[Tails-dev] Supported sshd MACs

Delete this message

Reply to this message
Autor: yawnbox
Data:  
Dla: tails-dev
Temat: [Tails-dev] Supported sshd MACs
Hi there Tails Dev team,



I've been a little vocal about this on Twitter and I've been a little
lazy about emailing you about this problem with Tails. I recently
switched to Subgraph, but I was running Tails as my daily driver for
nearly a year.

Server side (yawnbox.com) I harden my sshd config by defining which
ciphers, MACs, and Kex Algorithms I will permit clients to use. This is
good for transport security and also for defending against SSH brute
force attackers (that must be using outdated software) because client
negotiation is rejected when they don't have strong MAC algorithm preauth.



Here is my current sshd config (I disable the DSA and ECDSA keys per
BetterCrypto.org):

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Ciphers
chacha20-poly1305@???,aes256-gcm@???,aes128-gcm@???,aes256-ctr

MACs
hmac-sha2-512-etm@???,hmac-sha2-256-etm@???,umac-128-etm@???,hmac-sha2-512,hmac-sha2-256

KexAlgorithms
curve25519-sha256@???,diffie-hellman-group-exchange-sha256



When I attempt to SSH to yawnbox.com from Tails 2.2.1, this is my error:

no matching mac found: client hmac-sha1,hmac-md5,hmac-ripemd160 server
hmac-sha2-512-etm@???,hmac-sha2-256-etm@???,umac-128-etm@???,hmac-sha2-512,hmac-sha2-256

My "fix" is to simply sudo+delete Tails' defined Ciphers and MACs lines
in /etc/ssh/ssh_config.



Current Tails 2.2.1 limitations:

Ciphers
aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,3des-cbc

MACs
hmac-sha1,hmac-md5,hmac-ripemd160

I am flabbergasted that 3DES is an acceptable cipher here, and I am
flabbergasted that SHA1 and MD5 are the priority/usable MACs.



OpenSSH-client 6.7 needs a minor update in Tails 2.2.1, but as of
OpenSSH 6.6, Tails can handle BetterCrypto.org's (server) recommendations:

Ciphers
chacha20-poly1305@???,aes256-gcm@???,aes128-gcm@???,aes256-ctr,aes128-ctr

MACs
hmac-sha2-512-etm@???,hmac-sha2-256-etm@???,umac-128-etm@???,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

KexAlgorithms
curve25519-sha256@???,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1


An important note from BetterCrypto.org:

"For systems where – during the lifetime of the keys – it is expected
that low-entropy situations occur, RSA keys should be preferred over DSA
keys: For DSA, if there is ever insufficient entropy at the time keys
are used for signing this may lead to repeated ephemeral keys. An
attacker who can guess an ephemeral private key used in such a signature
can compromise the DSA secret key."

It seems prudent to explicitly configure Tails by disabling the use of
DSA keys in ssh_config since people often use low-end systems.



I hope you all are well, and good luck with the 2.3 release tomorrow. Cheers

Christopher
@yawnbox