[Ach] More OpenSSH Hardening

Axel Hübl axel.huebl at web.de
Wed Jan 7 15:10:57 CET 2015



Coming back to the "moduli" part of OpenSSH: would you guys remove all
"below 2000", too? That was my central question.

On 07.01.2015 14:39, Aaron Zauner wrote:
> The writeup gets a couple of things wrong (most have been corrected by
> now). I think we should still stick to our recommendations - if you're
> using upstream OpenSSH, use their defaults, they are very good. My
> personal opinion.
> Sure, it'd be nice to just use AES-GCM (or AES-CTR) and UMAC - but
> you're probably not going to be able to connect to 85%+ of all servers
> and appliances/networking gear etc. - so what you end up with is, as
> with the updated guide on GitHub: different configurations for different
> hosts (e.g. GitHub, your Cisco equipment et cetera). We don't have the
> capacity to include all that in every recommendation for OpenSSH for
> every version and every package for every distribution, hence we should
> stick to our current recommendations. If there are flaws in them, I'm
> happy to accept pull requests or issues on GitHub or this very mailing list.
> Aaron
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
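An added example, not code from this mail or the Ach project: a POSIX shell filter that keeps only moduli(5) entries whose Size column meets the threshold Axel is asking about, run here on constructed sample lines (placeholder moduli, not real primes) instead of the live /etc/ssh/moduli.

```shell
#!/bin/sh
# Added example: trim an OpenSSH moduli file to groups of at least MIN_SIZE.
# moduli(5) lines look like:  Time Type Tests Tries Size Generator Modulus
# The Size field (column 5) is the bit length minus one, so the stock
# 2048-bit groups are listed as 2047; "$5 >= 2000" keeps 2048-bit and up.

# filter_moduli FILE MIN_SIZE -> prints comments plus entries with Size >= MIN_SIZE
filter_moduli() {
    awk -v min="$2" '/^#/ || /^$/ || $5 >= min' "$1"
}

# count_moduli FILE -> number of group entries (comment and blank lines excluded)
count_moduli() {
    grep -cv -e '^#' -e '^$' "$1" || true
}

# write_sample_moduli FILE -> constructed sample; the moduli are placeholders,
# not real safe primes, so this file is only good for testing the filter.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150107000000 2 6 100 1023 2 PLACEHOLDER_1024_BIT_MODULUS
20150107000000 2 6 100 1535 2 PLACEHOLDER_1536_BIT_MODULUS
20150107000000 2 6 100 2047 2 PLACEHOLDER_2048_BIT_MODULUS
20150107000000 2 6 100 4095 2 PLACEHOLDER_4096_BIT_MODULUS
EOF
}

# Demo run on the sample. On a real host FILE would be /etc/ssh/moduli, and the
# filtered copy should replace it only after the non-empty check below passes,
# so a typo in the threshold cannot wipe every group from the file.
SAMPLE=$(mktemp)
write_sample_moduli "$SAMPLE"
filter_moduli "$SAMPLE" 2000 > "$SAMPLE.safe"
echo "kept $(count_moduli "$SAMPLE.safe") of $(count_moduli "$SAMPLE") groups"
if [ "$(count_moduli "$SAMPLE.safe")" -eq 0 ]; then
    echo "threshold left no groups; not installing an empty moduli file" >&2
fi
rm -f "$SAMPLE" "$SAMPLE.safe"
```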

