
IT Center Changes

Change in SSH Configuration: Deprecation of Insecure Methods, Addition of New Methods

August 4th, 2023 | by

As the result of a recent security evaluation, we have decided to disable several key exchange methods, message authentication codes and encryption ciphers that are classified as insecure or weak. This obsoletes the methods and method groups listed below. In general, we have disabled SHA-1-based methods, since SHA-1 has been broken since early 2017 (cf. Stevens et al.: “The first collision for Full SHA-1”).

We kindly ask you to update your client configuration accordingly, since these methods can no longer be used to access the RWTH Aachen HPC Cluster until further notice:

Deprecated Key Exchange Algorithms (KexAlgorithms):

  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha1

Deprecated Message Authentication Codes (MACs):

  • hmac-sha1
  • hmac-sha1-etm@openssh.com
  • umac-64-etm@openssh.com
  • umac-64@openssh.com

Deprecated Encryption Ciphers (Ciphers):

  • aes128-cbc
  • aes192-cbc
  • aes256-cbc

Deprecated GSSAPI Key Exchange Algorithms (GSSAPIKexAlgorithms):

  • gss-gex-sha1-
  • gss-group1-sha1-
  • gss-group14-sha1

We have also added support for new methods, which we strongly encourage you to use:

NEW Key Exchange Algorithms (KexAlgorithms):

  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • diffie-hellman-group18-sha512
  • diffie-hellman-group16-sha512

NEW GSSAPI Key Exchange Algorithms (GSSAPIKexAlgorithms):

  • gss-curve25519-sha256-
  • gss-group16-sha512-
  • gss-group14-sha256-
  • gss-nistp256-sha256-

We strongly recommend using only the most secure supported methods:

Recommended Methods (CLAIX18):

  • KexAlgorithms  curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
  • MACs  hmac-sha2-512-etm@openssh.com,hmac-sha2-512
  • Ciphers  aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
  • GSSApiKexAlgorithms  gss-curve25519-sha256-,gss-group16-sha512-

Best regards
Your HPC-Team@RWTH


You can track any disruptions or security advisories that may occur due to the aforementioned change in the Email category on our status reporting portal.
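
To check a client against the lists in this announcement, the following added example (not part of the original announcement and not IT Center code) parses the effective configuration printed by `ssh -G` and reports every disabled method the client still offers, plus any category in which none of the recommended methods is offered. The function name `audit_ssh_config`, the sample input and the `<login-node>` placeholder are assumptions; the `gssapikexalgorithms` line is only printed by OpenSSH builds that carry the GSSAPI key exchange patch.

```shell
#!/bin/sh
# Added example: audit `ssh -G` output against the lists in this announcement.
# GSSAPI names are compared without their trailing "-".
DEPRECATED='kexalgorithms diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1
macs hmac-sha1 hmac-sha1-etm@openssh.com umac-64-etm@openssh.com umac-64@openssh.com
ciphers aes128-cbc aes192-cbc aes256-cbc
gssapikexalgorithms gss-gex-sha1 gss-group1-sha1 gss-group14-sha1'
RECOMMENDED='kexalgorithms curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group18-sha512
macs hmac-sha2-512-etm@openssh.com hmac-sha2-512
ciphers aes256-gcm@openssh.com chacha20-poly1305@openssh.com
gssapikexalgorithms gss-curve25519-sha256 gss-group16-sha512'

# Reads `ssh -G <host>` output on stdin and prints one finding per line:
#   DEPRECATED <keyword> <algorithm>  the client still offers a disabled method
#   NO-RECOMMENDED <keyword>          the client offers none of the recommended ones
audit_ssh_config() {
    DEP="$DEPRECATED" REC="$RECOMMENDED" awk '
    function load(text, table,    n, rows, i, m, f, j) {
        n = split(text, rows, "\n")
        for (i = 1; i <= n; i++) {
            m = split(rows[i], f, " ")
            for (j = 2; j <= m; j++) table[f[1], f[j]] = 1
        }
    }
    BEGIN { load(ENVIRON["DEP"], bad); load(ENVIRON["REC"], good) }
    {
        key = tolower($1)
        if (key !~ /^(kexalgorithms|macs|ciphers|gssapikexalgorithms)$/) next
        n = split($2, algs, ",")
        hit = 0
        for (i = 1; i <= n; i++) {
            a = algs[i]; sub(/-$/, "", a)
            if ((key, a) in bad) print "DEPRECATED", key, algs[i]
            if ((key, a) in good) hit = 1
        }
        if (!hit) print "NO-RECOMMENDED", key
    }'
}

# Constructed sample of `ssh -G` output (not captured from a real client).
SAMPLE='kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
macs hmac-sha1,umac-64@openssh.com
ciphers aes256-gcm@openssh.com,aes128-cbc
gssapikexalgorithms gss-group14-sha1-,gss-group16-sha512-'
printf '%s\n' "$SAMPLE" | audit_ssh_config
# Real use: ssh -G <login-node> | audit_ssh_config   (<login-node> is a placeholder)
```

A `NO-RECOMMENDED` finding is a policy warning against the recommended list above, not proof that the connection will fail, since the cluster may accept further methods this announcement does not list.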
