Thank you Colin, that's great news. I think we should have a discussion about which algorithms to deprecate, when, for the whole distribution. I'd like a consistent approach to when we stop supporting md5/sha-1/rc4 etc. Of course different protocols may have different threat models so it may not be appropriate to apply a single blanket rule for any algorithm, but supporting 16.04 LTS in 2021 makes me think that we ought to be willing to cut the algorithms known to be weak today.
OpenSSH's choices for e.g. 7.1 will probably make a lot of sense for today but may make less sense in five years, when we're still supporting 7.1 but they've moved on. Other upstreams may not be as reliable as OpenSSH, either, and second guessing their choices may make more sense. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1499392 Title: OpenSSH Security and SHA1 Status in openssh package in Ubuntu: Confirmed Bug description: We should enhance Security by disabling SHA1 or, if not possible (older Clients) by changing the KexAlgorithms, Ciphers and MACs order. For e.g. by : 1. If we add Support for older Clients we should change this: #### OpenSSH Security #### KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-ripemd160-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-...@openssh.com 2. If we just Support new Clients we should change this : [...] HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ed25519_key [...] #### OpenSSH Security #### KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-ripemd160-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-...@openssh.com For more Information about my report go here: https://github.com/scaleway/image-ubuntu/pull/35 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1499392/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
