stop using ecdsa-sha2-nistp256, ecdh-sha2-nistp{256, 384, 521}

[nikhiljha]

Right now the algorithms mentioned in the title are actively in use in the ssh config.

https://github.com/ocf/puppet/blob/4e37cbedd228d89bc2f32234dbb4fc54114faa9d/modules/ocf/manifests/auth.pp#L175

However, these algorithms have known weaknesses. This is a super low-prio/nitpick issue, but it'd still be nice to fix it.

Ideally the config would be something like...

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

... but because of compatibility that's difficult.

[kkuehlz]

This should be a doc change (encouraging the use of curves created in an open environment), not a change to our server side config. Calling nist-p256 and others weak is kinda a misnomer. The site is based of this talk, and is more about the curves being tricky to implement in practice.

[jameslzhu]

If I recall correctly, most of the concern with the NIST elliptic curve algorithms is not a known weakness with the algorithm itself, but with the suspicious choice of parameters. If you look at the elliptic curve equations selected for NIST’s P algorithms, the coefficients seem ... quite large. And suspiciously arbitrary. Curve25519 has small numbers (255, 19) with open justifications, and appears to lend implementations resistance against side-channel attacks, so it is preferred regardless.

I’d like to make clear that old algorithms aren’t any less secure simply by being old. RSA is decades older than any of these and we still trust it; we actually tend to trust older algorithms that haven’t been broken because nobody’s been able to break them for so long.