Bug#611392: sshd_config should warn against use of RC4.
Agreed. In light of RC4's vulnerability to replay attacks
(explained in the context of SSH at
https://www.kb.cert.org/vuls/id/565052)
sshd_config and ssh_config should at least specifically warn
against using RC4, as they currently do regarding DES.
OpenSSH itself should not enable RC4 or DES by default, and should
print a warning to stderr when weak ciphers are enabled explicitly.
Do we have any idea how much trouble it would cause for these
deprecated insecure ciphers to be completely disabled?
Ray Dillinger
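As an added example (not code from the bug report or from OpenSSH), a shell check that reports RC4 and DES-family entries in a Ciphers directive of sshd_config or ssh_config; it relies on the OpenSSH cipher names arcfour, arcfour128, arcfour256 and 3des-cbc (plus the legacy name des), and the two configuration files it scans are constructed samples.

```shell
# Added example: flag RC4 (arcfour*) and DES-family (3des-cbc, des)
# entries in the "Ciphers" directive of an OpenSSH config file.
weak_ciphers_in_config() {
    # $1: path to sshd_config or ssh_config.
    # Prints one weak cipher name per line; returns 1 if any were found,
    # 0 if the Ciphers directives contain none.
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # the directive keyword is case-insensitive; the list is comma-separated
        tolower($1) == "ciphers" {
            n = split($2, list, ",")
            for (i = 1; i <= n; i++) {
                c = tolower(list[i])
                if (c ~ /^arcfour/ || c ~ /^3?des/) { print c; found = 1 }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample configs (not real hosts): one still listing legacy
# ciphers, one restricted to modern ones.
make_sample_configs() {
    weak_cfg=$(mktemp)
    hardened_cfg=$(mktemp)
    printf '%s\n' \
        '# constructed sample: legacy cipher list' \
        'Ciphers aes128-ctr,arcfour256,arcfour128,3des-cbc,aes256-ctr' \
        > "$weak_cfg"
    printf '%s\n' \
        '# constructed sample: only modern ciphers' \
        'Ciphers aes256-gcm@openssh.com,aes128-ctr,aes256-ctr' \
        > "$hardened_cfg"
}

# Stand-alone demonstration: report what each sample enables.
make_sample_configs
weak_ciphers_in_config "$weak_cfg" || echo "weak ciphers enabled in $weak_cfg"
weak_ciphers_in_config "$hardened_cfg" && echo "no weak ciphers in $hardened_cfg"
```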