Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-10175

update Bitbucket SSH algorithms

    XMLWordPrintable

Details

    • Suggestion
    • Status: Gathering Interest (View Workflow)
    • Resolution: Unresolved
    • None
    • None
    • None
    • 296
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Would like to see an update to ssh algorithms available to Bitbucket. Here is a list of CIPHER, KEY_EXCHANGE, and MAC that are not currently supported and should be added:

      ecdh-sha2-nistp256, and ecdh-sha2-nistp384.
      chacha20-poly1305@openssh.com, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, and aes256-gcm@openssh.com
      umac-128@openssh.com, umac-64@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com, and umac-64-etm@openssh.com.
      

      server_host_key_algorithms currently only support ssh-rsa. Bitbucket should add rsa-sha2-512, rsa-sha2-256, ecdsa-sha2-nistp256, and ssh-ed25519.

      For PCI compliance, it is occasionally necessary to disable some SSH Algorithms, like anything that depends on md5 and soon to be sha1. Increasing the available SSH CIPHER to the newer and stronger Ciphers is important to meet compliance.

      This is the current list of SSH supported algorithms from a default install of Ubuntu:

      $ nmap --script ssh2-enum-algos -sV -p 22 192.168.1.10
      
      Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-19 14:16 CDT
      Nmap scan report for 192.168.59.130
      Host is up (0.00044s latency).
      
      PORT   STATE SERVICE VERSION
      22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
      | ssh2-enum-algos:
      |   kex_algorithms: (6)
      |       curve25519-sha256@libssh.org
      |       ecdh-sha2-nistp256
      |       ecdh-sha2-nistp384
      |       ecdh-sha2-nistp521
      |       diffie-hellman-group-exchange-sha256
      |       diffie-hellman-group14-sha1
      |   server_host_key_algorithms: (5)
      |       ssh-rsa
      |       rsa-sha2-512
      |       rsa-sha2-256
      |       ecdsa-sha2-nistp256
      |       ssh-ed25519
      |   encryption_algorithms: (6)
      |       chacha20-poly1305@openssh.com
      |       aes128-ctr
      |       aes192-ctr
      |       aes256-ctr
      |       aes128-gcm@openssh.com
      |       aes256-gcm@openssh.com
      |   mac_algorithms: (10)
      |       umac-64-etm@openssh.com
      |       umac-128-etm@openssh.com
      |       hmac-sha2-256-etm@openssh.com
      |       hmac-sha2-512-etm@openssh.com
      |       hmac-sha1-etm@openssh.com
      |       umac-64@openssh.com
      |       umac-128@openssh.com
      |       hmac-sha2-256
      |       hmac-sha2-512
      |       hmac-sha1
      |   compression_algorithms: (2)
      |       none
      |_      zlib@openssh.com
      Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
      
      Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
      $
      

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              d33c2e2dcad1 Ravi GH
              Votes:
              24 Vote for this issue
              Watchers:
              21 Start watching this issue

              Dates

                Created:
                Updated: