nixos/ssh: use upstream's default cryptographic algorithms #316934
Conversation
tomfitzhenry
force-pushed
the
drop-openssh-algorithms-overrides
branch
from
e5a9f80
to
928ad76
Compare
|
Seeking wide review on this. A note in the manual will need to be added too. |
|
I agree that we shouldn't deviate too much from upstream, but we could alternatively move those defaults to something like |
There was a problem hiding this comment.
We should document in the options that null means upstreams defaults. Also we should add a release note entry.
Did you do a comparison which algorithms are now enabled again? Is there maybe some upstream guidance we could use instead like those algorithms are soon to be disabled by default and if you can, you should already disable them?
tomfitzhenry
force-pushed
the
drop-openssh-algorithms-overrides
branch
from
928ad76
to
a0e2211
Compare
| "[email protected]" | ||
| "curve25519-sha256" | ||
| "[email protected]" | ||
| "diffie-hellman-group-exchange-sha256" |
There was a problem hiding this comment.
The new ones are
[email protected],
curve25519-sha256,[email protected],
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256
https://github.com/openssh/openssh-portable/blob/V_9_7_P1/sshd_config.5#L1053C1-L1058C30
There was a problem hiding this comment.
| "[email protected]" | ||
| "[email protected]" | ||
| "[email protected]" | ||
| "aes256-ctr" | ||
| "aes192-ctr" | ||
| "aes128-ctr" |
There was a problem hiding this comment.
https://github.com/openssh/openssh-portable/blob/V_9_7_P1/sshd_config.5#L578-L580
[email protected],
aes128-ctr,aes192-ctr,aes256-ctr,
[email protected],[email protected]
1c18bbe
to
c13c3b0
Compare
In this PR I've moved NixOS's current defaults to the hardened profile, but I'm not 100% on whether it's the best place, on the basis that:
Alternatives are to have an option |
|
I fixed evaluation with SuperSandro2000@02c08fc but I didn't test it yet e2e |
Great find, that's worrying! |
We could fix that by using lib.mkDefault I don#t think we need an extra option for that @aszlig opinions? |
That would be similar to eg.
With the |
Done.
I see you've commented with the new selections, thanks for that!
https://www.openssh.com/releasenotes.html includes "Future deprecation notices". The only current such notice is the future removal of DSA support, which we recently expedited: #300716 👍 |
tomfitzhenry
force-pushed
the
drop-openssh-algorithms-overrides
branch
from
c13c3b0
to
76531de
Compare
I've updated the PR to introduce this option. |
| enableMozillaRecommendations = mkEnableOption "" // { | ||
| descrption = '' | ||
| Whether to enable Mozilla's recommended cryptographic algorithms, per | ||
| https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67. |
There was a problem hiding this comment.
Note that enableMozillaRecommendations uses the exact algorithms as listed on its page, which is slightly different to the set of algorithms that we previously had.
https://github.com/mozilla/infosec.mozilla.org/blob/master/docs/guidelines/openssh.md is the right place to engage/query with Mozilla's recommendations.
