You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
It would be great, if the soft-serve SSH server could be configurable.
Background:
When auditing SSH servers using https://github.com/jtesta/ssh-audit, it appears that the soft-serve SSH server has several security vulnerabilities.
These vulnerabilities are likely related to the default configuration of the included dropbear SSH server.
Describe the solution you'd like
To improve security, additional configuration parameters for SSH configuration such as KExAlgorithms, Ciphers, and MACs could be added to the soft-serve config.yaml.
Alternatively, soft-serve could read the sshd configuration files from the same path as the 'key_path' config option, for example, 'server_config_path: ssh/sshd_config'.
Additional context
The following is the output of ssh-audit v3.1.0 agains soft-serve v0.7.4 (d483565).
The command used was: docker run --rm positronsecurity/ssh-audit 1.2.3.4 -p 23231
Please note the CVE's at the beginning and the '[fail]' and '[warn]' remarks.
The original is using colors, which makes things easier to read.
# general
(gen) banner: SSH-2.0-OpenSSH_7.6p1
(gen) software: OpenSSH 7.6p1
(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2018.76+
(gen) compression: disabled
# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2018-15919 -- (CVSSv2: 5.3) username enumeration via GS2
(cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange since OpenSSH 6.4
(kex) [email protected] -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group14-sha1 -- [fail] using broken SHA-1 hash algorithm
`- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
`- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
# host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers)
(enc) [email protected] -- [info] available since OpenSSH 6.2
(enc) [email protected] -- [info] available since OpenSSH 6.2
(enc) [email protected] -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
`- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha1-96 -- [fail] using broken SHA-1 hash algorithm
`- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.47
# algorithm recommendations (for OpenSSH 7.6)
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-96 -- mac algorithm to remove
(rec) +diffie-hellman-group-exchange-sha256-- kex algorithm to append
(rec) +diffie-hellman-group16-sha512 -- kex algorithm to append
(rec) +diffie-hellman-group18-sha512 -- kex algorithm to append
(rec) +rsa-sha2-256 -- key algorithm to append
(rec) +rsa-sha2-512 -- key algorithm to append
(rec) [email protected] -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
The text was updated successfully, but these errors were encountered:
Hi @QuantumLibet, thanks for writing this report. Looking more into this, I'm suspecting that the report is a bit inaccurate since Soft Serve uses Golang SSH and not Dropbear. The version reported is also misleading because that's the default version Wish uses.
Let me know if this helps :)
Thank you for your feedback. However, I was in no way concerned with the exact identification of the SSH engine.
The post is a feature request to enable configurability of the SSH server.
Is your feature request related to a problem? Please describe.
It would be great, if the soft-serve SSH server could be configurable.
Background:
When auditing SSH servers using
https://github.com/jtesta/ssh-audit
, it appears that the soft-serve SSH server has several security vulnerabilities.These vulnerabilities are likely related to the default configuration of the included dropbear SSH server.
Describe the solution you'd like
To improve security, additional configuration parameters for SSH configuration such as KExAlgorithms, Ciphers, and MACs could be added to the soft-serve config.yaml.
Alternatively, soft-serve could read the sshd configuration files from the same path as the 'key_path' config option, for example, 'server_config_path: ssh/sshd_config'.
Additional context
The following is the output of ssh-audit v3.1.0 agains soft-serve v0.7.4 (d483565).
The command used was:
docker run --rm positronsecurity/ssh-audit 1.2.3.4 -p 23231
Please note the CVE's at the beginning and the '[fail]' and '[warn]' remarks.
The original is using colors, which makes things easier to read.
The text was updated successfully, but these errors were encountered: