Hello Folks,
just had a look on the SSH service default configuration and was wondering why it supports so may outdated key, kex and mac algorithms.
Why not hardening it?
$ ssh-audit opnsense
[...]
# algorithm recommendations (for OpenSSH 8.0)
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-64@openssh.com -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com -- mac algorithm to remove
The argument is probably backwards compatibility, but I thought OPNsens is the firewall for the paranoid ones ;)
Maybe not like here (https://stribika.github.io/2015/01/04/secure-secure-shell.html), but in general
Best Regards,
Hover
Per default SSH is disabled
If it is enabled it is not avaialabe until you add rules to access in the firewall.
You should not open it for the world and if you use an up to date client it should use the more secure ciphers and MACs by default.
But you are right, it should be secure by default.
Maybe a good issue to report...
Quote from: Hover on October 03, 2019, 10:51:06 PM
Maybe a good issue to report...
Go for it! https://github.com/opnsense/core/issues
Bart...
+1