[Ach] SSH improvements
Aaron Zauner
azet at azet.org
Sun Nov 17 17:44:20 CET 2013
Hi,
I’ve modified those settings accordingly.
Aaron
On 17 Nov 2013, at 17:06, Aaron Zauner <azet at azet.org> wrote:
>
> On 17 Nov 2013, at 16:51, christian mock <cm at coretec.at> wrote:
>
>> On Sun, Nov 17, 2013 at 03:30:18PM +0100, Aaron Zauner wrote:
>>> On a second thought:
>>>
>>> We should not exclude Rhosts/RhostsRSAauthentication. A lot of people use pre-shared keys.
>>
>> I'm not sure we should go into that type of question anyways, I think
>> it's out of scope for this paper.
> I agree.
>
>>
>> What we could go into: remind admins that their ssh server and user
>> keys are probably rather old and only 1024 bits long... Shall we
>> recommend to not use DSA server keys at all?
> This is why I only set an RSA key, usually you specify DSA and RSA host keys with the `HostKey` option.
>
> We could get rid of RSAAuthentication since it only applies to SSH v. 1.
>
>
>> Another issue section: why is “diffie-hellman-group14-sha1” excluded?
>> that is a 2048 bit exchange…
> My mistake, I was trying to avoid EC groups. Feel free to add it.
>
>> Also, how does one specify the DH key size for
>> diffie-hellman-group-exchange- sha256 and
>> diffie-hellman-group-exchange-sha1?
> Not sure.
>
>> And what is the algorithm to actually negotiate a cipher? Because it
>> doesn't seem to depend on the order that you give in the "Cipher"
>> option.
> http://tools.ietf.org/html/rfc4253#section-7.1
>
> ```
> encryption_algorithms
> A name-list of acceptable symmetric encryption algorithms (also
> known as ciphers) in order of preference. The chosen
> encryption algorithm to each direction MUST be the first
> algorithm on the client's name-list that is also on the
> server's name-list. If there is no such algorithm, both sides
> MUST disconnect.
> ```
>
>
> BTW, the RFC also specifies OpenPGP:
>
> ```
> The following public key and/or certificate formats are currently
> defined:
>
> ssh-dss REQUIRED sign Raw DSS Key
> ssh-rsa RECOMMENDED sign Raw RSA Key
> pgp-sign-rsa OPTIONAL sign OpenPGP certificates (RSA key)
> pgp-sign-dss OPTIONAL sign OpenPGP certificates (DSS key)
>
> ```
>
> Aaron
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131117/8ab748eb/attachment.sig>
More information about the Ach
mailing list