Does SSH compression make the protocol more insecure?

Rockcat

3/9/24, 12:02 PM

I'm auditing one ubuntu server using a tool named lynis, which performs several tests to configuration files and give suggestions to harden the servers. For example, it suggest to reduce the value of MaxAuthTries from 6 to 3, which makes sense for me... but there is one suggestion that I don't understand:

  * Consider hardening SSH configuration [SSH-7408] 
    - Details  : Compression (set YES to NO)
      https://cisofy.com/lynis/controls/SSH-7408/

I have read the given link SSH-7408, and done some web research but I don't get how enabling Compression in SSH server does the protocol more insecure that disabling it.

402

1 + 2

ssh

hardening

Håkan Lindqvist

3/9/24, 12:09 PM

Probably relevant: https://security.stackexchange.com/a/224796/22571

Greg Askew

3/9/24, 1:11 PM

There is nothing in the linked article [SSH-7408] about compression. It isn't uncommon for security tools to have unfounded and misleading findings and recommendations with no basis due to lack of knowledge/experience. You need to recognize these and prepare for them, otherwise you will spend time/resources spinning your wheels on nothing. This finding from Lynis was trash in 2016, and it is trash in 2023. If you have to decipher a sentence of a tool with ServerFault it is trash. https://github.com/CISOfy/lynis/issues/217

Score:3

Server

HBruijn

3/9/24, 3:05 PM

In historical context (OpenSSH sshd prior to 7.4) a recommendation to not set Compression yes does make sense:

OpenSSH 4.2 from 2005 introduced Compression delayed and explains why they made that the default in their release notes. There they also explain when/why Compression yes might be required and what risks it exposes:

- Added a new compression method that delays the start of zlib
compression until the user has been authenticated successfully. 
The new method ("Compression delayed") is on by default in the 
server. This eliminates the risk of any zlib vulnerability 
leading to a compromise of the server from unauthenticated users.

NB. Older OpenSSH (<3.5) versions have a bug that will cause them
to refuse to connect to any server that does not offer compression
when the client has compression requested. Since the new "delayed"
server mode isn't supported by these older clients, they will
refuse to connect to a new server unless compression is disabled
(on the client end) or the original compression method is enabled
on the server ("Compression yes" in sshd_config)

Based on those remarks you can easily see why a security scanner that detects Compression yes might generate a warning.

It is a potentially risky setting only needed for legacy (already legacy in 2005) clients.

But IMHO the recommendation should then be to set Compression delayed, which is also the OpenSSH default.

But OpenSSH server 7.4 releases in 2016 and:

sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.

AFAIK that release also made Compression yes behave the same as the (from then on legacy) directive Compression delayed.

So for OpenSSH sshd 7.4 and newer Compression yes should not trigger any warnings.

It is a really bad thing when a security scanner generates findings and makes specific recommendations without providing any supporting reason and/or won't associate them with a particular version.

When asked about the source and rationale on Github in 2016 for the Lynis recommendation to set Compression no it seemed a combination of

"most people won't need SSH compression"

Because apparently the ssh manual page states:

... Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks. ...

"generally: do not enable settings you do not need"

Reducing features automatically reduces the attack surface which is valid and hard to debate but which also holds true for almost any other setting and is not indicative of any specific risk in using Compression delayed|yes
Compression and encryption is dangerous

in the context of CRIME and BREACH and similar compression oracle related attacks exposing secrets and/or credentials.

The first two reasons aren't very convincing and the last one is no longer applicable, if it ever really was, since for years already when compression is requested, by default any current OpenSSH server will only support that after a user has successfully authenticated.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Does SSH compression make the protocol more insecure?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.