I was interested in what crypto features the ssh in each Debian release 
supported, to see what disabling some would mean, so I gathered the info. 
Let me know if you see any errors.

Current versions of openssh as of Sept 10, 2015:

| squeeze-lts | 1:5.5p1-6+squeeze6 |
|    wheezy   |  1:6.0p1-4+deb7u2  |
|    jessie   |      1:6.7p1-5     |
|   stretch   |      1:6.9p1-1     |
|     sid     |      1:6.9p1-2     |

Tables of crypto features that the openssh in each release of Debian 
supports. Gathered with ssh -Q (jessie and newer), ssh_config(5) and 
source (wheezy and squeeze). (These will look better with a fixed-width font.)

Key types
| sq | wh | je | st | si | type                                     |
=====================================================================
| X  | X  | X  | X  | X  | ssh-rsa                                  |
| X  | X  | X  | X  | X  | ssh-dss                                  |
| X  | X  | X  | X  | X  | ssh-rsa-cert-...@openssh.com             |
| X  | X  | X  | X  | X  | ssh-dss-cert-...@openssh.com             |
| X  | X  | X  | X  | X  | ssh-rsa-cert-...@openssh.com             |
| X  | X  | X  | X  | X  | ssh-dss-cert-...@openssh.com             |
|    | X  | X  | X  | X  | ecdsa-sha2-nistp256                      |
|    | X  | X  | X  | X  | ecdsa-sha2-nistp384                      |
|    | X  | X  | X  | X  | ecdsa-sha2-nistp521                      |
|    | X  | X  | X  | X  | ecdsa-sha2-nistp256-cert-...@openssh.com |
|    | X  | X  | X  | X  | ecdsa-sha2-nistp384-cert-...@openssh.com |
|    | X  | X  | X  | X  | ecdsa-sha2-nistp521-cert-...@openssh.com |
|    |    | X  | X  | X  | ssh-ed25519                              |
|    |    | X  | X  | X  | ssh-ed25519-cert-...@openssh.com         |


KexAlgorithms
| sq | wh | je | st | si | type                                 |
=================================================================
| X  | X  | X  |    | X  | diffie-hellman-group-exchange-sha256 |
| X  | X  | X  |    | X  | diffie-hellman-group-exchange-sha1   |
| X  | X  | X  |    | X  | diffie-hellman-group14-sha1          |
| X  | X  | X  |    | X  | diffie-hellman-group1-sha1           |
|    | X  | X  |    | X  | ecdh-sha2-nistp256                   |
|    | X  | X  |    | X  | ecdh-sha2-nistp384                   |
|    | X  | X  |    | X  | ecdh-sha2-nistp521                   |
|    |    | X  |    | X  | curve25519-sha...@libssh.org         |

Ciphers
| sq | wh | je | st | si | type                          |
==========================================================
| X  | X  | X  | X  | X  | aes128-ctr                    |
| X  | X  | X  | X  | X  | aes192-ctr                    |
| X  | X  | X  | X  | X  | aes256-ctr                    |
| X  | X  | X  | X  | X  | arcfour                       |
| X  | X  | X  | X  | X  | arcfour256                    |
| X  | X  | X  | X  | X  | arcfour128                    |
| X  | X  | X  | X  | X  | aes128-cbc                    |
| X  | X  | X  | X  | X  | 3des-cbc                      |
| X  | X  | X  | X  | X  | blowfish-cbc                  |
| X  | X  | X  | X  | X  | cast128-cbc                   |
| X  | X  | X  | X  | X  | aes192-cbc                    |
| X  | X  | X  | X  | X  | aes256-cbc                    |
|    |    | X  | X  | X  | aes128-...@openssh.com        |
|    |    | X  | X  | X  | aes256-...@openssh.com        |
|    |    | X  | X  | X  | chacha20-poly1...@openssh.com |
|    |    | X  | X  | X  | rijndael-...@lysator.liu.se   |

MACs
| sq | wh | je | st | si   | type                           |
=============================================================
| X  | X  | X  | X  | X    | hmac-md5                       |
| X  | X  | X  | X  | X    | hmac-sha1                      |
| X  | X  | X  | X  | X    | umac...@openssh.com            |
| X  | X  | X  | X  | X    | hmac-ripemd160                 |
| ?  | X  | X  | X  | X    | hmac-ripemd...@openssh.com     |
| X  | X  | X  | X  | X    | hmac-sha1-96                   |
| X  | X  | X  | X  | X    | hmac-md5-96                    |
| X  | X  | X  | X  | X    | hmac-sha2-256                  |
| X  | X  |    |    |      | hmac-sha2-256-96               | *
| X  | X  | X  | X  | X    | hmac-sha2-512                  |
| X  | X  |    |    |      | hmac-sha2-512-96               | *
|    |    | X  | X  | X    | umac-64-...@openssh.com        |
|    |    | X  | X  | X    | umac-128-...@openssh.com       |
|    |    | X  | X  | X    | hmac-sha2-256-...@openssh.com  |
|    |    | X  | X  | X    | hmac-sha2-512-...@openssh.com  |
|    |    | X  | X  | X    | umac-...@openssh.com           |
|    |    | X  | X  | X    | hmac-md5-...@openssh.com       |
|    |    | X  | X  | X    | hmac-sha1-...@openssh.com      |
|    |    | X  | X  | X    | hmac-ripemd160-...@openssh.com |
|    |    | X  | X  | X    | hmac-sha1-96-...@openssh.com   |
|    |    | X  | X  | X    | hmac-md5-96-...@openssh.com    |

* https://bugzilla.mindrot.org/show_bug.cgi?id=2023

After I have a chance to look at these and think about the implications, I 
will send another message with thoughts about what disabling weaker things 
would mean.

HTH,

-- 
Matt Taggart
tagg...@debian.org
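
Added example, not part of the original message: a shell script that uses the KexAlgorithms table above to show which releases would still share a key exchange method with a restricted KexAlgorithms list. It covers squeeze, wheezy and jessie only and leaves out the entry whose name is elided on the page; the function names and the sample policy list are assumptions.

```shell
#!/bin/sh
# Added example: per-release KEX support copied from the KexAlgorithms table
# in the message (the entry whose name is elided on the page is left out).
kex_supported() {
    case "$1" in
        squeeze)
            printf '%s\n' \
                diffie-hellman-group-exchange-sha256 \
                diffie-hellman-group-exchange-sha1 \
                diffie-hellman-group14-sha1 \
                diffie-hellman-group1-sha1 ;;
        wheezy|jessie)
            kex_supported squeeze
            printf '%s\n' ecdh-sha2-nistp256 ecdh-sha2-nistp384 \
                ecdh-sha2-nistp521 ;;
        local)
            # Live query of the installed client; -Q exists on jessie and newer.
            ssh -Q kex ;;
        *)
            echo "unknown release: $1" >&2
            return 1 ;;
    esac
}

# common_kex RELEASE LIST
# LIST is a comma-separated KexAlgorithms value. Prints, in LIST order, the
# algorithms RELEASE also supports. No output means negotiation with that
# release would fail for lack of a shared key exchange method.
common_kex() {
    supported=$(kex_supported "$1") || return 1
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r alg; do
        if printf '%s\n' "$supported" | grep -Fxq -- "$alg"; then
            printf '%s\n' "$alg"
        fi
    done
}

# Constructed candidate policy (an assumption, not a recommendation from the post).
policy="ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
for rel in squeeze wheezy jessie; do
    match=$(common_kex "$rel" "$policy" | tr '\n' ' ')
    printf '%-8s %s\n' "$rel" "${match:-NO COMMON KEX}"
done
```

Passing `local` as the release checks the list against the OpenSSH client installed on the machine running the script instead of the table.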
