[Ach] SSH improvements

christian mock cm at coretec.at
Sun Nov 17 16:51:25 CET 2013

On Sun, Nov 17, 2013 at 03:30:18PM +0100, Aaron Zauner wrote:
> On a second thought:
> We should not exclude Rhosts/RhostsRSAauthentication. A lot of people use pre-shared keys.

I'm not sure we should go into that type of question anyways, I think
it's out of scope for this paper.

What we could go into: remind admins that their ssh server and user
keys are probably rather old and only 1024 bits long... Shall we
recommend to not use DSA server keys at all?

Another issue section: why is “diffie-hellman-group14-sha1” excluded?
that is a 2048 bit exchange...

Also, how does one specify the DH key size for
diffie-hellman-group-exchange- sha256 and

And what is the algorithm to actually negotiate a cipher? Because it
doesn't seem to depend on the order that you give in the "Cipher"


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - Damit so etwas nicht passiert!



More information about the Ach mailing list