As the result of a recent security evaluation, we have decided to disable several methods in key exchange, message authentication codes and encryption ciphers classified insecure/weak which obsoletes the following methods and method groups as listed below. In general, we have disabled SHA-1-based methods since SHA-1 is broken since early 2017 (cf. Stevens et al.: „The first collision for Full SHA-1“).
We kindly ask you to update your client configuration accordingly since these methods cannot be used anymore to access the RWTH Aachen HPC Cluster until further notice:
Depreciated Key Exchange Algorithms (KexAlgorithms):
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
- diffie-hellman-group-exchange-sha1
Depreciated Message Authentication Codes (MACs):
-
hmac-sha1
-
hmac-sha1-etm@openssh.com
-
umac-64-etm@openssh.com
-
umac-64@openssh.com
Depreciated Encryption Ciphers (Ciphers):
-
aes128-cbc
-
aes192-cbc
-
aes256-cbc
Depreciated GSSAPI Key Exchange Algorithms (GSSAPIKexAlgorithms):
-
gss-gex-sha1-
-
gss-group1-sha1-
-
gss-group14-sha1
However, we have also added the support for new methods which we strongly encourage you to use:
NEW Key Exchange Algorithms (KexAlgorithms):
-
curve25519-sha256
-
curve25519-sha256@libssh.org
-
diffie-hellman-group18-sha512
-
diffie-hellman-group16-sha512
NEW GSSAPI Key Exchange Algorithms (GSSAPIKexAlgorithms):
-
gss-curve25519-sha256-
-
gss-group16-sha512-
-
gss-group14-sha256-
-
gss-nistp256-sha256-
We always highly recommend you to use the most secure supported methods only:
Recommended Methods (CLAIX18):
-
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
-
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
-
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
-
GSSApiKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
Best regards
Your HPC-Team@RWTH
You can track any disruptions or security advisories that may occur due to the aforementioned change in the Email category on our status reporting portal.
