Hi Debian ssh maintainers, Recently I've been working on hardening my ssh config, specifically setting the following to a subset of recent, stronger options in ssh_config:
KexAlgorithms Ciphers MACs unfortunately the set of things I would like to use didn't exist in squeeze and unfortunately I am still working on on transitioning off of a few remaining squeeze-lts systems. Would you please consider backporting the wheezy openssh to squeeze-backports? Or alternatively (and maybe more useful) backporting the jessie version to squeeze-backports-sloppy? I also noticed the current wheezy-backports version is out of date from the version that is in jessie (1:6.6p1-4~bpo70+1 vs 1:6.7p1-5) And finally, I noticed that there isn't yet a jessie-backports version (although I don't personally have a need for that yet). On a related note, is there any plan for deprecating old KexAlgorithms/Ciphers/MACs in order to prevent downgrade attacks? I know this is tricky, but surely we can start removing really old and weak stuff from the default lists? (even if it's still enabled so admins can enable for special cases). I can file a wishlist bug for this if you think it's a good idea. Thanks, -- Matt Taggart [email protected]
