Feature #7315: Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings

Feature #7315

Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings

Added by sajolida 2014-05-27 05:26:52 . Updated 2016-06-08 01:23:20 .

Status:

Resolved

Priority:

Elevated

Assignee:

Category:

Target version:

Tails_2.4

Start date:

2014-05-27

Due date:

% Done:

100%

Feature Branch:

feature/7315-drop-custom-ssh-crypto-settings

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

Tails cannot connect with SSH to recent OpenBSD systems because the restricted set of MACs that is set in Tails doesn’t match any MAC accepted in OpenBSD by default.

Tails sets:

hmac-sha1,hmac-md5,hmac-ripemd160

OpenBSD accepts by default:

umac-64-etmopenssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512@

See: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

I would find it very surprising if none of the MAC accepted by OpenBSD were good enough to our standards. So maybe our lists have to be review to the light of this finding.

Subtasks

Related issues

Related to Tails - ~~Bug #8677~~: Can't ssh to git.tails.boum.org from Tails	Resolved	2015-01-11
Related to Tails - ~~Feature #8027~~: Ship OpenSSH from wheezy-backports	Rejected	2014-10-07
Blocked by Tails - ~~Feature #6015~~: Tails based on Wheezy	Resolved	2013-07-28

History

#1 Updated by sajolida 2014-05-27 05:31:38

Topic raised on tails-dev: https://mailman.boum.org/pipermail/tails-dev/2014-May/005895.html.

#2 Updated by intrigeri 2014-05-28 08:07:29

That’s because OpenBSD only allows MACs that are not supported on
Squeeze, apparently. Not checked the ciphers. Once we’re based on
Wheezy, we can fix this.

#3 Updated by intrigeri 2014-05-28 08:07:48

blocked by ~~Feature #6015~~: Tails based on Wheezy added

#4 Updated by intrigeri 2014-05-31 02:37:10

(Going on the discussion on tails-dev@ for the time being.)

#5 Updated by BitingBird 2015-01-03 04:52:42

I didn’t find any answer on the list. We should test if that’s still the case, maybe Tails-Wheezy changed something ?

#6 Updated by BitingBird 2015-01-11 00:41:21

https://stribika.github.io/2015/01/04/secure-secure-shell.html seems to be an interesting and up-to-date reference

According to it, we should not allow hmac-sha1 and hmac-md5.

Recommended /etc/ssh/sshd_config snippet: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

#7 Updated by BitingBird 2015-01-11 19:44:51

related to ~~Bug #8677~~: Can't ssh to git.tails.boum.org from Tails added

#8 Updated by intrigeri 2015-02-15 18:31:39

Subject changed from Review our list of SSH ciphers and MACs to Review our list of SSH ciphers, MACs and HostKeyAlgorithms

#9 Updated by intrigeri 2015-02-15 18:35:56

related to ~~Feature #8027~~: Ship OpenSSH from wheezy-backports added

#10 Updated by BitingBird 2015-04-10 20:38:02

Priority changed from Normal to Elevated

Raising priority, as this seems like a security and usability issue.

#11 Updated by intrigeri 2015-12-28 05:10:00

https://mailman.boum.org/pipermail/tails-testers/2015-December/000229.html suggests:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
MACs hmac-sha1,hmac-ripemd160

#12 Updated by intrigeri 2015-12-28 05:21:31

Raised the discussion on tails-dev@ again (https://mailman.boum.org/pipermail/tails-dev/2015-December/009956.html).

#13 Updated by intrigeri 2016-03-13 12:38:24

https://sources.debian.net/src/openssh/1:7.2p2-1/debian/NEWS/#L1

#14 Updated by intrigeri 2016-03-13 12:53:35

Type of work changed from Research to Discuss

Proposed to drop these custom settings altogether: https://mailman.boum.org/pipermail/tails-dev/2016-March/010446.html

#15 Updated by emmapeel 2016-04-03 20:18:48

Assignee set to intrigeri
Target version set to Tails_2.3
QA Check set to Dev Needed
Type of work changed from Discuss to Code

Talked about in the monthly meeting, everybody agrees.

We will reduce the delta with upstream once more!

#16 Updated by intrigeri 2016-04-16 15:40:56

Target version changed from Tails_2.3 to Tails_2.4

#17 Updated by intrigeri 2016-04-29 13:22:02

Subject changed from Review our list of SSH ciphers, MACs and HostKeyAlgorithms to Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings

#18 Updated by intrigeri 2016-04-29 13:26:22

Status changed from Confirmed to In Progress
Assignee changed from intrigeri to anonym
% Done changed from 0 to 40
QA Check changed from Dev Needed to Ready for QA
Feature Branch set to feature/7315-drop-custom-ssh-crypto-settings

Done. anonym, this change is so trivial that it would seem to be a waste of our time that both of us build and ISO and test it, so I have been bold and didn’t test it myself. If you want me to do it, just say so.

#19 Updated by anonym 2016-05-09 03:22:28

Status changed from In Progress to Fix committed
Assignee deleted (~~anonym~~)
% Done changed from 40 to 100
QA Check changed from Ready for QA to Pass

#20 Updated by intrigeri 2016-05-26 18:49:10

Status changed from Fix committed to In Progress
Assignee set to anonym
% Done changed from 100 to 90
QA Check changed from Pass to Ready for QA

Actually this was not fully merged! (Noticed since Jenkins still builds the branch.)

#21 Updated by anonym 2016-05-27 02:02:15

Status changed from In Progress to Fix committed
% Done changed from 90 to 100

Applied in changeset commit:102217c36408f3ab301e8e37337f323f63eb8efd.

#22 Updated by anonym 2016-05-30 07:35:56

Assignee deleted (~~anonym~~)
QA Check changed from Ready for QA to Pass

#23 Updated by anonym 2016-06-08 01:23:20

Status changed from Fix committed to Resolved