Bug 38609 - univention-ssh: Make ciphers/MACs configurable through UCR
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Philipp Hahn
QA Contact: Daniel Tröder
Reported: 2015-05-27 08:59 CEST by Philipp Hahn
Modified: 2015-09-01 11:54 CEST
Bug group (optional): Security
Description Philipp Hahn univentionstaff 2015-05-27 08:59:47 CEST
Weak algorithms should be disabled by default.

base/univention-base-files/conffiles/etc/ssh/sshd_config
 MACs
 Ciphers
Comment 1 Michael Grandjean univentionstaff 2015-06-15 12:45:38 CEST
Configurable KexAlgorithms would also be nice.
Comment 2 Philipp Hahn univentionstaff 2015-08-27 11:35:40 CEST
r63280 | Bug #38609 ssh: Make ssh algorithms configurable
r63285 | Bug #38609 ssh: Make ssh algorithms configurable
 Algorithms are not disabled for now, as this breaks backwards compatibility.

 sshd/MACs
 sshd/Ciphers
 sshd/KexAlgorithms

Package: univention-base-files
Version: 4.0.8-7.194.201508271117
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-base-files
Version: 5.0.0-1.193.201508271117
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
 2015-08-27-univention-base-files.yaml
Comment 3 Philipp Hahn univentionstaff 2015-08-28 15:57:35 CEST
r63321 | Bug #38609 ssh: Make ssh algorithms configurable
r63320 | Bug #38609 ssh: Make ssh algorithms configurable
 Fixed Ciphers and Kex copy-paste-error
 Also added sshd/config/ UCRVs to add arbitrary options like
  sshd/config/PermitUserEnvironment: yes
 or even
  sshd/config/0001: # line1
  sshd/config/0002: # line2

Package: univention-base-files
Version: 4.0.8-8.196.201508281549
Branch: ucs_4.0-0
Scope: errata4.0-3

r63322 | Bug #38609 ssh: Make ssh algorithms configurable YAML
 2015-08-27-univention-base-files.yaml
Comment 4 Philipp Hahn univentionstaff 2015-08-28 15:59:41 CEST
(In reply to Philipp Hahn from comment #3)
Package: univention-base-files
Version: 5.0.0-3.197.201508281558
Branch: ucs_4.1-0
Comment 5 Philipp Hahn univentionstaff 2015-08-28 16:33:13 CEST
r63324 | Bug #38609 ssh: Fix UCR variable names
r63323 | Bug #38609 ssh: Fix UCR variable names
 sshd/Protocol
 sshd/ServerKeyBits

Package: univention-base-files
Version: 4.0.8-9.198.201508281628
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-base-files
Version: 5.0.0-4.199.201508281629
Branch: ucs_4.1-0

r63325 | Bug #38609 ssh: Fix UCR variable names YAML
 2015-08-27-univention-base-files.yaml
Comment 6 Daniel Tröder univentionstaff 2015-08-28 17:26:17 CEST
OK: code
OK: 4.1 merge
OK: YAML
OK manual test of UCRVs sshd/{MACs, Ciphers, KexAlgorithms, config/.*}
Comment 7 Janek Walkenhorst univentionstaff 2015-09-01 11:54:22 CEST
<http://errata.univention.de/ucs/4.0/293.html>
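
Because the erratum makes the algorithm lists configurable without disabling anything by default, each host still needs a check of what its sshd_config actually sets. The following is an added example, not code from this bug or from UCS: it audits the three directives behind sshd/Ciphers, sshd/MACs and sshd/KexAlgorithms. The weak-algorithm patterns, the function name and the sample configuration are assumptions made for illustration.

```python
import re

# Assumption: a conservative deny-list of algorithms widely regarded as weak.
# It is not taken from the bug report or from the UCS template.
WEAK = {
    "ciphers": re.compile(r"arcfour.*|.*-cbc(@.*)?"),
    "macs": re.compile(r"hmac-md5.*|hmac-sha1-96.*"),
    "kexalgorithms": re.compile(
        r"diffie-hellman-group1-sha1|diffie-hellman-group-exchange-sha1"),
}

def audit_sshd_config(text):
    """Map each directive to its weak entries, or to None if it is not set.

    None means sshd falls back to its built-in default list, which is the
    case on a host where the corresponding UCR variable was never set.
    Assumes explicit comma-separated lists (no +/- list modifiers).
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                # keywords are case-insensitive
        # sshd uses the first value it obtains for a keyword, so later
        # duplicates are ignored here as well.
        if key in WEAK and key not in seen and len(parts) == 2:
            algs = [a.strip() for a in parts[1].split(",") if a.strip()]
            seen[key] = [a for a in algs if WEAK[key].fullmatch(a)]
    return {k: seen.get(k) for k in WEAK}

# Constructed sample input, not the output of the UCS sshd_config template.
SAMPLE = """\
# sample sshd_config fragment
Protocol 2
Ciphers aes256-ctr,aes128-cbc,arcfour
MACs hmac-sha2-256,hmac-md5
PermitUserEnvironment yes
"""

if __name__ == "__main__":
    for directive, weak in audit_sshd_config(SAMPLE).items():
        if weak is None:
            print(f"{directive}: not set, sshd defaults apply")
        elif weak:
            print(f"{directive}: weak entries {', '.join(weak)}")
        else:
            print(f"{directive}: ok")
```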