nixos/sshd: Remove algorithms that do MAC-then-encrypt #231165
Algorithms with the -etm suffix calculate the MAC after encryption, which is generally considered safer.
ac3e468 to 0020161
Does this need a changelog entry? I.e., are there some subtle implications (I can't think of any, but still)?
ETM MACs were introduced in 6.2. This shouldn't cause any problems.
This breaks compatibility with all applications based on libssh2 (notably, libvlc).
Upstream fix: libssh2/libssh2#987 Maybe we can backport this somehow?
Even if we backport this, other OSes/applications interacting with a NixOS sshd (which is my use case) will still remain broken. Adding a changelog entry as suggested above seems like a good idea at least.
It breaks the "Run script over SSH" action in the iOS Shortcuts app, which I use quite frequently. I ended up needing to add the removed algorithms back in my config. So I think there should be a changelog entry.
This broke iOS PhotoSync with NixOS as its SFTP target; when uploading, it is stuck at 0% and reports nothing useful in the app; fortunately at least the server says
The changelog entry will look like this:
Hardening SSH algorithms, which typically means dropping all-but-the-strongest is of questionable value, given SSH's downgrade protection[0]. We pay in compatibility, and maintenance. Further, as noted in https://github.com/NixOS/nixpkgs/pull/172393/files#r871727289 , both the guidelines that we follow have not been updated in years.

The costs of having/maintaining these defaults:

* The burden of having a larger module that deviates from upstream. We've slowly been reducing the upstream diff, to reduce maintenance burden.
* Difficult for users to opt-out of these defaults. For example, when using a "no OpenSSL" build of OpenSSH, having these defaults means having to manually override NixOS's defaults. Upstream's defaults, meanwhile, gracefully only use available algorithms, if OpenSSL is not linked.
* For users seeking to reduce attack surfaces that are fortunate enough to only have modern clients, they could choose to use `pkgs.opensshPackages.openssh.override { linkOpenssl = false; }`, which only supports chacha20-poly1305 and curve25519-sha256.
* NixOS#231165 unexpectedly broke some clients.
* The time in discussing/reviewing these defaults.
* Anecdotally, a friend trying NixOS for the first time with a ssh_config supporting only ecdh-* key exchanges was unable to SSH in after install.

There's a certain level of enjoyment that comes from researching and selecting a favourite suite of ciphers, but as a distro, it's not our core competency, and best left for upstream who are active in advances/attacks/compatibility.

0. https://eprint.iacr.org/2016/072.pdf
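Added example (not part of this PR or the NixOS module): a sketch of SSH algorithm negotiation as defined in RFC 4253 section 7.1, showing why a server that offers only -etm MACs rejects a client that offers none, unless an AEAD cipher is negotiated. The algorithm lists and client names are constructed samples, not the NixOS defaults or any real client's offer.

```python
# Added example: SSH cipher/MAC negotiation (RFC 4253 section 7.1).
# All lists below are constructed samples built from real OpenSSH algorithm names.

AEAD_CIPHERS = {
    "chacha20-poly1305@openssh.com",
    "aes128-gcm@openssh.com",
    "aes256-gcm@openssh.com",
}

def first_match(client, server):
    """Pick the first name on the client's list that the server also lists."""
    allowed = set(server)
    return next((name for name in client if name in allowed), None)

def negotiate(client, server):
    """Return (cipher, mac, verdict) for one direction of a connection."""
    cipher = first_match(client["ciphers"], server["ciphers"])
    if cipher is None:
        return None, None, "fail: no common cipher"
    if cipher in AEAD_CIPHERS:
        # AEAD ciphers authenticate packets themselves; OpenSSH ignores the MAC list.
        return cipher, None, "ok: AEAD cipher, MAC list not used"
    mac = first_match(client["macs"], server["macs"])
    if mac is None:
        return cipher, None, "fail: no common MAC"
    kind = "EtM MAC" if "-etm@" in mac else "non-EtM MAC"
    return cipher, mac, "ok: " + kind

ETM = ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"]
SERVER_ETM_ONLY = {"ciphers": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
                   "macs": ETM}
SERVER_WITH_FALLBACK = {**SERVER_ETM_ONLY, "macs": ETM + ["hmac-sha2-256"]}

CLIENTS = {  # hypothetical client offers
    "legacy": {"ciphers": ["aes256-ctr"], "macs": ["hmac-sha2-256", "hmac-sha1"]},
    "modern": {"ciphers": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
               "macs": ETM + ["hmac-sha2-256"]},
    "prefers_plain": {"ciphers": ["aes256-ctr"],
                      "macs": ["hmac-sha2-256", "hmac-sha2-256-etm@openssh.com"]},
}

def report(server):
    """Map each sample client to its negotiation verdict against `server`."""
    return {name: negotiate(offer, server)[2] for name, offer in CLIENTS.items()}

if __name__ == "__main__":
    for label, server in (("etm-only", SERVER_ETM_ONLY),
                          ("with fallback", SERVER_WITH_FALLBACK)):
        print(label, report(server))
```

Because the client's preference order wins, the `prefers_plain` client gets a non-EtM MAC whenever the server still lists one; removing those entries is what forces EtM, at the cost of the `legacy` case failing.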