[RndTbl] OpenSSH advisory...
sean at tinfoilhat.ca
Sat Nov 9 12:25:36 CST 2013
TL;DR… aes-gcm implementation has issues… turn it off or patch… here’s how (openbsd centric but similar methods apply for other OS’).
To mititgate add:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc (note should be all decent ciphers minus aes-gcm) to /etc/ssh/sshd_config.
Then run SSHD to test the configuration:
sudo /usr/sbin/sshd -T
In the output notice the ciphers line matches what you configured and no other configuration warnings are present. And then finally (to avoid outages) send the HUP signal to the root sshd process (ie. the one owned by root).
sudo pkill -HUP -lxf /usr/sbin/sshd
When successful you will see similar additions to /var/log/authlog:
Nov 8 12:02:13 fnord sshd: Received SIGHUP; restarting.
Nov 8 12:02:13 fnord sshd: Server listening on 0.0.0.0 port 22.
Nov 8 12:02:13 fnord sshd: Server listening on :: port 22.
Enjoy your weekend,
More information about the Roundtable