[Ach] Settings for OpenSSH - missing client side configuration.
Dariusz at Puchalak.net
Tue Jul 15 10:02:19 CEST 2014
I just skimmed over Applied Crypto Hardening.
Excellent guide! Thanks. :)
I have some remarks:
1. On the OpenSSH part, you missed the client side.
Just as you can specify the server-side sshd_config,
you can also specify the client-side ssh_config.
I think it's worth including this one too,
so we can enforce good crypto on the client side too.
And it can be good education, because I have heard many
complaints about OpenSSH that were not true,
i.e. you cannot choose the AES mode
(in PuTTY only - but almost no one knew that they can
do it in OpenSSH).
People take PuTTY shortcomings as OpenSSH problems. :(
As an example, part of my config file
(can be /etc/ssh/ssh_config and/or ~/.ssh/config):
HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
IPQoS lowdelay throughput
It's the default, which can be changed on a per-host basis by doing things like:
2. HostKeyAlgorithms - I'm not sure what the
difference is between ssh-rsa-cert-v01@openssh.com and
ssh-rsa-cert-v00@openssh.com.
I need to dig more into the specification and source code.
But I still think it's essential to disable DSA on the server
and client too.
3. Why no ECDSA for OpenSSH?
I have read the Theory part and
3.5. A note on Elliptic Curve Cryptography,
but I'm not convinced :)
A few more sentences about SSH and ECDSA would be nice,
just like about DSS.
"If money is your hope for independence you will never have it.
The only real security that a man will have in this world is a
reserve of knowledge, experience, and ability."
-- Henry Ford
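The per-host override the post mentions depends on a rule of ssh_config(5) that is easy to get backwards: ssh(1) reads ~/.ssh/config before /etc/ssh/ssh_config and, for every keyword, keeps the first value it obtains, so a "Host" block that is meant to override a global default has to come before the global "Host *" section, not after it. The following is an added example, not code from the original post or from the OpenSSH project: a small resolver that reproduces that first-match-wins lookup over a constructed client config, and then checks whether the effective HostKeyAlgorithms list for a host still admits DSA (the post's point 2). The host names, the legacy-host block and the "misordered" config are all invented for the demonstration; wildcard matching is approximated with fnmatch, which also accepts "[...]" classes that OpenSSH does not.

```python
"""Resolve the effective ssh_config value for a host the way ssh(1) does.

ssh_config(5): "For each parameter, the first obtained value will be used."
Hence host-specific "Host" blocks must precede the global "Host *" block,
otherwise the override is silently ignored.  After resolving, the script
flags weak (DSA) entries in the effective HostKeyAlgorithms list.
"""
import fnmatch
import re

# Constructed sample ~/.ssh/config for this example (not the poster's file).
# Correct ordering: the per-host block comes BEFORE the global defaults.
SAMPLE_CONFIG = """\
# Legacy box (hypothetical) that still only offers a DSA host key.
Host legacy.example.org
    HostKeyAlgorithms ssh-rsa,ssh-dss

# Global defaults, placed last so that the blocks above can override them.
Host *
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
    IPQoS lowdelay throughput
"""

# Same content with the global block first: the legacy override never applies.
MISORDERED_CONFIG = """\
Host *
    HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa

Host legacy.example.org
    HostKeyAlgorithms ssh-rsa,ssh-dss
"""

WEAK_HOSTKEY_ALGOS = {
    "ssh-dss",
    "ssh-dss-cert-v00@openssh.com",
    "ssh-dss-cert-v01@openssh.com",
}

_LINE_RE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_ssh_config(text):
    """Return (host_patterns, {keyword_lower: value}) blocks in file order.

    Lines before the first "Host" keyword apply to every host ("*").
    Keywords are case-insensitive; "Keyword value" and "Keyword=value" both parse.
    """
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # first occurrence inside a block wins too
    blocks.append((patterns, opts))
    return blocks


def host_matches(host, patterns):
    """OpenSSH Host matching: '*' and '?' wildcards, a leading '!' negates.

    A host matches when it matches at least one positive pattern and no
    negated pattern.  Matching is done on the lowercased host name.
    """
    host = host.lower()
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(host, pat.lower()):
            positive = True
    return positive


def effective_option(config_text, host, keyword):
    """First-match-wins lookup of one keyword for one host; None if unset."""
    key = keyword.lower()
    for patterns, opts in parse_ssh_config(config_text):
        if host_matches(host, patterns) and key in opts:
            return opts[key]
    return None


def weak_hostkey_algorithms(config_text, host):
    """Weak (DSA) entries that remain in the effective HostKeyAlgorithms list."""
    value = effective_option(config_text, host, "HostKeyAlgorithms")
    if value is None:
        return []
    return [a.strip() for a in value.split(",") if a.strip() in WEAK_HOSTKEY_ALGOS]


if __name__ == "__main__":
    for label, cfg in (("ordered", SAMPLE_CONFIG), ("misordered", MISORDERED_CONFIG)):
        for host in ("legacy.example.org", "git.example.org"):
            print(label, host,
                  effective_option(cfg, host, "HostKeyAlgorithms"),
                  "weak:", weak_hostkey_algorithms(cfg, host))
```

In the correctly ordered config the legacy host gets its DSA-tolerant list and every other host gets the global one; in the misordered config the legacy block is dead configuration, because "Host *" already supplied HostKeyAlgorithms. Recent OpenSSH releases can show the resolved values directly with `ssh -G host`, which is the quickest way to confirm a client-side policy actually took effect.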