[Ach] SSH improvements

L. Aaron Kaplan kaplan at cert.at
Sun Nov 17 21:24:26 CET 2013


On Nov 17, 2013, at 4:51 PM, christian mock <cm at coretec.at> wrote:

> On Sun, Nov 17, 2013 at 03:30:18PM +0100, Aaron Zauner wrote:
>> On a second thought:
>> 
>> We should not exclude Rhosts/RhostsRSAauthentication. A lot of people use pre-shared keys.
> 
> I'm not sure we should go into that type of question anyways, I think
> it's out of scope for this paper.
> 

+1 We should stay focused.


> What we could go into: remind admins that their ssh server and user
> keys are probably rather old and only 1024 bits long... Shall we
> recommend to not use DSA server keys at all?
> 
> Another issue section: why is “diffie-hellman-group14-sha1” excluded?
> that is a 2048 bit exchange...
> 
> Also, how does one specify the DH key size for
> diffie-hellman-group-exchange-sha256 and
> diffie-hellman-group-exchange-sha1?
> 
> And what is the algorithm to actually negotiate a cipher? Because it
> doesn't seem to depend on the order that you give in the "Cipher"
> option.

Good point!

> 
> cm.
> 
> 
> -- 
> Christian Mock                          Wiedner Hauptstr. 15
> Senior Security Engineer                1040 Wien
> CoreTEC IT Security Solutions GmbH      +43-1-5037273
> FN 214709 z
> 
> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> CoreTEC: Web Application Audit - So that something like this doesn't happen!
> 
> http://heise.de/-1260559
> 
> .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Commercial register number 172568b, LG Salzburg
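Two of the questions quoted above have answers fixed by the protocol specifications rather than by any OpenSSH option: the cipher (and MAC, compression and key-exchange method) is chosen per RFC 4253 section 7.1 as the first entry on the client's preference list that the server also offers, so the order in the server's "Ciphers" option never decides anything, only its membership does; and for the diffie-hellman-group-exchange-* methods, RFC 4419 has the client send a (min, n, max) size request and the server answer with the smallest group of at least n bits it has (falling back to its largest), drawn from its moduli file, which on OpenSSH is /etc/ssh/moduli, so the server-side lever is pruning small groups from that file. The following Python model of both rules is an added example for this thread, not code from the list or from OpenSSH; the function names and the name-lists are constructed for illustration, and the symmetric-strength-to-DH-size table is this example's own, modelled on NIST SP 800-57.

```python
"""Model of SSH algorithm negotiation (RFC 4253 7.1) and DH group-exchange
size selection (RFC 4419 section 3). Added example, not OpenSSH code."""


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the chosen algorithm is the first name on the CLIENT's
    list that also appears on the SERVER's list. Server order is ignored."""
    server_set = set(server_list)
    for name in client_list:
        if name in server_set:
            return name
    return None  # no common algorithm: the peers must disconnect


def negotiate_kex(client_kex, server_kex, client_hostkeys, server_hostkeys):
    """Key exchange uses the same first-match rule, with the extra
    requirement that a host-key algorithm both sides support exists."""
    if negotiate(client_hostkeys, server_hostkeys) is None:
        return None
    return negotiate(client_kex, server_kex)


def estimate_gex_bits(symmetric_bits):
    """Client side: DH modulus size requested for a given symmetric key
    strength. Example's own table, modelled on NIST SP 800-57 Table 2."""
    if symmetric_bits <= 112:
        return 2048
    if symmetric_bits <= 128:
        return 3072
    if symmetric_bits <= 192:
        return 7680
    return 8192


def choose_gex_group(available_bits, min_bits, n_bits, max_bits):
    """Server side, RFC 4419 section 3: from the groups it knows (here a
    constructed list of modulus sizes standing in for /etc/ssh/moduli),
    return the smallest group of at least n bits within [min, max]; if none
    is that large, return the largest group inside the range."""
    in_range = [b for b in available_bits if min_bits <= b <= max_bits]
    if not in_range:
        return None  # server cannot satisfy the request: kex fails
    at_least_n = [b for b in in_range if b >= n_bits]
    return min(at_least_n) if at_least_n else max(in_range)


if __name__ == "__main__":
    # Constructed name-lists: the server lists 3des first, yet the client's
    # order wins and aes128-ctr is selected.
    client_ciphers = ["aes256-ctr", "aes128-ctr", "3des-cbc"]
    server_ciphers = ["3des-cbc", "aes128-ctr"]
    print("cipher:", negotiate(client_ciphers, server_ciphers))

    # A server whose moduli file still contains a 1024-bit group answers a
    # request for 3072 bits with 4096 (smallest group that is large enough).
    print("gex group:", choose_gex_group([1024, 2048, 4096], 1024,
                                         estimate_gex_bits(128), 8192))
```

The second branch of `choose_gex_group` is the one an admin should care about: a server whose moduli file holds nothing above 1024 bits will still answer a client asking for 2048 or 3072 bits with its largest group, so the exchange quietly proceeds at 1024 bits. Removing those lines from the moduli file is what turns the weak group off.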

