Re: [PLUG] Removing ciphers from an old Open-SSH server

Charlie Li on 12 Sep 2017 07:14:56 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Removing ciphers from an old Open-SSH server

From: Charlie Li <ml+PLUG@vishwin.info>
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Removing ciphers from an old Open-SSH server
Date: Tue, 12 Sep 2017 10:14:31 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed; d=vishwin.info; h=subject :to:references:from:message-id:date:mime-version:in-reply-to :content-type; s=fuccboi12; bh=kNllbxagMGaT5obx3gCXlsi1omwCGyQR4 NIseKp6Xk4=; b=OC2PqKKMuXDSXDX/BNBBPxDwzfp3KdDTaK/eCE2Y/SepdFofE Aeh1noC3B6Emot/2iRFZbBew7OBOJ7Pv5K4jn6r+IsXnzMF/j5aXB+bSHuZC6P3i Gs9iWD2DbSGBNasmKRq4UAxgBHbiTyAwBEzCe/cCB+X/Ej6TcZR6Ee6gUx2s/+I2 Pkz8j8vU+JKx0SMnT0f2U3r53Ia1mzbhnasIQKnl5BgLPindUOoeJqLK7W5pAVXT sLtjoKIEQ0cPO9R6tNyxZG8TJJ/lDyVjgnUjrve/F18krIa6rcLPNMPw4J09ydXc fbAzxLmvE4Wwc2pz1N/JNy0GaIPRR0avBcdqA==
Organization: PLUG
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

On 09/12/17 08:47, Michael Leone wrote:
> I've got an old Red Hat 5.11 server (yes, I know, it should be
> upgraded), that's running OpenSSH 4.3 (based on open-ssl 0.9.8). A
> consultant penetration test came up with a number of issues; the ones
> related to this server deal mostly with the SSH service. Specifically,
> allowing "Arcfour algorithms" and "Cipher Block Chaining mode ciphers". 
> 
> However, all my searches seem to presume a much newer version of
> OpenSSH. I see a lot of pages on how to add any ciphers you want
> disallowed (such as:
> 
> https://developer.ibm.com/answers/questions/187318/faq-how-do-i-disable-cipher-block-chaining-cbc-mod.html
> 
> But my sshd-config doesn't have any such ciphers listed (even as
> comments). And as such, I don't know if that will work. And before I go
> messing around with a production server, I figured I would ask first.
> 
Refer to the sshd_config man page from OpenBSD 3.9, which contained
OpenSSH 4.3, where it details the Ciphers keyword-argument pair,
specifically the last part:
> The default is:
> 
>                 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
>                 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
>                 aes192-ctr,aes256-ctr

These are OpenBSD's defaults, obviously. I'm not sure if Red Hat changed
them for their portable version they compile and distribute (because,
Red Hat). But the first sentence of the man page's description of
Ciphers does say
> Specifies the ciphers allowed for protocol version 2.
meaning, opt-in.

-- 
Charlie Li
Can't think of a witty .sigline today…

(This email address is for mailing list use only;
replace local-part with vishwin for off-list communication)

Attachment: signature.asc
Description: OpenPGP digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Removing ciphers from an old Open-SSH server
  - From: Michael Leone <turgon@mike-leone.com>

References:
- [PLUG] Removing ciphers from an old Open-SSH server
  - From: Michael Leone <turgon@mike-leone.com>

Prev by Date: Re: [PLUG] Removing ciphers from an old Open-SSH server
Next by Date: Re: [PLUG] Removing ciphers from an old Open-SSH server
Previous by thread: Re: [PLUG] Removing ciphers from an old Open-SSH server
Next by thread: Re: [PLUG] Removing ciphers from an old Open-SSH server
Index(es):
- Date
- Thread