Hi,

Just a quick update on #774711. As pre-announced in earlier releases,
OpenSSH 7.6 did drop support for some old unsafe crypto options:

* dropped SSHv1 protocol support
* removed hmac-ripemd160 MAC
* removed arcfour, blowfish and CAST ciphers
* refuses RSA keys <1024 bits in length
* does not offer CBC ciphers by default

As far as I know, the following potentially unsafe things are still
supported in 7.7:

Keys:
* NIST curves

Kex:
* NIST curves
* diffie-hellman-group14-sha1
* diffie-hellman-group-exchange-sha1 (min 2048 now at least)

MACs:
* sha1
* umac-64

Debian users wanting to drop support for the legacy crypto options
mentioned previously in this bug can use the following:

=======================================================================
HostKeyAlgorithms [email protected],ssh-ed25519,\
    [email protected],[email protected],ssh-rsa

KexAlgorithms [email protected],\
    diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],\
    [email protected],aes256-ctr,aes192-ctr,aes128-ctr

MACs [email protected],[email protected],\
    [email protected],hmac-sha2-512,hmac-sha2-256,\
    [email protected]
=======================================================================


-- 
Matt Taggart
[email protected]
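
An added example (not part of the original message): a small Python check that scans an effective configuration dump, such as the output of `sshd -T` or `ssh -G host`, for the algorithm families listed in the message above. The pattern table, the `audit` function name and the sample input are constructed for illustration.

```python
import fnmatch

# Families named in the message. "removed" = dropped in OpenSSH 7.6,
# "legacy" = still accepted in 7.7 but listed as potentially unsafe
# (CBC ciphers are only off by default, so they count as "legacy" here).
# First matching rule wins, so specific names come before wildcards.
RULES = {
    "ciphers": [("removed", "arcfour*"), ("removed", "blowfish-cbc"),
                ("removed", "cast128-cbc"), ("legacy", "*-cbc")],
    "macs": [("removed", "hmac-ripemd160*"), ("legacy", "hmac-sha1*"),
             ("legacy", "umac-64*")],
    "kexalgorithms": [("legacy", "ecdh-sha2-nistp*"),
                      ("legacy", "diffie-hellman-group14-sha1"),
                      ("legacy", "diffie-hellman-group-exchange-sha1")],
    "hostkeyalgorithms": [("legacy", "ecdsa-sha2-nistp*")],
}

def audit(effective_config):
    """Return (keyword, algorithm, status) for every flagged algorithm."""
    findings = []
    for line in effective_config.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or keyword without a value
        key, value = parts[0].lower(), parts[1]
        for alg in (a.strip() for a in value.split(",")):
            for status, pattern in RULES.get(key, []):
                if fnmatch.fnmatchcase(alg, pattern):
                    findings.append((key, alg, status))
                    break
    return findings

# Constructed sample in the lowercase "keyword value" form of an
# effective-configuration dump; not taken from a real host.
SAMPLE = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,ssh-rsa
"""

if __name__ == "__main__":
    for key, alg, status in audit(SAMPLE):
        print(f"{status:8} {key:18} {alg}")
```

The check expects fully expanded lists, so run it on the dump rather than on a config file that uses `+` or `-` list prefixes.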
