Suggestion
Resolution: Obsolete
31
Would like to see an update to the SSH algorithms available to Bitbucket. Here is a list of CIPHER, KEY_EXCHANGE, and MAC algorithms that are not currently supported and should be added:
KEY_EXCHANGE: ecdh-sha2-nistp256 and ecdh-sha2-nistp384.
CIPHER: chacha20-poly1305@openssh.com, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, and aes256-gcm@openssh.com.
MAC: umac-128@openssh.com, umac-64@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com, and umac-64-etm@openssh.com.
server_host_key_algorithms currently only supports ssh-rsa. Bitbucket should add rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, and ssh-ed25519.
For PCI compliance, it is occasionally necessary to disable some SSH algorithms, like anything that depends on MD5 and, soon, SHA-1. Increasing the available SSH ciphers to the newer and stronger ciphers is important to meet compliance.
This is the current list of SSH supported algorithms from a default install of Ubuntu:
$ nmap --script ssh2-enum-algos -sV -p 22 192.168.1.10

Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-19 14:16 CDT
Nmap scan report for 192.168.59.130
Host is up (0.00044s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
$
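An added example (not part of this issue or of Bitbucket) that parses ssh2-enum-algos output like the scan above and flags the entries a compliance review would want disabled: anything built on SHA-1 or MD5 (the PCI point raised in the issue), CBC ciphers, and ssh-rsa, whose signatures use SHA-1. The sample listing is constructed and abridged, and the weak-pattern list is an assumption, not a PCI requirement.

```python
import re

# Constructed sample in the format the NSE script prints (abridged from the scan in this issue).
NMAP_OUTPUT = """\
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ssh-ed25519
|   encryption_algorithms: (2)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (3)
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Assumed review policy: MD5/SHA-1 based names, CBC ciphers, and ssh-rsa (SHA-1 signatures).
WEAK_PATTERNS = [
    ("sha1", re.compile(r"sha1")),
    ("md5", re.compile(r"md5")),
    ("cbc", re.compile(r"-cbc$")),
    ("sha1-signature", re.compile(r"^ssh-rsa$")),
]

def parse_enum_algos(text):
    """Map each '<category>_algorithms' header to the names listed under it."""
    algos, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").strip()   # drop the NSE '|' / '|_' gutter
        if not body or body.startswith("ssh2-enum-algos"):
            continue
        header = re.match(r"^(\w+_algorithms):", body)
        if header:
            current = header.group(1)
            algos[current] = []
        elif current:
            algos[current].append(body)
    return algos

def flag_weak(algos):
    """Return (category, algorithm, reason) for every entry matching a weak pattern."""
    return [(cat, name, reason)
            for cat, names in algos.items()
            for name in names
            for reason, pat in WEAK_PATTERNS if pat.search(name)]
```

Feed it the real output of `nmap --script ssh2-enum-algos` on a host under your control and compare the flagged list against what the server's sshd configuration is meant to allow.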
split to:
- BSERV-13731 Add support of ChaCha20-Poly1305 encryption algorithm for SSH keys (Gathering Interest)
- BSERV-13732 Add support of UMAC algorithms for SSH keys (Gathering Interest)
causes:
- SSP-54923