[hopefully on topic] is SSH secure in default configuration?

E.S. Rosenberg esr+linux-il at g.jct.ac.il
Sun Sep 8 16:03:09 IDT 2013


2013/9/8 Oleg Goldshmidt <pub at goldshmidt.org>:
>
> Hi,
>
> I am not hopeful to secure much of anything against the likes of NSA or
> GCHQ. However, my curiosity woke up when the latest
> NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much
> of Internet encryption were accompanied by graphics like
>
> http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html
>
> Now, NYT is hardly a technical authority, but I assume they have
> technically competent sources and advisers. The above page lists Cisco,
> Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),
> and EFF as sources.
>
> I shrug at HTTPS/SSL/TLS/VPN/Skype, IM - nothing surprises there. The
> only part that is somewhat surprising (and particularly relevant to
> Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion
> justified?
>
> A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the
> Ciphers section and the default preference list for v2 ciphers, with
> AES-128 in the leading position. Can any security/cryptography guru here
> (Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?
> AES-256 still seems to be regarded as NSA-safe (but not RC4?
> http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/). Is
> it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment
> on performance impact of using AES-256 vs. AES-128 for the usual
> scenarios?
>
> I am not sure I quite understand the implications of AES-128 and AES-256
> both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA
> assume that anything they can break others can break, too, so Type 1
> product being defined as "endorsed by the NSA for securing classified
> and sensitive U.S. Government information, when appropriately keyed"
> hopefully means NSA cannot break it. However, there is also
> Type-1/Suite-A... Suite A being seemingly regarded as even more secure
> than Suite B (is it?) goes against the common cryptographic wisdom that
> says "disclosed algos deserve more trust". Is it an indication that (at
> least) AES-128 may be somewhat vulnerable? Or is it only because AES was
> not historically NSA-sourced that it is in Suite B and not in Suite A?
>
> http://en.wikipedia.org/wiki/Type_1_product
> http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
> http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography
>
> Back to NYT graphics: Another, more mundane possibility is that NSA's
> "partial success" against SSH (and/or OpenSSH implementation) means that
> SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That
> would not be a big surprise (at least the DES part).
>
> I am not changing the default SSHv2 Ciphers configuration unless someone
> I trust says AES-128 is suspect. And maybe not even then... But
> curiosity is killing this cat...

Without going into the cryptography side of things I can say that SSH
in its default configuration (client/server) has various weaknesses.
1. Root is generally default on
2. Default auth mechanism is passwords
3. Most importantly SSH clients by default are set to allow fail-over
to SSHv1 so even if the server is set to only accept SSHv2 it is
possible to MITM with a machine that forces the client to SSHv1 while
talking to the server in SSHv2.
4. Servers aren't always set to accept SSHv2 only either....

Other than that, if you don't take steps to prevent brute-force attacks
you will obviously be brute-forced eventually...

Regards,
Eliyahu - אליהו
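As an added illustration of the four points in the reply (not code from the original thread or from OpenSSH), the following audit script reads an `sshd_config` and reports the weak settings named above: root login enabled, password authentication as the mechanism, protocol 1 accepted or the protocol not pinned, plus two checks drawn from the rest of the thread: whether an AES-256 cipher is the first preference (Oleg's question) and whether `MaxAuthTries` is low enough to slow down brute-forcing (the closing remark). The values assumed for directives that are absent from the file are an assumption (OpenSSH 6.x-era defaults), and the threshold of three auth tries is a local policy choice, not an OpenSSH default. Both sample configs are constructed.

```python
"""Audit an sshd_config for the weak defaults discussed in the thread.

Added example, not part of the original post. ASSUMED_DEFAULTS is an
assumption about what sshd uses when a directive is missing.
"""
import re

# Assumption: values sshd (6.x era) applies when the directive is absent.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

# Local policy choice for the brute-force check (not an OpenSSH default).
MAX_AUTH_TRIES_POLICY = 3


def parse_sshd_config(text):
    """Return {lowercased directive: value} for the global section.

    sshd honours the first occurrence of a directive, so later duplicates
    are ignored; everything after a "Match" line is per-user and skipped.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (directive, finding) tuples; empty means no weakness found."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, ASSUMED_DEFAULTS.get(key, ""))

    findings = []

    # 1. Root login over SSH (assumed "yes" when absent).
    if get("permitrootlogin").lower() == "yes":
        findings.append(("PermitRootLogin",
                         "root login over SSH is enabled; set PermitRootLogin no"))

    # 2. Passwords as the authentication mechanism (assumed "yes" when absent).
    if get("passwordauthentication").lower() == "yes":
        findings.append(("PasswordAuthentication",
                         "password auth enabled; use keys and set PasswordAuthentication no"))

    # 3/4. Server accepts protocol 1, or does not pin the protocol at all.
    protocols = [p.strip() for p in cfg.get("protocol", "").split(",") if p.strip()]
    if "1" in protocols:
        findings.append(("Protocol", "SSH protocol 1 accepted; set Protocol 2"))
    elif not protocols:
        findings.append(("Protocol", "not set explicitly; pin it with Protocol 2"))

    # Cipher preference: is an AES-256 cipher offered first?
    ciphers = [c.strip() for c in cfg.get("ciphers", "").split(",") if c.strip()]
    if ciphers and not ciphers[0].startswith("aes256"):
        findings.append(("Ciphers",
                         f"first preference is {ciphers[0]}, not an AES-256 cipher"))

    # Brute-force: cap authentication attempts per connection.
    if int(get("maxauthtries")) > MAX_AUTH_TRIES_POLICY:
        findings.append(("MaxAuthTries",
                         f"allows {get('maxauthtries')} attempts; policy is {MAX_AUTH_TRIES_POLICY}"))
    return findings


# Constructed sample: distribution-style file with the defaults left commented out.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
"""

# Constructed sample: the same file with the reply's points applied.
# The Match block shows that a per-user exception does not hide the global "no".
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(text))} finding(s)")
        for directive, msg in audit_sshd_config(text):
            print(f"  {directive}: {msg}")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the parser deliberately stops at the first `Match` block, because the reply's points concern the global defaults, and a per-user override should be reviewed separately rather than masking them.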
