[Ach] More OpenSSH Hardening
azet at azet.org
Wed Jan 7 18:55:22 CET 2015
Axel Hübl wrote:
> The thing is: on my standard debian testing the file /etc/ssh/moduli
> already existed anyway and contains size < 2000 moduli.
> I am not talking about recreation of the whole file but just the
> "tampering" (removal) of these values. A stupid idea, too?
That comes back to the issue of how far you want to go with locking down
your system. You can of course remove everything below a certain value,
only allow chacha20/poly1305, AES-GCM and UMAC or 512bit
encrypt-then-mac HMAC. The problem I see is that you won't be able to
connect to a lot of SSH hosts out there. You can pretty much do the same
thing with different host settings for hosts you know support large DH
params and use e.g. group14.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the Ach