Hi,
Your tag line gave me the Giggles!
Here at shellworld while using the latest Ubuntu, they addressed the
problem security wise by moving our
port, in addition to allowing this key to remain.
Still, indeed when asked dreamhost said no, I am not their only customer
to be sure.
When seeking an alternative I came across a service called Eskimo.
They incorporate more than one Linux distribution, I could say use centos 6
but not centos 7 or Scientific 6 but not say mint.
That gave me hope that if I kept hunting I would find a company who either
allowed for a different ssh port, since that works here at shellworld and
one other test, or that I might find a back door in.
The Dreamhost door being closed means no sftp of files and things either.
Thanks for the great wisdom though. Bell just started screaming at the
word Linux so I did not get far. Add that I got some w3c information
indicating Bell had blocked port 22, and I stayed hopeful.
thanks again,
Karen
On Tue, 2 Oct 2018, Christopher Browne wrote:
On Tue, 2 Oct 2018 at 16:30, Karen Lewellen via talk <[email protected]> wrote:
Hi Mike,
Thanks for that information.
I would feel better though if the same problem was not happening
practically everywhere else.
i can check my list, I believe, but imagine it will take someone skilled
in compiling to update anything.
Meaning I will need to either find that skill, or move our office hosting
services somewhere equal to dreamhost but less paranoid.
Thanks again,
Unfortunately, I suspect that "less paranoid" isn't the right answer.
Older algorithms (and variants) are being deprecated because weaknesses
have been found in them.
In this particular case, the "group 1" Diffie Hellman algorithm was discovered
to have vulnerability to a particular class of attacks called "Logjam".
https://weakdh.org/
That web site points to some of the research work from 2015.
OpenSSH documentation references this:
https://www.openssh.com/legacy.html
They describe the opposite scenario to what you are experiencing; they
indicate the situation where a server is willing to accept
diffie-hellman-group1-sha1, where the client, being on a newer version
of OpenSSH, refuses to offer that. If that was the situation you were
experiencing, you could change the configuration of your SSH client to
accept lower-grade forms of encryption.
Unfortunately, for your purposes, it appears likely that what has
happened is that dreamhost has upgraded to a more recent version of
OpenSSH, and has taken the recommendation by the developers that
deprecated algorithms should not be accepted. In principle, dreamhost
could change their OpenSSH configuration to accept use of
diffie-hellman-group1-sha1, but I expect that they would be reluctant
to do this.
I work in an area where we have a lot of Java-based applications; we
wind up having regular efforts to ensure that applications are ported
to newer versions of Java for much the same reason, because the older
crypto algorithms supported by SSL libraries are being deprecated
because weaknesses have been found. It's not good enough to suppress
paranoia; organizations that ignore the weaknesses wind up getting
bitten by attackers that use these weaknesses to steal data, often
including users' passwords. It's really no fun to need to announce
that all the customers need to change their passwords because they
have gotten stolen.
I appreciate that it may be challenging to keep up with the
cryptographic "arms race"; unfortunately, the world is a sufficiently
hostile place that there seems to be no way around this. You need to
be prepared to update your ssh keys often enough to keep up with
changes in SSH.
Feel sorry for those using SSL for web server applications; Giles Orr
did a talk a few months back that made it clear that keeping up with
crypto changes is a messy and thankless task.
--
When confronted by a difficult problem, solve it by reducing it to the
question, "How would the Lone Ranger handle this?"
---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
