[Ach] SSH HostKey ECDSA / Ciphers
Torge Riedel
torgeriedel at gmx.de
Tue Jan 7 07:29:16 CET 2014
Hi @all,
I used the draft paper to harden my private server (ssh, mail, web), and it was a good help. I was faced with two things:
1. In my /etc/ssh/sshd_config (Ubuntu 12.04 LTS) I have three entries:
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
As told in the document, I commented out the first entry to disable DSA. Checking with ssh -vvv, I saw that it seems to use ECDSA on connection. As there is no reference to ECDSA in the paper:
Q: Is it more or less secure than RSA? And should I disable one of these (RSA / ECDSA)?
2. At first it was not really clear to me that my OpenSSH version does not support the ... at openssh.org / ... at libssh.org Ciphers / MACs / KexAlgorithms. Afterwards no connection was possible.
Luckily I still had a connection open, so I was able to fix that. I think there should be at least a well-placed / well-formatted hint in the document that this should be checked / tested well.
Thanks for your work
Torge
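Added example, not part of the original post or of the paper: a pre-restart check for the lockout described in point 2, listing every Ciphers / MACs / KexAlgorithms name in an sshd_config that the installed OpenSSH does not offer. The function names and the sample config and support lists are constructed for illustration; on a real host the lists come from `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` (OpenSSH 6.3 and later) or from the sshd_config man page of the installed version, and `sshd -t` validates the file before sshd is restarted.

```shell
#!/bin/sh
# Added example: find algorithms in sshd_config that this OpenSSH lacks.

# unsupported_algos CONFIG KEYWORD SUPPORTED_FILE
# Prints every name on CONFIG's KEYWORD line that is absent from
# SUPPORTED_FILE (one algorithm per line). Prints nothing if all are known.
unsupported_algos() {
    # Keywords are case-insensitive and the first occurrence wins in sshd.
    awk -v kw="$2" 'tolower($1) == tolower(kw) {
            $1 = ""; gsub(/[ \t]/, ""); print; exit }' "$1" |
    tr ',' '\n' |
    while IFS= read -r algo; do
        [ -n "$algo" ] || continue
        grep -qxF -- "$algo" "$3" || printf '%s\n' "$algo"
    done
}

# check_sshd_config CONFIG DIR
# DIR holds the files cipher, mac and kex. Returns 1 if anything is missing.
check_sshd_config() {
    bad=0
    for pair in Ciphers:cipher MACs:mac KexAlgorithms:kex; do
        missing=$(unsupported_algos "$1" "${pair%%:*}" "$2/${pair##*:}")
        [ -z "$missing" ] && continue
        echo "${pair%%:*}: unsupported:" $missing
        bad=1
    done
    return $bad
}

# make_sample DIR: constructed config and (partial) support lists for testing.
make_sample() {
    printf '%s\n' '# constructed sample' \
        'Ciphers aes256-gcm@openssh.com,aes256-ctr' \
        'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512' \
        'KexAlgorithms diffie-hellman-group-exchange-sha256' > "$1/sshd_config"
    printf '%s\n' aes128-ctr aes192-ctr aes256-ctr > "$1/cipher"
    printf '%s\n' hmac-sha1 hmac-sha2-256 hmac-sha2-512 > "$1/mac"
    printf '%s\n' diffie-hellman-group-exchange-sha256 > "$1/kex"
}

# Demo on the constructed sample: reports one cipher and one MAC as unsupported.
d=$(mktemp -d)
make_sample "$d"
check_sshd_config "$d/sshd_config" "$d" || echo "Do not restart sshd yet."
rm -rf "$d"
```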