search

net-ssh / net-ssh

Pure Ruby implementation of an SSH (protocol 2) client
http://net-ssh.github.io/net-ssh
MIT License
986 stars 447 forks source link

Security issues #705

Open fwininger opened 5 years ago

fwininger commented 5 years ago

Description

After a complet code audit, I found lot of critical security configurations.

I suggest to be OpenSSH 3.9/3.9p1 compatible, release on 2004-08-18, and remove all insecure and weak algorithms.

Expected behavior

Be weak but not completly unsafe and backward compatible with OpenSSH 3.9/3.9p1.

Implement new algorithms.

Actual behavior

Realy unsafe, allow communication without encryption !

Key exchange algorithms

To remove

diffie-hellman-group1-sha1 :

diffie-hellman-group-exchange-sha1 :

Should be remove

ecdh-sha2-nistp521 / ecdh-sha2-nistp384 / ecdh-sha2-nistp256 :

NIST curves is unsecure see : https://safecurves.cr.yp.to/

Remove when curve25519-sha256@libssh is implement (see #690)

To conserve

diffie-hellman-group14-sha1 :

diffie-hellman-group-exchange-sha256 :

To implement

curve25519-sha256@libssh.org :

Host-key algorithms

To remove

ssh-dss :

Should be remove

ecdsa-sha2-nistp521 / ecdsa-sha2-nistp384 /ecdsa-sha2-nistp256

NIST curves is unsecure see : https://safecurves.cr.yp.to/

To conserve

ssh-rsa :

ssh-ed25519:

encryption algorithms (ciphers)

To remove

aes256-cbc aes192-cbc aes128-cbc :

rijndael-cbc@lysator.liu.se :

blowfish-ctr / blowfish-cbc :

cast128-ctr / cast128-cbc :

3des-ctr / 3des-cbc :

idea-cbc :

none :

To conserve

aes256-ctr aes192-ctr aes128-ctr :

To implement

aes128-gcm@openssh.com / aes256-gcm@openssh.com :

chacha20-poly1305@openssh.com :

message authentication code algorithms

To remove

hmac-sha1-96:

hmac-sha2-512-96 / hmac-sha2-256-96:

hmac-ripemd160 / hmac-ripemd160@openssh.com:

hmac-md5 :

hmac-md5-96: none :

To conserve

hmac-sha1:

hmac-sha2-512 / hmac-sha2-256 :

To implement

umac-128-etm@openssh.com :

hmac-sha2-256-etm@openssh.com:

hmac-sha2-512-etm@openssh.com:

fwininger commented 5 years ago

@mfazekas : if you are ok with the analysis, I push some PR to secure the code. I keep the less weak algorithm to be backword compatible with OpenSSH release in 2004. I think it's good enough.

I prefer Bernstein's algorithms rather than this from the NSA (NIST P-521), however at the moment I agree to leave them in the code.

mfazekas commented 5 years ago

@fwininger sorry i don't have much time this weekend or over next week.

I'm all for removing unsecure algs with default config. Not sure about removing all unsecure algs from the code. I think it would be great to be compatible, with tweaked config (something likesecure: :insecure) with very old versions of openssh.

For example vagrant uses net-ssh it would desirable for vagrant (again with some flag like secure: :insecure) to be able to connect to a very old vm image.

fwininger commented 5 years ago

Ok, we can definitively manage that.

This code have already some options (key:, hmac:...) to specified a list of methods. So I suggest to remove by default unsecure algos and pass the list of algo with the parameter.

Example for hmac: 

Net::SSH::Transport::HMAC::INSECURE = %w[all_algs]
Net::SSH::Transport::HMAC::DEFAULT= %w[only_secure_algs]

# specify all algs
Net::SSH.start('localhost', 'root', password: '', hmac: Net::SSH::Transport::HMAC::INSECURE)

# by default hmac = Net::SSH::Transport::HMAC::DEFAULT
mfazekas commented 5 years ago

Thanks, sure that works, if there is any way to use deprecated algs that's fine it doesn't have to be convient. We can also add a warning that that alg is going to be removed in next vers and if no complaint we can remove in next major version.

fwininger commented 5 years ago

According to #709, to be backward compatible just add the existing option : append_all_supported_algorithms: true

fwininger commented 5 years ago

Update of the current progress

Key exchange algorithms

Should be remove

ecdh-sha2-nistp521 / ecdh-sha2-nistp384 / ecdh-sha2-nistp256 :

NIST curves is unsecure see : https://safecurves.cr.yp.to/

To implement

Nothing more

Host-key algorithms

Should be remove

ecdsa-sha2-nistp521 / ecdsa-sha2-nistp384 /ecdsa-sha2-nistp256

NIST curves is unsecure see : https://safecurves.cr.yp.to/

To implement

rsa-sha2-256, rsa-sha2-512 (see issue #712)

encryption algorithms (ciphers)

To implement

aes128-gcm@openssh.com / aes256-gcm@openssh.com :

chacha20-poly1305@openssh.com :

message authentication code algorithms

To implement

nothing more

fwininger commented 4 years ago

https://www.blackhatethicalhacking.com/news/openssh-to-deprecate-sha-1-logins-due-to-security-risk/

mfazekas commented 4 years ago

See also #773

fwininger commented 1 year ago

Update of the current progress

Key exchange algorithms

Should be remove

ecdh-sha2-nistp521 / ecdh-sha2-nistp384 / ecdh-sha2-nistp256 :

NIST curves is unsecure see : https://safecurves.cr.yp.to/

To implement

Host-key algorithms

Should be remove

ecdsa-sha2-nistp521 / ecdsa-sha2-nistp384 /ecdsa-sha2-nistp256

NIST curves is unsecure see : https://safecurves.cr.yp.to/

encryption algorithms (ciphers)

To implement

aes128-gcm@openssh.com / aes256-gcm@openssh.com :

message authentication code algorithms

To implement

nothing more

tisba commented 1 year ago

I was wondering why you want to preserve key exchange with diffie-hellman-group14-sha1. AFAIK SHA-1 has exploitable weaknesses. We had Github announced removal 6 years ago), also we had Logjam, …