[Ach] OpenSSH: hmac-ripemd160

Aaron Zauner azet at azet.org
Mon Oct 9 14:17:56 CEST 2017


> On 08 Oct 2017, at 05:12, respiranto <ach-list-member at respiranto.de> wrote:
> 
> Hi,
> 
> I just noted the (recommended) hmac-ripemd160 MAC having become excluded
> from the list of possible MACs in the OpenSSH 7.6 release.
> 
> Upgrading to OpenSSH 7.6, having enabled hmac-ripemd160, does cause sshd
> to fail.
> 
> Unfortunately I don't know of the right way to add this information to
> the document. If a new configuration for 7.6 was to be created, I assume
> more things should be thought about (such as the note about Curve25519
> being supported since 6.6p1 requires). The simple alternative would be
> to add another such note.

That's true. With recent OpenSSH releases there isn't anything that needs to be changed from the defaults, IMO. The only thing may be hints to disable Password-based authentication among other things. There is an open Pull Request on GitHub regarding the topic/issue if you are interested in contributing: https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/133

Thanks,
Aaron / azet
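
A pre-upgrade check for the failure described in this thread, added here as an example (it is not part of the original messages or of the Applied Crypto Hardening document): it lists MACs named in an sshd_config that are absent from a supported-MAC list. The function name, the sample config line and the sample supported list are constructed for illustration; only a plain or `+`/`-` prefixed `MACs` list is handled, not wildcard patterns.

```shell
#!/bin/sh
# Added example: report MACs configured for sshd that the installed
# OpenSSH no longer offers (e.g. hmac-ripemd160 after the 7.6 upgrade).

# unsupported_macs CONFIG SUPPORTED   (hypothetical helper name)
#   CONFIG    path to an sshd_config-style file
#   SUPPORTED path to a file with one MAC name per line,
#             i.e. the output format of `ssh -Q mac`
# Prints each configured MAC that is missing from SUPPORTED, one per line.
unsupported_macs() {
    config=$1
    supported=$2
    # First MACs directive only (sshd keeps the first value it reads);
    # keyword is case-insensitive, commented-out lines do not match.
    awk 'tolower($1) == "macs" { print $2; exit }' "$config" |
        sed 's/^[+-]//' |
        tr ',' '\n' |
        while IFS= read -r mac; do
            [ -n "$mac" ] || continue
            # Exact, whole-line, fixed-string comparison.
            grep -qxF -e "$mac" "$supported" || printf '%s\n' "$mac"
        done
}

# Constructed sample: a MACs line that still names hmac-ripemd160, checked
# against a constructed stand-in for a post-upgrade `ssh -Q mac` listing.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed sample sshd_config' \
        'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160' \
        > "$dir/sshd_config"
    printf '%s\n' hmac-sha2-256 hmac-sha2-512 \
        hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com \
        > "$dir/supported"
    unsupported_macs "$dir/sshd_config" "$dir/supported"
    rm -rf "$dir"
}

demo   # prints: hmac-ripemd160
```

On a real host, feed it the output of `ssh -Q mac` from the new package, and run `sshd -t` to validate the whole configuration before restarting the daemon.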