[Ach] openssh recommendations: overview of algorithms in different versions

Aaron Zauner azet at azet.org
Sat Mar 9 12:56:26 CET 2019


BTW:

> On 11.11.2018, at 12:53, Hanno Böck <hanno at hboeck.de> wrote:
> 
> Hi,
> 
> On Sun, 11 Nov 2018 12:31:34 +0100
> Sebastian <sebix at sebix.at> wrote:
> 
>> to update our recommendations for openssh I collected the supported
>> and default settings for Ciphers, MACs and KexAlgorithms of various
>> openssh versions. Mostly from manpages.(debian.org|ubuntu.com) and a
>> few systems accessible to me.
> 
> Here's my recommendation for OpenSSH algorithm security:
> Don't touch the default settings.
> 
> The OpenSSH developers have been busy aggressively deprecating
> everything that looks like fragile crypto over the past couple of
> versions. They can do that, because the SSH ecosystem is much less
> complex and the average users are more technical. (That doesn't mean it
> hasn't caused breakage - I had to tell lots of people to update their
> filezilla, putty and what else they use to connect to SSH.)
> 
> This is kinda an ideal situation. You don't want people to look up
> guides on how to best configure their crypto. You want good defaults.
> This is difficult in the TLS space, because compatibility
> considerations are complex and upstream projects are slow to adopt. But
> with OpenSSH this is happening and the defaults are good. Don't tell
> people to use anything else as long as they don't have very good
> reasons for it.

I (mostly) agree with that.

Why “mostly”? For some reason the EtM (“*-etm-*” aka encrypt-then-mac) algorithms aren’t preferred in the standard config as shipped by OpenSSH upstream, last time I took a look at it. Neither is UMAC, which is also a very nice choice. Be aware that some distros don’t ship the upstream defaults but some variation that the package maintainer of that distro deems best-secure-for-everyone :)

Aaron
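
Added example, not part of the original message: a way to check where the EtM MACs sit in the order a given install actually uses, since distro packages may differ from upstream. It reads the `macs` line that `sshd -T` (or `ssh -G <host>` on the client) prints; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the effective MAC preference order of an OpenSSH
# install. Function names and the sample line below are constructed.

# Extract the comma-separated MAC list from `sshd -T` / `ssh -G host` output
# read on stdin (both print a line of the form "macs a,b,c").
effective_macs() {
    awk 'tolower($1) == "macs" { print $2; exit }'
}

# Given a comma-separated MAC list, print each non-EtM MAC that is ordered
# ahead of at least one EtM MAC. Empty output means EtM is preferred.
non_etm_before_etm() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        /-etm@openssh\.com$/ { for (i = 1; i <= n; i++) print pending[i]; n = 0; next }
        NF { pending[++n] = $0 }'
}

# Summarise as "etm-first", "etm-not-first", or "no-etm" (no EtM MAC offered).
mac_order_verdict() {
    case ",$1," in
        *-etm@openssh.com,*) ;;
        *) echo "no-etm"; return ;;
    esac
    if [ -z "$(non_etm_before_etm "$1")" ]; then echo "etm-first"; else echo "etm-not-first"; fi
}

# Constructed sample standing in for `sshd -T` output.
SAMPLE='port 22
ciphers chacha20-poly1305@openssh.com,aes256-ctr
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com'

if [ "${1:-}" = "--live" ]; then
    macs=$(sshd -T 2>/dev/null | effective_macs)   # usually needs root
else
    macs=$(printf '%s\n' "$SAMPLE" | effective_macs)
fi
echo "MACs: $macs"
echo "verdict: $(mac_order_verdict "$macs")"
non_etm_before_etm "$macs" | sed 's/^/ahead of an EtM MAC: /'
```

Run without arguments it evaluates the constructed sample; with `--live` it evaluates the local server's effective configuration.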

