From: ratten
Date: Sat, 11 Nov 2023 20:47:21 +0000 (+0100)
Subject: first version of slides
X-Git-Url: http://git.tuxteam.de/gitweb/?a=commitdiff_plain;h=9a4635ca1026b688e5518c38d878038d2a1e6c91;p=susannes-git%2FCrypto-Policy-Vortrag.git
first version of slides
--- 9a4635ca1026b688e5518c38d878038d2a1e6c91
diff --git a/Cryptopolicies-Handout.pdf b/Cryptopolicies-Handout.pdf
new file mode 100644
index 0000000..b415b71
Binary files /dev/null and b/Cryptopolicies-Handout.pdf differ
diff --git a/Cryptopolicies-presi.pdf b/Cryptopolicies-presi.pdf
new file mode 100644
index 0000000..8d69395
Binary files /dev/null and b/Cryptopolicies-presi.pdf differ
diff --git a/Cryptopolicies.tex b/Cryptopolicies.tex
new file mode 100644
index 0000000..6fddf85
--- /dev/null
+++ b/Cryptopolicies.tex
@@ -0,0 +1,1044 @@ +\documentclass[xcolor={dvipsnames,table},graphicx,parskip]{beamer} + +\usepackage[ngerman]{babel} +\usepackage[utf8]{inputenc} +\usepackage{bytefield} + +\usepackage{textpos} +\usepackage{pgfpages} %für notizen in Slides +\usepackage{tcolorbox}%runde colorboxen \usepackage{textpos} +\usepackage{stmaryrd} % \shortrightarrow +\usepackage[final]{qrcode}%für qrcodes + +\usepackage{hyperref} + +%\usepackage{showkeys} + +\uselanguage{German} +\languagepath{German} + + +\mode{% + \setbeameroption{show notes} + %\setbeamerfont{note page}{size=\large} + %\setbeameroption{show notes on second screen=bottom} + \setbeamertemplate{note page}{% + \vspace{1cm} + weitere Informationen:\\ + \vskip.25em + \nointerlineskip + {\Large \insertframetitle} + \vskip.25em + {\Large\insertframesubtitle} + \vskip.25em + %\vspace{1cm}\\ + \insertnote} +} + +\mode{% +\setbeamerfont{note page}{size=\huge} +\setbeameroption{show notes on second screen=bottom} +} + +\usetheme[hideothersubsections,left]{Goettingen} + +%\definecolor{hellblau}{RGB}{61, 165, 217} +\definecolor{kuerzung}{RGB}{254, 198, 1} +\definecolor{orange}{RGB}{234, 155, 23} +\definecolor{dunkelblau}{RGB}{11, 12, 93} +\definecolor{gruen}{RGB}{137, 252, 0} +\definecolor{gruendunkel}{RGB}{172, 210, 237} +\definecolor{titelblau}{RGB}{21, 59, 80} +\definecolor{blau}{rgb}{0.7, 0.99, 0.99} +\definecolor{coolblack}{rgb}{0.0, 0.18, 0.39} +\definecolor{DarkGreen}{rgb}{0.0, 0.6, 0.0} +\definecolor{ao}{rgb}{0.12, 0.3, 0.17} +\definecolor{realRFC}{rgb}{0.1, 0.1, 0.44} +\definecolor{witzRFC}{rgb}{0.01, 0.75, 0.24} +\definecolor{prefix}{rgb}{0.5, 0.5, 0.0} +\definecolor{IID}{rgb}{0.56, 0.0, 1.0} +\definecolor{CIDR}{rgb}{0.0, 0.29, 0.29} + +\graphicspath{{Bilder/}} + +% minted Optionen +\usepackage{lineno} +\usepackage[newfloat]{minted} +\usemintedstyle{friendly} +\usemintedstyle[sourcelist,linux-config]{autumn} +\usemintedstyle[console]{staroffice} +\usemintedstyle[bash]{pastie} + +\setminted[bash]{ + breaklines=true, + 
tabsize=2, + linenos, + numbersep=2pt, + autogobble, + framesep=0pt +} + +\setminted[linux-config]{ + breaklines=true, + linenos, + numbersep=2pt, + autogobble, + framesep=0pt +} + +\setminted[console]{ + breaklines=true, + linenos, + numbersep=2pt, + autogobble, + framesep=0pt +} + + +\setbeamercovered{transparent} +\useoutertheme{sidebar} +\useinnertheme{rounded} + +%um descripten links auszurichten +\defbeamertemplate{description item}{align left}{\insertdescriptionitem\hfill} +\setbeamertemplate{description item}[align left] + +\begin{document} + +%Beispiel Farb Definition +\setbeamercolor{block title example}{use=example text,fg=example text.fg,bg=example text.fg!20!bg} +\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!50!bg} +%DefintionsBlock Farbspezification +\setbeamercolor{block title}{use=structure text,fg=blue,bg=example text.fg!20!bg} +\setbeamercolor{block body}{parent=normal text,use=block title example,bg=block title example.bg!50!bg} + + +\setbeamertemplate{frametitle}[default][center] + +\setbeamertemplate{navigation symbols}{} +\setbeamertemplate{page number in head/foot}[totalframenumber] + +% fußzeilen Definition +\setbeamertemplate{footline}{\vspace*{-20pt} \leavevmode% + \hbox{% + \hspace{2cm} \colorbox{white}{\color{black} + \textcolor{black}{\insertdate} \hspace{1.5cm} \insertshortauthor \hspace{4cm} \insertframenumber \quad von \inserttotalframenumber \hspace{1cm} }}} + +\setbeamertemplate{itemize items}[triangle] +\setbeamertemplate{page number in foot}[totalframenumber] + +% % sidebarsetting + +\setbeamertemplate{sidebar canvas left}[vertical shading][top=ao,middle=titelblau,bottom=DarkGreen] +\setbeamercolor{section in sidebar shaded}{fg=yellow} +\setbeamercolor{author in sidebar}{fg=ao} +\setbeamercolor{title in sidebar}{fg=white} + +% Sidebar Farben normal +\setbeamercolor{section in sidebar shaded}{fg=blau} +\setbeamercolor{subsection in sidebar shaded}{fg=Yellow} 
+\setbeamercolor{subsubsection in sidebar shaded}{fg=SpringGreen} + +%Sidebar Farben aktiviert +\setbeamercolor*{palette sidebar primary}{fg=YellowOrange} +\setbeamercolor*{palette sidebar secondary}{fg=YellowOrange} + +\setbeamercolor{titlelike}{fg=white, bg=titelblau} + +% %itemsetting +\setbeamercolor{item}{fg=blue}%color of bullet +\setbeamercolor{subitem}{fg=orange}%color of bullet + +%inhaltsverzeichniss + +\setbeamercolor{section in toc}{fg=blue}%, bg=black} +\setbeamercolor{subsection in toc}{fg=DarkGreen} +\setbeamercolor{subsubsection in toc}{fg=teal} +\setbeamertemplate{sections/subsections in toc}[triangle] + +%\setbeamertemplate{blocks}[rounded] +\setbeamertemplate{title page}[default][colsep=-4bp,rounded=true] + +%Background +\setbeamercolor{background canvas}{bg=white} + +\setbeamertemplate{background}{% + \includegraphics[height=\paperheight]{hacker2.jpg}} + +%Titel definition +\title[Crypto-Policies]{Crypto-Policies} +\subtitle{one Tool to rule all Crypto in Linux} +\author[Bücherratten]{\textbf{Bücherratten}\\\texttt{ratten@buecherratten.in-berlin.de}} +\institute{\textbf{37C3}} + +\date{Dezember 2023} + +% Titlepage Farben setzen +\setbeamercolor{date}{fg=orange} +\setbeamercolor{author}{fg=orange} +\setbeamercolor{institute}{fg=orange} + +%\titlegraphic{\includegraphics[scale=0.3]{hacker.jpg}} + +%sitebar leer setzten +\setbeamertemplate{sidebar left}{} + +%titlepage ohne sidebar +\makeatletter +\begin{frame}[plain] + \hspace*{-\beamer@sidebarwidth}% + \advance\textwidth by \beamer@sidebarwidth\relax + \beamer@sidebarwidth=\z@ + \begin{minipage}{\textwidth} + \vspace{1cm} + \maketitle + \end{minipage} + \footnote{\textcolor{orange}{Bild von \href{https://pixabay.com/de/users/thedigitalartist-202249/?utm_source=link-attribution&utm_medium=referral&utm_campaign=image&utm_content=2300772}{Pete Linforth} auf \href{https://pixabay.com/de//?utm_source=link-attribution&utm_medium=referral&utm_campaign=image&utm_content=2300772}{Pixabay}}} + 
+\end{frame} +\makeatother +\setbeamertemplate{background} + +\begin{frame} + \frametitle{Inhalt} + \textbf{\tableofcontents}%[hideothersubsections]} + \vspace{0.4cm} + \note{Abfrage: Wer von euch musste letztens die Probleme von den Kollegen lösen?} +\end{frame} + +%sidebar wiederherstellen +\setbeamertemplate{sidebar left}[sidebar theme] + +\section{Problemstellung} + +%\setbeamertemplate{blocks}[rounded][shadow=true] +\setbeamercolor{Kollege}{bg=DarkGreen} +\setbeamercolor{Azubi}{bg=teal} +\setbeamercolor{eingabe}{bg=gray} +\subsection{Der SSH Fehler} +\begin{frame}[t] + \frametitle{Die Fehler Beschreibung} + \only<1-4>{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege} + Ich kann mich nicht mehr mit meinem SSH-key mit den RHEL8-Servern verbinden, kannst du mal rauskriegen woran das liegt? Du magst doch SSH. + \end{beamercolorbox}} + \only<2-5>{\quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi} + Klar\\ + Was hast du für nen SSH-key?\\ + Wie lautet die Fehlermeldung? + \end{beamercolorbox}} + \only<3-6>{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege} + Ich hab nen normalen RSA-SSH-key und ich hab keine Fehlermeldung, es kommt nur die Passwort-Abfrage von dem Server + \end{beamercolorbox}} + \only<4-7>{\quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi} + Wie viele bits hat den dein RSA?\\ + Hast du mal \mintinline{bash}{ssh -v user@Server} oder \mintinline{bash}{ssh -oisdfhusiduh user@Server} versucht? 
