Ubuntu
dropbear package

  1. Bug #1409798
  2. Comment #9

Comment 9 for bug 1409798

Revision history for this message
Matt Johnston (matt-ucc) wrote : Re: [Bug 1409798] Re: enable hmac-sha2-256, hmac-sha2-512 MAC algorithms

They're enabled by default in 2015.67

Cheers,
Matt

On 7 February 2015 7:03:43 pm AWST, Richard Hansen <email address hidden> wrote:
>** Description changed:
>
>+ [Impact]
>+
> Since version 2013.56, dropbear has supported the hmac-sha2-256 and
> hmac-sha2-512 MAC algorithms, but they are disabled by default.
> According to the dropbear changelog, enabling them is a matter of
> uncommenting the following two lines in options.h:
>
>- /*#define DROPBEAR_SHA2_256_HMAC*/
>- /*#define DROPBEAR_SHA2_512_HMAC*/
>+     /*#define DROPBEAR_SHA2_256_HMAC*/
>+     /*#define DROPBEAR_SHA2_512_HMAC*/
>
> Due to recent NSA revelations, some people are recommending users
> disable certain algorithms. If the recommendations at
> <https://stribika.github.io/2015/01/04/secure-secure-shell.html> are
>followed, there are no MAC algorithms left that dropbear supports
>unless
> hmac-sha2-256 and hmac-sha2-512 are enabled.
>+
>+ [Test Case]
>+
>+ Setup steps:
>+ 1. install dropbear and openssh-client:
>+ sudo apt-get install dropbear openssh-client
>+ 2. if you have openssh-server installed, stop it:
>+ sudo service ssh stop
>+ 3. make sure that the dropbear service is enabled by editing
>+ /etc/default/dropbear and setting the NO_START variable to 0
>like
>+ this:
>+ NO_START=0
>+ 4. start the dropbear service:
>+ sudo service dropbear start
>+
>+ Test steps:
>+ 5. try the hmac-sha2-256 MAC:
>+ ssh -o UserKnownHostsFile=/dev/null \
>+ -o MACs=hmac-sha2-256 localhost
>+ 6. try the hmac-sha2-512 MAC:
>+ ssh -o UserKnownHostsFile=/dev/null \
>+ -o MACs=hmac-sha2-512 localhost
>+
>+ Cleanup steps:
>+ 7. stop the dropbear service:
>+ sudo service dropbear stop
>+ 8. if you edited /etc/default/dropbear to enable the dropbear
>+ service, disable it again by editing /etc/default/dropbear and
>+ setting the NO_START variable to 1 like this:
>+ NO_START=1
>+ 9. if you stopped the OpenSSH server, restart it:
>+ sudo service ssh start
>+
>+ [Regression Potential]
>+
>+ * Due to being disabled by default upstream, the implementations of
>+ the new MAC algorithms are probably not as well tested as the old
>+ MAC algorithms. This may increase the likelihood of
>compatibility
>+ or security bugs.
>+ * SSH clients are likely to prefer the new MAC algorithms over the
>+ old MAC algorithms. If either the client or server has an
>+ implementation bug, the ability to connect may be impaired unless
>+ the user configures the client to disallow the new algorithms or
>+ prefer the old algorithms (e.g., via the ssh_config "MACs"
>+ directive in OpenSSH).
>+ * The new MAC algorithms may negatively impact performance.
>
>--
>You received this bug notification because you are subscribed to
>dropbear in Ubuntu.
>https://bugs.launchpad.net/bugs/1409798
>
>Title:
> enable hmac-sha2-256, hmac-sha2-512 MAC algorithms
>
>To manage notifications about this bug go to:
>https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+subscriptions