Bug 38709

Summary: univention-ssh: Disable SSHv1 and DSA Keys
Product: UCS
Reporter: Michael Grandjean <grandjean>
Component: Security updates
Assignee: Philipp Hahn <hahn>
Status: CLOSED FIXED
QA Contact: Daniel Tröder <troeder>
Severity: normal
Priority: P5
CC: birkefeld, gohmann, requate, walkenhorst
Version: UCS 4.0
Target Milestone: UCS 4.0-3-errata
Hardware: Other
OS: Linux
Bug group: Security
Attachments: svn diff of my changes that disable SSHv1, the DSA and RSA1 Keys and removes obsolete "ServerKeyBits" and "KeepAlive"

Description Michael Grandjean univentionstaff 2015-06-15 12:44:47 CEST
Created attachment 6963 [details]
svn diff of my changes that disable SSHv1, the DSA and RSA1 Keys and removes obsolete "ServerKeyBits" and "KeepAlive"

Since we see a lot of downgrade attacks recently (mainly TLS), I think we should also clean up some sshd_config relics that might expose vulnerabilities:

Security:
1. Disable SSHv1 due to security concerns
2. Remove RSA1 and DSA Keys due to security concerns

Cleanup:
3. Remove "KeepAlive yes"
   This was renamed to "TCPKeepAlive" and defaults to "yes". 
   Specifying this is only needed if we want to disable keep-alive.
4. Remove "ServerKeyBits" since this is specific to SSHv1

The attached svn diff shows the relevant changes.

We should also make the used Ciphers, MACs and KexAlgorithms configurable. See Bug#38609 for this.
Comment 1 Philipp Hahn univentionstaff 2015-08-27 11:35:19 CEST
r63286 | Bug #38709 ssh: Make ssh keys configurable
r63281 | Bug #38709 ssh: Make ssh keys configurable
 RSA1 and DSA disabled by default, ecdsa enabled
 Only existing keys are included.
 KeepAlive -> TCPKeepAlive
 ServerKeyBits only issued when Protocols=1 is still used.

 sshd/Protocol=2
 sshd/HostKey
 sshd/ServerKeyBits
 sshd/TCPKeepAlive

Package: univention-base-files
Version: 4.0.8-7.194.201508271117
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-base-files
Version: 5.0.0-1.193.201508271117
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
 2015-08-27-univention-base-files.yaml
Comment 2 Daniel Tröder univentionstaff 2015-08-28 17:26:29 CEST
OK: code
OK: 4.1 merge
OK: YAML
OK: manual test of UCRVs sshd/{Protocol, HostKey, ServerKeyBits, TCPKeepAlive}
Comment 3 Janek Walkenhorst univentionstaff 2015-09-01 11:54:34 CEST
<http://errata.univention.de/ucs/4.0/293.html>