+ \end{beamercolorbox}} + \only<5-7>{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege} + Na die default Größe und ich benutze Putty + \end{beamercolorbox}} + \only<6->{\quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi} + Ich schau es mir an \dots + \end{beamercolorbox}} + \only<7->{\begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege} + Aber deine Lösung muss idempotent sein und mit Ansible umsetzbar + \end{beamercolorbox}} +\begin{beamercolorbox}[wd=\textwidth,left,rounded=true]{eingabe} + \dots +\end{beamercolorbox} +\end{frame} + +\begin{frame} + \frametitle{Die Fehler Beschreibung} + \begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege} + Ich kann mich nicht mehr mit meinem SSH-key mit den RHEL8-Servern verbinden, kannst du mal rauskriegen woran das liegt? Du magst doch SSH. + \end{beamercolorbox} + \quad\quad\begin{beamercolorbox}[wd=0.9\textwidth,right,rounded=true]{Azubi} + Ich schau es mir an \dots + \end{beamercolorbox} + \begin{beamercolorbox}[wd=0.9\textwidth,left,rounded=true]{Kollege} + Aber deine Lösung muss idempotent sein und mit Ansible umsetzbar + \end{beamercolorbox} + \begin{beamercolorbox}[wd=\textwidth,left,rounded=true]{eingabe} + \dots + \end{beamercolorbox} +\end{frame} + +\setbeamercovered{transparent} +%\setbeamertemplate{blocks}[rounded][shadow=false] +\subsection{whoami} + \begin{frame} + \frametitle{whoami} + \begin{itemize} + \item{Bücherratten} + \item{39 Jahre} + \item{Pronomen: sie} + \item{Berufsbezeichnung: Fachinformatikerin für Systemintegration} + \item{Berufliches Themenfeld: Automatisierung mit Ansible} + \item{Linuxerin seit Kernel 2.6.24 (2009)} + \item{Zugehörigkeiten zu: Haecksen, LinuxWorks!, BeLUG, FSFE} + \end{itemize} + URL zu Folien und Handout: + \vspace{0.2cm} + \begin{columns} + \only{\begin{column}{0.2\textwidth} + \qrcode[hyperlink,height=1.5cm]{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree} + \end{column}} + 
\begin{column}{0.8\textwidth} + \url{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree} + \end{column} + \end{columns} +\end{frame} +\setbeamercovered{invisible} + \section{Einführung Crypto-Policies} + \subsection{bisherige Kryptographie Einstellungen} + +\begin{frame} + \frametitle{Krytpographie im System bisheriger Stand} + \framesubtitle{Abfrage} + Wer von euch: + \begin{itemize} + \item{hat den Überblick über alle Konfigurationsmöglichkeiten?} + \pause + \item{ist der Meinung das die Konfigurations Optionen bezüglich Crypto einheitlich sind?} + \pause + \item{findet es easy mal eben Systemweit zB SHA1 auszuschalten?} + \end{itemize} +\end{frame} + +\setbeamercovered{transparent} + +\begin{frame}[fragile] + \frametitle{Krytpographie im System bisheriger Stand} + \begin{itemize} + \item{jedes Tool hat eigene Crypto-Regeln} + \item{Crypto-Regeln in der Konfigurationsdatei des Tools definieren} + \end{itemize} + \pause + %\vspace{-0.3cm} + \begin{exampleblock}{Beispiel: SSH /etc/ssh/sshd.conf} + \begin{minted}{linux-config} +Ciphers aes128-ctr,aes192-ctr,aes256-ctr +HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 +KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256 +MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1 + \end{minted} + \end{exampleblock} + \note{Wenn zB. ssh auf SHA1-Algorithmen verzichtet, bedeutet das nicht das OpenSSL, davon weiß und auch darauf verzichtet} +\end{frame} + +\subsection{Die Idee hinter Crypto-Policies} + +\begin{frame} + \frametitle{Idee: ein Ort für Systemweite Crypto-Einstellungen} + \small{ + \begin{itemize} + \item{alle Crypto für TLS, IPsec, SSH, DNSSec, Kerberos, etc. 
wird über ein systemweites Tool eingestellt} + \item{Die Cipher Suite wird an einem Ort konfiguriert und überschreibt die Tool-Konfiguration} + \item{Crypto-Einstellungen in Konfigurations-Dateien werden wirkungslos} + \item{leichter zu maintainen, zu updaten, anzupassen} + \item{bisher in Fedora, RHEL, CentOS, OpenSuse, Oracle Linux, Ubuntu, Debian-sid(testing), ...} + \item{Entwicklung: + \begin{columns} + \only{\begin{column}{0.1\textwidth} + \qrcode[hyperlink,height=1cm]{https://gitlab.com/redhat-crypto/fedora-crypto-policies} + \end{column}} + \begin{column}{0.9\textwidth} + \url{https://gitlab.com/redhat-crypto/fedora-crypto-policies} + \end{column} + \end{columns}} + \item{Eigenentwicklung von RedHat, Idee findet jedoch Konsens in Community} + \end{itemize} + } + \vspace{0.5cm} +\end{frame} + +\subsection{Facts zu den Policies} +\begin{frame} + \frametitle{One tool to rule them all} + \small{ + Wofür können Crypto-policies momentan verwendet werden: + \begin{itemize} + \item{libssh SSH2 protocol implementation (scopes: libssh, SSH)} + \item{sequoia PGP, outside of rpm-sequoia (scopes: sequoia)} + \item{rpm-sequoia PGP backend (scopes: rpm, rpm-sequoia)} + \item{BIND DNS (scopes: BIND, DNSSec)} + \item{GnuTLS (scopes: GnuTLS, SSL, TLS)} + \item{Kerberos 5 (scopes: krb5, Kerberos)} + \item{Libreswan IPsec and IKE protocol implementation (scopes: libreswan, IPSec, IKE)} + \item{NSS TLS library (scopes: NSS, SSL, TLS)} + \item{OpenJDK runtime environment (scopes: java-tls, SSL, TLS)} + \item{OpenSSH SSH2 (scopes: OpenSSH, SSH)} + \item{OpenSSL TLS library (scopes: OpenSSL, SSL, TLS)} + \end{itemize}} + weitere Libraries sind in aktiver Entwicklung. 
+ \vspace{0.5cm} + \note{Crypto-Policies nutzen die Bibliotheken der Tools im Fall von SSH sind das libssh und OpenSSH als Optionen für Scopes.} +\end{frame} + +\begin{frame} + \frametitle{Arten von Policies} + \framesubtitle{Grob Überblick} + \begin{description} + \item[LEGACY] kompatibel mit RHEL 5 + \item[FUTURE] Vorhersage zu zukünftigen Bedrohungen *\textsuperscript{1} + \item[BSI] nach BSI Standardisierung TR-02102-2 (bisher erst in Fedora?) *\textsuperscript{2} + \item[FIPS] genügt FIPS 140 Anforderungen *\textsuperscript{3} + \item[DEFAULT] + \item[EMPTY] für Debugging deaktiviert alle Crypto + \end{description} + \pause + *\textsuperscript{1} fun fakt: Die RedHat Customer Portal API kann zur Zeit noch nicht mit Future.\\ + \pause + *\textsuperscript{2} \url{https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/policies/BSI.pol} + \note{*\textsuperscript{3} Amerikanische Zertifizierung für Kryptographie bezieht sich auf die Kryptographischen Teile eines Produkts im Gegensatz dazu CC (Common Criteria for Information Technology Security Evaluation) ist das Europäische Gegenstück bezieht sich auf Sicherheitsbezogene Themen nach ISO 15408} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Policies anzeigen und setzen} + \vspace{-0.5cm} + \begin{itemize} + \item{anzeigen: \mintinline{bash}{update-crypto-policies --show}} + \item{ändern: \mintinline{bash}{update-crypto-policies --set FUTURE:NO-SHA1}} + \begin{itemize} + \item{setzt die systemweiten Policies auf Future} + \item{unabhängig davon welche vorher aktiv war} + \item{Module dazu geladen: mit Doppelpunkt trennen, auch mehrfach} + \item{sind symbolische links von /etc/crypto-policies/back-ends nach /usr/share/crypto-policies.} + \item{generiert Backend Konfigurations-Dateien} + \end{itemize} + \item{deaktivieren} + \begin{itemize} + \item{Bei SSH über eine Variable in der Konfigurationsdatei (sshd.config) als opt-out} + \item{über die CLI mit cipher Optionen} + \end{itemize} + \item{nach 
Änderungen an den Policies wird ein Neustart empfohlen, weil evtl. viele Services betroffen sind} + \end{itemize} +\end{frame} + +\section{Problemlösungsweg} + +\subsection{Lösungsweg} +\begin{frame}[fragile] + \frametitle{erster Lösungsweg} + \framesubtitle{Was läuft hier?} + \begin{itemize} + \item{\mintinline{bash}{ssh -o } wird benötigt} + \pause + \item{Algorithmus-Änderungen in /etc/ssh/sshd\_config ohne Effekt} + \pause + \item{sshd-Unit?} +\begin{minted}[fontsize=\footnotesize,breakanywhere,escapeinside=||]{console} +[root@crypt-arbeit8 ~]# systemctl status sshd +* sshd.service - OpenSSH server daemon + Loaded: loaded (/usr/lib/systemd/system/sshd.service) + Active: active (running) since 6min ago + Docs: man:sshd(8) + man:sshd_config(5) + Main PID: 669 (sshd) + Tasks: 1 (limit: 11160) + Memory: 6.4M + CGroup: /system.slice/sshd.service + \-669 /usr/sbin/sshd -D |\colorbox{green}{-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2}| +\end{minted} + \end{itemize} +\end{frame} + +\begin{frame}[fragile] + \frametitle{erster Lösungsweg} + \framesubtitle{die mysteriöse Variable} + \begin{itemize} + \item{die Service Unit /usr/lib/systemd/system/sshd.service} + \begin{minted}[fontsize=\footnotesize,escapeinside=||]{linux-config} +[Unit] +Description=OpenSSH server daemon +Documentation=man:sshd(8) man:sshd_config(5) +After=network.target sshd-keygen.target +Wants=sshd-keygen.target +[Service] +Type=notify +EnvironmentFile=|\colorbox{green}{-/etc/crypto-policies/back-ends/opensshserver.config}| +EnvironmentFile=-/etc/sysconfig/sshd +ExecStart=/usr/sbin/sshd -D $OPTIONS |\colorbox{green}{\$CRYPTO\_POLICY}| +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartSec=42s +[Install] +WantedBy=multi-user.target + \end{minted} + \end{itemize} + \note{Realisiert werden Policies darüber, das die 
Variabel CRYPTOPOLICY beim Aufruf der Systemd Unit gefüllt werden} +\end{frame} + +\begin{frame}[fragile] + \frametitle{erster Lösungsweg} + \framesubtitle{das Backend} + \begin{itemize} + \item{\mintinline{bash}{update-crypto-policies --show}} + \item{FIPS} + \pause + \item{/etc/crypto-policies/back-ends/opensshserver.config bearbeitet} + \begin{minted}[fontsize=\footnotesize,breakanywhere]{linux-config} +CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha2-512 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512' + \end{minted} + \end{itemize} + \note{Einstellungen im Backend halten bis zum Reboot} +\end{frame} + +\subsection{Versprechung oder Werbung?} + +\begin{frame}[fragile] + \frametitle{Umfrage} + \framesubtitle{Eurer Meinung nach...} + Eine Man Page + \begin{itemize} + \item{ist die single source of truth um zu wissen was ein Programm kann, bzw nicht kann} + \pause + \item{stellt die ideale Funktionsweise 
einen Programms dar} + \pause + \item{ist der perfekte Ort um CLI-Nerds (rtfm) mit Werbung für ein Programm zu versorgen} + \pause + \item{enthält Programm Features, die noch nicht im Programm integiert sind} + \pause + \item{ist ein farbelhaftes Versprechen was ein Programm alles für Funktionen hat} + \pause + \item{ist keine Anleitung zu dem Programm} + \end{itemize} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Crypto-Policy Man-Page} + \vspace{-0.5cm} + \begin{minted}[fontsize=\scriptsize,escapeinside=||]{linux-config} + PROVIDED POLICIES + DEFAULT + The DEFAULT policy is a reasonable default policy for today's standards. It allows the TLS 1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted if larger than 2047 bits. + The level provides at least 112-bit security with the exception of SHA-1 signatures needed for DNSSec and other still prevalent legacy use of SHA-1 signatures. + - MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.) 
+ - Curves: all prime >= 255 bits (including Bernstein curves) + - Signature algorithms: with SHA-1 hash or better (no DSA) + - TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC) + - non-TLS Ciphers: as TLS Ciphers with added Camellia + - key exchange: ECDHE, RSA, DHE (no DHE-DSS) + - DH params size: >= 2048 + - |\colorbox{green}{RSA keys size: $>=$ 2048}| + - TLS protocols: TLS >= 1.2, DTLS >= 1.2 + \end{minted} + \vspace{-0.1cm} + \pause + \color{red}{überprüfen wir das mal \dots} +\end{frame} + +\begin{frame}[fragile] + \frametitle{ssh-key-size} + \framesubtitle{unter alma8} + \vspace{-0.2cm} + \begin{minted}[fontsize=\tiny,escapeinside=||]{console} +sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@crypt-arbeit8 +Number of key(s) added: 1 +sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_2048rsa.pub root@crypt-arbeit8 +Number of key(s) added: 1 +sibille@Libelle:~$ ssh root@crypt-arbeit8 +root@crypt-arbeit8:# update-crypto-policies --show +LEGACY +root@crypt-arbeit8:# update-crypto-policies --set Default +|\colorbox{green}{Setting system policy to DEFAULT}| +root@crypt-arbeit8:# reboot +sibille@Libelle:~$ ssh -i .ssh/crypt_1024rsa root@crypt-arbeit8 -v +debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1 +debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0 +debug1: Next authentication method: publickey +debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit +|\colorbox{red}{debug1: Server accepts key: .ssh/crypt\_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit}| +debug1: Authentication succeeded (publickey). +Authenticated to crypt-arbeit8 ([192.168.2.38]:22). 
