[Ach] More OpenSSH Hardening

Aaron Zauner azet at azet.org
Wed Jan 7 14:39:00 CET 2015


The writeup gets a couple of things wrong (most have been corrected by
now). I think we should still stick to our recommendations - if you're
using upstream OpenSSH, use their defaults, they are very good. My
personal opinion.

Sure it'd be nice to just use AES-GCM (or AES-CTR) and UMAC - but
your're probably not going to be able to connect to 85%+ of all servers
and appliances/networking gear etc. - so what you end up with is, as
with the updated guide on GitHub; different configurations for different
hosts (e.g. GitHub, your Cisco equipment et cetera). We don't have the
capacity to include all that in every recommendation for OpenSSH for
every version and every package for every distribution, hence we should
stick to our current recommendations. If there are flaws in them, I'm
happy to accept pull requests or issues on GitHub or this very mailinglist.

Aaron

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150107/3377fa34/attachment.sig>


More information about the Ach mailing list