Hi guys
The security issue
To check the security of the router, I ran an OpenVAS security scanner against OpenWrt Chaos Calmer 15.05.1 / LuCI 15.05-188-g87e9837.
OpenVAS detects WEAK CIPHERS in HTTPS (like the SHA-1 autogenerated certificate) and SSH.
Actions:
- Removed buggy dropbear, replaced it with openssh.
- Apparently the only way to adjust the ciphers is through /etc/sshd_config (config below). After each edit, restarted sshd. Some changes, but it still presents weak ciphers and a SHA-1 certificate.
Big Question
- How to block negotiation of weak ciphers?
- How to strengthen the certificates?
Am I missing something, or does ssh need a patch?
Additional info
Installed packages related to ssh/ssl are:
libopenssl 1.0.2g-1
libpolarssl 1.3.14-1
libustream-polarssl 2015-07-09-c2d73c2261..2d3
luci-ssl git-16.043.44305-e2f9172-1
openssh-keygen 7.1p2-1
openssh-server 7.1p2-1
openssh-sftp-server 7.1p2-1
Changes and additions to /etc/sshd_config:
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 2048
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
HostKeyAlgorithms ssh-rsa,ssh-dss
Hostbasedacceptedkeytypes ssh-rsa,ssh-ed25519
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
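Added example (not part of the post, and not OpenWrt's or OpenSSH's own tooling): a small Python audit script that reads an sshd_config fragment, reports the entries a scanner such as OpenVAS flags, and emits a hardened copy. It explains the result in the post: `ssh-dss` (DSA) and `ssh-rsa` (RSA host key signed with SHA-1 on this OpenSSH version) are still offered via `HostKeyAlgorithms`, the DSA `HostKey` line keeps that key loaded, `hmac-ripemd160*` sits outside OpenSSH's default MAC set, and `ServerKeyBits` only ever applied to SSH-1, so it changes nothing under `Protocol 2`. The HTTPS certificate finding belongs to the LuCI side (luci-ssl) and is not affected by any sshd setting. The embedded config is a constructed copy of the one quoted above; the ed25519 host key path is an assumption (the key itself would be created with `ssh-keygen -t ed25519`). The weak-algorithm check is written more generally than the post needs (CBC ciphers, RC4, SHA-1 and MD5 MACs, SHA-1 key exchange).

```python
"""Audit an sshd_config for algorithm choices that scanners such as OpenVAS
flag, and emit a hardened copy.  Added example, not from the post; it assumes
OpenSSH 7.x keyword names and an ed25519 host key at the usual path."""

# Constructed copy of the sshd_config fragment quoted in the post above.
SAMPLE_CONFIG = """\
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 2048
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
HostKeyAlgorithms ssh-rsa,ssh-dss
HostbasedAcceptedKeyTypes ssh-rsa,ssh-ed25519
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
"""

# Keywords whose value is a comma-separated algorithm list (compared lower-case,
# because sshd keywords are case-insensitive).
LIST_KEYWORDS = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms",
                 "hostbasedacceptedkeytypes", "pubkeyacceptedkeytypes"}
KEY_TYPE_KEYWORDS = {"hostkeyalgorithms", "hostbasedacceptedkeytypes",
                     "pubkeyacceptedkeytypes"}

# Assumed path of the replacement host key (create it with: ssh-keygen -t ed25519).
ED25519_HOSTKEY = "/etc/ssh/ssh_host_ed25519_key"


def weak_reason(alg):
    """Return why an algorithm name is weak or outside OpenSSH's defaults, else None."""
    a = alg.strip().lower()
    if a == "ssh-dss":
        return "DSA: 1024-bit key and SHA-1 signature"
    if a == "ssh-rsa":
        return "RSA host key signed with SHA-1 in this OpenSSH version; prefer ssh-ed25519"
    if a.endswith("-cbc"):
        return "CBC-mode cipher"
    if a.startswith("arcfour"):
        return "RC4 stream cipher"
    if a.startswith("hmac-md5") or a.startswith("hmac-sha1"):
        return "MAC built on MD5 or SHA-1"
    if "ripemd160" in a:
        return "RIPEMD-160 MAC, not in OpenSSH's default set"
    if a.startswith("diffie-hellman") and a.endswith("-sha1"):
        return "SHA-1 key exchange"
    return None


def parse(text):
    """Split sshd_config text into (Keyword, value) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries


def audit(text):
    """Return (keyword, value, reason) for every setting a scanner would flag."""
    findings = []
    for kw, val in parse(text):
        k = kw.lower()
        if k in LIST_KEYWORDS:
            for alg in val.split(","):
                reason = weak_reason(alg)
                if reason:
                    findings.append((kw, alg.strip(), reason))
        elif k == "serverkeybits":
            findings.append((kw, val, "SSH-1 only setting; has no effect with Protocol 2"))
        elif k == "hostkey" and "dsa" in val.lower():
            findings.append((kw, val, "DSA host key; clients would be offered ssh-dss"))
    return findings


def harden(text):
    """Return a copy of the config with flagged entries removed and an ed25519 host key added."""
    out = []
    have_ed25519 = any(k.lower() == "hostkey" and "ed25519" in v.lower() for k, v in parse(text))
    for kw, val in parse(text):
        k = kw.lower()
        if k == "serverkeybits" or (k == "hostkey" and "dsa" in val.lower()):
            continue  # dropped entirely
        if k in LIST_KEYWORDS:
            kept = [a.strip() for a in val.split(",") if weak_reason(a) is None]
            if not kept:
                if k in KEY_TYPE_KEYWORDS:
                    kept = ["ssh-ed25519"]   # every listed key type was weak
                else:
                    continue                 # fall back to OpenSSH's default list
            val = ",".join(kept)
        out.append(f"{kw} {val}")
        if k == "hostkey" and not have_ed25519:
            out.append(f"HostKey {ED25519_HOSTKEY}")  # add right after the first HostKey
            have_ed25519 = True
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for kw, val, reason in audit(SAMPLE_CONFIG):
        print(f"FLAGGED {kw} {val}: {reason}")
    print("\n# hardened sshd_config\n" + harden(SAMPLE_CONFIG))
```

Two caveats on applying the hardened output: dropping `ssh-rsa` from `HostKeyAlgorithms` means clients that do not support ed25519 can no longer connect and every existing client will see a host key change, so keep `ssh-rsa` if legacy clients matter (and accept that the SHA-1 signature finding stays). `diffie-hellman-group-exchange-sha256` draws its groups from `/etc/ssh/moduli`; if that file still contains small groups, a scanner may flag the key exchange even though the hash is fine, so either prune the file or leave the fixed-group kex methods at the front of the list.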