+root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# exit +logout + \end{minted} + \vspace{0.5cm} +\end{frame} + +\begin{frame}[fragile] + \frametitle{ssh-key-size} + \framesubtitle{unter alma9} + \begin{minted}[fontsize=\tiny,escapeinside=||]{console} +sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@crypt-arbeit9 +Number of key(s) added: 1 +sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_2048rsa.pub root@crypt-arbeit9 +Number of key(s) added: 1 +sibille@Libelle:~$ ssh root@crypt-arbeit9 +root@crypt-arbeit9:# update-crypto-policies --showypto-policies --show +LEGACY +root@crypt-arbeit9:# update-crypto-policies --set Defaultlicies --set Default +|\colorbox{green}{Setting system policy to DEFAULT}| +root@crypt-arbeit9:# reboot +sibille@Libelle:~$ ssh -i .ssh/crypt_1024rsa root@crypt-arbeit9 -v +debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1 +debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit +debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password +|\colorbox{green}{debug1: Next authentication method: password}| +root@crypt-arbeit9's password: +sibille@Libelle:~$ ssh -i .ssh/crypt_2048rsa root@crypt-arbeit9 -v +debug1: Offering public key: .ssh/crypt_2048rsa RSA SHA256:g5pZruCXK0Ng2/xW37JDXqQrMCo/XLL4jfETuZNcMQs explicit +|\colorbox{green}{debug1: Server accepts key: .ssh/crypt\_2048rsa RSA SHA256:g5pZruCXK0Ng2/xW37JDXqQrMCo/XLL4jfETuZNcMQs explicit}| +debug1: Authentication succeeded (publickey). +Authenticated to crypt-arbeit9 ([192.168.2.107]:22). + \end{minted} +\end{frame} + +\begin{frame} + \frametitle{Versprechung oder Werbung?} + \framesubtitle{ssh-key-size} + \small{% + \begin{proof}\phantom{\qedhere} + AlmaLinux8 hat noch eine ältere ssh Version, diese kennt die Option \textcolor{red}{RequiredRSASize} noch nicht. 
+ \begin{block}{Auszug aus der ssh manpage AlmaLinux9} + RequiredRSASize\\ + Specifies the minimum RSA key size (in bits) that sshd(8) will accept. User and host-based authentication keys smaller than this limit will be refused. The default is 1024 bits. Note that this limit may only be raised from the default. + \end{block} + Dadurch sind die Optionen min\_rsa\_size in der Crypto-Policy für OpenSSH in AlmaLinux8 wirkungslos. + \end{proof}} + \pause + Nach Aussage von Red Hat, haben sie OpenSSH auf RHEL8 extra gepatched\dots \pause Ich hab einen Patch in Fedora 37 gefunden, in den Paketen von AlmaLinux und Rocky Linux jedoch nicht. + \note{In Alma- und Rocky Linux tritt der gleiche Fehler auf, jedoch nicht in Fedora 37} +\end{frame} + +\section{Problemlösungs\-möglichkeiten} + +\subsection{Policy Hand made} + +\subsubsection{configuration Parameter} +\begin{frame} + \frametitle{Konfigurations-Parameter} + \footnotesize{ + möglich Parameter innerhalb von Konfigurationsdateien: + \begin{itemize} + \item{Liste erlaubter:} + \begin{description} + \item[mac:] MAC Algorithmen + \item[group:] Gruppen oder elliptic curves für key exchanges + \item[hash:] cryptographic hash (message digest) + \item[sign:] signature + \item[cipher:] symmetric encryption Algorithmen(inkl. 
modes) + \item[key\_exchange:] key exchange algorithms + \item[protocol:] TLS, DTLS and IKE Protokoll Versions.\\ einige Backends erlauben kein selektives deaktivieren von Protokoll Versionen + \end{description} +\item{minimale Anzahl der Bits für:} + \begin{description} + \item[min\_dh\_size:] parameters for DH key exchange + \item[min\_dsa\_size:] DSA keys + \item[min\_rsa\_size:] RSA keys + \end{description} + \item{binärer Werte:} + \begin{description} + \item[sha1\_in\_certs:] 1 SHA1 erlaubt in certificate signatures + \item[arbitrary\_dh\_groups:] 1 arbitrary group in Diffie-Hellman erlaubt + \item[ssh\_certs:] 1 OpenSSH certificate authentication erlaubt, + \item[ssh\_etm:] 1 OpenSSH EtM (encrypt-then-mac) extension erlaubt + \end{description} + \end{itemize}} +\end{frame} + +\begin{frame} + \frametitle{Konfigurations-Parameter} + \framesubtitle{auf Bereiche eingrenzen} + Konfiguration auf bestimmte Backends (scopes) eingrenzen + \begin{itemize} + \item{option@scope1,scope2 = ...} + \begin{itemize} + \item{\mintinline{linux-config}{cipher@SSH = -*-CBC}} + \end{itemize} + \item{negierung mit option@!scope} + \item{scope ist case-insensitive} + \item{scopes sind bevorzugte schreibweise} + \item{die Reihenfolge der Crypto ist wichtig, was zuerst steht wird priorisiert} + \item{Reihenfolge der Optionen ist vorgegeben} + \end{itemize} + \pause + wichtige scopes für ssh: + \begin{itemize} + \item{OpenSSH SSH2 (scopes: OpenSSH, SSH)} + \item{libssh SSH2 protocol implementation (scopes: libssh, SSH)} + \end{itemize} +\end{frame} + +\subsubsection{policy Definition vom Scratch} +\begin{frame} + \frametitle{Policy Definition Hand-Made} + \begin{itemize} + \item{im Ordner /etc/crypto-policies/policies oder /usr/share/crypto-policies/policies} + \item{Dateiname muss GROSS geschrieben werden} + \item{Dateiextention ist .pol} + \end{itemize} +\end{frame} + +\begin{frame}[fragile,shrink] + \frametitle{policy from scratch} + \framesubtitle{Beispiel FIPS (stark gekürzt)} + 
\begin{minted}[fontsize=\scriptsize]{linux-config} +mac = AEAD HMAC-SHA2-256 HMAC-SHA2-384 +group = SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 +hash = SHA2-256 SHA2-384 SHA2-512 SHA2-224 +sign = ECDSA-SHA3-256 ECDSA-SHA2-256 +cipher = AES-256-GCM AES-256-CCM AES-256-CTR +cipher@TLS = AES-256-GCM AES-256-CCM AES-128-GCM +# Kerberos is an exception, +#allow CBC CTS ciphers no other options +cipher@Kerberos = AES-256-CBC AES-128-CBC +key_exchange = ECDHE DHE DHE-RSA PSK DHE-PSK +protocol@TLS = TLS1.3 TLS1.2 DTLS1.2 +protocol@IKE = IKEv2 +# Parameter sizes +min_dh_size = 2048 +min_dsa_size = 2048 # DSA is disabled +min_rsa_size = 2048 +# GnuTLS only for now +sha1_in_certs = 0 +arbitrary_dh_groups = 1 +ssh_certs = 1 +ssh_etm = 1 + \end{minted} + \vspace{-0.3cm} +\end{frame} + +\subsubsection{Policy Module - Hand made} +\begin{frame} + \frametitle{Mit Modulen bestehende Policies erweitern} + \begin{itemize} + \item{im Ordner /etc/crypto-policies/policies/modules oder /usr/share/crypto-policies/policies/modules} + \item{Dateiname muss GROSS geschrieben werden} + \item{Dateiextention ist .pmod } + \item{mit - (minus) Parameter entfernen} + \item{* ist wildcard} + \item{Konfiguration erlaubt (noch) vollständiges Überschreiben der key-exchange Parameter (von ECDHE keys)} + \end{itemize} +\end{frame} + +\begin{frame}[fragile,shrink] + \frametitle{Policy-Module} + \framesubtitle{Beispiel AES-128-Module} + \begin{minted}{linux-config} +# Disable the AES-128 cipher, all modes +cipher = -AES-128-* + +# Disable CHACHA20-POLY1305 for the TLS protocol (OpenSSL, GnuTLS, NSS, and OpenJDK) +cipher@TLS = -CHACHA20-POLY1305 + +# Allow using the FFDHE-1024 group with the SSH protocol (libssh and OpenSSH) +group@SSH = FFDHE-1024+ + +# Disable all CBC mode ciphers for the SSH protocol (libssh and OpenSSH) +cipher@SSH = -*-CBC +# Allow the AES-256-CBC cipher in applications using libssh +cipher@libssh = AES-256-CBC+ + \end{minted} + \vspace{0.5cm} +\end{frame} + +\subsection{Crypto-Policies 
und Ansible} +\begin{frame}[shrink] + \frametitle{Ansible-Role: Crypto-Policies} + Rolle: \textcolor{red}{linux-system-roles.crypto\_policies}\\ + \vspace{-0.3cm} + \begin{columns} + \only{\begin{column}{0.1\textwidth} + \qrcode[hyperlink,height=1cm]{https://galaxy.ansible.com/linux-system-roles/crypto_policies} + \end{column}} + \begin{column}{0.9\textwidth} + \url{https://galaxy.ansible.com/linux-system-roles/crypto_policies} + \end{column} + \end{columns} + Variablen: + \begin{description} + \item[crypto\_policies\_policy] Spezifizierung der Policy und Module + \item[crypto\_policies\_available\_policies] Liste der vorhandenen Policies + \item[crypto\_policies\_available\_subpolicies] Liste der vorhanden Module + \item[crypto\_policies\_reload] ob direkt nach dem Setzen der Policy die Services neu gestartet werden + \item[crypto\_policies\_reboot\_ok] ob das System neu gestartet wird + \item[crypto\_policies\_reboot\_required] wird von der Rolle gesetzt wenn Neustart des Systems erforderlich + \end{description} + \pause + Was die Rolle noch nicht kann: + \begin{itemize} + \item{Customized Module erstellen} + \item{Customized Policies erstellen} + \end{itemize} + \vspace{0.5cm} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Ansible-Role: Crypto-Policies} + \framesubtitle{Beispiel-Playbook} + \begin{minted}[linenos,numbersep=2pt]{yaml} +- name: Manage crypto policies + hosts: all + roles: + role: linux-system-roles.crypto_policies + vars: + crypto_policies_policy: "DEFAULT:NO-SHA1" + crypto_policies_reload: false + \end{minted} + Ist das gleiche wie: + \begin{minted}{bash} + update-crypto-policies --set DEFAULT:NO-SHA1 + \end{minted} +\end{frame} + +\section{Ende} +\begin{frame} + \frametitle{Resoucen zum Recherchieren} + \begin{itemize} + \item{man crypto-policies} + \item{man update-crypto-policies} + \item{Vorträge:} + \begin{itemize} + \item{\url{https://www.youtube.com/watch?v=NLSm8Kqd5N0}} + 
\item{\url{https://ftp.belnet.be/mirror/FOSDEM/video/2020/UA2.114/security_custom_crypto_policies.webm}} + \end{itemize} + \item{interaktives Lab: + \begin{columns} + \only{\begin{column}{0.1\textwidth} + \qrcode[hyperlink,height=1cm]{https://www.redhat.com/en/interactive-labs/customize-system-wide-cryptographic-policy} + \end{column}} + \begin{column}{0.9\textwidth} + \url{https://www.redhat.com/en/interactive-labs/customize-system-wide-cryptographic-policy} + \end{column} + \end{columns}} + \item{Entwicklungs Repo: + \begin{columns} + \only{\begin{column}{0.1\textwidth} + \qrcode[hyperlink,height=1cm]{https://gitlab.com/redhat-crypto/fedora-crypto-policies/} + \end{column}} + \begin{column}{0.9\textwidth} + \url{https://gitlab.com/redhat-crypto/fedora-crypto-policies/} + \end{column} + \end{columns}} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Ende} + \begin{center} + \Huge{Danke fürs zuhören und mitmachen!}\\ + Gibt es noch Fragen? + \vspace{0.5cm}\\ + \normalsize{Bücherratten} + \end{center} + \vspace{-0.5cm} + \begin{columns} + \only{\begin{column}{0.2\textwidth} + \qrcode[hyperlink,height=1.5cm,nolink]{ratten@buecherratten.in-berlin.de} + \end{column}} + \begin{column}{0.8\textwidth} + ratten@buecherratten.in-berlin.de + \end{column} + \end{columns} + URL zu Folien und Handout: + \vspace{0.2cm} + \begin{columns} + \only{\begin{column}{0.2\textwidth} + \qrcode[hyperlink,height=1.5cm]{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree} + \end{column}} + \begin{column}{0.8\textwidth} + \url{http://git.tuxteam.de/gitweb/?p=susannes-git/Crypto-Policy-Vortrag.git;a=tree} + \end{column} + \end{columns} +\end{frame} + +\section{Handout} +\subsection{policies overview} +\begin{frame} + \frametitle{Welche Policies gibt es?} + \framesubtitle{LEGACY} + \vspace{-0.2cm} + \scriptsize{ + \begin{block}{LEGACY} + \begin{itemize} + \item{maximale Kompatibilität mit älteren Systemen} + \item{weniger sicher} + \item{Support für TLS 1.0, 
TLS 1.1, und SSH2} + \item{erlaubt DSA und 3DES} + \item{RSA and Diffie-Hellman Parameter $>$ 1024 Bit} + \item{mindestens 64-bit Sicherheit} + \end{itemize} + \vspace{-0.2cm} + \begin{description} + \item[MACs:] all HMAC with SHA-1 or $>$ + all modern MACs (Poly1305 etc.) + \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves) + \item[Signature algorithms:] with SHA1 hash or better (DSA allowed) + \item[TLS Ciphers:] all $>=$ 112-bit key, $>=$ 128-bit block (incl. 3DES, no RC4) + \item[Non-TLS Ciphers:] same as TLS ciphers with added Camellia + \item[Key exchange:] ECDHE, RSA, DHE + \item[DH params size:] $>=$ 1023 + \item[RSA keys size:] $>=$ 1023 + \item[DSA params size:] $>=$ 1023 + \item[TLS protocols:] TLS $>=$ 1.0, DTLS $>=$ 1.0 + \end{description} + \end{block} + } + \vspace{0.5cm} +\end{frame} + +\begin{frame} + \frametitle{Welche Policies gibt es?} + \framesubtitle{DEFAULT} + \scriptsize{ + \begin{block}{DEFAULT} + \begin{itemize} + \item{ist heutiger Standard} + \item{erlaubt TLS 1.2, TLS 1.3, IKEv2 und SSH2} + \item{akzeptiert Diffie-Hellman Parameter $>$ 2048 Bits} + \item{mindestens 112-Bit Sicherheit} + \item{Ausnahmsweise sind SHA-1 Signaturen in DNSSec erlaubt} + \end{itemize} + \begin{description} + \item[MACs:] all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.) 
