[Ach] SSH HostKey ECDSA / Ciphers
andy at nms.de
Tue Jan 7 09:54:59 CET 2014
On 7 January 2014 07:29, Torge Riedel <torgeriedel at gmx.de> wrote:
> Hi @all,
> I used the draft paper to harden my private server (ssh, mail, web). And
> it was good help. I was faced with two things:
> In my /etc/ssh/sshd_config (Ubuntu 12.04 LTS) I have three entries:
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> As told in the document I commented the first entry to disable DSA.
> Checking with ssh -vvv I saw that it seems to use ECDSA on connection. As
> there is no reference to ECDSA in the paper:
> Q: Is it more or less secure than RSA? And should I disable one of these
> (RSA / ECDSA)?
> At the first time it was not really clear for me that my OpenSSH version
> does not support the ... at openssh.org / ... at libssh.org Ciphers / MACs /
> KexAlgorithms. Afterwards no connection was possible.
> Luckily I still had a connection open, so I was able to fix that. I think
> there should be at least a well-placed / formatted hint in the document,
> that this should be checked / tested well.
+1 as many people seem to have problems with this (including me :) ). This
is also discussed in other threads. I suggest to add the advice to test the
trial and error with two open ssh connections is also possible but can lead
to problems (connection timeout and you're not able to revoke the config
and you're out ... )
Hamburg - Germany
GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
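
The pre-reload check asked for in this thread, as an added example that is not part of the original messages: it lists every Ciphers / MACs / KexAlgorithms entry in an sshd_config that the installed OpenSSH does not offer, then runs `sshd -t`. The function names are hypothetical, and `ssh -Q` is assumed to be available (OpenSSH 6.3 or later); on older builds, pass `unsupported_algos` a hand-written list instead.

```shell
#!/bin/sh
# Added example, not from the thread: report Ciphers/MACs/KexAlgorithms entries
# in an sshd_config that the installed OpenSSH does not offer.

# Print every cipher, MAC and key-exchange name this build supports.
# Assumption: OpenSSH 6.3 or later, where "ssh -Q" exists.
supported_algos() {
    ssh -Q cipher && ssh -Q mac && ssh -Q kex
}

# unsupported_algos CONFIG SUPPORTED_FILE
# SUPPORTED_FILE holds one algorithm name per line (must not be empty).
# Prints "Keyword: name" for each configured name that is not listed and
# returns 1 if any was found, 0 otherwise.
unsupported_algos() {
    awk '
        NR == FNR { ok[$1] = 1; next }      # first file: supported names
        $1 ~ /^#/ { next }                  # skip comment lines
        tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
            n = split($2, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] != "" && !(names[i] in ok)) {
                    print $1 ": " names[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# check_config CONFIG: run before reloading sshd, from a session you keep open.
# "sshd -t" parses the file without starting a daemon; run it as root so it
# can read the host keys. Returns 0 only if both checks pass.
check_config() {
    list=$(mktemp) || return 2
    rc=0
    supported_algos > "$list" && unsupported_algos "$1" "$list" || rc=1
    sshd -t -f "$1" || rc=1
    rm -f "$list"
    return "$rc"
}

# Script usage: sh check-sshd-algos.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    check_config "$1"
fi
```

Reload sshd only after `check_config` returns 0, and confirm a fresh login works before closing the existing session.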