mkj / dropbear

Dropbear SSH
https://matt.ucc.asn.au/dropbear/dropbear.html

ssh-audit flagged some weak hashing algorithm which should be disabled #138

Closed graysky2 closed 2 years ago

graysky2 commented 3 years ago

Using ssh-audit on dropbear 2020.81 gave some recommendations for hardening:

key exchange algorithms to remove

host-key algorithms

message authentication code algorithms

With openssh, these can be toggled in the config, but I understand they need to be removed in the source for dropbear. What do you think about the report below?

# general
(gen) banner: SSH-2.0-dropbear
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: disabled

# key exchange algorithms
(kex) curve25519-sha256              -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256@libssh.org   -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) diffie-hellman-group14-sha256  -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1    -- [warn] using weak hashing algorithm
                                     `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
(kex) kexguess2@matt.ucc.asn.au      -- [info] available since Dropbear SSH 2013.57

# host-key algorithms
(key) ssh-ed25519                    -- [info] available since OpenSSH 6.5
(key) rsa-sha2-256 (2048-bit)        -- [info] available since OpenSSH 7.2
(key) ssh-rsa (2048-bit)             -- [fail] using weak hashing algorithm
                                     `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
                                     `- [info] a future deprecation notice has been issued in OpenSSH 8.2: https://www.openssh.com/txt/release-8.2

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com  -- [info] available since OpenSSH 6.5
                                     `- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes256-ctr                     -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha1                      -- [warn] using encrypt-and-MAC mode
                                     `- [warn] using weak hashing algorithm
                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-256                  -- [warn] using encrypt-and-MAC mode
                                     `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-ed25519: SHA256:YyovHVKyDg7iB9XhdHvKIIFxCbExKgI97M3sFcdtVcA
(fin) ssh-rsa: SHA256:n6d1G3um65lzJUvWp2pLkHwjAdyndx9Wksxd+pDkPgA

# algorithm recommendations 
(rec) -ssh-rsa                       -- key algorithm to remove 
(rec) -diffie-hellman-group14-sha1   -- kex algorithm to remove 
(rec) -hmac-sha1                     -- mac algorithm to remove 
(rec) -hmac-sha2-256                 -- mac algorithm to remove 

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>

mkj commented 3 years ago

diffie-hellman-group14-sha1 and hmac-sha1 could probably be disabled imminently. Direct replacements diffie-hellman-group14-sha256 and hmac-sha2-256 were added in Dropbear 2018.76 and 2013.56 respectively, and ECDH methods were earlier too.

The bigger question would be when to disable ssh-rsa - Dropbear only added support for rsa-sha2 a year ago so it might be a bit premature to remove since people are still using older software. They are not long lived signatures, only during KEX.

To avoid a common confusion - once rsa-sha algorithm is removed, existing ssh-rsa hostkeys and authentication keys (authorized_keys) will still work. The client and server just use a different signature format ssh-sha2- internally. (ssh-agents might need upgrading too).

I don't think hmac-sha2-256 should be removed, Dropbear doesn't implement hmac-sha2-256-etm@openssh.com which would be the higher preference. Since 2020.79 Dropbear's first preference cipher is chacha20-poly1305@openssh.com so the mac algorithm doesn't matter in that case.

graysky2 commented 2 years ago

This fell off my radar... is it something you need to do or are these command line switches I can try to disable?

mkj commented 2 years ago

The others were dropped; ssh-rsa will be retired in a future release.

mkj commented 2 years ago

I'll probably disable it by default in a release next year.

In the interim it can be disabled at build time by putting

#define DROPBEAR_RSA_SHA1 0

in localoptions.h

On 2022-11-07 6:09 pm, cirdecH wrote:

Hello @mkj, to summarize this issue. To have the ssh-rsa warning from ssh-audit removed, we don't have a config to edit. We should wait for a future release?


graysky2 commented 2 years ago

@mkj - what are your thoughts on the other algorithms called out in the ssh-audit report?

# key exchange algorithms
(kex) diffie-hellman-group14-sha1    -- [warn] using weak hashing algorithm

# message authentication code algorithms
(mac) hmac-sha1                      -- [warn] using encrypt-and-MAC mode
                                     `- [warn] using weak hashing algorithm
                                     `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-256                  -- [warn] using encrypt-and-MAC mode
                                     `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# algorithm recommendations
(rec) -diffie-hellman-group14-sha1   -- kex algorithm to remove 
(rec) -hmac-sha1                     -- mac algorithm to remove 
(rec) -hmac-sha2-256                 -- mac algorithm to remove

mkj commented 2 years ago

diffie-hellman-group14-sha1 and hmac-sha1 should eventually be disabled by default, probably at the same time as ssh-rsa with sha1.

I'm not intending to remove hmac-sha2-256. From what I can tell ssh-audit flags it because it has problems with CBC ciphers, but Dropbear disables those. chacha20-poly1305@openssh.com is a higher priority too.

graysky2 commented 2 years ago

I used the same trick to disable those successfully. Thanks!

#define DROPBEAR_RSA_SHA1 0
#define DROPBEAR_DH_GROUP14_SHA1 0
#define DROPBEAR_SHA1_HMAC 0
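
An added example (not part of the thread, and not Dropbear or ssh-audit code): a Python check that parses the SSH_MSG_KEXINIT payload a server sends (RFC 4253, section 7.1) and reports whether the three algorithms disabled with the defines above are still offered. The function names and both sample payloads are constructed for illustration; hmac-sha2-256 is deliberately not flagged, following mkj's reasoning in the thread.

```python
# Algorithms the thread disables in localoptions.h (names from the ssh-audit report).
WEAK = {"kex": {"diffie-hellman-group14-sha1"},
        "host_key": {"ssh-rsa"},
        "mac": {"hmac-sha1"}}

# Order of the first eight name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c",
          "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c"]


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        length = int.from_bytes(payload[offset:offset + 4], "big")
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list in " + field)
        raw = payload[offset:offset + length].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        offset += length
    return lists


def weak_offers(lists: dict) -> list:
    """Return sorted (category, algorithm) pairs that are still being offered."""
    found = set()
    for field, names in lists.items():
        category = "mac" if field.startswith("mac") else field
        found.update((category, n) for n in names if n in WEAK.get(category, ()))
    return sorted(found)


def build_kexinit(kex: str, key: str, enc: str, mac: str) -> bytes:
    """Construct a sample KEXINIT payload from comma-separated name-lists."""
    body = bytes([20]) + bytes(16)  # message type + zeroed cookie
    for names in (kex, key, enc, enc, mac, mac, "none", "none"):
        body += len(names).to_bytes(4, "big") + names.encode("ascii")
    return body + bytes(13)  # empty language lists, first_kex_packet_follows, reserved


# Constructed samples: an offer like the 2020.81 report, and one after the rebuild.
ENC = "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr"
BEFORE = build_kexinit(
    "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1",
    "ssh-ed25519,rsa-sha2-256,ssh-rsa", ENC, "hmac-sha1,hmac-sha2-256")
AFTER = build_kexinit("curve25519-sha256,diffie-hellman-group14-sha256",
                      "ssh-ed25519,rsa-sha2-256", ENC, "hmac-sha2-256")
```

`weak_offers(parse_kexinit(BEFORE))` lists all three algorithms, while the same call on `AFTER` returns an empty list.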