+ \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves) + \item[Signature algorithms:] with SHA-1 hash or better (no DSA) + \item[TLS Ciphers:] $>=$ 128-bit key, $>=$ 128-bit block (AES, ChaCha20, including AES-CBC) + \item[non-TLS Ciphers:] as TLS Ciphers with added Camellia + \item[key exchange:] ECDHE, RSA, DHE (no DHE-DSS) + \item[DH params size:] $>=$ 2048 + \item[RSA keys size:] $>=$ 2048 + \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2 + \end{description} + \end{block} + } + \vspace{0.5cm} +\end{frame} + +\begin{frame} + \frametitle{Welche Policies gibt es?} + \framesubtitle{FUTURE} + \tiny{ + \begin{block}{FUTURE} + \begin{itemize} + \item{Konservative Policy} + \item{Vermutung, das sie zukünftigen Angriffen widersteht, auf Kosten der Kompatibilität} + \item{es kann Kommunikation mit vielen Systemen verhindern, die schwächere Kryptographie verwenden} + \item{ es sind keine SHA-1 in Signaturen erlaubt} + \item{es wird eine (unvollständige) Post-Quanten Kryptographie unterstützt} + \item{Unterstützung von 256-Bit symmetrischer Verschlüsselung} + \item{RSA and Diffie-Hellman Parameter länger als 3071 Bits} + \item{mindestens 128-Bit Sicherheit} + \end{itemize} + \begin{description} + \item[MACs:] all HMAC with SHA-256 or $>$ + all modern MACs (Poly1305 etc.) 
+ \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves)
+ \item[Signature algorithms:] with SHA-256 hash or better (no DSA)
+ \item[TLS Ciphers:] $>=$ 256-bit key, $>=$ 128-bit block, only Authenticated Encryption (AE) ciphers, no CBC ciphers
+ \item[non-TLS Ciphers:] same as TLS ciphers with added non AE ciphers, CBC ones enabled only in Kerberos
+ \item[key exchange:] ECDHE, DHE (no DHE-DSS, no RSA)
+ \item[DH params size:] $>=$ 3072
+ \item[RSA keys size:] $>=$ 3072
+ \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2
+ \end{description}
+ \end{block}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Welche Policies gibt es?}
+ \framesubtitle{FIPS}
+ \scriptsize{
+\begin{block}{FIPS}
+ \begin{itemize}
+ \item{Kompatible zu den FIPS 140-2 Voraussetzungen}
+ \item{wird für fips-mode-setup verwendet}
+ \item{bietet mindestens 112-Bit Sicherheit}
+ \end{itemize}
+ \begin{description}
+ \item[MACs:] all HMAC with SHA1 or better
+ \item[Curves:] all prime $>=$ 256 bits
+ \item[Signature algorithms:] with SHA-256 hash or better (no DSA)
+ \item[TLS Ciphers:] $>=$ 128-bit key, $>=$ 128-bit block (AES, including AES-CBC)
+ \item[non-TLS Ciphers:] same as TLS Ciphers
+ \item[key exchange:] ECDHE, DHE (no DHE-DSS, no RSA)
+ \item[DH params size:] $>=$ 2048
+ \item[RSA params size:] $>=$ 2048
+ \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2
+ \end{description}
+\end{block}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Die BSI-Policy}
+ \tiny{
+ \begin{block}{BSI}
+ \begin{itemize}
+ \item{Author: Marcus Meissner von OpenSuse}
+ \item{Grundlage des BSI Standarts TR 02102 \url{https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.html}}
+ \item{Empfehlungen des BSI werden regelmäßig geupdated}
+ \item{unvollständige Unterstützung für Post-Quanten Kryptographie}
+ \item{128 Bit Sicherheit (ausser RSA)}
+ \item{erlaubt kein SHA1 (auser DNSSEC und RPM)}
+ \item{Beachtet 
Chacha20 and Camellia werden nicht vom BSI empfohlen} + \end{itemize} + \begin{description} + \item[MACs:] all HMAC with SHA-256 or better + all modern MACs + \item[Curves:] all prime $>=$ 255 bits (including Bernstein curves) + \item[Signature algorithms:] with SHA-256 hash or better (no DSA) + \item[TLS Ciphers:] $>=$ 256-bit key, $>=$ 128-bit block, only Authenticated + \item[Encryption] (AE) ciphers + \item[non-TLS Ciphers:] same as TLS ciphers with added non AE ciphers + \item[key exchange:] ECDHE, DHE (no DHE-DSS, no RSA) + \item[DH params size:] $>=$ 3072 + \item[RSA keys size:] $>=$ 2048 (until end of 2023, then it will switch to 3072) + \item[TLS protocols:] TLS $>=$ 1.2, DTLS $>=$ 1.2 + \end{description} + \end{block} + } +\end{frame} + +\begin{frame} + \frametitle{Welche Policies gibt es?} + \framesubtitle{NEXT und EMPTY} + \begin{block}{NEXT} + nur für Fedora, ähnlich wie RHEL-8 Default, daher Alias für Default + \end{block} +\begin{block}{EMPTY} + Alle Kryptographischen Algorithmen sind deaktiviert, soll nur für Debugging genutzt werden +\end{block} +\end{frame} + +\begin{frame} + \frametitle{Deaktivierte Cipher suites} + \begin{itemize} + \item{DH with parameters $<$ 1024 bits} + \item{RSA with key size $<$ 1024 bits} + \item{Camellia} + \item{RC4} + \item{ARIA} + \item{SEED} + \item{IDEA} + \item{TLS CBC mode ciphersuites using SHA-384 HMAC} + \item{AES-CCM8} + \item{all ECC curves incompatible with TLS 1.3, including secp256k1} + \item{IKEv1} + \end{itemize} + diese können jedoch aktiviert werden + \end{frame} + +\subsection{Konfigurations Dateien} +\begin{frame} + \frametitle{Konfigurations Dateien} + \scriptsize{ + \begin{description} + \item[/etc/crypto-policies/back-ends] Back-End Config-Dateien, verlinkt zur Package Crypto-Policies, es sei den local.d -Konfiguration wurde hinzugefügt + \item[/etc/crypto-policies/config] Beinhaltet Namen der aktiven Cryto-Policies + \item[/etc/crypto-policies/local.d] weitere Konfiguration, entweder Package 
basierend, oder vom Admin erstellt. Die back-end.config wird angehängt, wie ausgeliefert, vom Packet.
+ \item[/usr/share/crypto-policies/policies] Policy Definitions Datei
+ \item[/usr/share/crypto-policies/policies/modules] Unter Definitions Dateien
+ \item[/etc/crypto-policies/policies] Änderungen der Policy-Definitionen des System Admins
+ \item[/etc/crypto-policies/policies/modules] Änderungen der Unter-Policy-Definitionen des System Admins
+ \item[/usr/share/crypto-policies/$<$POLICYNAME$>$] generierte Datei des back-ends für die Policy POLICYNAME
+ \end{description}
+ }
+ \vspace{0.5cm}
+\end{frame}
+
+
+\end{document}
diff --git a/ssh_key_size_bug.log b/ssh_key_size_bug.log
new file mode 100644
index 0000000..0686bd4
--- /dev/null
+++ b/ssh_key_size_bug.log 
@@ -0,0 +1,460 @@ +Script started on 2023-11-05 15:46:43+00:00 [TERM="xterm-256color" TTY="/dev/pts/0" COLUMNS="239" LINES="64"] +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh-keygen -t rsa -b 1024 -f ~/.ssh/crypt_1024rsa +[?2004l Generating public/private rsa key pair. +Enter passphrase (empty for no passphrase): +Enter same passphrase again: +Your identification has been saved in /home/sibille/.ssh/crypt_1024rsa +Your public key has been saved in /home/sibille/.ssh/crypt_1024rsa.pub +The key fingerprint is: +SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI sibille@Libelle +The key's randomart image is: ++---[RSA 1024]----+ +| ooEo+oooooo | +| . ..= . +oo. | +| . . o..o | +| ..oo... | +| S o..+o..| +| . . .+.| +| +.. .o| +| o++.o++| +| .+*=++.O| ++----[SHA256]-----+ +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@crypt-arbeit8 +[?2004l /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/sibille/.ssh/crypt_1024rsa.pub" +/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed +/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys + root@crypt-arbeit8's password: + +Number of key(s) added: 1 + +Now try logging into the machine, with: "ssh 'root@crypt-arbeit8'" +and check to make sure that only the key(s) you wanted were added. + +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@crypt-arbeit89 +[?2004l /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/sibille/.ssh/crypt_1024rsa.pub" +/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed +/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys + root@crypt-arbeit9's password: +Permission denied, please try again. 
