Feature #7315
Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings
100%
Description
Tails cannot connect with SSH to recent OpenBSD systems because the restricted set of MACs that is set in Tails doesn’t match any MAC accepted in OpenBSD by default.
Tails sets:
hmac-sha1,hmac-md5,hmac-ripemd160
OpenBSD accepts by default:
umac-64-etm
openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512@
See: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config
I would find it very surprising if none of the MAC accepted by OpenBSD were good enough to our standards. So maybe our lists have to be review to the light of this finding.
Subtasks
Related issues
Related to Tails - |
Resolved | 2015-01-11 | |
Related to Tails - |
Rejected | 2014-10-07 | |
Blocked by Tails - |
Resolved | 2013-07-28 |
History
#1 Updated by sajolida 2014-05-27 05:31:38
Topic raised on tails-dev: https://mailman.boum.org/pipermail/tails-dev/2014-May/005895.html.
#2 Updated by intrigeri 2014-05-28 08:07:29
That’s because OpenBSD only allows MACs that are not supported on
Squeeze, apparently. Not checked the ciphers. Once we’re based on
Wheezy, we can fix this.
#3 Updated by intrigeri 2014-05-28 08:07:48
- blocked by
Feature #6015: Tails based on Wheezy added
#4 Updated by intrigeri 2014-05-31 02:37:10
(Going on the discussion on tails-dev@ for the time being.)
#5 Updated by BitingBird 2015-01-03 04:52:42
I didn’t find any answer on the list. We should test if that’s still the case, maybe Tails-Wheezy changed something ?
#6 Updated by BitingBird 2015-01-11 00:41:21
https://stribika.github.io/2015/01/04/secure-secure-shell.html seems to be an interesting and up-to-date reference
According to it, we should not allow hmac-sha1 and hmac-md5.
Recommended /etc/ssh/sshd_config snippet: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
#7 Updated by BitingBird 2015-01-11 19:44:51
- related to
Bug #8677: Can't ssh to git.tails.boum.org from Tails added
#8 Updated by intrigeri 2015-02-15 18:31:39
- Subject changed from Review our list of SSH ciphers and MACs to Review our list of SSH ciphers, MACs and HostKeyAlgorithms
#9 Updated by intrigeri 2015-02-15 18:35:56
- related to
Feature #8027: Ship OpenSSH from wheezy-backports added
#10 Updated by BitingBird 2015-04-10 20:38:02
- Priority changed from Normal to Elevated
Raising priority, as this seems like a security and usability issue.
#11 Updated by intrigeri 2015-12-28 05:10:00
https://mailman.boum.org/pipermail/tails-testers/2015-December/000229.html suggests:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha1,hmac-ripemd160
#12 Updated by intrigeri 2015-12-28 05:21:31
Raised the discussion on tails-dev@ again (https://mailman.boum.org/pipermail/tails-dev/2015-December/009956.html).
#13 Updated by intrigeri 2016-03-13 12:38:24
https://sources.debian.net/src/openssh/1:7.2p2-1/debian/NEWS/#L1
#14 Updated by intrigeri 2016-03-13 12:53:35
- Type of work changed from Research to Discuss
Proposed to drop these custom settings altogether: https://mailman.boum.org/pipermail/tails-dev/2016-March/010446.html
#15 Updated by emmapeel 2016-04-03 20:18:48
- Assignee set to intrigeri
- Target version set to Tails_2.3
- QA Check set to Dev Needed
- Type of work changed from Discuss to Code
Talked about in the monthly meeting, everybody agrees.
We will reduce the delta with upstream once more!
#16 Updated by intrigeri 2016-04-16 15:40:56
- Target version changed from Tails_2.3 to Tails_2.4
#17 Updated by intrigeri 2016-04-29 13:22:02
- Subject changed from Review our list of SSH ciphers, MACs and HostKeyAlgorithms to Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings
#18 Updated by intrigeri 2016-04-29 13:26:22
- Status changed from Confirmed to In Progress
- Assignee changed from intrigeri to anonym
- % Done changed from 0 to 40
- QA Check changed from Dev Needed to Ready for QA
- Feature Branch set to feature/7315-drop-custom-ssh-crypto-settings
Done. anonym, this change is so trivial that it would seem to be a waste of our time that both of us build and ISO and test it, so I have been bold and didn’t test it myself. If you want me to do it, just say so.
#19 Updated by anonym 2016-05-09 03:22:28
- Status changed from In Progress to Fix committed
- Assignee deleted (
anonym) - % Done changed from 40 to 100
- QA Check changed from Ready for QA to Pass
#20 Updated by intrigeri 2016-05-26 18:49:10
- Status changed from Fix committed to In Progress
- Assignee set to anonym
- % Done changed from 100 to 90
- QA Check changed from Pass to Ready for QA
Actually this was not fully merged! (Noticed since Jenkins still builds the branch.)
#21 Updated by anonym 2016-05-27 02:02:15
- Status changed from In Progress to Fix committed
- % Done changed from 90 to 100
Applied in changeset commit:102217c36408f3ab301e8e37337f323f63eb8efd.
#22 Updated by anonym 2016-05-30 07:35:56
- Assignee deleted (
anonym) - QA Check changed from Ready for QA to Pass
#23 Updated by anonym 2016-06-08 01:23:20
- Status changed from Fix committed to Resolved