's recommended removals contradict OpenSSH developers' own views over what must or should be deprecated. In many cases, ssh-audit's recommendations and the accompanying hardening guide are considered overzealous. This results in the above case where ssh-audit only considers one of the pre-9.9 algorithms to be safe, again just as for the NIST case, without specifying why, leaving people on very thin ice. This is not a desirable outcome.