[Ach] SSH HostKey ECDSA / Ciphers

Torge Riedel torgeriedel at gmx.de
Tue Jan 7 07:29:16 CET 2014

Hi @all,

I used the draft paper to harden my private server (ssh, mail, web). And it was good help. I was faced with two things:

In my /etc/ssh/sshd_config (Ubuntu 12.04 LTS) I have three entries:

HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

As told in the document I commented the first entry to disable DSA. Checking with ssh -vvv I saw that it seems to use ECDSA on connection. As there is no reference to ECDSA in the paper:

Q: Is it more ore less secure than RSA? And should I disable one of these (RSA / ECDSA)?

At the first time it was not really clear for me that my OpenSSH version does not support the ... at openssh.org / ... at libssh.org Ciphers / MACs / KexAlgorithms. Afterwards no connection was possible.
Luckily I still had a connection open, so I was able to fix that. I think there should be at least a good placed / formatted hint in the document, that this should be checked / tested well.

Thanks for your work

More information about the Ach mailing list