[Ach] More OpenSSH Hardening
Axel Hübl
axel.huebl at web.de
Wed Jan 7 15:10:57 CET 2015
Hi,
absolutely!
coming back to the "moduli" part of OpenSSH: would you guys remove all
"below 2000", too? That was my central question.
Axel
On 07.01.2015 14:39, Aaron Zauner wrote:
> The writeup gets a couple of things wrong (most have been corrected by
> now). I think we should still stick to our recommendations - if you're
> using upstream OpenSSH, use their defaults, they are very good. My
> personal opinion.
>
> Sure it'd be nice to just use AES-GCM (or AES-CTR) and UMAC - but
> your're probably not going to be able to connect to 85%+ of all servers
> and appliances/networking gear etc. - so what you end up with is, as
> with the updated guide on GitHub; different configurations for different
> hosts (e.g. GitHub, your Cisco equipment et cetera). We don't have the
> capacity to include all that in every recommendation for OpenSSH for
> every version and every package for every distribution, hence we should
> stick to our current recommendations. If there are flaws in them, I'm
> happy to accept pull requests or issues on GitHub or this very mailinglist.
>
> Aaron
>
>
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150107/5fc2bd66/attachment.sig>
More information about the Ach
mailing list