[Ach] Settings for OpenSSH - missing client side configuration.

Dariusz Puchalak Dariusz at Puchalak.net
Tue Jul 15 10:02:19 CEST 2014


I just skimed over Applied Crypto Hardening.
Excelent guide! Thanks. :)

I have some remarks:

1. On the OpenSSH part, you missed client side
Just as you can specify server side sshd_config
you can also specify client side ssh_config.

I think it's worth including this one too.
So we can enforce good crypto on the client side too.
And it can be a good education, because I have heard many
complains about OpenSSH that were not true 
i.e. you cannot choose AES mode
(in putty only - but almost no one knew that they can
do it on openssh). 
People take putty shortcommings as OpenSSH problems. :(

In example part of my config file
(can be /etc/ssh/ssh_config and/or ~/.ssh/config)
Host *
        StrictHostKeyChecking ask
        ForwardAgent no
        ForwardX11 no
        ForwardX11Trusted no
        GatewayPorts no
        Protocol 2
        CheckHostIP yes
        Ciphers aes256-ctr,aes128-ctr
        MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
        KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
	HostKeyAlgorithms ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa
        ServerAliveInterval 30
        TCPKeepAlive yes
        PreferredAuthentications publickey,password
        IPQoS lowdelay throughput

It's the default that can be change on per host basis by doing thing like:
Host old_and_buggy
        HostName example.com
        User scorpius
        Port 80
        Ciphers aes128-cbc
	MACs hmac-sha1

2. HostKeyAlgorithms - I'm not sure about what's the 
difference beetwen ssh-rsa-cert-v01 at openssh.com and
ssh-rsa-cert-v00 at openssh.com .
I need to dig more into the specification and source code.

But I still think it's esssential to disable DSA on server
and client too.

3. Why no ECDSA for OpenSSH?
I have read Theory part and 
3.5. A note on Elliptic Curve Cryptography,
but I'm not convinced :)
A few more sentences about SSH and ECDSA would be nice,
just like about DSS. 


"If money is your hope for independence you will never have it. 
 The only real security that a man will have in this world is a 
 reserve of knowledge, experience, and ability."
                                                -- Henry Ford 

More information about the Ach mailing list