+ root@crypt-arbeit9's password: + +Number of key(s) added: 1 + +Now try logging into the machine, with: "ssh 'root@crypt-arbeit9'" +and check to make sure that only the key(s) you wanted were added. + +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh root@crypt-arbeit8 +[?2004l root@crypt-arbeit8's password: +Last login: Sun Nov 5 10:45:31 2023 from 192.168.2.14 +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# cat /etc/os-release +NAME="AlmaLinux" +VERSION="8.8 (Sapphire Caracal)" +ID="almalinux" +ID_LIKE="rhel centos fedora" +VERSION_ID="8.8" +PLATFORM_ID="platform:el8" +PRETTY_NAME="AlmaLinux 8.8 (Sapphire Caracal)" +ANSI_COLOR="0;34" +LOGO="fedora-logo-icon" +CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos" +HOME_URL="https://almalinux.org/" +DOCUMENTATION_URL="https://wiki.almalinux.org/" +BUG_REPORT_URL="https://bugs.almalinux.org/" + +ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8" +ALMALINUX_MANTISBT_PROJECT_VERSION="8.8" +REDHAT_SUPPORT_PRODUCT="AlmaLinux" +REDHAT_SUPPORT_PRODUCT_VERSION="8.8" +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# systupdate-crypto-policies --show +FUTURE +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# update-crypto-policies --showet DEFAULT +Setting system policy to DEFAULT +Note: System-wide crypto policies are applied on application start-up. +It is recommended to restart the system for the change of policies +to fully take place. +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# reboot +Connection to crypt-arbeit8 closed by remote host. +Connection to crypt-arbeit8 closed. +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh root@crypt-arbeit8crypt-arbeit8crypt-arbeit8crypt-arbeit8crypt-arbeit8crypt-arbeit8crypt-arbeit8crypt-arbeit8crypt-arbeit8crypt-arbeit8pcrypt-arbeit8icrypt-arbeit8ncrypt-arbeit8gcrypt-arbeit8 crypt-arbeit8 +[?2004l PING crypt-arbeit8.lan (192.168.2.38) 56(84) bytes of data. 
+64 bytes from 192.168.2.38 (192.168.2.38): icmp_seq=8 ttl=64 time=2.49 ms +^C +--- crypt-arbeit8.lan ping statistics --- +8 packets transmitted, 1 received, 87.5% packet loss, time 7149ms +rtt min/avg/max/mdev = 2.490/2.490/2.490/0.000 ms +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ping crypt-arbeit8ssh root@crypt-arbeit8-root@crypt-arbeit8iroot@crypt-arbeit8 root@crypt-arbeit8~root@crypt-arbeit8/root@crypt-arbeit8.root@crypt-arbeit8sroot@crypt-arbeit8sroot@crypt-arbeit8h/root@crypt-arbeit8croot@crypt-arbeit8root@crypt-arbeit8yptroot@crypt-arbeit8_root@crypt-arbeit81root@crypt-arbeit8024root@crypt-arbeit8root@crypt-arbeit8saroot@crypt-arbeit8 root@crypt-arbeit8 +[?2004l Last login: Sun Nov 5 10:48:31 2023 from 192.168.2.14 +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# exit +logout +Connection to crypt-arbeit8 closed. +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v +[?2004l OpenSSH_8.4p1 Debian-5+deb11u2, OpenSSL 1.1.1w 11 Sep 2023 +debug1: Reading configuration data /home/sibille/.ssh/config +debug1: Reading configuration data /etc/ssh/ssh_config +debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files +debug1: /etc/ssh/ssh_config line 21: Applying options for * +debug1: Connecting to crypt-arbeit8 [192.168.2.38] port 22. +debug1: Connection established. 
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa type 0 +debug1: identity file /home/sibille/.ssh/crypt_1024rsa-cert type -1 +debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u2 +debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0 +debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000 +debug1: Authenticating to crypt-arbeit8:22 as 'root' +debug1: SSH2_MSG_KEXINIT sent +debug1: SSH2_MSG_KEXINIT received +debug1: kex: algorithm: curve25519-sha256 +debug1: kex: host key algorithm: ecdsa-sha2-nistp256 +debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none +debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none +debug1: expecting SSH2_MSG_KEX_ECDH_REPLY +debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WTB/KjAiMUe/RHDAvtFkujZ2O3+4UXjHTB0vb4bZAWg +debug1: Host 'crypt-arbeit8' is known and matches the ECDSA host key. +debug1: Found key in /home/sibille/.ssh/known_hosts:57 +debug1: rekey out after 134217728 blocks +debug1: SSH2_MSG_NEWKEYS sent +debug1: expecting SSH2_MSG_NEWKEYS +debug1: SSH2_MSG_NEWKEYS received +debug1: rekey in after 134217728 blocks +debug1: Will attempt key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: SSH2_MSG_EXT_INFO received +debug1: kex_input_ext_info: server-sig-algs= +debug1: SSH2_MSG_SERVICE_ACCEPT received +debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password +debug1: Next authentication method: gssapi-with-mic +debug1: Unspecified GSS failure. Minor code may provide more information +No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) + + +debug1: Unspecified GSS failure. 
Minor code may provide more information +No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) + + +debug1: Next authentication method: publickey +debug1: Offering public key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: Server accepts key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: Authentication succeeded (publickey). +Authenticated to crypt-arbeit8 ([192.168.2.38]:22). +debug1: channel 0: new [client-session] +debug1: Requesting no-more-sessions@openssh.com +debug1: Entering interactive session. +debug1: pledge: network +debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 +debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding +debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding +debug1: Sending environment. +debug1: Sending env LANG = de_DE.UTF-8 +Last login: Sun Nov 5 10:49:47 2023 from 192.168.2.14 +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# exitrebootupdate-crypto-policies --set DEFAULThow +DEFAULT +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# man crypto-policies +man: can't set the locale; make sure $LC_* and $LANG are correct +[?1049h[?1h= CRYPTO-POLICIES(7) CRYPTO-POLICIES(7) + +NAME + crypto-policies - system-wide crypto policies overview + +DESCRIPTION + The security of cryptographic components of the operating system does not remain constant over time. Algorithms, such as cryptographic hashing and encryption, typically have a lifetime, after which they are considered either + too risky to use or plain insecure. That means, we need to phase out such algorithms from the default settings or completely disable them if they could cause an irreparable problem. 
+ + While in the past the algorithms were not disabled in a consistent way and different applications applied different policies, the system-wide crypto-policies followed by the crypto core components allow consistently + deprecating and disabling algorithms system-wide. + + Several preconfigured policies (DEFAULT, LEGACY, FUTURE, and FIPS) and subpolicies are included in the crypto-policies(7) package. System administrators or third-party vendors can define custom policies. + + For rationale, see RFC 7457 for a list of attacks taking advantage of legacy crypto algorithms. + +COVERED APPLICATIONS + Crypto-policies apply to the configuration of the core cryptographic subsystems, covering TLS, IKE, IPSec, DNSSec, and Kerberos protocols; i.e., the supported secure communications protocols on the base operating system. + + Once an application runs in the operating system, it follows the default or selected policy and refuses to fall back to algorithms and protocols not within the policy, unless the user has explicitly requested the application + to do so. That is, the policy applies to the default behavior of applications when running with the system-provided configuration but the user can override it on an application-specific basis. 
+ + The policies currently provide settings for these applications and libraries: + + o BIND DNS name server daemon (scopes: BIND, DNSSec) + + o GnuTLS TLS library (scopes: GnuTLS, SSL, TLS) + + o OpenJDK runtime environment (scopes: java-tls, SSL, TLS) + + o Kerberos 5 library (scopes: krb5, Kerberos) + + o Libreswan IPsec and IKE protocol implementation (scopes: libreswan, IPSec, IKE) + + o NSS TLS library (scopes: NSS, SSL, TLS) + + o OpenSSH SSH2 protocol implementation (scopes: OpenSSH, SSH) + + o OpenSSL TLS library (scopes: OpenSSL, SSL, TLS) + + o libssh SSH2 protocol implementation (scopes: libssh, SSH) + + Applications using the above libraries and tools are covered by the cryptographic policies unless they are explicitly configured otherwise. + +PROVIDED POLICIES + LEGACY + This policy ensures maximum compatibility with legacy systems; it is less secure and it includes support for TLS 1.0, TLS 1.1, and SSH2 protocols or later. The algorithms DSA, 3DES, and RC4 are allowed, while RSA and + Diffie-Hellman parameters are accepted if larger than 1023 bits. This policy provides at least 64-bit security. + + o MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.) 
+ + o Curves: all prime >= 255 bits (including Bernstein curves) + + o Signature algorithms: with SHA1 hash or better (DSA allowed) + + o TLS Ciphers: all available >= 112-bit key, >= 128-bit block (including RC4 and 3DES) + + o Non-TLS Ciphers: same as TLS ciphers with added Camellia + + o Key exchange: ECDHE, RSA, DHE + + o DH params size: >= 1023 + + Manual page crypto-policies(7) line 1 (press h for help or q to quit)  ESCESCOOBB  o RSA keys size: >= 1023 + Manual page crypto-policies(7) line 2 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 3 (press h for help or q to quit)  ESCESCOOBB  o DSA params size: >= 1023 + Manual page crypto-policies(7) line 4 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 5 (press h for help or q to quit)  ESCESCOOBB  o TLS protocols: TLS >= 1.0, DTLS >= 1.0 + Manual page crypto-policies(7) line 6 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 7 (press h for help or q to quit)  ESCESCOOBB  DEFAULT + Manual page crypto-policies(7) line 8 (press h for help or q to quit)  ESCESCOOBB  The DEFAULT policy is a reasonable default policy for today's standards. It allows the TLS 1.2 and TLS 1.3 protocols, as well as IKEv2 and SSH2. The RSA and Diffie-Hellman parameters are accepted if larger than 2047 bits. + Manual page crypto-policies(7) line 9 (press h for help or q to quit)  ESCESCOOBB  The level provides at least 112-bit security with the exception of SHA-1 signatures needed for DNSSec and other still prevalent legacy use of SHA-1 signatures. + Manual page crypto-policies(7) line 10 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 11 (press h for help or q to quit)  ESCESCOOBB  o MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.) 
