Remove support for outdated ciphers and algorithms from the node's SSH server.

Description

As guidance, it is probably a good idea to remove support for any ciphers/algorithms that are not listed in the modern OpenSSH configuration here: https://infosec.mozilla.org/guidelines/openssh.html

Other audit tools are:

Suggested implementation

sshd-core will be upgraded from the current version (1.6.0) to the latest version (2.3.0).

Notation

| Status | Description |
|---|---|
| KEEP | Currently supported in the shell and will be kept |
| ADD | Currently not supported but will be added to the shell together with sshd 2.3.0 |
| REMOVE | Currently supported in the shell but will be removed |

Ciphers

RC4, Blowfish, 3DES and all CBC-mode ciphers will be removed. The only supported cipher family will be AES-CTR.
chacha20 and AES-GCM are still not supported by sshd.

| Name | Comment | ssh-audit | Suggestion |
|---|---|---|---|
| chacha20-poly1305@openssh.com | not supported in sshd-core | | - |
| aes256-gcm@openssh.com | not supported in sshd-core | | - |
| aes128-gcm@openssh.com | not supported in sshd-core | | - |
| aes256-ctr | AES/CTR/NoPadding | | KEEP |
| aes192-ctr | AES/CTR/NoPadding | | KEEP |
| aes128-ctr | AES/CTR/NoPadding | | KEEP |
| aes256-cbc | AES/CBC/NoPadding | | REMOVE |
| aes192-cbc | AES/CBC/NoPadding | | REMOVE |
| aes128-cbc | AES/CBC/NoPadding | | REMOVE |
| 3des-cbc | DESede/CBC/NoPadding | | REMOVE |
| blowfish-cbc | Blowfish/CBC/NoPadding | | REMOVE |
| arcfour256 | RC4 | | REMOVE |
| arcfour128 | RC4 | | REMOVE |

MACs

MD5 and SHA-1 MACs will be removed. The next sshd version will support encrypt-then-MAC (ETM) variants, which are preferable; however, that version is not released yet.

| Name | Comment | ssh-audit | Suggestion |
|---|---|---|---|
| hmac-sha2-512-etm@openssh.com | Will be added in sshd 2.3.1 (unreleased yet). Secure. | | - |
| hmac-sha2-256-etm@openssh.com | Will be added in sshd 2.3.1 (unreleased yet). Secure. | | - |
| hmac-sha2-512 | HmacSHA512, replace with hmac-sha2-512-etm after 2.3.1 | | KEEP |
| hmac-sha2-256 | HmacSHA256, replace with hmac-sha2-256-etm after 2.3.1 | | KEEP |
| hmac-sha1-etm@openssh.com | Will be added in sshd 2.3.1 (unreleased yet). Not secure. | - | - |
| hmac-sha1-96 | HmacSHA1 | | REMOVE |
| hmac-sha1 | HmacSHA1 | | REMOVE |
| hmac-md5-96 | HmacMD5 | | REMOVE |
| hmac-md5 | HmacMD5 | | REMOVE |

KexAlgorithms

Algorithms using SHA-1 will be removed.
diffie-hellman-group14-sha1 will be replaced with diffie-hellman-group14-sha256, which was introduced in 2.3.0.
The other DH groups introduced in 2.3.0 (groups 15-18) will still not be supported, although group16 could potentially be added.

The NIST curves will be kept, following the OpenSSH configuration; however, the evaluation at http://safecurves.cr.yp.to/ considers them unsafe. Also, nistp521 is not recommended because of padding issues: https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-10.html

See also:

| Name | Comment | tools.ietf.org | ssh-audit | Suggestion |
|---|---|---|---|---|
| curve25519-sha256@libssh.org | not supported in sshd-core | SHOULD | | - |
| ecdh-sha2-nistp521 | 521-bit key vs 512-bit hash | MAY | | KEEP? |
| ecdh-sha2-nistp384 | | SHOULD | | KEEP? |
| ecdh-sha2-nistp256 | | SHOULD | | KEEP? |
| diffie-hellman-group1-sha1 | SHA-2 alternative is available | SHOULD NOT | | REMOVE |
| diffie-hellman-group14-sha1 | | SHOULD NOT | | REMOVE |
| diffie-hellman-group14-sha256 | new in 2.3.0 | MUST | | ADD |
| diffie-hellman-group15-sha512 | new in 2.3.0 | MAY | - | SKIP |
| diffie-hellman-group16-sha512 | new in 2.3.0 | SHOULD | | ADD |
| diffie-hellman-group17-sha512 | new in 2.3.0 | MAY | - | SKIP |
| diffie-hellman-group18-sha512 | new in 2.3.0 | MAY | | ADD |
| diffie-hellman-group-exchange-sha256 | | MAY | | REMOVE |
| diffie-hellman-group-exchange-sha1 | | SHOULD NOT | | REMOVE |

HostKeyAlgorithms

ssh-dss and ssh-rsa will be removed because their signatures use SHA-1.
ssh-rsa is replaced by rsa-sha2-512 and rsa-sha2-256 in sshd 2.3.0.

| Name | Comment | ssh-audit | Suggestion |
|---|---|---|---|
| ssh-ed25519 | NONEwithEdDSA | | KEEP |
| rsa-sha2-512 | SHA512withRSA, new in 2.3.0 | | ADD |
| rsa-sha2-256 | SHA256withRSA, new in 2.3.0 | | ADD |
| ecdsa-sha2-nistp521 | SHA512withECDSA | | KEEP? |
| ecdsa-sha2-nistp384 | SHA384withECDSA | | KEEP? |
| ecdsa-sha2-nistp256 | SHA256withECDSA | | KEEP? |
| ssh-rsa | SHA1withRSA | | KEEP? |
| ssh-dss | SHA1withDSA | - | REMOVE |

The Corda shell can only generate RSA host keys at the moment. Also, hostkey.pem is always replaced automatically even if it already exists, so it is not possible to use pre-existing keys. Should this be changed?

Compression

zlib is clearly unsafe. Delayed zlib is more secure, though it is better to remove it as well if we can.

| Name | Comment | Suggestion |
|---|---|---|
| none | | |
| zlib | | REMOVE |
| zlib@openssh.com | delayed zlib | REMOVE |
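A policy check built from the tables above, added here as an example (it is not Corda or sshd-core code): it compares the algorithm name-lists a server advertises in its KEXINIT (as reported by `ssh -vv` or ssh-audit) against the KEEP/KEEP?/ADD rows, flagging REMOVE entries that are still offered and ADD entries that are missing. The input dict layout, the constructed before/after samples, and treating ssh-rsa as removed (following the text rather than the table's KEEP?) are assumptions.

```python
# Input: one list per KEXINIT name-list, keyed cipher/mac/kex/hostkey/compression
# (as `ssh -vv` or ssh-audit report them). This layout is assumed for the example.
# Allowed = KEEP, KEEP? and ADD rows; ssh-rsa treated as REMOVE per the ticket text.
ALLOWED = {
    "cipher": {"aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "mac": {"hmac-sha2-512", "hmac-sha2-256"},
    "kex": {"ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512"},
    "hostkey": {"ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp521",
                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256"},
    "compression": {"none"},
}
# ADD rows: the upgraded server must offer these.
REQUIRED = {
    "kex": {"diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512"},
    "hostkey": {"rsa-sha2-512", "rsa-sha2-256"},
}

def check_policy(advertised):
    """Return {category: {"forbidden": [...], "missing": [...]}} for each category
    with a violation; an empty dict means the advertised lists are compliant."""
    findings = {}
    for category, allowed in ALLOWED.items():
        offered = set(advertised.get(category, []))
        forbidden = sorted(offered - allowed)                       # REMOVE rows still offered
        missing = sorted(REQUIRED.get(category, set()) - offered)  # ADD rows not offered
        if forbidden or missing:
            findings[category] = {"forbidden": forbidden, "missing": missing}
    return findings

# Constructed sample: what the current sshd-core 1.6.0 server offers (KEEP + REMOVE rows).
BEFORE_UPGRADE = {
    "cipher": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc",
               "aes128-cbc", "3des-cbc", "blowfish-cbc", "arcfour256", "arcfour128"],
    "mac": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1-96", "hmac-sha1",
            "hmac-md5-96", "hmac-md5"],
    "kex": ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
            "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384",
                "ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"],
    "compression": ["none", "zlib", "zlib@openssh.com"],
}
# Constructed sample: the intended post-upgrade offer (exactly the allowed sets).
AFTER_UPGRADE = {category: sorted(names) for category, names in ALLOWED.items()}

if __name__ == "__main__":
    for label, lists in (("before upgrade", BEFORE_UPGRADE), ("after upgrade", AFTER_UPGRADE)):
        print(label, check_policy(lists) or "compliant")
```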

Assignee: Maxim Shadrin
Reporter: Florian Friemel
Sprint: None
Priority: Highest
Severity: Medium
CVSS Score: 0
CVSS Vector: None
Engineering Teams: Kernel
Affects versions:
Ported to...: Corda 4.4, Corda Enterprise 4.4
Story Points / Dev Days: None
Feature Team: Kernel Group