cloudfoundry / bosh-linux-stemcell-builder

BOSH Ubuntu Linux stemcells
Apache License 2.0
41 stars 104 forks

DRAFT: Comply with suggestions from the ssh-audit tool. #324

Open danielfor opened 4 months ago

danielfor commented 4 months ago

The ssh-audit tool suggests removing certain algorithms from the ssh configuration:

(kex) ecdh-sha2-nistp256                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp384                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) ecdh-sha2-nistp521                    -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(key) ecdsa-sha2-nistp256                   -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
(kex) diffie-hellman-group14-sha256         -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength

This commit removes them in our standard jammy stemcell ssh configuration.

However, ecdh and ecdsa algorithms are FIPS compliant. So it's open for discussion if this is a better security posture, and if it is, then it is safe to merge this commit.
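An added example (not code from the cloudfoundry/bosh-linux-stemcell-builder repository or from this PR): a POSIX shell check that takes the algorithm names from the ssh-audit output above, reports whether an sshd_config still enables any of them, and strips them out of a KexAlgorithms or HostKeyAlgorithms value. The sample config it audits is constructed; the non-flagged names in it (curve25519-sha256, diffie-hellman-group16-sha512, ssh-ed25519, rsa-sha2-512) are standard OpenSSH algorithm names assumed for illustration, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the stemcell builder: audit an sshd_config for the
# algorithms that ssh-audit flagged in the PR description, and compute the
# hardened value of a KexAlgorithms / HostKeyAlgorithms line.

# Names taken from the ssh-audit output above, grouped by the sshd_config
# keyword that controls them.
FLAGGED_KEX="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha256"
FLAGGED_HOSTKEY="ecdsa-sha2-nistp256"

# strip_algos LIST FLAGGED
# Print the comma-separated LIST with every name in the space-separated
# FLAGGED set removed; the order of the remaining names is preserved.
strip_algos() {
    list=$1 flagged=$2 out=""
    oldifs=$IFS; IFS=,
    for algo in $list; do
        case " $flagged " in
            *" $algo "*) ;;                          # flagged: drop it
            *) out="${out:+$out,}$algo" ;;           # keep, re-joining with commas
        esac
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# audit_sshd_config FILE
# Print one "FLAGGED <keyword>: <algorithm>" line per flagged algorithm that
# FILE still enables. Returns 1 if any were found, 0 if the config is clean.
audit_sshd_config() {
    found=0
    while read -r key value; do
        case $key in
            KexAlgorithms)     flagged=$FLAGGED_KEX ;;
            HostKeyAlgorithms) flagged=$FLAGGED_HOSTKEY ;;
            *) continue ;;                           # comments, blanks, other keywords
        esac
        oldifs=$IFS; IFS=,
        for algo in $value; do
            case " $flagged " in
                *" $algo "*) printf 'FLAGGED %s: %s\n' "$key" "$algo"; found=1 ;;
            esac
        done
        IFS=$oldifs
    done < "$1"
    return $found
}

# write_sample_config FILE
# Constructed sshd_config fragment (not the stemcell's real one) that still
# carries every algorithm ssh-audit flagged.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config fragment for the audit example
Port 22
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512
EOF
}

main() {
    cfg=${TMPDIR:-/tmp}/sshd_config.sample.$$
    write_sample_config "$cfg"
    if audit_sshd_config "$cfg"; then
        echo "config is clean"
    else
        echo "config still lists ssh-audit-flagged algorithms; hardened lines would be:"
        printf 'KexAlgorithms %s\n' \
            "$(strip_algos curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512 "$FLAGGED_KEX")"
        printf 'HostKeyAlgorithms %s\n' \
            "$(strip_algos ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512 "$FLAGGED_HOSTKEY")"
    fi
    rm -f "$cfg"
}

case ${1:-} in --demo) main ;; esac
```

Run with `sh audit.sh --demo` to see the report on the constructed sample; to check a real host, point `audit_sshd_config` at the effective configuration (the output of `sshd -T` uses the same `keyword value` layout as sshd_config, so it can be saved to a file and audited the same way). The check only catches explicit lines; a config that omits KexAlgorithms entirely falls back to the OpenSSH defaults, which this script does not inspect.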