Hi,

On Sun, 11 Nov 2018 12:31:34 +0100 Sebastian <[email protected]> wrote:

> to update our recommendations for openssh I collected the supported
> and default settings for Ciphers, MACs and KexAlgorithms of various
> openssh versions. Mostly from manpages.(debian.org|ubuntu.com) and a
> few systems accessible to me.

Here's my recommendation for OpenSSH algorithm security: Don't touch the default settings.

The OpenSSH developers have been busy aggressively deprecating everything that looks like fragile crypto over the past couple of versions. They can do that, because the SSH ecosystem is much less complex and the average users are more technical. (That doesn't mean it hasn't caused breakage - I had to tell lots of people to update their filezilla, putty and what else they use to connect to SSH.)

This is kinda an ideal situation. You don't want people to look up guides on how to best configure their crypto. You want good defaults. This is difficult in the TLS space, because compatibility considerations are complex and upstream projects are slow to adopt. But with OpenSSH this is happening and the defaults are good. Don't tell people to use anything else as long as they don't have very good reasons for it.

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
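A small audit added here by the editor (not part of the thread) that checks whether an OpenSSH config file overrides Ciphers, MACs or KexAlgorithms at all, and distinguishes a full replacement of the list, which freezes it at whatever was current when the file was written, from the `+`, `-` and `^` forms OpenSSH accepts to adjust the upstream default. The sample config is constructed for the example.

```python
import re
from typing import Dict, List

# The three algorithm-selection directives discussed in the thread.
ALGO_DIRECTIVES = {"ciphers", "macs", "kexalgorithms"}

# A leading +, - or ^ adjusts OpenSSH's default list instead of replacing it.
MODIFIERS = {"+": "append", "-": "remove", "^": "prepend"}


def audit_ssh_config(text: str) -> List[Dict[str, str]]:
    """Return one finding per explicit Ciphers/MACs/KexAlgorithms directive.

    'mode' is 'replace' when the whole list is pinned, otherwise the
    modifier form used. 'context' is the most recent Host/Match line,
    which matters mainly for per-host blocks in a client ssh_config.
    """
    findings: List[Dict[str, str]] = []
    context = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # OpenSSH accepts "Keyword value" as well as "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            context = line
            continue
        if key not in ALGO_DIRECTIVES:
            continue
        mode = MODIFIERS.get(value[:1], "replace")
        findings.append({"directive": key, "mode": mode,
                         "context": context, "value": value})
    return findings


def pinned_directives(text: str) -> List[str]:
    """Directives whose list no longer tracks the OpenSSH default."""
    return sorted({f["directive"] for f in audit_ssh_config(text)
                   if f["mode"] == "replace"})


# Constructed sample, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
Ciphers aes256-gcm@openssh.com,aes256-ctr   # full replacement: pinned
MACs -hmac-sha1,hmac-sha1-96                # subtractive: still tracks defaults
# KexAlgorithms left at the upstream default
"""

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_SSHD_CONFIG):
        print(finding)
    print("pinned:", pinned_directives(SAMPLE_SSHD_CONFIG))
```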
_______________________________________________ Ach mailing list [email protected] https://lists.cert.at/cgi-bin/mailman/listinfo/ach