+ Manual page crypto-policies(7) line 12 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 13 (press h for help or q to quit)  ESCESCOOBB  o Curves: all prime >= 255 bits (including Bernstein curves) + Manual page crypto-policies(7) line 14 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 15 (press h for help or q to quit)  ESCESCOOBB  o Signature algorithms: with SHA-1 hash or better (no DSA) + Manual page crypto-policies(7) line 16 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 17 (press h for help or q to quit)  ESCESCOOBB  o TLS Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC) + Manual page crypto-policies(7) line 18 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 19 (press h for help or q to quit)  ESCESCOOBB  o non-TLS Ciphers: as TLS Ciphers with added Camellia + Manual page crypto-policies(7) line 20 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 21 (press h for help or q to quit)  ESCESCOOBB  o key exchange: ECDHE, RSA, DHE (no DHE-DSS) + Manual page crypto-policies(7) line 22 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 23 (press h for help or q to quit)  ESCESCOOBB  o DH params size: >= 2048 + Manual page crypto-policies(7) line 24 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 25 (press h for help or q to quit)  ESCESCOOBB  o RSA keys size: >= 2048 + Manual page crypto-policies(7) line 26 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 27 (press h for help or q to quit)  ESCESCOOBB  o TLS protocols: TLS >= 1.2, DTLS >= 1.2 + Manual page crypto-policies(7) line 28 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 29 (press h for help or q to quit)  ESCESCOOBB  FUTURE + Manual page crypto-policies(7) line 30 (press h 
for help or q to quit)  ESCESCOOBB  A conservative security policy that is believed to withstand any near-term future attacks. This policy does not allow the use of SHA-1 in signature algorithms. The policy also provides some (not complete) preparation for + Manual page crypto-policies(7) line 31 (press h for help or q to quit)  ESCESCOOBB  post-quantum encryption support in form of 256-bit symmetric encryption requirement. The RSA and Diffie-Hellman parameters are accepted if larger than 3071 bits. This policy provides at least 128-bit security. + Manual page crypto-policies(7) line 32 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 33 (press h for help or q to quit)  ESCESCOOBB  o MACs: all HMAC with SHA-256 or better + all modern MACs (Poly1305 etc.) + Manual page crypto-policies(7) line 34 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 35 (press h for help or q to quit)  ESCESCOOBB  o Curves: all prime >= 255 bits (including Bernstein curves) + Manual page crypto-policies(7) line 36 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 37 (press h for help or q to quit)  ESCESCOOBB  o Signature algorithms: with SHA-256 hash or better (no DSA) + Manual page crypto-policies(7) line 38 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 39 (press h for help or q to quit)  ESCESCOOBB  o TLS Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated Encryption (AE) ciphers, no CBC ciphers + Manual page crypto-policies(7) line 40 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 41 (press h for help or q to quit)  ESCESCOOBB  o non-TLS Ciphers: same as TLS ciphers with added non AE ciphers, CBC ones enabled only in Kerberos + Manual page crypto-policies(7) line 42 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 43 (press h for help or q to quit)  ESCESCOOBB  o key 
exchange: ECDHE, DHE (no DHE-DSS, no RSA) + Manual page crypto-policies(7) line 44 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 45 (press h for help or q to quit)  ESCESCOOBB  o DH params size: >= 3072 + Manual page crypto-policies(7) line 46 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 47 (press h for help or q to quit)  ESCESCOOBB  o RSA keys size: >= 3072 + Manual page crypto-policies(7) line 48 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 49 (press h for help or q to quit)  ESCESCOOBB  o TLS protocols: TLS >= 1.2, DTLS >= 1.2 + Manual page crypto-policies(7) line 50 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 51 (press h for help or q to quit)  ESCESCOOBB  FIPS + Manual page crypto-policies(7) line 52 (press h for help or q to quit)  ESCESCOOBB  A policy to aid conformance to the FIPS 140-2 requirements. This policy is used internally by the fips-mode-setup(8) tool which can switch the system into the FIPS 140-2 mode. This policy provides at least 112-bit + Manual page crypto-policies(7) line 53 (press h for help or q to quit)  ESCESCOOBB  security. 
+ Manual page crypto-policies(7) line 54 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 55 (press h for help or q to quit)  ESCESCOOBB  o MACs: all HMAC with SHA1 or better + Manual page crypto-policies(7) line 56 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 57 (press h for help or q to quit)  ESCESCOOBB  o Curves: all prime >= 256 bits + Manual page crypto-policies(7) line 58 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 59 (press h for help or q to quit)  ESCESCOOBB  o Signature algorithms: with SHA-256 hash or better (no DSA) + Manual page crypto-policies(7) line 60 (press h for help or q to quit)  ESCESCOOBB  + Manual page crypto-policies(7) line 61 (press h for help or q to quit) [?1l>[?1049l]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# eman crypto-policiesupdate-crypto-policies --showet FURTURE +Unknown policy `FURTURE`: file `FURTURE.pol` not found in (., policies, /etc/crypto-policies/policies, /usr/share/crypto-policies/policies) +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# update-crypto-policies --set FURTURETURE +Setting system policy to FUTURE +Note: System-wide crypto policies are applied on application start-up. +It is recommended to restart the system for the change of policies +to fully take place. +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# reboot +debug1: channel 0: free: client-session, nchannels 1 +Connection to crypt-arbeit8 closed by remote host. +Connection to crypt-arbeit8 closed. +Transferred: sent 5788, received 21772 bytes, in 56.9 seconds +Bytes per second: sent 101.6, received 382.4 +debug1: Exit status -1 +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v ping crypt-arbeit8 +[?2004l PING crypt-arbeit8.lan (192.168.2.38) 56(84) bytes of data. 
+64 bytes from 192.168.2.38 (192.168.2.38): icmp_seq=9 ttl=64 time=2.38 ms +64 bytes from 192.168.2.38 (192.168.2.38): icmp_seq=10 ttl=64 time=1.60 ms +^C +--- crypt-arbeit8.lan ping statistics --- +10 packets transmitted, 2 received, 80% packet loss, time 9172ms +rtt min/avg/max/mdev = 1.598/1.991/2.384/0.393 ms +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ping crypt-arbeit8ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v +[?2004l OpenSSH_8.4p1 Debian-5+deb11u2, OpenSSL 1.1.1w 11 Sep 2023 +debug1: Reading configuration data /home/sibille/.ssh/config +debug1: Reading configuration data /etc/ssh/ssh_config +debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files +debug1: /etc/ssh/ssh_config line 21: Applying options for * +debug1: Connecting to crypt-arbeit8 [192.168.2.38] port 22. +debug1: Connection established. +debug1: identity file /home/sibille/.ssh/crypt_1024rsa type 0 +debug1: identity file /home/sibille/.ssh/crypt_1024rsa-cert type -1 +debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u2 +debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0 +debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000 +debug1: Authenticating to crypt-arbeit8:22 as 'root' +debug1: SSH2_MSG_KEXINIT sent +debug1: SSH2_MSG_KEXINIT received +debug1: kex: algorithm: curve25519-sha256 +debug1: kex: host key algorithm: ecdsa-sha2-nistp256 +debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none +debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none +debug1: expecting SSH2_MSG_KEX_ECDH_REPLY +debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WTB/KjAiMUe/RHDAvtFkujZ2O3+4UXjHTB0vb4bZAWg +debug1: Host 'crypt-arbeit8' is known and matches the ECDSA host key. 
+debug1: Found key in /home/sibille/.ssh/known_hosts:57 +debug1: rekey out after 134217728 blocks +debug1: SSH2_MSG_NEWKEYS sent +debug1: expecting SSH2_MSG_NEWKEYS +debug1: SSH2_MSG_NEWKEYS received +debug1: rekey in after 134217728 blocks +debug1: Will attempt key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: SSH2_MSG_EXT_INFO received +debug1: kex_input_ext_info: server-sig-algs= +debug1: SSH2_MSG_SERVICE_ACCEPT received +debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password +debug1: Next authentication method: gssapi-with-mic +debug1: Unspecified GSS failure. Minor code may provide more information +No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) + + +debug1: Unspecified GSS failure. Minor code may provide more information +No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) + + +debug1: Next authentication method: publickey +debug1: Offering public key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: Server accepts key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: Authentication succeeded (publickey). +Authenticated to crypt-arbeit8 ([192.168.2.38]:22). +debug1: channel 0: new [client-session] +debug1: Requesting no-more-sessions@openssh.com +debug1: Entering interactive session. +debug1: pledge: network +debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 +debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding +debug1: Remote: /root/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding +debug1: Sending environment. 
+debug1: Sending env LANG = de_DE.UTF-8 +Last login: Sun Nov 5 10:49:54 2023 from 192.168.2.14 +]0;root@crypt-arbeit8:~[root@crypt-arbeit8 ~]# exit +logout +debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 +debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 +debug1: channel 0: free: client-session, nchannels 1 +Connection to crypt-arbeit8 closed. +Transferred: sent 2912, received 2852 bytes, in 5.4 seconds +Bytes per second: sent 541.3, received 530.2 +debug1: Exit status 0 +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit8 -v -v9 -v +[?2004l root@crypt-arbeit9's password: +Last failed login: Sun Nov 5 16:48:07 CET 2023 from 192.168.2.14 on ssh:notty +There was 1 failed login attempt since the last successful login. +Last login: Sun Nov 5 16:44:50 2023 from 192.168.2.14 +]0;root@crypt-arbeit9:~[?2004h[root@crypt-arbeit9 ~]# upcat /etc/os-release +[?2004l NAME="AlmaLinux" +VERSION="9.2 (Turquoise Kodkod)" +ID="almalinux" +ID_LIKE="rhel centos fedora" +VERSION_ID="9.2" +PLATFORM_ID="platform:el9" +PRETTY_NAME="AlmaLinux 9.2 (Turquoise Kodkod)" +ANSI_COLOR="0;34" +LOGO="fedora-logo-icon" +CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos" +HOME_URL="https://almalinux.org/" +DOCUMENTATION_URL="https://wiki.almalinux.org/" +BUG_REPORT_URL="https://bugs.almalinux.org/" + +ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9" +ALMALINUX_MANTISBT_PROJECT_VERSION="9.2" +REDHAT_SUPPORT_PRODUCT="AlmaLinux" +REDHAT_SUPPORT_PRODUCT_VERSION="9.2" +]0;root@crypt-arbeit9:~[?2004h[root@crypt-arbeit9 ~]# update-crypto-policies --show +[?2004l FUTURE +]0;root@crypt-arbeit9:~[?2004h[root@crypt-arbeit9 ~]# update-crypto-policies --showet DEFAULT +[?2004l Setting system policy to DEFAULT +Note: System-wide crypto policies are applied on application start-up. +It is recommended to restart the system for the change of policies +to fully take place. 
+]0;root@crypt-arbeit9:~[?2004h[root@crypt-arbeit9 ~]# reboot +[?2004l ]0;root@crypt-arbeit9:~[?2004h[root@crypt-arbeit9 ~]# Connection to crypt-arbeit9 closed by remote host. +Connection to crypt-arbeit9 closed. +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh root@crypt-arbeit9  root@crypt-arbeit9root@crypt-arbeit9oot@crypt-arbeit9t@crypt-arbeit9t@crypt-arbeit9@crypt-arbeit9crypt-arbeit9pcrypt-arbeit9icrypt-arbeit9ncrypt-arbeit9gcrypt-arbeit9 crypt-arbeit9 +[?2004l PING crypt-arbeit9.lan (192.168.2.107) 56(84) bytes of data. +64 bytes from 192.168.2.107 (192.168.2.107): icmp_seq=10 ttl=64 time=2.80 ms +^C +--- crypt-arbeit9.lan ping statistics --- +10 packets transmitted, 1 received, 90% packet loss, time 9219ms +rtt min/avg/max/mdev = 2.803/2.803/2.803/0.000 ms +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ping crypt-arbeit9ssh root@crypt-arbeit9-root@crypt-arbeit9iroot@crypt-arbeit9 root@crypt-arbeit9~root@crypt-arbeit9/root@crypt-arbeit9.root@crypt-arbeit9sroot@crypt-arbeit9sroot@crypt-arbeit9hroot@crypt-arbeit9/root@crypt-arbeit9croot@crypt-arbeit9root@crypt-arbeit9yptroot@crypt-arbeit9_root@crypt-arbeit9root@crypt-arbeit9oot@crypt-arbeit91root@crypt-arbeit9024root@crypt-arbeit9root@crypt-arbeit9saroot@crypt-arbeit9 root@crypt-arbeit9 +[?2004l root@crypt-arbeit9's password: + +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ ssh -i ~/.ssh/crypt_1024rsa root@crypt-arbeit9 -v +[?2004l OpenSSH_8.4p1 Debian-5+deb11u2, OpenSSL 1.1.1w 11 Sep 2023 +debug1: Reading configuration data /home/sibille/.ssh/config +debug1: Reading configuration data /etc/ssh/ssh_config +debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files +debug1: /etc/ssh/ssh_config line 21: Applying options for * +debug1: Connecting to crypt-arbeit9 [192.168.2.107] port 22. +debug1: Connection established. 
