06-30-2008 07:08 AM
Openssl
1) Is it possible to not show the ssh fingerprint at the exchange of the RSA key?
2) How to disallow ciphers with low encryption?
Thanks, and excuse me for my bad English, like macaroni.
Luca
06-30-2008 09:35 AM
Re: Openssl
1) Probably not, though if you use a script you can send the output to /dev/null.
2) Probably not. This would compromise security.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-30-2008 10:40 AM
Re: Openssl
By "ssh fingerprint", do you mean the client/server version numbers? That's a part of the SSH protocol, and allows each endpoint to work around known bugs in the other endpoint.
Or do you mean the fingerprint of the RSA public key? Omitting that would require a major re-work of the SSH key authentication protocol. Not easy.
2) In what context?
For SSH, use the "Ciphers" keyword in the SSH configuration files (both client and server).
For any other software that uses the OpenSSL library, check the documentation of that particular software.
07-01-2008 12:23 AM
Re: Openssl
1) I think the fingerprint is the banner presented with the key to exchange. I think that security would like to not show, when exchanging keys, the following message:
"The server's host key is not cached in your registry...
the server's rsa2 key fingerprint is:
ssh-rsa 1024........." and ask only yes to exchange keys or not.
2) I would like to disable only the low ciphers, and use only the large encrypted ciphers, but I think I would have trouble with old ssh clients if I disable the low ciphers (48 bit, 64 bit ....)
thanks
Luca
07-01-2008 02:43 AM
Re: Openssl
The fingerprint in that situation is the fingerprint of the SSH server's hostkey's _public_ part. The SSH client receives the public hostkey and stores it into the .ssh/known_hosts file. So there is no point in keeping the fingerprint secret. Knowing the public key (or its fingerprint) does not help the intruder in creating a fake server: the intruder would require the server's _private_ hostkey for that.
The fingerprint is displayed the first time the client connects to a particular server, to allow the user to make sure he's connecting to the correct server. Of course, if the user does not know the correct fingerprint or does not compare the displayed fingerprint to the correct one, this verification is useless. So hiding the fingerprint either has no effect (with the average user) or it would slightly _weaken_ the overall security (if the user is exceptionally security-smart).
The fingerprint display is done by the SSH client, so if you install a modified client that does not display the fingerprint, the attacker can use his own client that does.
If you want to avoid the "host key is not cached..." messages, you can use the "ssh-keyscan" command to collect all the public hostkeys of your servers into one file and make them available to your clients in advance.
For the HP-UX OpenSSH client, the easiest way is to place the file of public hostkeys in /etc/opt/ssh/ssh_known_hosts:
ssh-keyscan -t rsa server1 server2 server3... >>/etc/opt/ssh/ssh_known_hosts
For SSH clients on the users' Windows workstations, the procedure depends on which client is installed. There is no standard location or format for the file similar to ssh_known_hosts on the Windows platform.
If you're certain that your ssh_known_hosts file covers all the legitimate destinations for your users, you could configure your SSH client to disallow connections if the public hostkey is not listed in the ssh_known_hosts file. For the HP-UX OpenSSH client, this setting is "StrictHostKeyChecking yes" in /etc/opt/ssh/ssh_config. For Windows SSH clients, see your SSH client's documentation.
2)
You should read "man sshd_config". The default "Ciphers" setting for OpenSSH allows the following encryption methods only:
aes128-cbc,
3des-cbc,
blowfish-cbc,
cast128-cbc,
arcfour,
aes192-cbc,
aes256-cbc,
aes128-ctr,
aes192-ctr,
aes256-ctr
At the moment, I think only the "arcfour" cipher might be considered low-quality. All the 64-bit or lower ciphers are disabled by default, and you'll need to explicitly enable them to use them. If this is not true for your SSH version, you're using a very old version of OpenSSH and you should upgrade it.
MK
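As an added illustration of the points above (not code from any poster in this thread), the following script shows what a host key fingerprint actually is (a hash of the public key blob the client receives anyway), how the ssh_known_hosts lines written by ssh-keyscan are parsed, and what "StrictHostKeyChecking yes" decides for a listed, a changed and an unlisted host. The key material and the known_hosts file are constructed inline with made-up moduli, not real keys.

```python
import base64
import hashlib
import struct
# OpenSSH public-key wire format (RFC 4253 6.6): string "ssh-rsa", mpint e, mpint n
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b
def _mpint(n: int) -> bytes:
    # big-endian, with a leading 0x00 when the top bit is set so the value stays positive
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def rsa_blob(e: int, n: int) -> bytes:
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
# The fingerprint is just a hash of this public blob, the same bytes every client receives
def fingerprint_md5(blob: bytes) -> str:      # classic "xx:xx:..." form shown by ssh
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))
def fingerprint_sha256(blob: bytes) -> str:   # newer "SHA256:..." form (unpadded base64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
# ssh_known_hosts lines as written by ssh-keyscan: "host1,host2 keytype base64blob [comment]"
def parse_known_hosts(text: str) -> dict:
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        for host in parts[0].split(","):
            known[host] = (parts[1], base64.b64decode(parts[2]))
    return known
def strict_check(known: dict, host: str, keytype: str, blob: bytes) -> str:
    # StrictHostKeyChecking yes: only "match" may connect; "unknown" and "mismatch" are refused
    if host not in known:
        return "unknown"
    return "match" if known[host] == (keytype, blob) else "mismatch"
# Constructed sample keys (tiny made-up moduli, NOT real RSA keys) and a constructed
# ssh_known_hosts file of the kind "ssh-keyscan -t rsa server1 server2" would produce.
SERVER1_BLOB = rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
SERVER2_BLOB = rsa_blob(65537, 0xDEADBEEFCAFEF00D12345)
KNOWN_HOSTS = "\n".join([
    "server1,10.0.0.1 ssh-rsa " + base64.b64encode(SERVER1_BLOB).decode(),
    "server2 ssh-rsa " + base64.b64encode(SERVER2_BLOB).decode(),
])
if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    print("server1 fingerprints:", fingerprint_md5(SERVER1_BLOB), fingerprint_sha256(SERVER1_BLOB))
    print("server1 presents its own key ->", strict_check(known, "server1", "ssh-rsa", SERVER1_BLOB))
    print("server1 presents another key ->", strict_check(known, "server1", "ssh-rsa", SERVER2_BLOB))
    print("server3 is not listed        ->", strict_check(known, "server3", "ssh-rsa", SERVER1_BLOB))
```

Because the fingerprint is derived only from the public blob, anyone who has connected once can compute it; what the attacker lacks is the private half needed to answer the host key challenge.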
07-01-2008 02:58 AM
Re: Openssl
Luca