[Ach] SSH HostKey ECDSA / Ciphers

Andy Wenk andy at nms.de
Tue Jan 7 09:54:59 CET 2014


On 7 January 2014 07:29, Torge Riedel <torgeriedel at gmx.de> wrote:

> Hi @all,
>
> I used the draft paper to harden my private server (ssh, mail, web). And
> it was good help. I was faced with two things:
>
> 1.
> In my /etc/ssh/sshd_config (Ubuntu 12.04 LTS) I have three entries:
>
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
>
> As told in the document I commented out the first entry to disable DSA.
> Checking with ssh -vvv I saw that it seems to use ECDSA on connection. As
> there is no reference to ECDSA in the paper:
>
> Q: Is it more or less secure than RSA? And should I disable one of these
> (RSA / ECDSA)?
>
> 2.
> At first it was not really clear to me that my OpenSSH version
> does not support the ... at openssh.org / ... at libssh.org Ciphers / MACs /
> KexAlgorithms. Afterwards no connection was possible.
> Luckily I still had a connection open, so I was able to fix that. I think
> there should be at least a well-placed / well-formatted hint in the document
> that this should be checked / tested well.
>

+1 as many people seem to have problems with this (including me :) ). This
is also discussed in other threads. I suggest adding the advice to test the
configuration with

/usr/sbin/sshd -t

Trial and error with two open ssh connections is also possible but can lead
to problems (connection timeout, and you're not able to revoke the config
and you're out ... )

-- 
Andy Wenk
Hamburg - Germany
RockIt!

http://www.couchdb-buch.de
http://www.pg-praxisbuch.de

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588

https://people.apache.org/keys/committer/andywenk.asc
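The pre-reload check Andy suggests, worked out as an added example (this script is not from the thread or from the OpenSSH project). It wraps `sshd -t` and adds a per-algorithm report of which names in `Ciphers`, `MACs` and `KexAlgorithms` the installed OpenSSH does not know, which is the failure Torge hit. Assumptions: `ssh -Q` is available for the live supported list (it appeared in OpenSSH 6.3, so the 5.9 shipped with Ubuntu 12.04 lacks it, and the script then falls back to a constructed list modelled on an older release); `sshd -t` has to run as a user that can read the host keys; the sample config fragment is constructed for the demo and is not anyone's real server config.

```shell
#!/bin/sh
# Added example: check a candidate sshd_config before reloading sshd, so a
# typo or an algorithm the installed OpenSSH does not know cannot lock you
# out. Assumes "ssh -Q" (OpenSSH >= 6.3) for the live list and a user that
# can read the host keys for "sshd -t".

# Print, one per line, the algorithms on the first "$2" line of config $1
# that are missing from the newline-separated supported list $3.
unsupported_algos() {
  cfg=$1; kw=$2; supported=$3
  line=$(grep -i "^[[:space:]]*$kw[[:space:]]" "$cfg" | head -n 1)
  [ -n "$line" ] || return 0          # keyword absent: sshd uses its defaults
  printf '%s\n' "$line" | awk '{print $2}' | tr ',' '\n' |
  while read -r algo; do
    printf '%s\n' "$supported" | grep -qxF -- "$algo" || printf '%s\n' "$algo"
  done
}

# Supported names for $1 in cipher|mac|kex: ask the local ssh when it can
# answer, otherwise use a constructed list modelled on an older OpenSSH that
# knows neither chacha20-poly1305 nor curve25519 (an assumption, not a
# transcript of any specific release).
supported_list() {
  if ssh -Q "$1" >/dev/null 2>&1; then
    ssh -Q "$1"
    return
  fi
  case $1 in
    cipher) printf '%s\n' aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes256-cbc ;;
    mac)    printf '%s\n' hmac-sha2-256 hmac-sha2-512 hmac-sha1 umac-64@openssh.com ;;
    kex)    printf '%s\n' diffie-hellman-group-exchange-sha256 \
                          diffie-hellman-group14-sha1 ecdh-sha2-nistp256 ;;
  esac
}

# Report every unsupported algorithm in config $1; returns 1 if any exist.
check_algos() {
  cfg=$1; bad=0
  for pair in Ciphers:cipher MACs:mac KexAlgorithms:kex; do
    kw=${pair%%:*}; kind=${pair##*:}
    for algo in $(unsupported_algos "$cfg" "$kw" "$(supported_list "$kind")"); do
      echo "$kw: '$algo' is not supported by this OpenSSH" >&2
      bad=1
    done
  done
  return $bad
}

# Full pre-reload check: syntax and semantics via sshd -t, then the lists.
check_sshd_config() {
  cfg=${1:-/etc/ssh/sshd_config}
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$cfg" || return 1
  else
    echo "sshd not found; skipping sshd -t" >&2
  fi
  check_algos "$cfg"
}

# Constructed config fragment for the demo: each list carries one of the
# "@openssh.com / @libssh.org" names an older daemon rejects.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF

# Usage: sh check_sshd.sh --demo      (report on the constructed sample)
#        check_sshd_config /etc/ssh/sshd_config.new   (after sourcing)
if [ "${1:-}" = "--demo" ]; then
  check_algos "$SAMPLE_CFG" ||
    echo "fix the lists above, then: sshd -t && service ssh reload" >&2
fi
```

`sshd -t` already refuses a config whose `Ciphers`, `MACs` or `KexAlgorithms` line names an algorithm the daemon does not know, so running it before every reload is the one step that would have prevented the lockout in the thread; the `check_algos` report is there to say which name is the problem and to let you vet a list on a machine where you cannot run `sshd -t` as root. Keep the second session open regardless: `sshd -t` validates the file, not the fact that the client on the other end speaks the algorithms you kept.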