#1000198 openssh-server: insecure algorithms reported by ssh-audit

Package:
openssh-server
Source:
openssh
Description:
secure shell (SSH) server, for secure access from remote machines
Submitter:
Martin-Éric Racine
Date:
2026-01-10 11:39:02 UTC
Severity:
important
Tags:
#1000198#5
Date:
2021-11-19 13:26:13 UTC
Running 'ssh-audit' reported that several algorithms considered vulnerable are enabled in the defaults that ship with openssh-server on Debian.

Some of the recommended removals may be intentionally enabled for backward-compatibility, while others may be good candidates for disabling. I'll leave it up to the maintainers to decide what is the best course of action for each case.

Martin-Éric

$ ssh-audit 172.16.1.1
# general
(gen) banner: SSH-2.0-OpenSSH_8.7p1 Debian-2
(gen) software: OpenSSH 8.7p1
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                    -- [fail] using weak elliptic curves
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73

# host-key algorithms
(key) rsa-sha2-512 (2048-bit)               -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (2048-bit)               -- [info] available since OpenSSH 7.2
(key) ssh-rsa (2048-bit)                    -- [fail] using weak hashing algorithm
                                            `- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) ecdsa-sha2-nistp256                   -- [fail] using weak elliptic curves
                                            `- [warn] using weak random number generator could reveal the key
                                            `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
                                            `- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) umac-64-etm@openssh.com               -- [warn] using small 64-bit tag size
                                            `- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com             -- [warn] using weak hashing algorithm
                                            `- [info] available since OpenSSH 6.2
(mac) umac-64@openssh.com                   -- [warn] using encrypt-and-MAC mode
                                            `- [warn] using small 64-bit tag size
                                            `- [info] available since OpenSSH 4.7
(mac) umac-128@openssh.com                  -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1                             -- [warn] using encrypt-and-MAC mode
                                            `- [warn] using weak hashing algorithm
                                            `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28

# fingerprints
(fin) ssh-ed25519: SHA256: (***removed from bug report***)
(fin) ssh-rsa: SHA256: (***removed from bug report***)

# algorithm recommendations (for OpenSSH 8.7)
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -ssh-rsa                              -- key algorithm to remove
(rec) +sk-ssh-ed25519@openssh.com           -- key algorithm to append
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove

# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-security'), (500, 'testing')
Architecture: i386 (i586)

Kernel: Linux 5.14.0-2-686 (SMP w/1 CPU thread)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.79
ii  dpkg                   1.20.9
ii  libaudit1              1:3.0.6-1+b1
ii  libc6                  2.32-4
ii  libcom-err2            1.46.4-1
ii  libcrypt1              1:4.4.26-1
ii  libgssapi-krb5-2       1.18.3-7
ii  libkrb5-3              1.18.3-7
ii  libpam-modules         1.4.0-10
ii  libpam-runtime         1.4.0-10
ii  libpam0g               1.4.0-10
ii  libselinux1            3.3-1+b1
ii  libssl1.1              1.1.1l-1
ii  libsystemd0            249.5-2
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.7p1-2
ii  openssh-sftp-server    1:8.7p1-2
ii  procps                 2:3.3.17-5
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  249.5-2
ii  ncurses-term             6.2+20201114-4
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  ssh/new_config: true
  openssh-server/password-authentication: true
* openssh-server/permit-root-login: false
  ssh/vulnerable_host_keys:
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:
* ssh/use_old_init_script: true
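
Added example, not part of the bug report or of the openssh package: a small Python helper that turns the "(rec)" lines of the ssh-audit report above into sshd_config directives using OpenSSH's "-" (remove from defaults) and "+" (append to defaults) prefix syntax, which OpenSSH has supported since 7.5 and so applies to the 8.7 server audited here. The embedded sample is the recommendation block copied from the report; the helper also handles the case where one keyword would need both a removal and an append, since sshd only honours the first occurrence of a keyword.

```python
import re

# ssh-audit category tags mapped to the sshd_config keyword they affect.
DIRECTIVES = {"kex": "KexAlgorithms", "key": "HostKeyAlgorithms",
              "enc": "Ciphers", "mac": "MACs"}
REC_LINE = re.compile(
    r"^\(rec\)\s+([+-])(\S+)\s+--\s+(kex|key|enc|mac) algorithm to (remove|append)$")

# Constructed sample: the recommendation section of the report above.
SAMPLE_REPORT = """\
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -ssh-rsa                              -- key algorithm to remove
(rec) +sk-ssh-ed25519@openssh.com           -- key algorithm to append
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
"""

def parse_recommendations(report):
    """Return {category: {'-': [algos to remove], '+': [algos to append]}}."""
    recs = {cat: {"-": [], "+": []} for cat in DIRECTIVES}
    for line in report.splitlines():
        m = REC_LINE.match(line.strip())
        if m:
            sign, algo, cat, _action = m.groups()
            recs[cat][sign].append(algo)
    return recs

def to_sshd_config(recs):
    """One directive per category, using OpenSSH's '-' (remove from defaults)
    and '+' (append to defaults) prefixes. sshd honours only the first
    occurrence of a keyword, so when a category needs both, the removal is
    emitted and the append is left as a comment to be merged by hand."""
    out = []
    for cat, keyword in DIRECTIVES.items():
        removes, appends = recs[cat]["-"], recs[cat]["+"]
        if removes:
            out.append(f"{keyword} -{','.join(removes)}")
        if appends:
            prefix = "# merge by hand: " if removes else ""
            out.append(f"{prefix}{keyword} +{','.join(appends)}")
    return out
```

Re-run ssh-audit after restarting sshd to confirm the "(rec)" section is empty; the "+" line for sk-ssh-ed25519@openssh.com only matters on versions where that algorithm is not already in the default list.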

#1000198#10
Date:
2022-10-04 23:59:43 UTC
Thanks for the ssh-audit report output!
There has been a very long discussion of default settings in #774711
(which now includes ssh-audit's recommendations)

Since you generated this report the following has happened:

* 1:8.8p1-1:
   "This release disables RSA signatures using the SHA-1 hash algorithm
    by default.  (Existing RSA keys may still be used and do not need
    to be replaced; see NEWS.Debian if you have problems connecting to
    old SSH servers.)"
* 1:8.9p1-1:
   "ssh(1): stricter UpdateHostkey signature verification logic on the
    client-side. Require RSA/SHA2 signatures for RSA hostkeys except when
    RSA/SHA1 was explicitly negotiated during initial KEX.
    ssh(1), sshd(8): fix signature algorithm selection logic for
    UpdateHostkeys on the server side. The previous code tried to prefer
    RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This
    will use RSA/SHA2 signatures for RSA keys if the client proposed
    these algorithms in initial KEX."
* 1:9.0p1-1:
   "use the hybrid Streamlined NTRU Prime + x25519 key exchange method
    by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm
    is believed to resist attacks enabled by future quantum computers and
    is paired with the X25519 ECDH key exchange (the previous default) as
    a backstop against any weaknesses in NTRU Prime that may be
    discovered in the future. The combination ensures that the hybrid
    exchange offers at least as good security as the status quo."
* sk-ssh-ed25519@openssh.com is in the default lists now

The rest of ssh-audit's recommendations from your report are still
valid, see #774711 for more info

#1000198#15
Date:
2026-01-10 10:08:08 UTC
There is a family donation in the amount of 1.850.000,00 USD from Cheng Charlie
Saephan. Please reply for more information. Remember to do good for your family
and the needy around you.

This is already the second attempt to reach you. Please reply for further
details.