cloudfoundry/cflinuxfs2

ssh config allows weak ciphers and MACs

Closed this issue · 3 comments

The ssh configuration in cflinuxfs2 allows the use of Arcfour (RC4) encryption algorithms and 96-bit MAC algorithms, which are considered weak.
Ideally ssh config should at least be consistent with that of BOSH stemcells.
The attached file shows the difference between the ssh running in the HAproxy VM and the ssh running on port 2222 in the container. I used the nmap script ssh2-enum-algos against the BOSH CF HAproxy VM.
nmap-ssh.log
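As an added example (not code from the issue reporter or the cflinuxfs2 project), the script below parses the normal output of nmap's ssh2-enum-algos script for two hosts, flags the weak offerings the issue describes (arcfour/RC4 ciphers and 96-bit truncated MACs; CBC ciphers and MD5 MACs are flagged too, which goes beyond the issue's two findings), reports what the container's sshd offers that the stemcell's does not, and derives sshd_config `Ciphers`/`MACs` lines restricted to the non-weak set. The scan output embedded in it is constructed for the example and is not the attached nmap-ssh.log; the host names and addresses are placeholders.

```python
import re
from typing import Dict, List

Algos = Dict[str, List[str]]  # category -> algorithms offered, in the server's order

# Constructed sample in nmap's normal-output layout (NOT the log attached to the issue):
# a stemcell VM's sshd on 22 and a container's sshd on 2222, both scanned with
# `nmap -p22,2222 --script ssh2-enum-algos`.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for haproxy (10.0.0.10)
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (1)
|       curve25519-sha256@libssh.org
|   encryption_algorithms: (4)
|       aes128-ctr
|       aes256-ctr
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|   mac_algorithms: (2)
|       hmac-sha2-256-etm@openssh.com
|_      hmac-sha2-256
Nmap scan report for container (10.0.0.20)
PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group14-sha1
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       arcfour
|       aes128-cbc
|   mac_algorithms: (5)
|       hmac-sha2-256
|       hmac-sha1
|       hmac-sha1-96
|       hmac-md5
|_      hmac-md5-96
"""

# What this check treats as weak. arcfour (RC4) and 96-bit MACs are the issue's findings;
# CBC ciphers and MD5 MACs are an assumption of this example, commonly disabled alongside them.
WEAK_PATTERNS = {
    "encryption_algorithms": [r"^arcfour", r"-cbc$"],
    "mac_algorithms": [r"-96\b", r"md5"],
}

_HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
_CATEGORY_RE = re.compile(r"^\|[_ ]\s+(\w+):\s*\(\d+\)")   # e.g. "|   mac_algorithms: (5)"
_ITEM_RE = re.compile(r"^\|[_ ]\s+([^\s:]+)\s*$")           # e.g. "|       hmac-sha1-96"


def parse_enum_algos(text: str) -> Dict[str, Algos]:
    """Return {host: {category: [algorithms]}} from ssh2-enum-algos normal output."""
    hosts: Dict[str, Algos] = {}
    host = category = None
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            host, category = m.group(1), None
            hosts[host] = {}
            continue
        m = _CATEGORY_RE.match(line)
        if m and host is not None:
            category = m.group(1)
            hosts[host][category] = []
            continue
        m = _ITEM_RE.match(line)
        if m and host is not None and category is not None:
            hosts[host][category].append(m.group(1))
    return hosts


def weak_algorithms(algos: Algos) -> Algos:
    """Offered algorithms matching WEAK_PATTERNS, by category; categories with no hits are omitted."""
    found: Algos = {}
    for category, patterns in WEAK_PATTERNS.items():
        hits = [a for a in algos.get(category, []) if any(re.search(p, a) for p in patterns)]
        if hits:
            found[category] = hits
    return found


def extra_vs_baseline(baseline: Algos, target: Algos) -> Algos:
    """Algorithms the target offers that the baseline (e.g. the stemcell sshd) does not."""
    diff: Algos = {}
    for category, offered in target.items():
        base = set(baseline.get(category, []))
        extra = [a for a in offered if a not in base]
        if extra:
            diff[category] = extra
    return diff


def hardened_sshd_lines(algos: Algos) -> List[str]:
    """sshd_config Ciphers/MACs lines that keep only the host's non-weak offerings."""
    weak = weak_algorithms(algos)
    keep = lambda cat: [a for a in algos.get(cat, []) if a not in weak.get(cat, [])]
    return ["Ciphers " + ",".join(keep("encryption_algorithms")),
            "MACs " + ",".join(keep("mac_algorithms"))]


if __name__ == "__main__":
    hosts = parse_enum_algos(SAMPLE_NMAP_OUTPUT)
    for name, algos in hosts.items():
        print(f"{name}: weak = {weak_algorithms(algos)}")
    print("container offers beyond haproxy:", extra_vs_baseline(hosts["haproxy"], hosts["container"]))
    print("\n".join(hardened_sshd_lines(hosts["container"])))
```

The comparison is deliberately directional: what matters for the container is any algorithm it offers that the stemcell baseline does not, since that is exactly where the two configurations diverge. The `Ciphers`/`MACs` lines are built from what the scanned sshd already offers, so applying them does not introduce an algorithm the running daemon lacks, which is the safer direction when the worry is breaking existing clients during an upgrade.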

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/151464314

The labels on this github issue will be updated when the story is started.

Hi @jostockley, nice catch.

I worry that changing this has the potential to break running apps during an upgrade. We'll investigate. We can almost certainly make the change for cflinuxfs3.

Closing as cflinuxfs2 will hit EOL in a few months, and cflinuxfs3 has an updated cipher set.