touch-packages team mailing list archive

[Seth Arnold <1499392@xxxxxxxxxxxxxxxxxx>]

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1499392

Title:
  OpenSSH Security and SHA1

Status in openssh package in Ubuntu:
  New

Bug description:
  We should enhance Security by disabling SHA1 or, if not possible
  (older Clients) by changing the KexAlgorithms, Ciphers and MACs order.

  For e.g. by :

  1. If we add Support for older Clients we should change this:

  #### OpenSSH Security ####

  KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
  Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr
  MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@xxxxxxxxxxx

  2.  If we just Support new Clients we should change this :

  [...]
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_ed25519_key
  [...]

  #### OpenSSH Security ####

  KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256
  Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr
  MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@xxxxxxxxxxx

  For more Information about my report go here:

  https://github.com/scaleway/image-ubuntu/pull/35

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1499392/+subscriptions