[Ach] More OpenSSH Hardening

Aaron Zauner azet at azet.org
Wed Jan 7 16:38:04 CET 2015

Axel Hübl wrote:
> Hi,
> absolutely!
> coming back to the "moduli" part of OpenSSH: would you guys remove all
> "below 2000", too? That was my central question.

I'd not recommend to generate DH params on your own, we had this
discussion on this mailing list a couple of times now. There are known
problems with that. And if I see that these params are written to /tmp
I'm certain that we should not recommend that. :/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150107/1dfe2c85/attachment.sig>

More information about the Ach mailing list