nixos/sshd: Remove algorithms that do MAC-then-encrypt #231165
Conversation
Algorithms with the -etm suffix calculate the MAC after encryption, which is generally considered safer.
mweinelt
force-pushed
the
openssh-encryp-then-mac
branch
from
ac3e468
to
0020161
Compare
mweinelt
changed the title
|
does this need a changelog entry ? ie., are there some subtle implications (I can't think of any but still). |
|
ETM MACs were introduced in 6.2. This shouldn't cause any problems. |
ofborg
bot
added
10.rebuild-darwin: 1-10
10.rebuild-darwin: 1
10.rebuild-linux: 1-10
labels
|
This breaks compatibility with all applications based on libssh2 (notably, libvlc). |
|
Upstream fix: libssh2/libssh2#987 Maybe we can backport this somehow? |
|
Even if we backport this, other OS's/applications interacting with a NixOS sshd (which is my usecase) will stil remain broken. Adding a changelog entry as suggested above seems like a good idea at least. |
It breaks the "Run script over SSH" action in the iOS Shortcuts app, which I use quite frequently. I ended up needing to add the removed algorithms back in my config. So I think there should be a changelog entry. |
|
This broke iOS PhotoSync with NixOS as its SFTP target; when uploading, it is stuck at 0% and reports nothing useful in the app; fortunately at least the server says |
|
The changelog entry will look like this:
|
Hardening SSH algorithms, which typically means dropping all-but-the-strongest is of questionable value, given SSH's downgrade protection[0]. We pay in compatibility, and maintenance. Further, as noted in https://github.com/NixOS/nixpkgs/pull/172393/files#r871727289 , both the guidelines that we follow have not been updated in years. The costs of having/maintaining these defaults: * The burden of having a larger module that deviates from upstream. We've slowly been reducing the upstream diff, to reduce maintenance burden. * Difficult for users to opt-out of these defaults. For example, when using a "no OpenSSL" build of OpenSSH, having these defaults means having to manually overriding NixOS's defaults. Upstream's defaults, meanwhile, gracefully only use available algorithms, if OpenSSL is not linked. * For users seeking to reduce attack surfaces that are fortunate enough to only have modern clients, they could choose to use `pkgs.opensshPackages.openssh.override { linkOpenssl = false; }`, which only supports chacha20-poly1305 and curve25519-sha256. * NixOS#231165 unexpectedly broke some clients. * The time in discussing/reviewing these defaults. * Anecdotally, a friend trying NixOS for the first time with a ssh_config supporting only ecdh-* key exchanges was unable to SSH in after install. There's a certain level of enjoyment that comes from researching and selecting a favourite suite of ciphers, but as a distro, it's not our core competancy, and best left for upstream who are active in advances/attacks/compatibility. 0. https://eprint.iacr.org/2016/072.pdf
Algorithms with the -etm suffix calculate the MAC after encryption, which is generally considered safer.
Description of changes
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)