|
Mozilla has fired their security team who was in charge of config recommendations back in 2020. |
That's sad to hear. :/ I'm happy with upstream's recommendations, but it sounds like some would prefer the recommendations of others (which is fine/great, and a strength of FOSS; different people have different views). To those people, is there any published guide that you prefer? Unless we can point to one, I'd be inclined to leave that option out for now, and it can be added if/when a suitable alternative is found. If it's not published/maintained, then it might be better placed in one's own config. For those seeking an sshd with reduced attack surface, and who have the luxury of only supporting modern clients (as I do, in some environments), consider |
tomfitzhenry
force-pushed
the
drop-openssh-algorithms-overrides
branch
from
76531de
to
2907a5f
Compare
I've now removed the |
Hardening SSH algorithms, which typically means dropping all-but-the-strongest is of questionable value, given SSH's downgrade protection[0]. We pay in compatibility, and maintenance. Further, as noted in https://github.com/NixOS/nixpkgs/pull/172393/files#r871727289 , both the guidelines that we follow have not been updated in years. The costs of having/maintaining these defaults: * The burden of having a larger module that deviates from upstream. We've slowly been reducing the upstream diff, to reduce maintenance burden. * Difficult for users to opt-out of these defaults. For example, when using a "no OpenSSL" build of OpenSSH, having these defaults means having to manually overriding NixOS's defaults. Upstream's defaults, meanwhile, gracefully only use available algorithms, if OpenSSL is not linked. * For users seeking to reduce attack surfaces that are fortunate enough to only have modern clients, they could choose to use `pkgs.opensshPackages.openssh.override { linkOpenssl = false; }`, which only supports chacha20-poly1305 and curve25519-sha256. * NixOS#231165 unexpectedly broke some clients. * The time in discussing/reviewing these defaults. * Anecdotally, a friend trying NixOS for the first time with a ssh_config supporting only ecdh-* key exchanges was unable to SSH in after install. There's a certain level of enjoyment that comes from researching and selecting a favourite suite of ciphers, but as a distro, it's not our core competancy, and best left for upstream who are active in advances/attacks/compatibility. 0. https://eprint.iacr.org/2016/072.pdf
tomfitzhenry
force-pushed
the
drop-openssh-algorithms-overrides
branch
from
2907a5f
to
d091822
Compare
I reproduced the issue with @ofborg test initrd-network-ssh |
|
@ofborg test openssh |
|
I'm proposing this PR as it stands (and happy to hear more comments). If/when people interested in other advice can find a published guide that they want to follow, that can be added as an option (named according to who is giving the advice). |
|
Hello, The given arguments seem fair to me however I'm a bit worried of re-introducing weak cryptography primitives by default. This seems like a regression and I would not be surprised if we end up getting issues from people getting suddenly a worse reports from <INSERT_YOUR_FAVORITE_COMMERCIAL_AUTOMATIC_PENTEST_TOOL> (or things like I'm mostly worried about 2 things:
both are arguably not something that is future proof. We might have a middle ground solution that makes things easier for users wanting to harden their systems while not making it worse for users relying on the default values: This approach would allow us to exclude the crypto primitives with the lowest security margins and pick up the new ones proposed by |
I agree there's a risk here, and we should enable users who have compliance/personal-driven reasons to easily manage that. In some cases I think it's reasonable to expect the user to take on ownership of this config, but it'd be nice if we could offer some abstractions to help manage that.
I like this idea. It's a bit risky as-is, since "-" doesn't compose well with nix's lists. To explain what I mean, first let's look at sshd_config: This means if we have then these will accumulate to:
... and now your favourite MAC is unexpectedly disabled (since a "-" at the beginning will exclude all algorithms listed)! But as you say, maybe there's a way to more nicely expose that? Maybe expose a union-like option, with four alternatives:
We'd have an assertion that only one alternative can be used at a time. Do we have any precedent for that sort of thing? Does it work? Is it too complex/overengineering? RFC42 and #51630 discuss this in a wider sense. I'll put this PR into draft while we try to answer that. |
I had a think through this some more. I think introducing a union-like option ( I get the impression that most are happy with the status quo of overriding upstream's defaults, and many prefer it. Thus it's not worth complicating things. For those that want more control (or to use upstream's defaults), they can set to null, or use Next steps:
Please comment and/or re-open if you think otherwise! :) For posterity/fun, some resources I found re the difference of opinions re algorithm selection (which I don't hold strong opinions on): |
Prior to this commit, if services.openssh.settings.Macs is null, then initrd-ssh.nix would fail to build. Same for KexAlgorithms and Ciphers. Noticed by @SuperSandro2000: NixOS#316934 (comment)
Motivation
Hardening SSH algorithms, which typically means dropping all-but-the-strongest is of questionable value, given SSH's downgrade protection[0]. We pay in compatibility, and maintenance.
Further, as noted in
https://github.com/NixOS/nixpkgs/pull/172393/files#r871727289 , both the guidelines that we follow have not been updated in years.
The costs of having/maintaining these defaults:
pkgs.opensshPackages.openssh.override { linkOpenssl = false; }, which only supports chacha20-poly1305 and curve25519-sha256. This has the added benefit of removing openssl from the memory of sshd.There's a certain level of enjoyment that comes from researching and selecting a favourite suite of ciphers, but as a distro, it's not our core competancy, and best left for upstream who are active in advances/attacks/compatibility.
Description of changes
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.