
Remove custom SSH ciphers, MACs and HostKeyAlgorithms settings

Originally created by @sajolida on #7315 (Redmine)

Tails cannot connect with SSH to recent OpenBSD systems because the restricted set of MACs that is set in Tails doesn’t match any MAC accepted in OpenBSD by default.

Tails sets:

hmac-sha1,hmac-md5,hmac-ripemd160

OpenBSD accepts by default:

umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512

See: http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

I would find it very surprising if none of the MACs accepted by OpenBSD were good enough for our standards. So maybe our lists have to be reviewed in the light of this finding.

Feature Branch: feature/7315-drop-custom-ssh-crypto-settings

Related issues

  • Related to sysadmin#8677 (closed)
  • Related to #8027 (closed)
  • Blocked by #6015 (closed)
Edited May 15, 2020 by sajolida
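
The mismatch reported above can be checked mechanically. The following is an added example, not code from the issue or from the Tails project: it reads a `MACs` directive out of an ssh_config text and applies the RFC 4253 section 7.1 selection rule against the OpenBSD list quoted in the issue. The sample config snippet and the helper names `global_directive` and `negotiate` are assumptions made for illustration.

```python
# Added example, not Tails code. RFC 4253 section 7.1: the MAC used is the
# first name on the client's list that the server also lists.

# MAC lists as quoted in the issue.
TAILS_MACS = "hmac-sha1,hmac-md5,hmac-ripemd160"
OPENBSD_MACS = (
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
    "umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512"
)

# Constructed ssh_config snippet (the file layout is an assumption).
SAMPLE_SSH_CONFIG = """\
# constructed sample
Host *
    MACs hmac-sha1,hmac-md5,hmac-ripemd160
"""


def global_directive(config_text, keyword):
    """Return the first value of `keyword` that applies to every host.

    Simplification: only lines before the first Host/Match block or inside
    a `Host *` block are considered; ssh keeps the first value it obtains.
    """
    applies = True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            applies = key == "host" and value == "*"
        elif applies and key == keyword.lower():
            return value
    return None


def negotiate(client_list, server_list):
    """First client-preferred algorithm the server also offers, else None."""
    offered = set(server_list.split(","))
    return next((m for m in client_list.split(",") if m in offered), None)


if __name__ == "__main__":
    macs = global_directive(SAMPLE_SSH_CONFIG, "MACs")
    print("client MACs:", macs)
    print("negotiated :", negotiate(macs, OPENBSD_MACS))
```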