[Bug 1499392] Re: OpenSSH Security and SHA1
Colin Watson
cjwatson at canonical.com
Sat Oct 3 10:43:10 UTC 2015
Not yet. I'm actively working on the relevant bits of Launchpad
infrastructure, and will upgrade to OpenSSH 7.1p1 after that. I *don't*
intend to vary algorithm choices from upstream configuration, but 7.1 is
already a fair bit better.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1499392
Title:
OpenSSH Security and SHA1
Status in openssh package in Ubuntu:
Confirmed
Bug description:
We should enhance Security by disabling SHA1 or, if not possible
(older Clients) by changing the KexAlgorithms, Ciphers and MACs order.
For e.g. by :
1. If we add Support for older Clients we should change this:
#### OpenSSH Security ####
KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-ripemd160-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128 at openssh.com
2. If we just Support new Clients we should change this :
[...]
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
[...]
#### OpenSSH Security ####
KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-ripemd160-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128 at openssh.com
For more Information about my report go here:
https://github.com/scaleway/image-ubuntu/pull/35
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1499392/+subscriptions
More information about the foundations-bugs
mailing list