Bug#774711: recommendations for changing openssh defaults

2015-10-12 Thread Matt Taggart
Also here are some interesting upstream messages that are relevant to this bug.

FYI: SSH1 now disabled at compile-time by default
Wed Mar 25 2015
https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033701.html

Obsolete MD5
Tue May 5 2015

Bug#774711: recommendations for changing openssh defaults

2015-10-12 Thread Matt Taggart
Given the recent news about advances in causing SHA1 collisions, I think it's even more important for openssh to start not accepting known weak crypto (including sha1) by default.

https://sites.google.com/site/itstheshappening/

I don't see any upstream bugs about this. Should this bug be

Bug#774711: recommendations for changing openssh defaults

2015-09-14 Thread Jens Thiele
Matt Taggart writes:
> Jens Thiele writes:
>> Afair I have seen small default primes with this one.

I can't reproduce it (maybe my memory was just wrong).

>> Did you inspect this?
> I didn't. I just did a quick test connecting 100 times from jessie to wheezy and wheezy to

Bug#774711: recommendations for changing openssh defaults

2015-09-11 Thread Jens Thiele
Matt Taggart writes:
> Hi,

Hi,

thanks for your great work

> * diffie-hellman-group-exchange-sha256: has existed since squeeze at least

Afair I have seen small default primes with this one. Did you inspect this?

greetings, jens

Bug#774711: recommendations for changing openssh defaults

2015-09-11 Thread Matt Taggart
Jens Thiele writes:
> Hi,
>
> thanks for your great work

I should make it clear, I was only applying the advice I found in https://stribika.github.io/2015/01/04/secure-secure-shell.html to what versions exist in Debian, stribika and others get credit for that work. Also I realized I had

Bug#774711: recommendations for changing openssh defaults

2015-09-10 Thread Matt Taggart
Hi,

Based on the charts I already sent and using the recommendations from:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
and the openssh 7.0 release notes:
http://www.openssh.com/txt/release-7.0

Here are some suggestions for changing the default things that are