hmac-md5 was disabled by default in OpenSSH 7.2 (see http://www.openssh.com/txt/release-7.2).
** Changed in: openssh (Ubuntu)
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/933480

Title:
  Picks hmac-md5 over hmac-sha1

Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  The OpenSSH client defaults to picking hmac-md5, which is based on the
  demonstrably insecure MD5 algorithm:

  faux@wilf:~% ssh -v localhost true 2>&1 | grep hmac
  debug1: kex: server->client aes128-ctr hmac-md5 none
  debug1: kex: client->server aes128-ctr hmac-md5 none

  MD5 has had practical vulnerabilities for around eight years, and its
  use is highly discouraged. SHA1 is a supported alternative, and is
  supported by the packaged openssh-server, and many other ssh
  implementations.

  MD5 is selected as man ssh_config suggests the default algorithms are,
  in order of preference (most preferred first):

  hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

  Please append:

  MACs hmac-sha1,hmac-md5,umac...@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

  ...to /etc/ssh/ssh_config, such that the client will prefer SHA-1:

  faux@wilf:~% ssh -v localhost true 2>&1 | grep hmac
  debug1: kex: server->client aes128-ctr hmac-sha1 none
  debug1: kex: client->server aes128-ctr hmac-sha1 none

  This should have no compatibility concerns as MD5 is still a supported
  algorithm.

  Note that non-privileged users can override this setting either way on
  a per-connection basis by specifying MACs in ~/.ssh/config.
  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: openssh-client 1:5.8p1-7ubuntu1
  ProcVersionSignature: Ubuntu 3.0.0-16.28-generic 3.0.17
  Uname: Linux 3.0.0-16-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 1.23-0ubuntu4
  Architecture: amd64
  CheckboxSubmission: b0d31efda01870980e2e5a89390b685c
  CheckboxSystem: 6ce041aeed0a2c17b3343b66d157175d
  Date: Thu Feb 16 13:59:43 2012
  EcryptfsInUse: Yes
  InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_GB.UTF-8
   SHELL=/bin/zsh
  RelatedPackageVersions:
   ssh-askpass N/A
   libpam-ssh N/A
   keychain N/A
   ssh-askpass-gnome 1:5.8p1-7ubuntu1
  SSHClientVersion: OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
  SourcePackage: openssh
  UpgradeStatus: Upgraded to oneiric on 2011-05-03 (289 days ago)
  modified.conffile..etc.ssh.ssh.config: [modified]
  mtime.conffile..etc.ssh.ssh.config: 2012-02-16T13:59:11.376423
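
The following is an added example, not part of the original bug report or of OpenSSH. It models the SSH rule that the negotiated MAC is the first entry in the client's list that the server also offers (RFC 4253, section 7.1), and audits `ssh -v` output in the line format quoted in the report. The preference lists are constructed from the ones in the report with the truncated umac entry left out, and the server list is an assumption.

```python
import re

# Matches the negotiated-algorithm lines in the format quoted in the report:
#   debug1: kex: server->client aes128-ctr hmac-md5 none
KEX_LINE = re.compile(
    r"debug1: kex: (server->client|client->server) (\S+) (\S+) (\S+)"
)


def negotiate(client_prefs, server_prefs):
    """Return the first client-preferred MAC the server also offers, else None."""
    offered = set(server_prefs)
    for name in client_prefs:
        if name in offered:
            return name
    return None


def negotiated_macs(debug_output):
    """Map each direction to the MAC named on its `kex:` debug line."""
    return {m.group(1): m.group(3) for m in KEX_LINE.finditer(debug_output)}


def md5_directions(debug_output):
    """List the directions whose negotiated MAC is MD5-based."""
    macs = negotiated_macs(debug_output)
    return sorted(d for d, mac in macs.items() if mac.startswith("hmac-md5"))


# Constructed inputs: the report's two orderings, minus the truncated entry.
OLD_DEFAULT = "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96".split(",")
PROPOSED = "hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96".split(",")
SERVER = list(OLD_DEFAULT)  # assumption: the server offers the same set

# Constructed sample, copied from the first debug excerpt in the report.
SAMPLE_DEBUG = """\
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
"""

if __name__ == "__main__":
    print("old default order ->", negotiate(OLD_DEFAULT, SERVER))
    print("proposed order    ->", negotiate(PROPOSED, SERVER))
    print("MD5 in use for    ->", md5_directions(SAMPLE_DEBUG))
```

Because the client's order decides the outcome, moving hmac-sha1 ahead of hmac-md5 changes the negotiated MAC even though the server's list is unchanged.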