This repository was archived by the owner on Dec 26, 2020. It is now read-only.

CBC Ciphers should be disabled by default. #308

Closed
salderma opened this issue Jul 14, 2020 · 5 comments

@salderma

Describe the bug
After applying this role and executing a Nessus Scan of the system, SSH is still allowing CBC Ciphers.
https://www.tenable.com/plugins/nessus/70658

Expected behavior
SSL Labs, for example, will render an 'F' grade on a site with CBC ciphers enabled for SSL. (https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities)
I would expect that CBC ciphers should by default be unavailable, and force the user to OPT in with the ssl_ciphers variable to enable CBC ciphers.

In addition, DISA STIG and NIST National Checklist Program (openscap, scap security guide) require disabling of CBC ciphers for compliance.

@schurzi
Contributor

schurzi commented Jul 14, 2020

Hi @salderma, thanks for discovering this.
I have run a quick test on CentOS7 and I think the ciphers are set correctly. Also in our defaults we already do not include the CBC ciphers, see:

ssh_ciphers_53_default:
- aes256-ctr
- aes192-ctr
- aes128-ctr
ssh_ciphers_66_default:
- chacha20-poly1305@openssh.com
- aes256-gcm@openssh.com
- aes128-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-ctr

On my test machine, this evaluates to:

# CBC: is true if you want to connect with OpenSSL-base libraries
# eg ruby Net::SSH::Transport::CipherFactory requires cbc-versions of the given openssh ciphers to work
# -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html)
#

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

Maybe there is a problem with the playbook on your test server.
Can you describe which operating system (including version) you are running?
Can you also include the output from an ansible run with this role on the server?

@schurzi schurzi self-assigned this Jul 14, 2020
@salderma
Author

It must be a CentOS 8 thing...

Apparently this would resolve - https://access.redhat.com/solutions/4410591

Sorry, I'll close the issue.

@schurzi schurzi reopened this Jul 15, 2020
@schurzi
Contributor

schurzi commented Jul 15, 2020

oh, don't be sorry! I think you found something that we missed.
This is a change worth including in our role, since it affects the security of sshd on CentOS8 and RHEL8.
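One way to catch this class of problem on a host, as an added example that is not part of the role or of this thread: audit the ciphers sshd actually offers rather than the Ciphers line in the config file. It assumes the RHEL 8 / CentOS 8 mechanism in which the system-wide crypto policy is passed to sshd as command-line options (CRYPTO_POLICY from /etc/crypto-policies/back-ends/opensshserver.config); the sample outputs and the `check_ciphers` helper are constructed here.

```shell
#!/bin/sh
# Added example (not part of the role or this issue): audit the ciphers sshd
# actually offers instead of trusting the Ciphers line in sshd_config.
# On RHEL 8 / CentOS 8 the system-wide crypto policy is handed to sshd as
# -o options (CRYPTO_POLICY, sourced from
# /etc/crypto-policies/back-ends/opensshserver.config), and command-line
# options win over sshd_config, so the file can look right while CBC is
# still negotiated. `sshd -T` prints the effective config for given options.

# Allow-list: the role's ssh_ciphers_66_default quoted earlier in the thread.
ALLOWED="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"

# check_ciphers: read `sshd -T` output on stdin, print each offered cipher
# that is not on the allow-list (CBC modes among them), return 1 if any found.
check_ciphers() {
    bad=0
    offered=$(awk '$1 == "ciphers" { print $2 }' | tr ',' ' ')
    for c in $offered; do
        case " $ALLOWED " in
            *" $c "*) ;;
            *) printf 'not allowed: %s\n' "$c"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample of `sshd -T` output in which CBC modes were appended to
# the configured list (real output has many more keys).
SAMPLE_CBC='port 22
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'

# Constructed sample matching the role defaults exactly.
SAMPLE_OK='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

# Stand-alone run on the samples. On a real RHEL 8 host use:
#   . /etc/crypto-policies/back-ends/opensshserver.config
#   sshd -T $CRYPTO_POLICY | check_ciphers
printf '%s\n' "$SAMPLE_CBC" | check_ciphers || echo "sshd offers ciphers outside the allow-list"
printf '%s\n' "$SAMPLE_OK" | check_ciphers && echo "sshd ciphers match the allow-list"
```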

@rndmh3ro
Member

Fixed by #309

@rndmh3ro rndmh3ro added the bug label Jul 18, 2020