mkj/dropbear

Request: disable weak and suspect crypto

Opened this issue · 3 comments

Crypto flaws and suspect crypto are hard for the normal user to understand or even easily research. It would be nice if the out of the box defaults were to disable any suspect or weak crypto. The attached file is the log of "ssh-audit" run against dropbear_2024.85.

ssh-audit.log

Not a developer on this project, but I try to help issues along in projects I use when I spot things!

So tossing this over the wall without even stripping out the ANSI escape codes, which make the file gibberish here on GitHub, is not the most approachable way to get this worked efficiently, and this could likely have been better handled as a pull request instead.

This 'audit' is very subjective and pushes for as many restrictions as possible even when there's not a large corpus of evidence for some of the suggestions or when the items in question are still mandatory to the protocol.

  • NIST ECDSA curves have no alternative and are widely deployed and used by a lot of systems; their status has been an ongoing debate for decades now with no conclusive evidence they're vulnerable in roughly 20 years.
  • diffie-hellman-group14-sha1 has been disabled in OpenSSH since 8.2 (released in early 2020) by default, and they'll be removing it entirely soon, so 100% agreed that should get tossed from the default configuration and likely the whole codebase.
  • diffie-hellman-group14-sha256 is mandatory to the SSH protocol on the latest RFCs that deprecate diffie-hellman-group14-sha1.
  • ssh-rsa should indeed be disabled by default; OpenSSH has done so since 8.8 (released in 2021) because it is indeed broke as a joke.
  • hmac-sha1 is mandatory to the SSH protocol, and while sha1 is considered compromised as a hash itself, its use in an HMAC construct is still considered valid and safe because HMAC does not rely on the collision-resistance of the hash used.
  • diffie-hellman-group16-sha512 should be added if/when possible, yes.
  • There's no explanation for why adding the 'twofish' ciphers is suggested, reinforcing that this 'audit' tool is subjective, not objective, in nature.
  • Adding the "GCM" variants of AES is not mentioned, which again carries a 'why twofish and not this?' subjective-vs-objective implication.

The above should hopefully help whatever dev picks this up at least know what's in the attached audit log.
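As an added illustration (not code from this thread or from Dropbear), the check below parses a server's SSH_MSG_KEXINIT payload (RFC 4253 name-lists) and reports only the deviations the comment above argues for: drop diffie-hellman-group14-sha1 and ssh-rsa, offer diffie-hellman-group16-sha512 and the AES-GCM ciphers. The sample KEXINIT is constructed here and does not represent Dropbear's actual default algorithm set.

```python
import struct

# Constructed from the discussion above, not from ssh-audit or Dropbear's own config.
SHOULD_DISABLE = {"kex": {"diffie-hellman-group14-sha1"}, "hostkey": {"ssh-rsa"}}
SHOULD_OFFER = {"kex": {"diffie-hellman-group16-sha512"},
                "cipher": {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}}

# RFC 4253 KEXINIT: byte 20, 16-byte cookie, ten name-lists (uint32 length +
# comma-separated ASCII names), then first_kex_packet_follows and uint32 reserved.
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Return the ten KEXINIT name-lists as {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += 4 + n
        lists[name] = [a for a in raw.decode("ascii").split(",") if a]
    return lists

def audit(lists: dict) -> list:
    """Return (action, algorithm) pairs: 'disable' what is offered but should not be,
    'add' what the comment says should be offered but is missing."""
    offered = {"kex": set(lists["kex"]), "hostkey": set(lists["hostkey"]),
               "cipher": set(lists["cipher_c2s"]) | set(lists["cipher_s2c"])}
    findings = []
    for cat, algs in SHOULD_DISABLE.items():
        findings += [("disable", a) for a in sorted(algs & offered[cat])]
    for cat, algs in SHOULD_OFFER.items():
        findings += [("add", a) for a in sorted(algs - offered[cat])]
    return findings

def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT payload for testing (zero cookie, no packet framing)."""
    out = bytearray([20]) + bytes(16)
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return bytes(out) + b"\x00" + b"\x00\x00\x00\x00"

# Constructed sample algorithm set; not captured traffic and not Dropbear's defaults.
SAMPLE = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    hostkey=["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-256", "ssh-rsa"],
    cipher_c2s=["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    cipher_s2c=["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    mac_c2s=["hmac-sha2-256", "hmac-sha1"], mac_s2c=["hmac-sha2-256", "hmac-sha1"],
    comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    for action, alg in audit(parse_kexinit(SAMPLE)):
        print(action, alg)
```

hmac-sha1 is deliberately not flagged, matching the comment's point that HMAC-SHA1 does not depend on SHA-1 collision resistance.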

mkj commented
M95D commented

I have a PR opened for the OpenWrt Dropbear package. I added almost all config options available, including all crypto options.
May I ask those of you who understand crypto better than me to review the defaults and comments in the Config.in? (Crypto options are at the end.)

PR

Config.in

Thank you!