{"id":402,"date":"2023-08-04T11:17:34","date_gmt":"2023-08-04T09:17:34","guid":{"rendered":"https:\/\/blog.rwth-aachen.de\/itc-changes\/?p=402"},"modified":"2023-10-12T10:26:13","modified_gmt":"2023-10-12T08:26:13","slug":"english-change-in-ssh-configuration-depreciation-of-insecure-methods-addition-of-new-methods","status":"publish","type":"post","link":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/2023\/08\/04\/english-change-in-ssh-configuration-depreciation-of-insecure-methods-addition-of-new-methods\/","title":{"rendered":"Change in SSH Configuration: Depreciation of Insecure Methods, Addition of New Methods"},"content":{"rendered":"<p>As the result of a recent security evaluation, we have decided to disable several methods in key exchange, message authentication codes and encryption ciphers classified insecure\/weak which obsoletes the following methods and method groups as listed below. <strong>In general, we have disabled SHA-1-based methods<\/strong> since SHA-1 is broken since early 2017 (cf. <a href=\"https:\/\/shattered.io\/\"><em>Stevens et al.: &#8220;The first collision for Full SHA-1&#8221;<\/em><\/a>).<\/p>\n<p>We kindly ask you to update your client configuration accordingly since these methods cannot be used anymore to access the RWTH Aachen HPC Cluster until further notice:<!--more--><\/p>\n<h4>Depreciated Key Exchange Algorithms (KexAlgorithms):<\/h4>\n<ul>\n<li>diffie-hellman-group1-sha1<\/li>\n<li>diffie-hellman-group14-sha1<\/li>\n<li>diffie-hellman-group-exchange-sha1<\/li>\n<\/ul>\n<h4>Depreciated Message Authentication Codes (MACs):<\/h4>\n<ul>\n<li>\n<pre>hmac-sha1<\/pre>\n<\/li>\n<li>\n<pre>hmac-sha1-etm@openssh.com<\/pre>\n<\/li>\n<li>\n<pre>umac-64-etm@openssh.com<\/pre>\n<\/li>\n<li>\n<pre>umac-64@openssh.com<\/pre>\n<\/li>\n<\/ul>\n<h4>Depreciated Encryption Ciphers (Ciphers):<\/h4>\n<ul>\n<li>\n<pre>aes128-cbc<\/pre>\n<\/li>\n<li>\n<pre>aes192-cbc<\/pre>\n<\/li>\n<li>\n<pre>aes256-cbc<\/pre>\n<\/li>\n<\/ul>\n<h4>Depreciated GSSAPI Key Exchange Algorithms (GSSAPIKexAlgorithms):<\/h4>\n<ul>\n<li>\n<pre>gss-gex-sha1-<\/pre>\n<\/li>\n<li>\n<pre>gss-group1-sha1-<\/pre>\n<\/li>\n<li>\n<pre>gss-group14-sha1<\/pre>\n<\/li>\n<\/ul>\n<p>However, we have also added the support for new methods which we strongly encourage you to use:<\/p>\n<h4><span style=\"color: #ff0000;\">NEW<\/span> Key Exchange Algorithms (KexAlgorithms):<\/h4>\n<ul>\n<li>\n<pre>curve25519-sha256<\/pre>\n<\/li>\n<li>\n<pre>curve25519-sha256@libssh.org<\/pre>\n<\/li>\n<li>\n<pre>diffie-hellman-group18-sha512<\/pre>\n<\/li>\n<li>\n<pre>diffie-hellman-group16-sha512<\/pre>\n<\/li>\n<\/ul>\n<h4><span style=\"color: #ff0000;\">NEW<\/span> GSSAPI Key Exchange Algorithms (GSSAPIKexAlgorithms):<\/h4>\n<ul>\n<li>\n<pre>gss-curve25519-sha256-<\/pre>\n<\/li>\n<li>\n<pre>gss-group16-sha512-<\/pre>\n<\/li>\n<li>\n<pre>gss-group14-sha256-<\/pre>\n<\/li>\n<li>\n<pre>gss-nistp256-sha256-<\/pre>\n<\/li>\n<\/ul>\n<p>We always highly recommend you to use the most secure supported methods only:<\/p>\n<h4>Recommended Methods (CLAIX18):<\/h4>\n<ul>\n<li>\n<pre>KexAlgorithms  curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512<\/pre>\n<\/li>\n<li>\n<pre>MACs  hmac-sha2-512-etm@openssh.com,hmac-sha2-512<\/pre>\n<\/li>\n<li>\n<pre>Ciphers  aes256-gcm@openssh.com,chacha20-poly1305@openssh.com<\/pre>\n<\/li>\n<li>\n<pre>GSSApiKexAlgorithms  gss-curve25519-sha256-,gss-group16-sha512-<\/pre>\n<\/li>\n<\/ul>\n<p>Best regards<br \/>\nYour HPC-Team@RWTH<\/p>\n<hr \/>\n<p>You can track any disruptions or security advisories that may occur due to the aforementioned change in the Email category on our <a href=\"https:\/\/maintenance.rz.rwth-aachen.de\/ticket\/status\/messages\/14-rechner-cluster\">status reporting<\/a> portal.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As the result of a recent security evaluation, we have decided to disable several methods in key exchange, message authentication codes and encryption ciphers classified insecure\/weak which obsoletes the following [&hellip;]<\/p>\n","protected":false},"author":5173,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"c2c_always_allow_admin_comments":false,"footnotes":""},"categories":[12,1],"tags":[],"class_list":["post-402","post","type-post","status-publish","format-standard","hentry","category-allgemein","category-hpc"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/posts\/402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/users\/5173"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/comments?post=402"}],"version-history":[{"count":19,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/posts\/402\/revisions"}],"predecessor-version":[{"id":448,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/posts\/402\/revisions\/448"}],"wp:attachment":[{"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/media?parent=402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/categories?post=402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc-changes\/en\/wp-json\/wp\/v2\/tags?post=402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}