[x-post from labs-l to make sure all ssh users receive it]
Hi all,
recently we have been making some changes to global sshd config for enhanced security.
Since there have been questions and user reports about this on IRC, let me list them all in detail:
a) optimized symmetric cipher list:
https://gerrit.wikimedia.org/r/#/c/185325/
We prefer the better Chacha20-poly1305, AES-GCM ciphers here now where possible.
This has been merged on 04-27 already and the only problem report we had was from a user of a really outdated putty version and that could be solved by upgrading.
b) set Message Authentication Code ciphers
https://gerrit.wikimedia.org/r/#/c/185329/ (see commit message for more details)
We stop using MD5 or SHA1 because they are insecure and use Encrypt-then-MAC.
This has been merged today and we have had 1 report on IRC so far from a user who got "no matching MAC found" but apparently was able to fix it by adjusting the client config.
c) don't use NIST key exchange protocols
https://gerrit.wikimedia.org/r/#/c/185321/ (see commit message for more details)
This has also been merged today.
We stopped using NIST protocols here because they can't be trusted, see commit message for details why.
We have had 2 users so far report on IRC getting a "no acceptable kex algorithm" error. Both were users of MySQL workbench. There is a related bug at https://bugs.mysql.com/bug.php?id=74658
About the reasoning for these 3 changes in detail, also see:
http://stribika.github.io/2015/01/04/secure-secure-shell.html.
Many quotes on the commit messages are from that source.
d) disable root logins, disable agent forwarding
https://gerrit.wikimedia.org/r/#/c/160628/ https://gerrit.wikimedia.org/r/#/c/199936/
These both exist in code review but are _NOT_ merged and are still being discussed. There is no immediate plan to merge them soon.
Finding the right balance between security and supporting older clients can sometimes be tough, so sorry for any possible inconvenience caused and let us know if there are any other issues that can't be solved by upgrading clients.
Best regards,
Daniel
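
The following is an added example, not part of the message above and not Wikimedia's configuration: a small check that predicts which of a client's offered algorithms survive the three rules described in a) to c). The rule functions are a reading of the announcement and the two client proposals are constructed sample data; the deployed sshd_config may be stricter.

```python
"""Added example: predict SSH negotiation problems under the announced policy.

The rules are a reading of the announcement (no MD5/SHA1 MACs, no NIST
key exchange, ChaCha20-Poly1305/AES-GCM preferred). They are assumptions,
not the deployed sshd_config, which may be stricter.
"""

PREFERRED_CIPHER_MARKERS = ("chacha20-poly1305", "-gcm@")


def mac_ok(name):
    """Rule b: reject MACs built on MD5 or SHA1."""
    n = name.lower()
    return "md5" not in n and "sha1" not in n


def kex_ok(name):
    """Rule c: reject the NIST-curve ECDH key exchanges."""
    return not name.lower().startswith("ecdh-sha2-nistp")


def audit(client):
    """client: dict with 'ciphers', 'macs', 'kex' lists (e.g. from `ssh -Q`)."""
    macs = [m for m in client["macs"] if mac_ok(m)]
    kex = [k for k in client["kex"] if kex_ok(k)]
    preferred = [c for c in client["ciphers"]
                 if any(mark in c.lower() for mark in PREFERRED_CIPHER_MARKERS)]
    problems = []
    if not macs:
        problems.append("mac: nothing left to negotiate")
    elif not any("-etm@" in m for m in macs):
        problems.append("mac: no Encrypt-then-MAC variant offered")
    if not kex:
        problems.append("kex: nothing left to negotiate")
    if not preferred:
        problems.append("cipher: none of the preferred ciphers offered")
    return {"macs": macs, "kex": kex, "preferred_ciphers": preferred,
            "problems": problems}


# Constructed sample proposals, not captured from real clients.
LEGACY = {"ciphers": ["aes128-cbc", "3des-cbc"],
          "macs": ["hmac-md5", "hmac-sha1", "hmac-sha1-96"],
          "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384"]}
MODERN = {"ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
          "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha1"],
          "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"]}

if __name__ == "__main__":
    for label, proposal in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, audit(proposal)["problems"])
```

The lists a real client offers can be printed with `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` on OpenSSH and fed to `audit()` in place of the constructed samples.
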
Daniel Zahn wrote:
> [x-post from labs-l to make sure all ssh users receive it]
Thanks for sending this e-mail. I found the changes interesting. :-)
Re: https://gerrit.wikimedia.org/r/199936, do you know if there's any documentation about what has replaced agent forwarding for deployments?
MZMcBride
On Fri, May 22, 2015 at 1:37 PM, MZMcBride z@mzmcbride.com wrote:
> Re: https://gerrit.wikimedia.org/r/199936, do you know if there's any documentation about what has replaced agent forwarding for deployments?
It's been replaced by having deployers use a shared ssh agent (accessed through a proxy to log usage and limit the capabilities). You can look through modules/keyholder in puppet for more details.
wikitech-l@lists.wikimedia.org