[hopefully on topic] is SSH secure in default configuration?
E.S. Rosenberg
esr+linux-il at g.jct.ac.il
Sun Sep 8 16:53:55 IDT 2013
2013/9/8 Aviram Jenik <aviram at jenik.com>:
> I'm only taking a wild guess here. To be clear, I have no inside knowledge
> and my guess is probably as good as anyone else's. But if I had to bet this
> is where I would put my money.
>
> Either:
>
> 1. They have a 0-day against SSH (e.g. if you have ssh running they can
> login to your box)
> 2. They are aware of a weakness in the openssh implementation, unrelated to
> the encryption itself
>
> Pressed against the wall, I would go for option 1. But I wouldn't rule out
> option 2. I *would* bet against them being able to break the encryption
> itself.
>
> Why? Because obviously, it's much easier to break the implementation than
> the encryption. I find it hard to believe the NSA can easily break AES or
> 3DES, and I find it easy to believe they found a flaw or weakness in the
> implementation. It's that simple.
> The question "is encryption ABC safe" is nowadays a purely academic question
> and only academics care about them (no offense Oleg).
>
> A quick note on Elyahu's list:
>
> 1. I don't think allowing root login is a huge issue
> 2. Likewise with password authentication
> 3. We rarely see SSHv1 being allowed in modern systems - I don't believe
> that's been the default for a while now
I was talking about *clients* almost all clients are still default "2
try 1" even on modern linux systems.
A quick look on my laptop shows that the default on Ubuntu 13.04
thankfully is 2 only, but I know that when I looked at it more then a
year ago it was not the default.
Putty and winscp last time I used them still defaulted to 2+1 unless
you consciously set them to 2 only....
I don't have "old" systems to check on anymore, but on CentOS 5 which
is still a very widely used production system iirc the default for the
client was 2+1, the server was 2 only.
Regards,
Eliyahu - אליהו
> 4. Likewise, I think having SSHv2 only is the default for years (but I could
> be wrong, of course)
>
>
>
> On Sun, Sep 8, 2013 at 9:19 PM, Oleg Goldshmidt <pub at goldshmidt.org> wrote:
>>
>>
>> Hi,
>>
>> I am not hopeful to secure much of anything against the likes of NSA or
>> GCHQ. However, my curiousity woke up when the latest
>> NYT/Guardian/ProPublica pieces about NSA/GCHQ/friends compromising much
>> of Internet encryption were accompanied by graphics like
>>
>>
>> http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html
>>
>> Now, NYT is hardly a technical authority, but I assume they have
>> technically competent sources and advisers. The above page lists Cisco,
>> Microsoft (I wonder if they were the ones who "outed" Skype - chuckle),
>> and EFF as sources.
>>
>> I shrug at HTTPS/SSl/TLS/VPN/Skype,IM - nothing surprises there. The
>> only part that is somewhat surprising (and particularly relevant to
>> Linux-IL) is SSH. Why is SSH (on Linux) included and is the inclusion
>> justified?
>>
>> A glance at "man 5 ssh_config" (or "man 5 sshd_config") reveals the
>> Ciphers section and the default preference list for v2 ciphers, with
>> AES-128 in the leading position. Can any security/cryptography guru here
>> (Or? Aviram? Noam? anyone?) confirm or deny that AES-128 may be suspect?
>> AES-256 still seems to be regarded as NSA-safe (but not RC4?
>>
>> http://www.theregister.co.uk/2013/09/06/nsa_cryptobreaking_bullrun_analysis/).
>> Is
>> it prudent to reconfigure ssh/sshd to prefer AES-256? Can anyone comment
>> on performance impact of using AES-256 vs. AES-128 for the usual
>> scenarios?
>>
>> I am not sure I quite understand the implications of AES-128 and AES-256
>> both being NSA-approved as Type-1/Suite-B algos. I'd hope that NSA
>> assume that anything they can break others can break, too, so Type 1
>> product being defined as "endorsed by the NSA for securing classified
>> and sensitive U.S. Government information, when appropriately keyed"
>> hopefully means NSA cannot break it. However, there is also
>> Type-1/Suite-A... Suite A being seemingly regarded as even more secure
>> than Suite B (is it?) goes against the common cryptographic wisdom that
>> says "disclosed algos deserve more trust". Is it an indication that (at
>> least) AES-128 may be somewhat vulnerable? Or is is only because AES was
>> not historically NSA-sourced that it is in Suite B and not in Suite A?
>>
>> http://en.wikipedia.org/wiki/Type_1_product
>> http://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography
>> http://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography
>>
>> Back to NYT graphics: Another, more mundane possibility is that NSA's
>> "partial success" against SSH (and/or OpenSSH implementation) means that
>> SSHv1 and DES (and maybe the default triple-DES???) are vulnerable. That
>> would not be a big surprise (at least the DES part).
>>
>> I am not changing the default SSHv2 Ciphers configuration unless someone
>> I trust says AES-128 is suspect. And maybe not even then... But
>> curiousity is killing this cat...
>>
>> --
>> Oleg Goldshmidt | pub at goldshmidt.org
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il at cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
More information about the Linux-il
mailing list