[Ach] More OpenSSH Hardening

Aaron Zauner azet at azet.org
Wed Jan 7 18:55:22 CET 2015



Axel Hübl wrote:
> The thing is: on my standard debian testing the file /etc/ssh/moduli
> already existed anyway and contains size < 2000 moduli.
> 
> I am not talking about recreation of the whole file but just the
> "tampering" (removal) of these values. A stupid idea, too?
> 

That comes back to the issue of how far you want to go with locking down
your system. You can of course remove everything below a certain value,
only allow chacha20/poly1305, AES-GCM and UMAC or 512bit
encrypt-then-mac HMAC. The problem I see is that you won't be able to
connect to a lot of SSH hosts out there. You can pretty much do the same
thing with different host settings for hosts you know support large DH
params and use e.g. group14.

Aaron
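As a worked example of the moduli pruning Axel describes above (added here, not code from either poster): the following POSIX shell snippet filters a file in the /etc/ssh/moduli layout, keeping only groups whose Size field is at least a chosen threshold. The sample data, the 2000 default and the placeholder modulus values are constructed for the illustration; on a real system the input would be /etc/ssh/moduli and the output written to a temporary file before replacing the original.

```shell
#!/bin/sh
# Constructed sample in the /etc/ssh/moduli layout:
#   Time Type Tests Tries Size Generator Modulus
# The Modulus column is a placeholder here, not a real prime.
# Note that Size is the bit length minus one (2047 = a 2048-bit group).
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 C0FFEE01
20150101000000 2 6 100 1535 2 C0FFEE02
20150101000000 2 6 100 2047 2 C0FFEE03
20150101000000 2 6 100 3071 5 C0FFEE04
20150101000000 2 6 100 4095 2 C0FFEE05'

# filter_moduli [MIN_SIZE]
# Reads moduli lines on stdin and writes to stdout only the comment lines
# and the entries whose Size field (column 5) is >= MIN_SIZE (default 2000).
# Lines that do not have the expected seven columns are dropped.
filter_moduli() {
  min_size="${1:-2000}"
  awk -v min="$min_size" '
    /^#/              { print; next }
    NF == 7 && $5 + 0 >= min { print }
  '
}

# count_moduli
# Counts the non-comment entries on stdin, for a before/after check.
count_moduli() {
  grep -c -v '^#'
}

# Example invocation, the way you would run it against the real file:
#   filter_moduli 2000 < /etc/ssh/moduli > /etc/ssh/moduli.new
#   count_moduli < /etc/ssh/moduli; count_moduli < /etc/ssh/moduli.new
# then inspect moduli.new and move it into place.
printf '%s\n' "$SAMPLE_MODULI" | filter_moduli 2000
```

Two caveats worth keeping in mind when doing this: the moduli file only affects the diffie-hellman-group-exchange-* methods, so a client that negotiates a fixed group such as diffie-hellman-group14-sha1 never consults it; and after pruning, a client requesting a group-exchange size you no longer serve will fail to connect, which is exactly the interoperability trade-off Aaron mentions. For the per-host approach he suggests, the same restriction can be expressed on the client side in ~/.ssh/config with a Host stanza carrying KexAlgorithms, Ciphers and MACs lines for the hosts known to support the stronger settings, leaving the defaults in place for everything else.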
