Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings (#7315) · Issues · tails / tails

Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings

Originally created by @sajolida on #7315 (Redmine)

Tails cannot connect with SSH to recent OpenBSD systems because the restricted set of MACs that is set in Tails doesn’t match any MAC accepted in OpenBSD by default.

Tails sets:

hmac-sha1,hmac-md5,hmac-ripemd160

OpenBSD accepts by default:

umac-64-etmopenssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512@

See: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

I would find it very surprising if none of the MAC accepted by OpenBSD were good enough to our standards. So maybe our lists have to be review to the light of this finding.

Feature Branch: feature/7315-drop-custom-ssh-crypto-settings

Related issues

Related to sysadmin#8677 (closed)
Related to #8027 (closed)
Blocked by #6015 (closed)

Edited May 15, 2020 by sajolida

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information