So it's been a while since this bug was discussed, and even longer since it was opened.
Things have changed, since. SHA-1 has been retired in OpenSSH 7, for example... Is this still relevant?

taggart, how did you generate those nice tables, can you make them again? :)

On 2015-09-10 16:19:21, Matt Taggart wrote:
> I was interested in what crypto features the ssh in each Debian release
> supported, to see what disabling some would mean, so I gathered the info.
> Let me know if you see any errors.
>
> Current versions of openssh as of Sept 10, 2015:
>
> | squeeze-lts | 1:5.5p1-6+squeeze6 |
> | wheezy      | 1:6.0p1-4+deb7u2   |
> | jessie      | 1:6.7p1-5          |
> | stretch     | 1:6.9p1-1          |
> | sid         | 1:6.9p1-2          |
>
> Tables of crypto features that the openssh in each release of Debian
> supports. Gathered with ssh -Q(jessie and newer), ssh_config(5) and
> source(wheezy and squeeze). (These will look better with a fixed width font)
>
> Key types
> | sq | wh | je | st | si | type                                     |
> =====================================================================
> | X  | X  | X  | X  | X  | ssh-rsa                                  |
> | X  | X  | X  | X  | X  | ssh-dss                                  |
> | X  | X  | X  | X  | X  | ssh-rsa-cert-...@openssh.com             |
> | X  | X  | X  | X  | X  | ssh-dss-cert-...@openssh.com             |
> | X  | X  | X  | X  | X  | ssh-rsa-cert-...@openssh.com             |
> | X  | X  | X  | X  | X  | ssh-dss-cert-...@openssh.com             |
> |    | X  | X  | X  | X  | ecdsa-sha2-nistp256                      |
> |    | X  | X  | X  | X  | ecdsa-sha2-nistp384                      |
> |    | X  | X  | X  | X  | ecdsa-sha2-nistp521                      |
> |    | X  | X  | X  | X  | ecdsa-sha2-nistp256-cert-...@openssh.com |
> |    | X  | X  | X  | X  | ecdsa-sha2-nistp384-cert-...@openssh.com |
> |    | X  | X  | X  | X  | ecdsa-sha2-nistp521-cert-...@openssh.com |
> |    |    | X  | X  | X  | ssh-ed25519                              |
> |    |    | X  | X  | X  | ssh-ed25519-cert-...@openssh.com         |
>
>
> KexAlgorithms
> | sq | wh | je | st | si | type                                 |
> =================================================================
> | X  | X  | X  |    | X  | diffie-hellman-group-exchange-sha256 |
> | X  | X  | X  |    | X  | diffie-hellman-group-exchange-sha1   |
> | X  | X  | X  |    | X  | diffie-hellman-group14-sha1          |
> | X  | X  | X  |    | X  | diffie-hellman-group1-sha1           |
> |    | X  | X  |    | X  | ecdh-sha2-nistp256                   |
> |    | X  | X  |    | X  | ecdh-sha2-nistp384                   |
> |    | X  | X  |    | X  | ecdh-sha2-nistp521                   |
> |    |    | X  |    | X  | curve25519-sha...@libssh.org         |
>
> Ciphers
> | sq | wh | je | st | si | type                          |
> ==========================================================
> | X  | X  | X  | X  | X  | aes128-ctr                    |
> | X  | X  | X  | X  | X  | aes192-ctr                    |
> | X  | X  | X  | X  | X  | aes256-ctr                    |
> | X  | X  | X  | X  | X  | arcfour                       |
> | X  | X  | X  | X  | X  | arcfour256                    |
> | X  | X  | X  | X  | X  | arcfour128                    |
> | X  | X  | X  | X  | X  | aes128-cbc                    |
> | X  | X  | X  | X  | X  | 3des-cbc                      |
> | X  | X  | X  | X  | X  | blowfish-cbc                  |
> | X  | X  | X  | X  | X  | cast128-cbc                   |
> | X  | X  | X  | X  | X  | aes192-cbc                    |
> | X  | X  | X  | X  | X  | aes256-cbc                    |
> |    |    | X  | X  | X  | aes128-...@openssh.com        |
> |    |    | X  | X  | X  | aes256-...@openssh.com        |
> |    |    | X  | X  | X  | chacha20-poly1...@openssh.com |
> |    |    | X  | X  | X  | rijndael-...@lysator.liu.se   |
>
> MACs
> | sq | wh | je | st | si | type                             |
> =============================================================
> | X  | X  | X  | X  | X  | hmac-md5                         |
> | X  | X  | X  | X  | X  | hmac-sha1                        |
> | X  | X  | X  | X  | X  | umac...@openssh.com              |
> | X  | X  | X  | X  | X  | hmac-ripemd160                   |
> | ?  | X  | X  | X  | X  | hmac-ripemd...@openssh.com       |
> | X  | X  | X  | X  | X  | hmac-sha1-96                     |
> | X  | X  | X  | X  | X  | hmac-md5-96                      |
> | X  | X  | X  | X  | X  | hmac-sha2-256                    |
> | X  | X  |    |    |    | hmac-sha2-256-96                 | *
> | X  | X  | X  | X  | X  | hmac-sha2-512                    |
> | X  | X  |    |    |    | hmac-sha2-512-96                 | *
> |    |    | X  | X  | X  | umac-64-...@openssh.com          |
> |    |    | X  | X  | X  | umac-128-...@openssh.com         |
> |    |    | X  | X  | X  | hmac-sha2-256-...@openssh.com    |
> |    |    | X  | X  | X  | hmac-sha2-512-...@openssh.com    |
> |    |    | X  | X  | X  | umac-...@openssh.com             |
> |    |    | X  | X  | X  | hmac-md5-...@openssh.com         |
> |    |    | X  | X  | X  | hmac-sha1-...@openssh.com        |
> |    |    | X  | X  | X  | hmac-ripemd160-...@openssh.com   |
> |    |    | X  | X  | X  | hmac-sha1-96-...@openssh.com     |
> |    |    | X  | X  | X  | hmac-md5-96-...@openssh.com      |
>
> * https://bugzilla.mindrot.org/show_bug.cgi?id=2023
>
> After I have a chance to look at these and think about the implications, I
> will send another message with thoughts about what disabling weaker things
> would mean.
>
> HTH,
>
> --
> Matt Taggart
> tagg...@debian.org

--
Blind respect for authority is the greatest enemy of truth.
- Albert Einstein
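
The quoted message says the tables were gathered with `ssh -Q` on jessie and newer. One way to merge such per-release listings into the same table layout and see what an upgrade drops, as an added example that is not part of the original thread and not Matt Taggart's script: the function names are hypothetical, and the sample input is a constructed subset of the MACs table above.

```python
import subprocess

def query_local(kind):
    """Algorithms the local client lists for `ssh -Q <kind>` (key, kex, cipher, mac)."""
    out = subprocess.run(["ssh", "-Q", kind], capture_output=True,
                         text=True, check=True).stdout
    return out.split()

def build_matrix(per_release):
    """per_release maps release name -> list of algorithm names, in column order.
    Returns (releases, rows) with rows = [(algorithm, [supported per release])],
    ordered by first appearance when scanning the releases left to right."""
    releases = list(per_release)
    order = []
    for rel in releases:
        for alg in per_release[rel]:
            if alg not in order:
                order.append(alg)
    sets = {rel: set(algs) for rel, algs in per_release.items()}
    return releases, [(alg, [alg in sets[rel] for rel in releases]) for alg in order]

def removed_between(per_release, old, new):
    """Algorithms offered by `old` but not by `new`: what peers lose on upgrade."""
    new_set = set(per_release[new])
    return [alg for alg in per_release[old] if alg not in new_set]

def render(releases, rows):
    """Format the matrix in the pipe-separated style used in the thread."""
    header = "| " + " | ".join(rel[:2] for rel in releases) + " | type"
    lines = [header, "=" * max(len(header), 40)]
    for alg, marks in rows:
        cells = " | ".join("X " if m else "  " for m in marks)
        lines.append("| " + cells + " | " + alg)
    return "\n".join(lines)

# Constructed sample input: a few rows copied from the MACs table in the thread.
# On a live system, replace each list with query_local("mac") run on that release.
SAMPLE_MACS = {
    "wheezy": ["hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha2-256-96"],
    "jessie": ["hmac-md5", "hmac-sha1", "hmac-sha2-256"],
}

if __name__ == "__main__":
    print(render(*build_matrix(SAMPLE_MACS)))
    print("dropped wheezy -> jessie:",
          removed_between(SAMPLE_MACS, "wheezy", "jessie"))
```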