Univention Bugzilla – Bug 38709
univention-ssh: Disable SSHv1 and DSA Keys
Last modified: 2015-09-01 11:54:34 CEST
Created attachment 6963 [details]
svn diff of my changes that disable SSHv1, the DSA and RSA1 Keys and removes obsolete "ServerKeyBits" and "KeepAlive"

Since we see a lot of downgrade attacks recently (mainly TLS), I think we should also clean up some sshd_config relics that might expose vulnerabilities:

Security:
1. Disable SSHv1 due to security concerns
2. Remove RSA1 and DSA Keys due to security concerns

Cleanup:
3. Remove "KeepAlive yes". This was renamed to "TCPKeepAlive" and defaults to "yes". Specifying this is only needed if we want to disable keep-alive.
4. Remove "ServerKeyBits" since this is specific to SSHv1

The attached svn diff shows the relevant changes.

We should also make the used Ciphers, MACs and KexAlgorithms configurable. See Bug#38609 for this.
r63286 | Bug #38709 ssh: Make ssh keys configurable
r63281 | Bug #38709 ssh: Make ssh keys configurable
RSA1 and DSA disabled by default, ecdsa enabled
Only existing keys are included.
KeepAlive -> TCPKeepAlive
ServerKeyBits only issued when Protocols=1 is still used.

sshd/Protocol=2
sshd/HostKey
sshd/ServerKeyBits
sshd/TCPKeepAlive

Package: univention-base-files
Version: 4.0.8-7.194.201508271117
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-base-files
Version: 5.0.0-1.193.201508271117
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
2015-08-27-univention-base-files.yaml
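The sshd_config cleanup requested in the report and shipped in the commits above (Protocol 2 only, no RSA1/DSA host keys, no ServerKeyBits, KeepAlive superseded by TCPKeepAlive), as an added audit-and-rewrite helper; this is example code, not part of univention-base-files or the attached diff, and the sample config plus the assumed host key file names are constructed.

```python
# Constructed sample of a legacy sshd_config (not taken from a UCS system).
LEGACY_CONFIG = """\
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
ServerKeyBits 1024
KeepAlive yes
PermitRootLogin no
"""

# Host key files to stop offering: the SSHv1 RSA1 key and the DSA key (assumed default names).
LEGACY_HOSTKEYS = ("ssh_host_key", "ssh_host_dsa_key")


def _directive(raw):
    """Split one line into (keyword, value); None for blank lines and comments."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def audit_sshd_config(text):
    """List (line_no, keyword, reason) for every legacy setting this bug removes."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = _directive(raw)
        if parsed is None:
            continue
        key, value = parsed
        k = key.lower()
        if k == "protocol" and "1" in {v.strip() for v in value.split(",")}:
            findings.append((no, key, "SSHv1 enabled (downgrade risk)"))
        elif k == "hostkey" and value.rsplit("/", 1)[-1] in LEGACY_HOSTKEYS:
            findings.append((no, key, "RSA1/DSA host key offered"))
        elif k == "serverkeybits":
            findings.append((no, key, "SSHv1-only directive"))
        elif k == "keepalive":
            findings.append((no, key, "renamed to TCPKeepAlive (defaults to yes)"))
    return findings


def harden_sshd_config(text):
    """Apply the cleanup: Protocol 2 only, drop RSA1/DSA keys, ServerKeyBits and KeepAlive."""
    flagged = {no: key.lower() for no, key, _ in audit_sshd_config(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if no not in flagged:
            out.append(raw)
        elif flagged[no] == "protocol":
            out.append("Protocol 2")  # SSHv1 removed from the accepted protocol list
    return "\n".join(out) + "\n"
```

Only the whitespace-separated `Keyword value` form is parsed; the `Keyword=value` spelling sshd also accepts is not handled here.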
OK: code
OK: 4.1 merge
OK: YAML
OK: manual test of UCRVs sshd/{Protocol, HostKey, ServerKeyBits, TCPKeepAlive}
<http://errata.univention.de/ucs/4.0/293.html>