[Ach] More OpenSSH Hardening

Aaron Zauner azet at azet.org
Wed Jan 7 18:55:22 CET 2015

Axel Hübl wrote:
> The thing is: on my standard debian testing the file /etc/ssh/moduli
> already existed anyway and contains size < 2000 moduli.
> I am not talking about recreation of the whole file but just the
> "tampering" (removal) of these values. A stupid idea, too?

That comes back to the issue of how far you want to go with locking down
your system. You can of course remove everything below a certain value,
only allow chacha20/poly1305, AES-GCM and UMAC or 512-bit
encrypt-then-mac HMAC. The problem I see is that you won't be able to
connect to a lot of SSH hosts out there. You can pretty much do the same
thing with different host settings for hosts you know support large DH
params and use e.g. group14.
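As an added illustration of the two options discussed above (this script is not from either mail and is not code from the bettercrypto/ACH project), the POSIX shell below filters a moduli file by its size column and emits a per-host ssh_config stanza restricted to the modern KEX, cipher and MAC choices. The sample moduli lines, the host alias `build.example` and the helper names `filter_moduli`, `moduli_sizes`, `host_stanza` and `count_filtered` are constructed for this example. One caveat worth knowing before filtering: the size column in a moduli file is one less than the nominal group length (2047 for a 2048-bit group), so a threshold of 2000 keeps 2048-bit and larger groups.

```shell
#!/bin/sh
# Added example (not from the thread): filter a moduli file by size and
# emit a per-host ssh_config stanza. Sample data below is constructed.
set -eu

# Print moduli lines whose size field (5th column) exceeds $2.
# Comment lines are passed through unchanged.
# Note: the size column is one less than the nominal bit length
# (2047 for a 2048-bit group), so a threshold of 2000 keeps 2048+.
filter_moduli() {
  awk -v min="$2" '/^#/ { print; next } NF >= 7 && $5 + 0 > min { print }' "$1"
}

# List the distinct size values present in a moduli file, smallest first.
moduli_sizes() {
  awk '!/^#/ && NF >= 7 { print $5 }' "$1" | sort -n | uniq
}

# Count of usable groups left after filtering (comment lines excluded).
count_filtered() {
  filter_moduli "$1" "$2" | grep -vc '^#'
}

# Emit an ssh_config Host stanza limited to modern KEX/ciphers/MACs; use it
# only for hosts known to support them. $1 is a hypothetical host alias.
host_stanza() {
  cat <<EOF
Host $1
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF
}

# Constructed sample moduli file in the /etc/ssh/moduli column layout;
# the modulus column is a placeholder, not a real safe prime.
SAMPLE_MODULI="$(mktemp)"
trap 'rm -f "$SAMPLE_MODULI"' EXIT
cat > "$SAMPLE_MODULI" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150107000000 2 6 100 1023 2 DEADBEEF
20150107000000 2 6 100 1535 2 DEADBEEF
20150107000000 2 6 100 2047 2 DEADBEEF
20150107000000 2 6 100 4095 5 DEADBEEF
EOF

# Usage on the sample. On a real system: filter_moduli /etc/ssh/moduli 2000 > moduli.new,
# review the result, then replace /etc/ssh/moduli and restart sshd.
echo "sizes present: $(moduli_sizes "$SAMPLE_MODULI" | tr '\n' ' ')"
echo "groups kept above 2000: $(count_filtered "$SAMPLE_MODULI" 2000)"
host_stanza build.example
```

Keeping the filtered file as a separate review step rather than rewriting /etc/ssh/moduli in place lets you confirm that at least a few groups of each larger size survive; an empty or near-empty moduli file makes sshd fall back to its built-in groups for group-exchange.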

