[
https://issues.apache.org/jira/browse/SSHD-1004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17168503#comment-17168503
]
Lyor Goldstein edited comment on SSHD-1004 at 7/31/20, 2:48 PM:
----------------------------------------------------------------
{code:java|title=OpenSSH 8.x server negotiation options - client=Apache SSHD}
kex algorithms[client]:
ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
kex algorithms[server]:
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
server host key algorithms[client]:
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
server host key algorithms[server]:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
encryption algorithms (client to server)[client]:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
encryption algorithms (client to server)[server]:
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
encryption algorithms (client to server)[negotiated]: aes128-ctr
encryption algorithms (server to client)[client]:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
encryption algorithms (server to client)[server]:
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
encryption algorithms (server to client)[negotiated]: aes128-ctr
mac algorithms (client to server)[client]:
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
mac algorithms (client to server)[server]:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
mac algorithms (client to server)[negotiated]: hmac-sha2-256-...@openssh.com
mac algorithms (server to client)[client]:
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
mac algorithms (server to client)[server]:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
mac algorithms (server to client)[negotiated]: hmac-sha2-256-...@openssh.com
compression algorithms (client to server)[client]: none
compression algorithms (client to server)[server]: none,z...@openssh.com
compression algorithms (server to client)[client]: none
compression algorithms (server to client)[server]: none,z...@openssh.com
languages (client to server)[client]:
languages (client to server)[server]:
languages (server to client)[client]:
languages (server to client)[server]:
{code}
was (Author: lgoldstein):
{code:title=OpenSSH 8.x server negotiation options - client=Apache SSHD}
kex algorithms[client]:
ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
kex algorithms[server]:
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
kex algorithms[negotiated]: ecdh-sha2-nistp521
server host key algorithms[client]:
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
server host key algorithms[server]:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
server host key algorithms[negotiated]: ecdsa-sha2-nistp256
encryption algorithms (client to server)[client]:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
encryption algorithms (client to server)[server]:
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
encryption algorithms (client to server)[negotiated]: aes128-ctr
encryption algorithms (server to client)[client]:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
encryption algorithms (server to client)[server]:
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
encryption algorithms (server to client)[negotiated]: aes128-ctr
mac algorithms (client to server)[client]:
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
mac algorithms (client to server)[server]:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
mac algorithms (client to server)[negotiated]: hmac-sha2-256-...@openssh.com
mac algorithms (server to client)[client]:
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
mac algorithms (server to client)[server]:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
mac algorithms (server to client)[negotiated]: hmac-sha2-256-...@openssh.com
compression algorithms (client to server)[client]: none
compression algorithms (client to server)[server]: none,z...@openssh.com
compression algorithms (server to client)[client]: none
compression algorithms (server to client)[server]: none,z...@openssh.com
languages (client to server)[client]:
languages (client to server)[server]:
languages (server to client)[client]:
languages (server to client)[server]:
{code}
> Disable weak security settings
> ------------------------------
>
> Key: SSHD-1004
> URL: https://issues.apache.org/jira/browse/SSHD-1004
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 2.4.0
> Reporter: Lyor Goldstein
> Assignee: Lyor Goldstein
> Priority: Major
> Labels: ssh
>
> [OpenSSH to deprecate SHA-1 logins due to security
> risk|https://www.zdnet.com/article/openssh-to-deprecate-sha-1-logins-due-to-security-risk/]
> Including {{hmac-md5, hmac-ripemd160}} and also {{ssh-rsa}} and {{ssh-dss}}
> key exchanges. For the time being we will not include them by default but
> leave the code in place in case users still need them
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
