This repository was archived by the owner on May 30, 2023. It is now read-only.

coreos-base/coreos-init: SSHD: use secure crypto algos only #852

Merged

sayanchowdhury merged 1 commit into main from t-lo/sshd-safe-crypto-only on Mar 2, 2021

Conversation

@t-lo (Contributor) commented Feb 18, 2021

This change updates coreos-init to a version which includes
a new SSHD config to limit crypto to "known secure" algorithms only.

See flatcar/init#36 for details.

Note that I'll update this PR to point to the merge commit of the source PR when that one gets merged. Bringing up this PR early so it can be reviewed in parallel to the source PR.

Testing done

$ emerge-amd64-usr coreos-init
$ ./build_image --board=amd64-usr
$ ./image_to_vm.sh ...

Started QEMU image, SSH'd into image, then

core@localhost ~ $ sudo cat /etc/ssh/sshd_config
# Use most defaults for sshd configuration.
Subsystem sftp internal-sftp
ClientAliveInterval 180
UseDNS no
UsePAM yes
PrintLastLog no # handled by PAM
PrintMotd no # handled by PAM
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Impact

While this change is not expected to have a noticeable impact to the vast majority of users, some ancient clients which only offer (by today's standards) insecure ciphers may be affected. We need to raise this in our release communication.

This change updates coreos-init to a version which includes
a new SSHD config to limit crypto to "known secure" algorithms only.

Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
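As an added example (not code from this PR or from Flatcar's init), a small Python audit that parses an sshd_config and reports any Ciphers, MACs or KexAlgorithms entry outside the allow-lists shown in the config above, so the policy can be checked on a built image or on a host that has drifted. It assumes the sshd_config(5) parsing rules (first occurrence of a keyword wins, `#` comments, `Keyword value` or `Keyword=value`), that the three audited keywords sit at top level rather than inside a Match block, and the weakened sample config is constructed for the demonstration.

```python
"""Audit an sshd_config against the Ciphers/MACs/KexAlgorithms allow-lists of this PR."""
import re

# Allow-lists copied from the sshd_config shown in the PR description.
POLICY = {key: set(algos.split(",")) for key, algos in {
    "ciphers": "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
               "aes128-gcm@openssh.com,aes256-gcm@openssh.com",
    "macs": "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,"
            "hmac-sha2-512,umac-128-etm@openssh.com,umac-128@openssh.com",
    "kexalgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
                     "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
                     "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
                     "diffie-hellman-group14-sha256",
}.items()}


def parse_sshd_config(text):
    """Map lowercased keyword -> value per sshd_config(5): '#' starts a comment, both
    'Keyword value' and 'Keyword=value' are accepted, and the first occurrence wins.
    Parsing stops at the first Match block (assumption: the audited keywords are top-level)."""
    config = {}
    for raw in text.splitlines():
        match = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", raw.split("#", 1)[0].strip())
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "match":
            break
        config.setdefault(key, value)
    return config


def audit_sshd_config(text):
    """Return (keyword, finding) pairs; an empty list means the config matches the policy."""
    config, findings = parse_sshd_config(text), []
    for key, allowed in POLICY.items():
        value = config.get(key)
        if value is None:
            findings.append((key, "unset: the build's default algorithm list applies"))
        elif value.startswith(("+", "-", "^")):
            findings.append((key, "relative list (+/-/^ prefix): depends on build defaults"))
        else:
            findings += [(key, f"not in allow-list: {a}") for a in value.split(",") if a not in allowed]
    return findings


# Constructed sample: the PR's lists with one CBC cipher added and KexAlgorithms left unset.
WEAKENED_CONFIG = """\
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc
MACs = hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com  # '=' form is accepted
"""
```

Point it at /etc/ssh/sshd_config on the built image; the two cases it cannot resolve offline (keyword unset, or a +/-/^ relative list) are exactly where `sshd -T` on the host, which prints the effective values, is the authoritative check.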
@dongsupark (Contributor) left a comment


ok if CI passed
