Re: Patch for SSH vulnerability CVE-2023-48795 Terrapin attacks
Posted: 2024/01/03 20:36:18
The Community ENTerprise Operating System
https://forums.centos.org/
Thanks jlehtone!
jlehtone wrote: ↑2023/12/22 08:28:23
IMHO, an install of EL8 or EL9 based distro is the "least effort" way to get supported ssh (and distro).
Yes, it has its own hurt, but that hurt is inevitable (Soon™).
Red Hat introduced central crypto policies in EL8. One tool offers (crypto bits of) config for multiple programs/services/systems:
• GnuTLS library (GnuTLS, SSL, TLS)
• OpenSSL library (OpenSSL, SSL, TLS)
• NSS library (NSS, SSL, TLS)
• OpenJDK (java-tls, SSL, TLS)
• Libkrb5 (krb5, kerberos)
• BIND (BIND, DNSSec)
• OpenSSH (OpenSSH, SSH)
• Libreswan (libreswan, IKE, IPSec)
• libssh (libssh, SSH)
As you found, EL7 does not yet have such a tool; one has to modify configs "manually".
For example, the sshd config in EL9 does contain:
Code: Select all
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config
(The sshd in EL7 does not have the 'Include' keyword either.)
Note: sshd -- at least on EL9 -- does use first occurrence for most options.
Code: Select all
ciphers a,b,c
ciphers b,x
Code: Select all
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Code: Select all
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Code: Select all
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
macs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Replacing a server is not always an option. It would have been nice if CE7 was upgradeable like Debian is. All the more reason to go with Debian moving forward.
jlehtone wrote: ↑2023/12/21 14:01:01
In other words the impact of the issue is too low for Red Hat to allocate resources for a fix for el7.
The maintenance support for RHEL 7 ends June 30, 2024 and therefore CentOS has EoL June 30, 2024.
Since there are only six months left, it would be smarter to shift to some other distro now than to hack CentOS 7.
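Added example (my own, not code from this thread, from jlehtone, or from OpenSSH/Red Hat): a small Python audit that applies sshd's first-occurrence rule to an sshd_config, reports the algorithm combinations Terrapin (CVE-2023-48795) can attack (chacha20-poly1305@openssh.com, and CBC ciphers paired with *-etm@openssh.com MACs), and emits the trimmed Ciphers/MACs lines of the kind shown in the post, which drop chacha20 and every -etm MAC. The sample configs are constructed here; the EL7 default lists are the ones quoted in the thread. Assumptions: plain comma-separated lists only (the +/-/^ list-modifier syntax is not modelled), Include is not followed (EL7's sshd has no Include keyword), and parsing stops at the first Match block since Ciphers/MACs are not valid inside one.

```python
"""Audit an EL7-style sshd_config for Terrapin (CVE-2023-48795) algorithms.

Added example, not code from the forum thread or from OpenSSH/Red Hat.
It models two facts from the thread:
  * sshd uses the FIRST occurrence of a keyword such as Ciphers or MACs,
    so a hardened line appended at the end of the file has no effect;
  * the EL7 mitigation (OpenSSH 7.4 has no strict-kex) is to remove
    chacha20-poly1305@openssh.com and the *-etm@openssh.com MACs.
Everything below runs offline: the sample configs are constructed here.
"""
import re

# Lists OpenSSH 7.4 (EL7) uses when the keyword is absent; taken from the
# first Ciphers/MACs lines quoted in the thread.
EL7_DEFAULT_CIPHERS = (
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,"
    "aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc"
).split(",")
EL7_DEFAULT_MACS = (
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
    "hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
    "hmac-sha2-256,hmac-sha2-512,hmac-sha1"
).split(",")

CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"


def effective_options(config_text):
    """Return {keyword: value} using sshd's first-occurrence rule.

    Keywords are case-insensitive; '#' comments and blank lines are skipped.
    Parsing stops at the first Match block (Ciphers/MACs are not allowed in
    one, and anything after it is conditional).  Include lines are kept as
    an ordinary keyword and not followed: EL7's sshd has no Include at all
    (assumption of this example; on EL8/9 the crypto-policy file comes in
    through Include, so audit the included file there too).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key not in seen:          # a later duplicate is ignored by sshd
            seen[key] = value
    return seen


def effective_algorithms(config_text):
    """Effective (ciphers, macs) lists, falling back to the EL7 defaults."""
    opts = effective_options(config_text)
    ciphers = opts.get("ciphers", ",".join(EL7_DEFAULT_CIPHERS)).split(",")
    macs = opts.get("macs", ",".join(EL7_DEFAULT_MACS)).split(",")
    return ciphers, macs


def terrapin_findings(ciphers, macs):
    """Describe the Terrapin-attackable combinations in this selection."""
    findings = []
    if CHACHA in ciphers:
        findings.append(f"cipher {CHACHA} is affected regardless of MAC")
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith(ETM_SUFFIX)]
    if cbc and etm:
        findings.append(f"CBC ciphers {cbc} with EtM MACs {etm}")
    return findings


def hardened_lines(ciphers, macs):
    """Ciphers/MACs lines to place BEFORE any existing ones in sshd_config.

    Same conservative cut as in the thread: drop chacha20 and every *-etm
    MAC, keeping the CBC ciphers for old clients.  They must come first in
    the file because the first occurrence wins.
    """
    keep_c = [c for c in ciphers if c != CHACHA]
    keep_m = [m for m in macs if not m.endswith(ETM_SUFFIX)]
    return f"Ciphers {','.join(keep_c)}", f"MACs {','.join(keep_m)}"


# --- constructed sample configs -------------------------------------------
FIRST_WINS = "ciphers a,b,c\nciphers b,x\n"   # the thread's case: a,b,c is used

# EL7 config where an admin appended a "fix" after the shipped lines: it is
# silently ignored, so the server still negotiates the default lists.
APPENDED_FIX = (
    "Port 22\n"
    "# lines shipped in the EL7 sshd_config\n"
    "Ciphers " + ",".join(EL7_DEFAULT_CIPHERS) + "\n"
    "MACs " + ",".join(EL7_DEFAULT_MACS) + "\n"
    "Ciphers aes256-ctr,aes128-ctr\n"     # appended later: never used
    "MACs hmac-sha2-256\n"                # appended later: never used
    "Match User backup\n"
    "    PasswordAuthentication no\n"
)

if __name__ == "__main__":
    c, m = effective_algorithms(APPENDED_FIX)
    for f in terrapin_findings(c, m):
        print("FINDING:", f)
    print("\n".join(hardened_lines(c, m)))
```

Run it against a real file with `effective_algorithms(open("/etc/ssh/sshd_config").read())`; on an EL8/9 host remember that the effective values live in the included crypto-policy back-end file, and the clean way to change them there is update-crypto-policies(8) rather than editing sshd_config.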