
Conservative Enterprise Linux Distributions might hurt us

The argument is clear: by patching packages conservatively (backporting fixes), systems under an Enterprise Linux support contract can be kept stable and secure for a long time. But at what cost (besides the support contract) does this come?

I noticed that even with the latest SUSE Linux Enterprise 15 SP5 you get an OpenSSH version which does not support hybrid post-quantum key exchanges, and even worse it has SHA-1 and the old ssh-rsa key type enabled, as well as the weak DH group14 or UMAC-64 and non-ETM MACs. This OpenSSH 8.4 clone is just not secure by default anymore.

It would be hard for a company committed to Enterprise Linux to recompile its own OpenSSH (in order to get the PQC key exchange) or to harden the crypto settings by hand on every host. In this regard RHEL with its system-wide crypto policy (update-crypto-policies) is a bit better, but it is doubtful whether you can switch the whole system to the "FUTURE" level just to get rid of the worst offenders: that level applies to every consumer of the policy (TLS, Kerberos and so on), not only to SSH, and may break connections to older peers.
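As an added example (not code from the original post, SUSE or the OpenSSH project), the following Python script does the audit the paragraph above says an administrator is left with: it reads the effective server configuration as printed by `sshd -T`, flags the weak algorithms named above (SHA-1 key exchange and signatures, group14, UMAC-64, non-ETM MACs, plus CBC/3DES/RC4 ciphers, which the post does not mention) and notes when no hybrid post-quantum key exchange is offered, then emits sshd_config directives with the flagged entries removed. The classification rules are my own heuristics, the PQ key-exchange names are the ones OpenSSH introduced in 8.5 and 9.9, and the embedded sample is constructed to resemble OpenSSH 8.4 defaults rather than captured from a SLES host.

```python
"""Audit the algorithm lists of an OpenSSH server (output of `sshd -T`) for
weak defaults and emit hardened sshd_config directives.

Classification rules are the author's own heuristics, not an OpenSSH or
SUSE list.  The PQ hybrid KEX names are those added in OpenSSH 8.5
(sntrup761x25519) and 9.9 (mlkem768x25519)."""
import sys
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (directive, algorithm, reason)

PQ_HYBRID_KEX = ("sntrup761x25519-sha512@openssh.com", "mlkem768x25519-sha256")

# Directives holding a comma-separated algorithm list, with the spelling
# used when writing sshd_config lines (`sshd -T` prints keys lowercased;
# OpenSSH 8.4 still calls the pubkey list PubkeyAcceptedKeyTypes).
ALGORITHM_DIRECTIVES = {
    "kexalgorithms": "KexAlgorithms",
    "hostkeyalgorithms": "HostKeyAlgorithms",
    "pubkeyacceptedalgorithms": "PubkeyAcceptedAlgorithms",
    "pubkeyacceptedkeytypes": "PubkeyAcceptedKeyTypes",
    "macs": "MACs",
    "ciphers": "Ciphers",
}

# Constructed sample resembling OpenSSH 8.4 defaults; not a real capture.
SAMPLE_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,ssh-rsa,rsa-sha2-512,rsa-sha2-256
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
"""


def parse_sshd_t(text: str) -> Dict[str, List[str]]:
    """Map each `key value` line of `sshd -T` output to key -> value.split(',')."""
    parsed: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" ")
        if sep:
            parsed[key.lower()] = value.split(",")
    return parsed


def weak_reason(directive: str, alg: str) -> Optional[str]:
    """Return why `alg` is considered weak for `directive`, or None if acceptable."""
    a = alg.lower()
    if directive == "kexalgorithms":
        if a.endswith("-sha1"):
            return "SHA-1 based key exchange"
        if "group1-" in a:
            return "1024-bit MODP group"
        if "group14" in a:
            return "2048-bit MODP group (group14); prefer group16/18 or ECDH"
    elif directive in ("hostkeyalgorithms", "pubkeyacceptedalgorithms",
                       "pubkeyacceptedkeytypes"):
        if a in ("ssh-rsa", "ssh-dss") or a.startswith(("ssh-rsa-cert", "ssh-dss-cert")):
            return "SHA-1 signature algorithm"
    elif directive == "macs":
        if "sha1" in a or "md5" in a:
            return "SHA-1/MD5 based MAC"
        if a.startswith("umac-64"):
            return "64-bit MAC tag"
        if not a.endswith("-etm@openssh.com"):
            return "encrypt-and-MAC construction (non-ETM)"
    elif directive == "ciphers":
        if "-cbc" in a or "3des" in a or "arcfour" in a or a.startswith("rc4"):
            return "CBC, 3DES or RC4 cipher"
    return None


def audit(text: str) -> List[Finding]:
    """List every weak algorithm the server offers, plus a finding if no
    hybrid post-quantum key exchange is available at all."""
    cfg = parse_sshd_t(text)
    findings: List[Finding] = []
    for directive in ALGORITHM_DIRECTIVES:
        for alg in cfg.get(directive, []):
            reason = weak_reason(directive, alg)
            if reason:
                findings.append((directive, alg, reason))
    if not any(k in PQ_HYBRID_KEX for k in cfg.get("kexalgorithms", [])):
        findings.append(("kexalgorithms", "(none)",
                         "no hybrid post-quantum key exchange offered"))
    return findings


def hardened_directives(text: str) -> List[str]:
    """sshd_config lines keeping only the acceptable algorithms the server
    already supports.  This cannot add a PQ KEX to an OpenSSH 8.4 binary;
    a directive with nothing acceptable left becomes a comment instead of
    an empty (invalid) setting."""
    cfg = parse_sshd_t(text)
    lines = []
    for key, name in ALGORITHM_DIRECTIVES.items():
        if key not in cfg:
            continue
        keep = [a for a in cfg[key] if weak_reason(key, a) is None]
        if keep:
            lines.append(f"{name} {','.join(keep)}")
        else:
            lines.append(f"# {name}: no acceptable algorithm left; upgrade OpenSSH")
    return lines


if __name__ == "__main__":
    # Usage: sshd -T | python3 audit_sshd.py   (falls back to the sample on a tty)
    data = SAMPLE_SSHD_T if sys.stdin.isatty() else sys.stdin.read()
    for directive, alg, reason in audit(data):
        print(f"{directive}: {alg}: {reason}")
    print("\n# drop-in for /etc/ssh/sshd_config.d/ (verify with sshd -t):")
    print("\n".join(hardened_directives(data)))
```

Run it as `sshd -T | python3 audit_sshd.py` on the host itself, since `sshd -T` resolves the vendor's compiled-in defaults and any Include or Match overrides; a client-side scan only sees what the server advertises, not why.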

Of course it could be argued that nobody is really endangered by those weak algorithms, especially if the SSH connections are not carried over the untrusted Internet. But then again: why take the risk? We can only conclude that if you need the additional security, you will need to harden even your expensive, supported enterprise systems.


Comments


Bernd on :

For completeness the RHEL 8 defaults (even with the DEFAULT crypto policy) look much more sane.
