OpenSSH-6.8p1 With LibreSSL (LibreSSH) Is Now!

July 06, 2015

OpenSSH with LibreSSL is now available. I have tested LibreSSH on AIX 5.3 TL7, AIX 6.1 TL7 and AIX 7.1 TL3 and it works on all of them. In each case the stock openssl.base and openssh.base filesets were already installed. The special behavior is that aixtools.libressl.openssh copies the config files and host keys from /etc/ssh to /var/openssh/etc and "downgrades" the Ciphers and Key Exchange Algorithms (KexAlgorithms) so that they are equivalent to what the existing openssh.base server accepted (more on that later). This is to be sure you still have connectivity with your current clients after installation. Note: the SRC subsystem for sshd is also modified to start "LibreSSH" instead of the IBM sshd.

root@x065:[/]lslpp -L | grep ssh
  aixtools.libressl.openssh.man.en_US
  aixtools.libressl.openssh.rte
  openssh.base.client     4.5.0.5301    C     F    Open Secure Shell Commands
  openssh.base.server     4.5.0.5301    C     F    Open Secure Shell Server
root@x065:[/]lslpp -L aixtools.libressl.openssh.rte
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  aixtools.libressl.openssh.rte
                          6.8.1.1601    C     F    1525 0623 1416

Note the release (vrmf) number. The original openssh-6.8p1 was linked to an unofficial version of LibreSSL (v2.1.6) as aixtools.libressl.openssh 6.8.0.1601. I left the 1601 part "as is" - with the 16 representing the letter 'p' as the 16th letter of the alphabet and the 01 as the '1'. In short, 'p1' becomes '1601'. So the number I felt most at ease with updating was the remaining '0' (zero) to signify that it needs the newest LibreSSL.

Back to ciphers: for years the default cipher list has included the so-called CBC ciphers. CBC is Cipher Block Chaining, and it has been in the news recently because of POODLE, a padding-oracle attack on CBC mode in SSL 3.0 (and in some TLS implementations). SSH is not affected by POODLE itself, since it pads and authenticates differently, but its CBC modes have their own plaintext-recovery weakness (CVE-2008-5161), which is why the OpenSSH developers stopped offering them. The short message is the same in both worlds: CBC ciphers, and SSL3/TLS1.0/TLS1.1, need to go.

Starting with the release of OpenSSH-6.7p1 the OpenSSH developers at openbsd.org did the following:

"Changes since OpenSSH 6.6
=========================

Potentially incompatible changes

 * sshd(8): The default set of ciphers and MACs has been altered to
   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
   are disabled by default.

   The full set of algorithms remains available if configured
   explicitly via the Ciphers and MACs sshd_config options.
"

I have a very old client, so I experienced the "potential" right away. Specifically, I added the following to "sshd_config" to support my old client while I look for a new client that works as nicely as my old one from ssh.com, from when they still provided software to the general public (now, sadly, only B2B):

"
######### Add old ciphers to support AIX at version 6.0 and lower #############
# Ciphers
# The defaults starting with OpenSSH 6.7 are:
# aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
# Older clients may need an older cipher, e.g. aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour
# Keep the 6.7 defaults in the list as well: the negotiated cipher is the first
# one in the CLIENT's preference list that the server also offers, so listing
# only CBC/arcfour would force every client, new ones included, onto them.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour

# KexAlgorithms (Key Exchange algorithms)
# The defaults starting with OpenSSH 6.7 are:
# curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
# Old clients may only know diffie-hellman-group1-sha1 (a 1024-bit group);
# again, add it to the defaults rather than listing it alone.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"
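To see what such a snippet actually does to clients, here is an added example (my own code, not part of the post or of the aixtools packages): a small Python audit that parses the global section of a sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored), fills in the OpenSSH 6.7 server defaults from that release's sshd_config(5) when a keyword is absent, flags legacy ciphers and key exchanges, and then simulates the RFC 4253 negotiation rule (first algorithm in the client's list that the server also supports) for an old and a modern client. The two config snippets and the two client offer lists are constructed for the demonstration, not captured from real clients.

```python
"""Audit the Ciphers/KexAlgorithms a sshd_config leaves in effect and show
what an old and a modern client would negotiate against it.
Added example; not code from the post or from the aixtools packages."""
import re

# OpenSSH 6.7 sshd defaults, as listed in that release's sshd_config(5).
DEFAULT_CIPHERS = [
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1",
]

# Legacy here means: CBC modes, RC4 (arcfour*), and the 1024-bit or
# SHA-1 group-exchange key exchanges that 6.7 no longer offers by default.
LEGACY_CIPHER_RE = re.compile(r"(-cbc$|^arcfour|^3des|^blowfish|^cast128)")
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of a sshd_config.

    Mirrors two sshd rules: comments and blank lines are ignored, and for
    each keyword the FIRST occurrence wins.  Parsing stops at the first
    Match block because keywords inside it are conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def effective(opts, keyword, defaults):
    """Algorithm list sshd would use for `keyword`: configured or the default."""
    if keyword not in opts:
        return list(defaults)
    return [a.strip() for a in opts[keyword].split(",") if a.strip()]


def negotiate(client_offer, server_list):
    """RFC 4253 section 7.1: the client's first preference that the server
    also supports; None means 'no matching cipher/kex found', i.e. the
    connection fails."""
    for alg in client_offer:
        if alg in server_list:
            return alg
    return None


def audit(config_text):
    """Return the effective lists plus human-readable findings."""
    opts = parse_sshd_config(config_text)
    ciphers = effective(opts, "ciphers", DEFAULT_CIPHERS)
    kex = effective(opts, "kexalgorithms", DEFAULT_KEX)
    findings = []
    weak_c = [c for c in ciphers if LEGACY_CIPHER_RE.search(c)]
    if weak_c:
        findings.append("legacy ciphers enabled: " + ",".join(weak_c))
    if len(weak_c) == len(ciphers):
        findings.append("only legacy ciphers listed: modern clients get CBC/RC4 or cannot connect")
    weak_k = [k for k in kex if k in LEGACY_KEX]
    if weak_k:
        findings.append("legacy key exchange enabled: " + ",".join(weak_k))
    if len(weak_k) == len(kex):
        findings.append("only legacy kex listed: every session uses a 1024-bit group or SHA-1 exchange")
    return {"ciphers": ciphers, "kex": kex, "findings": findings}


# Constructed inputs: the post's snippet as originally written (replacing the
# defaults), and the same legacy algorithms appended to the 6.7 defaults.
LEGACY_CIPHERS = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "blowfish-cbc", "arcfour"]
SNIPPET_REPLACING = "ciphers " + ",".join(LEGACY_CIPHERS) + "\nKexAlgorithms diffie-hellman-group1-sha1\n"
SNIPPET_APPENDING = ("Ciphers " + ",".join(DEFAULT_CIPHERS + LEGACY_CIPHERS) + "\n"
                     + "KexAlgorithms " + ",".join(DEFAULT_KEX + ["diffie-hellman-group1-sha1"]) + "\n")

# Assumed client offers (constructed, not measured from real clients): a
# 6.7-era client sending only CTR/AEAD modes, and an old one knowing only CBC/RC4.
MODERN_CLIENT = ["aes128-ctr", "aes256-ctr", "chacha20-poly1305@openssh.com"]
OLD_CLIENT = ["aes128-cbc", "3des-cbc", "blowfish-cbc", "arcfour"]

if __name__ == "__main__":
    for name, cfg in (("replacing", SNIPPET_REPLACING), ("appending", SNIPPET_APPENDING)):
        result = audit(cfg)
        print(name, result["findings"])
        for who, offer in (("modern client", MODERN_CLIENT), ("old client", OLD_CLIENT)):
            print("   ", who, "->", negotiate(offer, result["ciphers"]))
```

Run against the replacing snippet, the modern client negotiates nothing at all (None), because the server no longer offers a single CTR or AEAD mode; against the appending snippet it gets aes128-ctr while the old client still gets aes128-cbc, which is the interoperability the post is after without demoting everybody else. Because the client's preference order decides, the server-side order of the list matters much less than what it contains. Later OpenSSH releases added a "+" prefix on Ciphers and KexAlgorithms that appends to the defaults instead of replacing them; 6.8 has no such shorthand, so the full list has to be spelled out as above.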

I hope you will give these new versions a test drive - maybe even removing the additional lines that restore the old default behavior.

And if you leave the AIX version installed, and uninstall what I am calling "LibreSSH," it will restore the old SRC sshd settings!

Where? Thought you would never ask!
LibreSSL is at: http://www.aixtools.net/index.php/libreSSL
LibreSSH is at: http://www.aixtools.net/index.php/libreSSH


