Description
Hello, as part of an internal migration we have been rechecking the ssh compression configuration, and we were wondering if the role should reevaluate the current default for:
- By default, ssh_hardening disables ssh compression with `ssh_compression: false`.
- In the past, openssh had vulnerabilities with the zlib libraries, so they introduced a new setting, `Compression delayed`, in 4.2, but since then it looks like `Compression yes` actually applies that delayed setup and is the default in openssh.
- The release notes in 7.4 are relatively clear: https://www.openssh.org/txt/release-7.4

  > sshd(8): Remove support for pre-authentication compression.
  > Doing compression early in the protocol probably seemed reasonable
  > in the 1990s, but today it's clearly a bad idea in terms of both
  > cryptography (cf. multiple compression oracle attacks in TLS) and
  > attack surface. Pre-auth compression support has been disabled by
  > default for >10 years. Support remains in the client.

- The following thread is quite helpful with the historical context: https://serverfault.com/a/1125762
Is there anything against enabling the setting by default? Or perhaps leaving it as-is to avoid unnecessary compatibility-affecting changes, but is there any concern with enabling it in general in a deployment?
Any feedback here would be welcome, thanks!
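To check what a host actually ends up with, here is a small audit helper (an added example, not code from the role or from the issue author). It parses the `Compression` keyword out of an sshd_config text using the documented rules (keywords are case-insensitive, the first value given wins, values inside `Match` blocks are conditional) and applies the version boundary the release notes describe: only `Compression yes` on a server older than 7.4 could still enable pre-authentication zlib. The sample config and the version tuples are constructed for the example.

```python
"""Audit the Compression directive in an sshd_config (added example, not the role's code)."""
import re

# Constructed sample: an explicit 'yes', a later 'no' that sshd ignores
# because the first value wins, and a conditional value in a Match block.
SAMPLE_CONFIG = """\
# Port 22
Compression yes
Compression no
Match User backup
    Compression delayed
"""


def effective_compression(config_text: str):
    """Return (global_value, {match_spec: value}) for the Compression keyword.

    sshd_config rules assumed: '#' starts a comment only at line start,
    keyword and value may be separated by whitespace or a single '=',
    the first occurrence of a keyword wins, and lines after a Match
    header belong to that block until the next Match.
    """
    global_value = None
    conditional = {}
    current_match = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            current_match = parts[1].strip() if len(parts) > 1 else ""
            continue
        if key != "compression":
            continue
        if current_match is None:
            if global_value is None:          # first value wins
                global_value = value
        else:
            conditional.setdefault(current_match, value)
    return global_value or "yes", conditional  # sshd's default is yes


def allows_preauth_compression(value: str, openssh_version: tuple) -> bool:
    """Pre-auth zlib was only reachable with 'yes' on servers older than 7.4;
    from 7.4 on, 'yes' is applied as 'delayed' (post-authentication only)."""
    return value == "yes" and openssh_version < (7, 4)
```

On a live host, feed it the output of `sshd -T` (which already resolves defaults) rather than the raw file to see the effective value.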