At my company, we have been using BalenaOS for our IoT product. We had a penetration test done on the device, and here is a vulnerability they found with how the SSH is configured by default with openSSH.
An SSH service on both devices were found to be configured with weaknesses that could allow establishment of
sessions with algorithms and protocols containing known faults. These weakened features are therefore
susceptible to attack, even if from a theoretical point of view. At some point in time, a working exploit could be
developed and published, therefore a defence-in-depth approach is recommended to ensure the best possible
Specifically, the affected service was fingerprinted to permit the following weak algorithms and protocols:
Key Exchange Algorithms:
Host -key Algorithms:
Message Authentication Code Algorithms:
Ensure that SSH configuration is hardened as per the recommendations below, provided the software is up to
date and supports the features listed:
• Disable weak Message Authentication Code algorithms (MD5, truncated SHA1), in favour of the
• Disable arcfour and CBC-mode ciphers, in favour of CTR or GCM-mode ciphers listed below:
• Ensure that only ephemeral key exchange algorithms are used and prioritise Elliptic-Curve based ones:
• Disable DSA public key support and prioritise ed25519 and ECDSA over RSA. Ideally RSA key support
should also be disabled.
• Ensure that SSH protocol version 2.0 is enforced exclusively.
• If possible, disable password authentication in favour of key-based authentication.
• Ensure that Elliptic-Curve key exchange algorithms are prioritised in favour of RSA based.
I wonder if this is just a general guidance on getting the latest, most secure version of SSH encryption. I was a bit reluctant to start changing stuff around the hostOS/OpenSSH as it might be integral to the functioning of the system.
For our application: the report mentions 2 devices. But only 1 interfaces with the wider internet and forwards all packets to and from the other device.
Once productionised, we would only use SSH through the Balena dashboard for tech support purposes.
Our system runs BalenaOS 2.75.0+rev1 with supervisor version 12.5.10
Let me know if there are any approaches for remedying this.