[Ach] OpenSSH: hmac-ripemd160

respiranto ach-list-member at respiranto.de
Wed Oct 11 18:27:46 CEST 2017

On 2017-10-09 14:17, Aaron Zauner wrote:
>> On 08 Oct 2017, at 05:12, respiranto <ach-list-member at respiranto.de> wrote:
>> Hi,
>> I just noted the (recommended) hmac-ripemd160 MAC having become excluded
>> from the list of possible MACs in the OpenSSH 7.6 release.
>> Upgrading to OpenSSH 7.6, having enabled hmac-ripemd160, does cause sshd
>> to fail.
>> Unfortunately I don't know of the right way to add this information to
>> the document. If a new configuration for 7.6 was to be created, I assume
>> more things should be thought about (such as the note about Curve25519
>> being supported since 6.6p1 requires). The simple alternative would be
>> to add another such note.
> That's true. With recent OpenSSH releases there isn't anything that needs to be changed from the defaults, IMO. The only thing may be hints to disable Password-based authentication among other things. There is an open Pull Request on GitHub regrding the topic/issue if you are interested in contributing: https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/133

That is, you would recommend not to set anything? Or rather to set the
defaults explicitly?

> Thanks,
> Aaron / azet

More information about the Ach mailing list