
Conservative Enterprise Linux Distributions might hurt us

The argument is clear: by conservatively patching packages (backporting fixes), systems under an Enterprise Linux contract can be kept stable and secure for a long time. But at what cost (besides the support contract) does this come?

I noticed that even with the latest SUSE Linux Enterprise 15 SP5 you get an OpenSSH version which does not support hybrid post-quantum key exchanges, and even worse, it still has SHA-1 and the old ssh-rsa key type enabled, as well as the weak DH group14, UMAC-64 and non-etm MACs. This OpenSSH 8.4 derivative is just not secure by default anymore.

It would be hard for a company on an Enterprise Linux path to recompile its own OpenSSH (in order to get the PQC key exchange) or to harden the crypto settings. In this regard RHEL with its system-wide crypto policy is a bit better, but it is doubtful whether you can set the whole system to the "FUTURE" crypto protection level just to get rid of the worst offenders.
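To make the hardening concrete, here is an added example (my own script, not part of the original post and not a SUSE or Red Hat tool) that audits the effective sshd settings for exactly the offenders named above (SHA-1 based algorithms and ssh-rsa, the fixed DH group14, UMAC-64 and non-etm MACs) and prints a hardened drop-in config. The two samples are constructed to look like `sshd -T` output; on a real host you would pipe `sshd -T` into the audit function instead. The algorithm names are real OpenSSH identifiers, but the hybrid post-quantum kex (sntrup761x25519-sha512@openssh.com) only exists in newer OpenSSH releases, so on an 8.4-era build it has to be dropped from the config or sshd will refuse to start.

```shell
#!/bin/sh
# Constructed sample resembling `sshd -T` output of an OpenSSH 8.4-era default set.
WEAK_SAMPLE='kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# Constructed sample of a hardened host, in the same format.
HARDENED_SAMPLE='kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# Classify a single algorithm name: prints a reason if it is one of the
# weak choices discussed in the post, prints nothing otherwise.
weak_reason() {
  case "$1" in
    *sha1*|ssh-rsa|ssh-dss)                          echo "SHA-1 based" ;;
    diffie-hellman-group1-*|diffie-hellman-group14-*) echo "small fixed DH group" ;;
    umac-64*)                                         echo "64-bit MAC tag" ;;
    *-etm@openssh.com)                                ;;  # encrypt-then-MAC variants are fine
    hmac-*|umac-*)                                    echo "encrypt-and-MAC (non-etm)" ;;
  esac
}

# Read `sshd -T`-style "keyword value" lines on stdin, report every weak
# algorithm as "keyword: algorithm (reason)", and return 1 if any was found.
audit_sshd_settings() {
  found=0
  while read -r key list; do
    key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    case "$key" in
      kexalgorithms|macs|hostkeyalgorithms|pubkeyacceptedalgorithms|ciphers) ;;
      *) continue ;;
    esac
    old_ifs=$IFS
    IFS=','
    for algo in $list; do
      reason=$(weak_reason "$algo")
      if [ -n "$reason" ]; then
        printf '%s: %s (%s)\n' "$key" "$algo" "$reason"
        found=1
      fi
    done
    IFS=$old_ifs
  done
  return $found
}

# Convenience wrapper: number of weak entries found in the settings on stdin.
count_weak_algos() {
  audit_sshd_settings | awk 'END { print NR }'
}

# Hardened drop-in for /etc/ssh/sshd_config.d/ (constructed example).
# Remove the sntrup761x25519 entry on OpenSSH builds that do not know it,
# and verify with `sshd -t` before restarting, since an unknown name makes
# sshd refuse to start.
hardened_sshd_config() {
  cat <<'EOF'
# /etc/ssh/sshd_config.d/50-hardened-crypto.conf (constructed example)
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
EOF
}

# Usage on a real host: sshd -T | audit_sshd_settings
# Here the constructed samples are audited instead.
printf '%s\n' "$WEAK_SAMPLE" | audit_sshd_settings || echo "weak algorithms present"
printf '%s\n' "$HARDENED_SAMPLE" | audit_sshd_settings && echo "hardened sample is clean"
```

The audit only looks at the effective settings, so it catches weak defaults compiled into a vendor build just as well as weak values somebody wrote into sshd_config. Run the hardened config through the same function before deploying it; a hardening drop-in that still lists a group14 kex or a non-etm MAC is a common copy-paste mistake.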

Of course it could be argued that nobody is really endangered by those weak algorithms, especially if the SSH connections are not used over the untrusted Internet. But then again, why take the risk? We can only conclude: if you need the additional security, you will have to harden even your expensive, supported enterprise systems.