[Ach] More OpenSSH Hardening

Axel Hübl axel.huebl at web.de
Wed Jan 7 17:57:08 CET 2015


The thing is: on my standard Debian testing, the file /etc/ssh/moduli
already existed anyway and contains moduli of size < 2000.

I am not talking about recreation of the whole file but just the
"tampering" (removal) of these values. A stupid idea, too?


Axel
On 07.01.2015 16:38, Aaron Zauner wrote:
> 
> 
> Axel Hübl wrote:
>> Hi,
>>
>> absolutely!
>>
>> coming back to the "moduli" part of OpenSSH: would you guys remove all
>> "below 2000", too? That was my central question.
>>
> 
> I'd not recommend to generate DH params on your own, we had this
> discussion on this mailing list a couple of times now. There are known
> problems with that. And if I see that these params are written to /tmp
> I'm certain that we should not recommend that. :/
> 
> Aaron
> 
> 

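The removal asked about above (dropping entries below 2000 from an existing moduli file, without generating new parameters), as an added example that is not part of the original messages. The field layout is taken from moduli(5), where the size field is the bit length minus one; the function names are hypothetical and the sample entries are constructed with shortened, fake moduli.

```shell
#!/bin/sh
# Added example, not from the thread. Field layout per moduli(5):
#   time type tests trials size generator modulus
# "size" is the bit length minus one (2047 for a 2048-bit prime).

# filter_moduli MIN_SIZE SRC DST
# Writes comments and entries with size >= MIN_SIZE to DST and prints the
# number of entries kept. Returns 1 and deletes DST if nothing would remain.
filter_moduli() {
    min=$1; src=$2; dst=$3
    kept=$(awk -v min="$min" -v dst="$dst" '
        BEGIN { n = 0; printf "" > dst }
        /^#/ { print > dst; next }                # keep header comments
        NF == 7 && $5 + 0 >= min { print > dst; n++ }
        END { print n }
    ' "$src") || return 2
    if [ "$kept" -eq 0 ]; then
        rm -f "$dst"                              # never leave an empty moduli file
        return 1
    fi
    echo "$kept"
}

# write_sample PATH: constructed entries with shortened, fake moduli.
write_sample() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 C0FFEE01
20150101000001 2 6 100 1535 2 C0FFEE02
20150101000002 2 6 100 2047 5 C0FFEE03
20150101000003 2 6 100 4095 2 C0FFEE04
EOF
}

# Demo: work on a copy in a private directory, never on /etc/ssh/moduli itself.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/moduli"
echo "kept: $(filter_moduli 2000 "$demo_dir/moduli" "$demo_dir/moduli.filtered")"
rm -rf "$demo_dir"
```

Review the filtered copy and the kept count before installing it in place of the system file; the temporary directory from `mktemp -d` is private to the calling user, unlike a fixed path under /tmp.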