+debug1: identity file /home/sibille/.ssh/crypt_1024rsa type 0 +debug1: identity file /home/sibille/.ssh/crypt_1024rsa-cert type -1 +debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u2 +debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7 +debug1: match: OpenSSH_8.7 pat OpenSSH* compat 0x04000000 +debug1: Authenticating to crypt-arbeit9:22 as 'root' +debug1: SSH2_MSG_KEXINIT sent +debug1: SSH2_MSG_KEXINIT received +debug1: kex: algorithm: curve25519-sha256 +debug1: kex: host key algorithm: ecdsa-sha2-nistp256 +debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none +debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none +debug1: expecting SSH2_MSG_KEX_ECDH_REPLY +debug1: Server host key: ecdsa-sha2-nistp256 SHA256:mIpHNA796VvtdG0w2bBY26niQhrGjhF+ahH2nckoI1M +debug1: Host 'crypt-arbeit9' is known and matches the ECDSA host key. +debug1: Found key in /home/sibille/.ssh/known_hosts:58 +debug1: rekey out after 134217728 blocks +debug1: SSH2_MSG_NEWKEYS sent +debug1: expecting SSH2_MSG_NEWKEYS +debug1: SSH2_MSG_NEWKEYS received +debug1: rekey in after 134217728 blocks +debug1: Will attempt key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: SSH2_MSG_EXT_INFO received +debug1: kex_input_ext_info: server-sig-algs= +debug1: SSH2_MSG_SERVICE_ACCEPT received +debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password +debug1: Next authentication method: gssapi-with-mic +debug1: Unspecified GSS failure. Minor code may provide more information +No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) + + +debug1: Unspecified GSS failure. 
Minor code may provide more information +No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) + + +debug1: Next authentication method: publickey +debug1: Offering public key: /home/sibille/.ssh/crypt_1024rsa RSA SHA256:bU1xGTs+738/JuKRpu85uU+bH0cjnAid5QEEJAtWXDI explicit +debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password +debug1: Next authentication method: password + root@crypt-arbeit9's password: + +[?2004h]0;sibille@Libelle: ~sibille@Libelle:~$ exit +[?2004l exit + +Script done on 2023-11-05 15:53:03+00:00 [COMMAND_EXIT_CODE="130"] diff --git a/ssh_key_size_bug.tm b/ssh_key_size_bug.tm new file mode 100644 index 0000000..7db8fda --- /dev/null +++ b/ssh_key_size_bug.tm 
@@ -0,0 +1,1094 @@ +0.422690 8 +0.002232 68 +2.147395 1 +0.158916 1 +0.180565 1 +0.494639 1 +0.338112 1 +0.257066 1 +0.222547 1 +0.172713 1 +0.743610 1 +0.152161 3 +1.709094 1 +0.299853 1 +0.217566 1 +0.201024 1 +0.458725 1 +0.179011 1 +0.218487 1 +1.017711 1 +0.377476 1 +0.159122 1 +0.318990 1 +0.139148 1 +0.354833 1 +0.237958 1 +0.839189 1 +0.750955 1 +0.357477 1 +0.214500 1 +1.549959 1 +0.612408 1 +0.516680 1 +0.863456 1 +0.159789 1 +0.443433 2 +1.085845 1 +0.237704 1 +0.312736 1 +0.001576 3 +3.229494 1 +0.973287 1 +0.176879 1 +0.436116 1 +0.234917 1 +2.986407 1 +0.410961 1 +0.115563 1 +0.918573 11 +0.075080 39 +0.001427 2 +2.534249 44 +0.631664 2 +0.002254 29 +0.881337 2 +0.003813 70 +0.001340 2 +0.003821 70 +0.001426 2 +0.001663 23 +0.001729 2 +0.000892 66 +0.000358 2 +0.000396 29 +0.000318 2 +0.000343 19 +0.000307 2 +0.000468 19 +0.000304 2 +0.000290 19 +0.000412 2 +0.000301 19 +0.000284 2 +0.000367 19 +0.000326 2 +0.000316 19 +0.001343 2 +0.005056 21 +0.000308 84 +0.007347 8 +0.001713 68 +3.305224 1 +0.185911 1 +0.143394 1 +1.341008 1 +0.309890 1 +0.345321 7 +2.042457 1 +0.337387 1 +0.466197 1 +1.020374 1 +0.742137 1 +0.219070 1 +0.418300 1 +0.161034 1 +0.404582 1 +1.369575 1 +0.902829 1 +0.519581 1 +0.183393 1 +0.354202 1 +0.001638 3 +1.523827 1 +0.519048 1 +0.525430 1 +0.001771 3 +3.465551 1 +0.419979 7 +3.059932 1 +0.205850 1 +0.162571 1 +0.082104 1 +0.712221 1 +3.044691 1 +0.356684 1 +0.382947 1 +0.511898 1 +0.242422 1 +0.339590 1 +0.320887 1 +0.219874 1 +0.197026 1 +0.118429 1 +0.139889 1 +0.100247 1 +1.321603 1 +1.558548 11 +0.132589 102 +0.454869 116 +0.455801 118 +0.392509 1 +0.001779 31 +2.823414 2 +0.322077 2 +0.001559 25 +0.001632 2 +0.001635 2 +0.001670 68 +0.000678 2 +0.000386 66 +0.000369 2 +0.000326 2 +0.005379 8 +0.000709 68 +1.904422 58 +1.412214 4 +0.386893 1 +1.151448 11 +0.133656 102 +0.465606 116 +0.460944 118 +0.398205 1 +0.002090 31 +2.938540 2 +2.836721 71 +1.841325 2 +0.478527 2 +0.001431 25 +0.001604 2 +0.001691 2 +0.000764 68 
+0.000341 2 +0.001281 66 +0.000349 2 +0.000746 2 +0.005361 8 +0.000734 68 +4.543066 1 +0.179554 1 +0.139817 1 +0.611465 1 +0.614096 1 +0.215364 1 +0.182314 1 +0.078092 1 +1.151492 1 +4.019426 1 +0.199150 1 +0.485835 1 +1.458365 1 +0.160663 1 +1.581941 1 +0.222652 1 +0.223866 1 +0.181948 1 +0.101560 1 +0.158415 1 +0.079732 1 +1.052242 1 +1.277417 11 +0.362495 1 +0.002179 31 +1.742922 2 +0.217840 57 +0.049827 49 +3.763517 1 +0.139844 1 +0.200002 1 +0.536657 1 +0.812332 1 +0.838023 1 +0.179274 1 +0.499724 1 +0.198438 1 +0.436945 1 +0.157508 1 +0.635132 1 +0.181239 1 +0.100001 1 +0.218724 6 +0.599515 2 +0.002950 624 +3.567093 1 +0.155239 1 +0.134072 1 +0.270654 1 +0.593527 4 +0.172954 4 +0.153560 4 +0.152112 4 +0.177696 1 +0.172628 1 +0.227028 1 +2.358709 1 +1.106016 1 +0.189660 1 +0.105391 1 +0.270802 4 +2.920094 1 +0.208700 1 +0.192706 14 +1.942455 1 +0.180761 1 +0.582962 1 +0.162283 1 +0.955585 1 +0.179220 1 +0.372621 2 +0.094952 8 +0.005031 49 +1.850497 29 +0.460366 4 +0.164142 4 +0.333688 4 +0.756775 1 +0.187258 1 +0.738154 1 +0.570182 1 +0.188286 1 +0.188436 1 +0.274584 1 +0.145961 1 +0.189010 1 +0.126908 1 +1.001631 2 +0.109231 34 +0.377193 162 +0.090791 49 +1.731606 1 +0.126309 1 +0.210220 1 +0.297952 1 +0.155488 1 +0.116342 1 +0.875236 2 +0.068728 51 +0.000654 2 +0.000400 36 +0.000423 2 +0.013027 8 +0.001615 68 +0.690988 22 +1.959243 1 +0.602442 1 +0.037554 1 +0.039142 1 +0.039644 1 +0.039826 1 +0.039213 1 +0.037483 1 +0.038452 1 +0.038048 1 +0.038052 1 +0.057770 1 +0.037963 1 +0.607594 31 +0.587805 31 +0.038760 31 +0.038794 31 +0.057397 31 +0.039653 31 +0.038804 31 +0.038853 31 +0.041057 31 +0.038196 1 +0.039758 1 +0.040175 1 +0.039703 1 +0.037568 1 +0.642281 27 +0.252141 27 +0.213770 27 +0.214117 27 +0.155508 27 +0.827183 11 +0.032284 59 +0.001406 2 +7.157093 73 +0.001440 2 +0.666008 2 +0.002647 163 +0.004156 8 +0.001626 68 +0.799904 18 +0.771596 40 +1.047000 1 +0.600086 1 +0.040674 1 +0.041194 1 +0.041773 1 +0.040874 1 +0.041133 1 +0.040438 1 +0.041794 1 
+0.040779 1 +0.042243 1 +0.041365 1 +0.040803 1 +0.041700 1 +0.041461 1 +0.040840 1 +0.020409 1 +0.040509 1 +0.889117 37 +0.392028 37 +0.166404 37 +0.937072 37 +0.415559 37 +0.208820 37 +0.372508 37 +0.146044 37 +0.335814 38 +1.180260 37 +0.164394 39 +0.342830 1 +0.002467 39 +1.246550 37 +0.351266 37 +0.579924 1 +0.002603 39 +1.332286 39 +0.385116 38 +3.476637 37 +5.361973 11 +0.621787 57 +0.060440 49 +2.549299 1 +0.210291 1 +0.134403 1 +0.097672 1 +0.252589 10 +0.003330 36 +0.001681 2 +0.014624 8 +0.001744 68 +0.655609 46 +0.722234 1 +0.391464 1 +0.385661 1 +0.768319 11 +0.082015 60 +0.001274 2 +0.002264 61 +0.001349 2 +0.003467 55 +0.001330 2 +0.003282 91 +0.001384 2 +0.001892 60 +0.000766 2 +0.015692 60 +0.001309 2 +0.003906 32 +0.001432 2 +0.003472 62 +0.001326 2 +0.002572 68 +0.001355 2 +0.001464 68 +0.001704 2 +0.004993 73 +0.000361 2 +0.000443 58 +0.000330 2 +0.000463 53 +0.001148 2 +0.019439 30 +0.001447 2 +0.002734 34 +0.001651 2 +0.002354 42 +0.001357 2 +0.000921 53 +0.000444 2 +0.000569 100 +0.001451 2 +0.000970 100 +0.000411 2 +0.044021 42 +0.001333 2 +0.018916 96 +0.001353 2 +0.035132 70 +0.001709 2 +0.001760 55 +0.001707 2 +0.052178 41 +0.001305 2 +0.001691 30 +0.001732 2 +0.001706 35 +0.000742 2 +0.001462 34 +0.001311 2 +0.001068 40 +0.000380 2 +0.001041 123 +0.001341 2 +0.001220 35 +0.001325 2 +0.000833 160 +0.000475 2 +0.034479 41 +0.000325 2 +0.010360 91 +0.000363 2 +0.000469 52 +0.000415 2 +0.016608 73 +0.001423 2 +0.001697 72 +0.001628 2 +0.001514 2 +0.000660 1 +0.000507 2 +0.009730 73 +0.001377 2 +0.001622 72 +0.001587 2 +0.002247 2 +0.000410 1 +0.000329 2 +0.001013 46 +0.000458 2 +0.000777 126 +0.001434 2 +0.007198 125 +0.001283 2 +0.038979 46 +0.001335 2 +0.001700 52 +0.001740 2 +0.001868 40 +0.000885 2 +0.000611 48 +0.000332 2 +0.000709 38 +0.001321 2 +0.000979 24 +0.000390 2 +0.009963 81 +0.001664 120 +0.042224 120 +0.002322 30 +0.000552 40 +0.008126 57 +0.051421 49 +5.038597 4 +0.381135 10 +0.421150 42 +0.880776 16 +0.971698 2 +0.099812 9 
