[Ach] SSH improvements

Aaron Zauner azet at azet.org
Sun Nov 17 17:06:00 CET 2013 

On 17 Nov 2013, at 16:51, christian mock <cm at coretec.at> wrote:

> On Sun, Nov 17, 2013 at 03:30:18PM +0100, Aaron Zauner wrote:
>> On a second thought:
>> 
>> We should not exclude Rhosts/RhostsRSAauthentication. A lot of people use pre-shared keys.
> 
> I'm not sure we should go into that type of question anyways, I think
> it's out of scope for this paper.
I agree.

> 
> What we could go into: remind admins that their ssh server and user
> keys are probably rather old and only 1024 bits long... Shall we
> recommend to not use DSA server keys at all?
This is why I only set an RSA key, usually you specify DSA and RSA host keys with the `HostKey` option.

We could get rid of RSAAuthentication since it only applies to SSH v. 1.


> Another issue section: why is “diffie-hellman-group14-sha1” excluded?
> that is a 2048 bit exchange…
My mistake, I was trying to avoid EC groups. Feel free to add it.

> Also, how does one specify the DH key size for
> diffie-hellman-group-exchange- sha256 and
> diffie-hellman-group-exchange-sha1?
Not sure.

> And what is the algorithm to actually negotiate a cipher? Because it
> doesn't seem to depend on the order that you give in the "Cipher"
> option.
http://tools.ietf.org/html/rfc4253#section-7.1

```
      encryption_algorithms
         A name-list of acceptable symmetric encryption algorithms (also
         known as ciphers) in order of preference.  The chosen
         encryption algorithm to each direction MUST be the first
         algorithm on the client's name-list that is also on the
         server's name-list.  If there is no such algorithm, both sides
         MUST disconnect.
```


BTW, the RFC also specifies OpenPGP:

```
   The following public key and/or certificate formats are currently
   defined:

   ssh-dss           REQUIRED     sign   Raw DSS Key
   ssh-rsa           RECOMMENDED  sign   Raw RSA Key
   pgp-sign-rsa      OPTIONAL     sign   OpenPGP certificates (RSA key)
   pgp-sign-dss      OPTIONAL     sign   OpenPGP certificates (DSS key)

```

Aaron

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131117/60d90456/attachment.sig>

More information about the Ach mailing list