Bug 38709 - univention-ssh: Disable SSHv1 and DSA Keys
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Philipp Hahn
QA Contact: Daniel Tröder
Reported: 2015-06-15 12:44 CEST by Michael Grandjean
Modified: 2015-09-01 11:54 CEST (History)
Bug group (optional): Security

svn diff of my changes that disable SSHv1, the DSA and RSA1 Keys and removes obsolete "ServerKeyBits" and "KeepAlive" (618 bytes, patch)
2015-06-15 12:44 CEST, Michael Grandjean

Description Michael Grandjean univentionstaff 2015-06-15 12:44:47 CEST
Created attachment 6963 [details]
svn diff of my changes that disable SSHv1, the DSA and RSA1 Keys and removes obsolete "ServerKeyBits" and "KeepAlive"

Since we see a lot of downgrade attacks recently (mainly TLS), I think we should also clean up some sshd_config relics that might expose vulnerabilities:

1. Disable SSHv1 due to security concerns
2. Remove RSA1 and DSA keys due to security concerns
3. Remove "KeepAlive yes"
   This was renamed to "TCPKeepAlive" and defaults to "yes".
   Specifying this is only needed if we want to disable keep-alive.
4. Remove "ServerKeyBits" since this is specific to SSHv1

The attached svn diff shows the relevant changes.

We should also make the used Ciphers, MACs and KexAlgorithms configurable. See Bug#38609 for this.
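As an added example (it is not the attached svn diff and not code from univention-base-files), here is a small POSIX shell audit that flags the four sshd_config relics listed in the description: "Protocol" containing 1, the RSA1 host key (ssh_host_key) and the DSA host key, the SSHv1-only "ServerKeyBits", and the renamed "KeepAlive". The function names and the two config samples are constructed for illustration; the samples mirror the before/after state the bug describes rather than the real UCS template.

```shell
#!/bin/sh
# Added example for Bug 38709 (not the project's code): audit an sshd_config
# for SSHv1-era relics. Function and sample names are made up for this example.

# audit_sshd_config FILE
# Prints one finding per line and returns 1 if anything was found, 0 otherwise.
# Comments and blank lines are stripped first; keywords are case-insensitive,
# as in sshd_config itself.
audit_sshd_config() {
    file="$1"
    found=0
    # The here-document keeps the loop in the current shell so $found survives.
    while read -r key val; do
        case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
            protocol)
                # "Protocol 1" and "Protocol 2,1" both enable SSHv1.
                case ",$val," in
                    *,1,*) echo "Protocol $val: SSHv1 enabled"; found=1 ;;
                esac ;;
            hostkey)
                case "$val" in
                    */ssh_host_key)     echo "HostKey $val: RSA1 (SSHv1) host key"; found=1 ;;
                    */ssh_host_dsa_key) echo "HostKey $val: DSA host key"; found=1 ;;
                esac ;;
            serverkeybits)
                echo "ServerKeyBits $val: SSHv1-only option, drop it"; found=1 ;;
            keepalive)
                echo "KeepAlive $val: renamed to TCPKeepAlive (default yes)"; found=1 ;;
        esac
    done <<EOF
$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$file")
EOF
    return $found
}

# Constructed sample: the pre-fix style of config the report complains about.
weak_sample() {
    cat <<'EOF'
# constructed example, not a real UCS file
Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeepAlive yes
EOF
}

# Constructed sample: the same config after the four changes.
hardened_sample() {
    cat <<'EOF'
# constructed example, not a real UCS file
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
TCPKeepAlive yes
EOF
}

# Stand-alone demo: audit both samples.
tmp=$(mktemp)
weak_sample > "$tmp"
echo "== weak sample =="
audit_sshd_config "$tmp" || true
hardened_sample > "$tmp"
echo "== hardened sample =="
audit_sshd_config "$tmp" && echo "no relics found"
rm -f "$tmp"
```

On a live host, run the audit against the effective configuration rather than the file alone (sshd -T prints the parsed, effective settings) so that anything pulled in from Match blocks is covered too; and after removing the RSA1/DSA HostKey lines, also delete the key files themselves so a later package upgrade cannot silently re-enable them.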
Comment 1 Philipp Hahn univentionstaff 2015-08-27 11:35:19 CEST
r63286 | Bug #38709 ssh: Make ssh keys configurable
r63281 | Bug #38709 ssh: Make ssh keys configurable
 RSA1 and DSA disabled by default, ecdsa enabled
 Only existing keys are included.
 KeepAlive -> TCPKeepAlive
 ServerKeyBits only issued when Protocols=1 is still used.
Package: univention-base-files
Version: 4.0.8-7.194.201508271117
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-base-files
Version: 5.0.0-1.193.201508271117
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
Comment 2 Daniel Tröder univentionstaff 2015-08-28 17:26:29 CEST
OK: code
OK: 4.1 merge
OK: manual test of UCRVs sshd/{Protocol, HostKey, ServerKeyBits, TCPKeepAlive}
Comment 3 Janek Walkenhorst univentionstaff 2015-09-01 11:54:34 CEST