+0.006474 49 +2.759137 1 +0.123463 1 +0.101649 1 +0.147110 1 +0.374009 1 +0.187251 1 +0.417253 1 +0.252039 1 +1.015682 1 +0.456251 1 +0.144249 1 +1.156808 1 +0.251459 1 +0.188492 1 +0.186632 1 +0.205493 1 +0.350575 1 +0.353783 1 +0.188968 1 +0.204449 1 +0.543114 2 +0.007328 66 +0.030846 25 +0.045774 2048 +0.000973 2048 +0.000514 586 +1.053186 166 +0.600054 120 +0.042181 168 +0.042154 120 +0.041688 200 +0.040303 120 +0.021766 142 +0.042092 415 +0.041271 318 +0.039737 121 +0.040630 232 +0.041000 121 +0.041184 194 +0.041138 121 +0.041443 210 +0.041518 121 +0.041286 252 +0.041493 121 +0.041451 204 +0.043006 121 +0.041022 214 +0.040764 121 +0.040447 168 +0.021327 121 +0.042447 167 +0.040474 121 +0.041860 201 +0.040593 121 +0.040284 142 +1.300674 361 +0.207592 359 +0.206296 121 +0.415126 234 +0.474514 121 +0.226629 194 +0.143928 121 +0.205057 212 +0.226710 121 +0.597084 259 +0.042070 121 +0.043211 251 +0.039757 121 +0.042367 217 +0.041338 121 +0.041500 168 +0.041575 121 +0.042098 167 +0.042068 121 +0.040820 201 +0.040858 121 +0.021038 140 +0.039947 372 +0.042047 141 +0.041421 121 +0.272437 188 +0.309071 121 +0.247406 165 +0.203973 121 +0.625289 212 +3.306327 121 +2.863737 28 +0.002274 49 +4.420972 1 +0.666637 4 +0.751589 19 +1.545546 48 +0.687980 4 +0.167266 4 +0.169028 4 +0.727263 1 +0.147786 1 +0.187783 1 +1.168095 1 +0.169156 1 +0.230047 1 +0.482265 1 +0.522576 1 +0.252909 1 +1.274505 1 +0.912972 2 +0.092225 141 +0.006019 49 +1.099314 36 +0.689166 4 +0.189521 4 +0.186139 4 +0.579929 4 +0.166712 4 +0.757437 1 +0.398916 1 +0.148348 1 +0.312448 1 +0.708205 2 +0.104720 33 +0.332253 162 +0.095928 49 +2.140590 1 +0.114729 1 +0.153944 1 +0.211075 1 +0.175876 1 +0.095569 1 +0.851629 2 +0.071071 54 +0.000745 51 +0.000296 2 +0.000295 36 +0.000285 2 +0.000520 62 +0.000329 2 +0.000461 45 +0.000333 2 +0.000391 23 +0.000316 2 +0.013581 8 +0.001581 68 +1.811908 49 +0.792391 6 +0.616419 81 +3.590668 11 +0.032745 59 +0.001412 2 +8.178097 73 +0.001424 2 +0.999017 74 +0.001450 2 
+0.541808 2 +0.001455 2 +0.001139 41 +0.000338 2 +0.000528 64 +0.000350 2 +0.000432 49 +0.000324 2 +0.006924 8 +0.001601 68 +0.573923 18 +0.441981 67 +2.629327 11 +0.085528 60 +0.001329 2 +0.002094 61 +0.001747 2 +0.003464 55 +0.001311 2 +0.003003 91 +0.001413 2 +0.000937 60 +0.000376 2 +0.015605 60 +0.001332 2 +0.004140 32 +0.001414 2 +0.003359 62 +0.001395 2 +0.002427 68 +0.001398 2 +0.001450 68 +0.001656 2 +0.007047 73 +0.000393 2 +0.000449 58 +0.000290 2 +0.000500 53 +0.000319 2 +0.020658 30 +0.001331 2 +0.002816 34 +0.001738 2 +0.002078 42 +0.001674 2 +0.000841 53 +0.000635 2 +0.000528 100 +0.001254 2 +0.001023 100 +0.000443 2 +0.044172 42 +0.001449 2 +0.019499 96 +0.001338 2 +0.035758 70 +0.001319 2 +0.001831 55 +0.001660 2 +0.052202 41 +0.001397 2 +0.001721 30 +0.001603 2 +0.001730 35 +0.000776 2 +0.001168 34 +0.001402 2 +0.001068 40 +0.000377 2 +0.000957 123 +0.001432 2 +0.001164 35 +0.001341 2 +0.001085 160 +0.000392 2 +0.034122 41 +0.000343 2 +0.010566 91 +0.000360 2 +0.000446 52 +0.000329 2 +0.016449 73 +0.001408 2 +0.002343 72 +0.001538 2 +0.001726 2 +0.000737 1 +0.000403 2 +0.009810 73 +0.001322 2 +0.001669 72 +0.001687 2 +0.001583 2 +0.000332 1 +0.001133 2 +0.000584 46 +0.000317 2 +0.000728 126 +0.001320 2 +0.010300 125 +0.001335 2 +0.042993 46 +0.001311 2 +0.001867 52 +0.001684 2 +0.001919 40 +0.000672 2 +0.000656 48 +0.000307 2 +0.000645 38 +0.000341 2 +0.000547 24 +0.000352 2 +0.154075 81 +0.001689 120 +0.042077 120 +0.000882 30 +0.001538 40 +0.008379 57 +0.062213 25 +0.002460 24 +3.017140 1 +0.246885 1 +0.143766 1 +0.124795 1 +1.564218 10 +0.002111 71 +0.001617 75 +0.002718 53 +0.000346 2 +0.001555 36 +0.001725 2 +0.000945 60 +0.001322 2 +0.001039 45 +0.000350 2 +0.000411 22 +0.000322 2 +0.013664 8 +0.001702 68 +1.609516 49 +2.075653 1 +0.235098 1 +0.212863 1 +0.645731 11 +1.188857 7 +3.989373 1 +0.606270 1 +0.041854 1 +0.041933 1 +0.040907 1 +0.041667 1 +0.040869 1 +0.039751 1 +0.040729 1 +0.042217 1 +0.042247 1 +0.040073 1 +0.040694 1 +0.039796 
1 +0.039432 1 +0.039993 1 +0.039087 1 +0.040898 1 +0.040596 1 +0.040353 1 +0.039637 1 +0.021007 1 +0.328884 3 +0.205686 3 +0.163931 3 +0.454565 5 +0.598920 5 +0.039394 5 +0.041471 5 +0.040808 5 +0.041302 5 +0.040397 5 +0.040449 5 +0.040969 5 +0.039919 5 +0.020382 5 +0.042225 5 +0.040444 5 +0.041397 5 +0.039763 5 +0.039680 5 +0.040064 5 +0.040507 5 +0.041446 5 +0.041635 5 +0.042040 5 +0.041135 5 +0.325672 5 +0.425989 5 +0.856024 66 +0.287745 4 +0.183302 4 +0.369886 4 +0.714666 2 +0.001320 9 +0.368522 1 +0.001691 31 +2.075387 2 +0.387490 204 +0.114564 57 +1.934803 1 +0.201241 1 +0.490994 4 +0.185349 4 +0.687681 1 +0.102965 1 +0.163832 1 +0.141423 1 +0.547036 1 +0.346216 1 +0.324189 1 +0.162440 2 +0.809427 1 +0.179978 1 +0.122722 9 +0.790268 11 +0.004956 116 +0.002989 516 +3.792127 1 +0.264728 1 +0.205894 1 +0.122356 1 +0.119586 1 +0.204376 3 +1.132133 1 +0.180011 1 +0.162868 14 +1.634228 1 +0.181124 1 +0.303039 1 +0.203814 1 +0.162549 1 +0.141657 1 +0.562492 11 +0.090791 8 +0.007136 57 +3.312878 29 +0.675678 4 +0.173400 4 +0.193111 4 +0.733823 1 +0.174042 1 +0.135794 1 +0.292002 1 +0.215190 1 +0.193389 1 +0.176735 1 +0.132588 1 +0.174174 1 +0.116201 1 +3.389732 11 +0.105421 34 +0.376569 162 +0.104138 57 +1.849946 1 +0.101092 1 +0.139499 1 +0.244304 1 +0.160042 1 +0.102891 1 +1.310176 11 +0.029709 57 +0.029429 51 +0.001647 2 +0.000349 36 +0.000737 2 +0.013001 8 +0.002132 68 +1.148456 22 +0.922328 58 +0.363914 8 +0.219571 4 +0.182406 42 +0.582799 40 +0.040924 38 +0.038665 38 +0.039415 34 +0.041485 32 +0.542873 30 +0.780192 27 +0.221915 27 +0.161031 27 +0.224788 27 +0.163204 27 +0.748112 11 +0.034019 60 +0.001336 2 +9.227349 76 +0.001508 2 +0.690659 2 +0.000477 2 +0.001496 41 +0.000701 2 +0.000607 64 +0.000392 2 +0.000439 49 +0.000347 2 +0.005254 76 +0.551471 18 +0.559108 40 +1.369377 1 +0.599609 1 +0.036890 1 +0.036816 1 +0.038532 1 +0.058540 1 +0.020209 1 +0.059090 1 +0.038488 1 +0.039080 1 +0.038761 1 +0.038468 1 +0.039831 1 +0.038788 1 +0.038394 1 +0.037998 1 
+0.038850 1 +0.038107 1 +0.941894 37 +0.364023 37 +0.170121 37 +2.110370 37 +1.211724 37 +0.241827 37 +0.316165 37 +0.157148 37 +0.099441 37 +0.331510 37 +1.250462 37 +0.209662 39 +0.344155 1 +0.002416 39 +1.388021 37 +0.463532 39 +0.347091 1 +1.082165 39 +0.971277 37 +0.573069 1 +0.002472 39 +1.408867 39 +0.386611 38 +0.989415 37 +0.949890 2 +0.004322 9 +0.383994 1 +0.002207 31 +3.939467 2 +0.007130 78 +0.687383 46 +0.816037 1 +0.199927 1 +0.648753 1 +1.076772 11 +0.084787 60 +0.001316 2 +0.002273 61 +0.001388 2 +0.003460 55 +0.001326 2 +0.002935 91 +0.001330 2 +0.001862 60 +0.000823 2 +0.015813 61 +0.001336 2 +0.003956 32 +0.001514 2 +0.003415 62 +0.001439 2 +0.002442 68 +0.001451 2 +0.001482 68 +0.001717 2 +0.012845 73 +0.000361 2 +0.000461 58 +0.000311 2 +0.000458 53 +0.000806 2 +0.020114 30 +0.001421 2 +0.002653 34 +0.001767 2 +0.002451 42 +0.001358 2 +0.000946 53 +0.000432 2 +0.000590 100 +0.001493 2 +0.000995 100 +0.000374 2 +0.044257 42 +0.001333 2 +0.020329 96 +0.001320 2 +0.035475 70 +0.001320 2 +0.002107 55 +0.001385 2 +0.052560 41 +0.001312 2 +0.001818 30 +0.001634 2 +0.001792 35 +0.000652 2 +0.001198 34 +0.000332 2 +0.000503 40 +0.001398 2 +0.001439 123 +0.001325 2 +0.001335 35 +0.001423 2 +0.000957 266 +0.000393 2 +0.034634 41 +0.000361 2 +0.008492 91 +0.000364 2 +0.000568 52 +0.000336 2 +0.017588 73 +0.001354 2 +0.001730 72 +0.001612 2 +0.000339 2 +0.000774 1 +0.001294 2 +0.010251 73 +0.001428 2 +0.001597 72 +0.002000 2 +0.001644 2 +0.000326 1 +0.000739 2 +0.001048 46 +0.000493 2 +0.000730 126 +0.001365 2 +0.009426 91 +0.001324 2 +0.000853 45 +0.000432 2 +0.000668 1 +0.001734 31 +5.287036 2 +0.007043 78 +1.406902 1 +0.252031 1 +0.273190 1 +0.212890 1 +1.999942 17