Martijn van Duren <openbsd+t...@list.imperialat.at> wrote:

> What about something like the phrasing below? It puts a heavy emphasis
> on not relying on the defaults (currently the auth and enc keyword
> aren't marked as optional in the syntax anyway), but keeps the current
> defaults as a strong hint on what is advised. I also downscaled the
> example a little by setting seclevel auth, so it gives a little more
> substance to how seclevel can be used. Don't know if that's needed.

That is pretty ridiculous.

Shall we force users to select their ssh hmacs?  Or, maybe you don't
mean users, shall we force admins to select their sshd hmacs before
sshd will start up?

Defaults exist so that systems are easy to use.  This discussion has made
it clear that there is no security justification, it is simply a case
of murdering older hash algorithms EVEN IF THEY ARE SAFELY EMBEDDED INSIDE
A HMAC.

There are circumstances where the sha256 cult are wrong, and this is one
of them.
