Notes On Openssh Configuration

Home » CentOS » Notes On Openssh Configuration

January 27, 2017 Leonard den CentOS 6 Comments

Hello list,

To my astonishment the openssh versions on both C6 and C7 will by default negotiate an MD5 HMAC.

C6 client, C7 server:

debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none

C7 client & server:

debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none

I reported this issue upstream:
https://bugzilla.redhat.com/show_bug.cgi?id17263
https://bugzilla.redhat.com/show_bug.cgi?id17264

You might want to add

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-sha1,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-ripemd160,umac-128@openssh.com,umac-128-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha1-96,umac-64-etm@openssh.com,umac-64@openssh.com

to your C7 ssh_config and sshd_config, or

MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,hmac-sha1-96

to your C6 ssh_config and sshd_config.

You might also want to prune your cipher list to exclude RC4 = arcfour ciphers with the option “Ciphers”. Compare http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/

Regards, Leonard.

6 thoughts on - Notes On Openssh Configuration

Gordon Messmer says:

January 27, 2017 at 12:26 pm

Cryptographers still consider MD5 secure for HMAC use. Wikipedia’s references (currently 6, 7, and 8) in this article are useful:

https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
Leonard den says:

January 27, 2017 at 12:59 pm

Hello Gordon,

https://en.wikipedia.org/wiki/MD5 seems to disagree:

“The security of the MD5 has been severely compromised, with its weaknesses having been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially “cryptographically broken and unsuitable for further use”.”

SHA-1 is not as severely broken as MD5, so the argument that Schneier made in 2009 that SHA-1 is still suitable as a HMAC cannot necessarily be extended to MD5.

Regards, Leonard.
Gordon Messmer says:

January 27, 2017 at 3:56 pm

No, it doesn’t. That page links to RFC 6151, which notes:

“It is not urgent to stop using MD5 in other ways, such as HMAC-MD5”

There’s nothing wrong with disabling hmac-md5 in your own configurations. I do it. But having it enabled is not considered by experts to be a flaw, and it should not be alarming.
Leonard den says:

January 27, 2017 at 6:18 pm

Six years have gone since md5 is considered broken. I find the fact that MD5 is still configured as the default HMAC alarming in itself as it indicates a lack of proactiveness that we so bitterly need in this day and age of heartbleeds and the like. I consider it a faulty default. This is a broken primitive. It needs to be phased out so it should not be the default configuration. That’s just common sense. No RFC can beat that ;-) .

Regards, Leonard.
Leon Fauster says:

January 29, 2017 at 4:35 pm

The next EL6 release (6.9) will have them marked as deprecated algorithms (disabled by default).
Gordon Messmer says:

January 29, 2017 at 5:57 pm

The client will no longer attempt to use hmac-md5. The server will continue to accept them.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/6.9_Technical_Notes/chap-Red_Hat_Enterprise_Linux-6.9_Technical_Notes-Deprecated_Functionality.html

Notes On Openssh Configuration

6 thoughts on - Notes On Openssh Configuration

Recommended

Recent Posts

Recent Comments

Archives

Categories

Meta