Bug 38709 - univention-ssh: Disable SSHv1 and DSA Keys
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
P5 normal
UCS 4.0-3-errata
Assigned To: Philipp Hahn
Daniel Tröder
Depends on:
Blocks:
Reported: 2015-06-15 12:44 CEST by Michael Grandjean
Modified: 2015-09-01 11:54 CEST (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Attachments
svn diff of my changes that disables SSHv1, the DSA and RSA1 keys and removes the obsolete "ServerKeyBits" and "KeepAlive" (618 bytes, patch)
2015-06-15 12:44 CEST, Michael Grandjean

Description Michael Grandjean univentionstaff 2015-06-15 12:44:47 CEST
Created attachment 6963
svn diff of my changes that disables SSHv1, the DSA and RSA1 keys and removes the obsolete "ServerKeyBits" and "KeepAlive"

Since we see a lot of downgrade attacks recently (mainly TLS), I think we should also clean up some sshd_config relics that might expose vulnerabilities:

Security:
1. Disable SSHv1 due to security concerns
2. Remove RSA1 and DSA Keys due to security concerns

Cleanup:
3. Remove "KeepAlive yes"
   This was renamed to "TCPKeepAlive" and defaults to "yes".
   Specifying this is only needed if we want to disable keep-alive.
4. Remove "ServerKeyBits" since this is specific to SSHv1

The attached svn diff shows the relevant changes.

We should also make the used Ciphers, MACs and KexAlgorithms configurable. See Bug#38609 for this.
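An audit of an sshd_config for the four legacy settings listed in this report, as an added example in Python (not Univention's code or the attached patch); the sample config is constructed, and the file names ssh_host_key and ssh_host_dsa_key are assumed to be the RSA1 and DSA host key files:

```python
"""Audit an sshd_config for SSHv1, RSA1/DSA host keys, ServerKeyBits and KeepAlive.

Added example, not Univention code. Reports each legacy line and can emit a
corrected copy (Protocol 2, legacy HostKey lines dropped, ServerKeyBits dropped,
KeepAlive renamed to TCPKeepAlive).
"""

# Constructed sample resembling a pre-fix sshd_config
SAMPLE_CONFIG = """\
Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeepAlive yes
"""

# Assumed default file names of the SSHv1 (RSA1) and DSA host keys
LEGACY_KEY_NAMES = ("ssh_host_key", "ssh_host_dsa_key")


def _split(raw):
    """Return (lowercased keyword, value) for one sshd_config line."""
    parts = raw.strip().split(None, 1)
    keyword = parts[0].lower() if parts else ""
    value = parts[1].strip() if len(parts) > 1 else ""
    return keyword, value


def _is_legacy_hostkey(value):
    return value.rsplit("/", 1)[-1] in LEGACY_KEY_NAMES


def audit_sshd_config(text):
    """Return a list of (line number, keyword, reason) for legacy settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        keyword, value = _split(raw)
        if keyword == "protocol" and "1" in [v.strip() for v in value.split(",")]:
            findings.append((lineno, "Protocol", "SSHv1 enabled; use 'Protocol 2'"))
        elif keyword == "hostkey" and _is_legacy_hostkey(value):
            findings.append((lineno, "HostKey", "RSA1/DSA host key; remove this line"))
        elif keyword == "serverkeybits":
            findings.append((lineno, "ServerKeyBits", "SSHv1-only option; remove"))
        elif keyword == "keepalive":
            findings.append((lineno, "KeepAlive", "renamed to TCPKeepAlive; rename or drop"))
    return findings


def fix_sshd_config(text):
    """Return the config with the legacy settings corrected or removed."""
    out = []
    for raw in text.splitlines():
        keyword, value = _split(raw)
        if keyword == "protocol":
            out.append("Protocol 2")
        elif keyword in ("serverkeybits",) or (keyword == "hostkey" and _is_legacy_hostkey(value)):
            continue
        elif keyword == "keepalive":
            out.append("TCPKeepAlive " + value)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, keyword, reason in audit_sshd_config(SAMPLE_CONFIG):
        print("line %d: %s: %s" % (lineno, keyword, reason))
    print(fix_sshd_config(SAMPLE_CONFIG))
```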
Comment 1 Philipp Hahn univentionstaff 2015-08-27 11:35:19 CEST
r63286 | Bug #38709 ssh: Make ssh keys configurable
r63281 | Bug #38709 ssh: Make ssh keys configurable
 RSA1 and DSA disabled by default, ecdsa enabled
 Only existing keys are included.
 KeepAlive -> TCPKeepAlive
 ServerKeyBits only issued when Protocols=1 is still used.

 sshd/Protocol=2
 sshd/HostKey
 sshd/ServerKeyBits
 sshd/TCPKeepAlive

Package: univention-base-files
Version: 4.0.8-7.194.201508271117
Branch: ucs_4.0-0
Scope: errata4.0-3

Package: univention-base-files
Version: 5.0.0-1.193.201508271117
Branch: ucs_4.1-0

r63291 | Bug #38609,Bug #38709,Bug #38710,Bug #38711: ssh
 2015-08-27-univention-base-files.yaml
Comment 2 Daniel Tröder univentionstaff 2015-08-28 17:26:29 CEST
OK: code
OK: 4.1 merge
OK: YAML
OK: manual test of UCRVs sshd/{Protocol, HostKey, ServerKeyBits, TCPKeepAlive}
Comment 3 Janek Walkenhorst univentionstaff 2015-09-01 11:54:34 CEST
<http://errata.univention.de/ucs/4.0/293.html>