[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-06 Thread Eldin Hadzic
Hello Colin, Hello Seth,

Seth, that sounds great :-). I totally agree with you.

Colin, and that's the same problem we had on Scaleway, but I am sure that
we will find a solution :-).

I would love to participate in the discussion.

Have a nice day,

Eldin Hadzic

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1499392

Title:
  OpenSSH Security and SHA1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1499392/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


Re: [Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-05 Thread Colin Watson
Backporting algorithm tightening may make sense, but I don't want to end
up in a situation where users are trying to deal with interoperability
issues but none of the upstream docs make sense.  If we're advocating
specific changes that upstream aren't currently already considering, we
should take that up with upstream.



[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-05 Thread Seth Arnold
Thank you Colin, that's great news.

I think we should have a discussion about which algorithms to deprecate,
when, for the whole distribution. I'd like a consistent approach to when
we stop supporting md5/sha-1/rc4 etc. Of course different protocols may
have different threat models so it may not be appropriate to apply a
single blanket rule for any algorithm, but supporting 16.04 LTS in 2021
makes me think that we ought to be willing to cut the algorithms known
to be weak today.

OpenSSH's choices for e.g. 7.1 will probably make a lot of sense for
today but may make less sense in five years, when we're still supporting
7.1 but they've moved on. Other upstreams may not be as reliable as
OpenSSH, either, and second guessing their choices may make more sense.

Thanks



[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-04 Thread Eldin Hadzic
Just a note:

"I and @stribika have the same point of view
(https://stribika.github.io/2015/01/04/secure-secure-shell.html) [...]"

"I tend to agree with @aimxhaisse. Don't you think it would be
preferable to open a bug report on Ubuntu side
(https://bugs.launchpad.net/ubuntu/), see what they answer and follow
their advice?"

Have a nice weekend,

Eldin Hadzic



[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-04 Thread Eldin Hadzic
Hello Colin, Hello Seth,

thank you for your response. I completely understand the situation with
Launchpad and Cisco equipment :-).

I already know the page
https://stribika.github.io/2015/01/04/secure-secure-shell.html, but
still thank you.



[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-03 Thread Colin Watson
Not yet.  I'm actively working on the relevant bits of Launchpad
infrastructure, and will upgrade to OpenSSH 7.1p1 after that.  I *don't*
intend to vary algorithm choices from upstream configuration, but 7.1 is
already a fair bit better.



[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-02 Thread Seth Arnold
Hello Eldin, you're right that it is time to begin migrating away from
SHA-1 in default OpenSSH configurations. However there is some
historical baggage in parts of the launchpad infrastructure that
prevented upgrading algorithms earlier. (Strictly speaking, the defaults
aren't tied to launchpad but a configuration that doesn't allow
developers to work out of the box is less than ideal.)

Some related bugs that might help explain the situation:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445620
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445624
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1445625

A site with many general guidelines that may influence more than just
default keysize and hash selections:
https://stribika.github.io/2015/01/04/secure-secure-shell.html

And, of course, whatever we select should be tested against Cisco gear,
since there's always a bug or two with every openssh configuration
change that prevents people from logging into or using Cisco equipment.

Colin, is it feasible to start making algorithm changes yet?

Thanks

** Changed in: openssh (Ubuntu)
   Status: New => Confirmed
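
An added example, not part of the original thread or of any Ubuntu or OpenSSH code: one way to see what dropping SHA-1, MD5 and RC4 names from an `sshd -T` algorithm dump would remove, and whether a legacy peer could still negotiate afterwards. The sample dump, the legacy peer's offer and all function names are constructed for illustration.

```python
import re

# SHA-1, MD5 and RC4 (called "arcfour" in SSH) as they appear in algorithm names.
WEAK = re.compile(r"sha1|md5|arcfour")
KEYWORDS = ("ciphers", "macs", "kexalgorithms")

# Constructed sample in the format printed by `sshd -T`.
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,arcfour256,arcfour
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-md5
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""

# Constructed offer from an older peer (a stand-in for legacy network gear).
LEGACY_PEER = {
    "ciphers": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "macs": ["hmac-sha1", "hmac-md5"],
    "kexalgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
}

def parse_sshd_t(text):
    """Return {keyword: [algorithms]} for the algorithm lists in an `sshd -T` dump."""
    config = {}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword.lower() in KEYWORDS and value:
            config[keyword.lower()] = [a for a in value.strip().split(",") if a]
    return config

def tighten(config):
    """Split each list into (kept, dropped) by the WEAK name pattern."""
    kept, dropped = {}, {}
    for keyword, algs in config.items():
        kept[keyword] = [a for a in algs if not WEAK.search(a)]
        dropped[keyword] = [a for a in algs if WEAK.search(a)]
    return kept, dropped

def interop_gaps(server, peer):
    """Keywords where server and peer share no algorithm, so negotiation would fail."""
    return sorted(k for k in KEYWORDS
                  if not set(server.get(k, [])) & set(peer.get(k, [])))

if __name__ == "__main__":
    current = parse_sshd_t(SAMPLE_SSHD_T)
    tightened, dropped = tighten(current)
    print("dropped:", dropped)
    print("gaps before:", interop_gaps(current, LEGACY_PEER))
    print("gaps after: ", interop_gaps(tightened, LEGACY_PEER))
```
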



[Bug 1499392] Re: OpenSSH Security and SHA1

2015-10-02 Thread Seth Arnold
** Information type changed from Private Security to Public Security
