karaf-issues mailing list archives

From "Ancoron Luciferis (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KARAF-3622) Enhance SSH configuration mechanism
Date Thu, 19 Mar 2015 15:01:38 GMT

https://issues.apache.org/jira/browse/KARAF-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14369464#comment-14369464

Ancoron Luciferis commented on KARAF-3622:

According to https://stribika.github.io/2015/01/04/secure-secure-shell.html the following
would be a reasonably secure configuration (taking into account the options we have with MINA/SSHD):

keySize = 4096
algorithm = RSA
ciphers = aes256-ctr,aes192-ctr,aes128-ctr
macs = hmac-sha2-512,hmac-sha2-256
kexAlgorithms = diffie-hellman-group-exchange-sha256

So let's test it:

# Specifying an unsupported key exchange algorithm:
$ ssh -o KexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384 -p 8101 karaf@
Unable to negotiate a key exchange method

# Specifying an unsupported HMAC:
$ ssh -m hmac-sha1 -p 8101 karaf@
no matching mac found: client hmac-sha1 server hmac-sha2-512,hmac-sha2-256

# Specifying an unsupported cipher:
$ ssh -c aes256-cbc -p 8101 karaf@
no matching cipher found: client aes256-cbc server aes256-ctr,aes192-ctr,aes128-ctr

Configuration works as expected. :-)

> Enhance SSH configuration mechanism
> -----------------------------------
>                 Key: KARAF-3622
>                 URL: https://issues.apache.org/jira/browse/KARAF-3622
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf-shell
>    Affects Versions: 3.0.3
>            Reporter: Ancoron Luciferis
>            Assignee: Jean-Baptiste Onofré
>              Labels: security
>         Attachments: karaf-3.0.x-Improve-SSH-shell-configuration-support.patch
> Currently, the SSH configuration for the remote shell provides only limited access to
> the configuration capabilities of the library being used (Apache MINA/SSHD).
> E.g., it is currently not possible to configure a better HMAC than SHA1, although the
> SSHD core library version 0.12+ supports at least "hmac-sha2-512" and "hmac-sha2-256".
> Also, the key exchange mechanism is currently not configurable at all, which makes it
> impossible to enforce highly secure connection establishment from the server side.

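As an added example (not code from the issue, the comment or the Karaf project): a small POSIX shell audit that reads a configuration in the key = value form shown in the comment and reports any cipher, MAC, key exchange algorithm or key size that falls outside the baseline proposed there, so the hardened settings can be checked before running the ssh client tests. The temporary file and its sample values are constructed; the key names are the ones listed in the comment.

```shell
#!/bin/sh
# Added example (not Karaf's own code): audit a Karaf SSH shell configuration
# written as "key = value" lines against the baseline proposed in the comment.
BASE_CIPHERS="aes256-ctr aes192-ctr aes128-ctr"
BASE_MACS="hmac-sha2-512 hmac-sha2-256"
BASE_KEX="diffie-hellman-group-exchange-sha256"

# cfg_get FILE KEY: print the value of the first "KEY = value" line, trimmed
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# check_list NAME CSV BASELINE: report entries outside BASELINE; return 1 if any
check_list() {
    [ -n "$2" ] || { echo "$1: not set"; return 1; }
    lrc=0
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case " $3 " in
            *" $item "*) ;;
            *) echo "$1: $item is outside the baseline"; lrc=1 ;;
        esac
    done
    return $lrc
}

# audit_ssh_cfg FILE: 0 if every setting matches the baseline, 1 otherwise
audit_ssh_cfg() {
    arc=0
    [ "$(cfg_get "$1" algorithm)" = "RSA" ] || { echo "algorithm: expected RSA"; arc=1; }
    ks=$(cfg_get "$1" keySize)
    [ "${ks:-0}" -ge 4096 ] 2>/dev/null || { echo "keySize: '$ks' is below 4096"; arc=1; }
    check_list ciphers "$(cfg_get "$1" ciphers)" "$BASE_CIPHERS" || arc=1
    check_list macs "$(cfg_get "$1" macs)" "$BASE_MACS" || arc=1
    check_list kexAlgorithms "$(cfg_get "$1" kexAlgorithms)" "$BASE_KEX" || arc=1
    return $arc
}

# Constructed sample config (the values from the comment above) for a self-test
sample=$(mktemp)
cat > "$sample" <<'EOF'
keySize = 4096
algorithm = RSA
ciphers = aes256-ctr,aes192-ctr,aes128-ctr
macs = hmac-sha2-512,hmac-sha2-256
kexAlgorithms = diffie-hellman-group-exchange-sha256
EOF
audit_ssh_cfg "$sample" && echo "configuration matches the baseline"
rm -f "$sample"
```

Point the script at a real configuration instead of the sample to see each deviation listed; a non-zero exit status means at least one setting is outside the baseline.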