
ssh backports



Hi Debian ssh maintainers,

Recently I've been working on hardening my ssh config, specifically
setting the following to a subset of recent, stronger options in
ssh_config:

KexAlgorithms
Ciphers
MACs

Unfortunately the set of things I would like to use didn't exist in
squeeze and unfortunately I am still working on transitioning off
of a few remaining squeeze-lts systems.

Would you please consider backporting the wheezy openssh to
squeeze-backports?
Or alternatively (and maybe more useful) backporting the jessie
version to squeeze-backports-sloppy?

I also noticed the current wheezy-backports version is out of date
from the version that is in jessie (1:6.6p1-4~bpo70+1 vs 1:6.7p1-5).

And finally, I noticed that there isn't yet a jessie-backports version
(although I don't personally have a need for that yet).

On a related note, is there any plan for deprecating old
KexAlgorithms/Ciphers/MACs in order to prevent downgrade attacks?
I know this is tricky, but surely we can start removing really old
and weak stuff from the default lists? (even if it's still enabled
so admins can enable for special cases). I can file a wishlist bug
for this if you think it's a good idea.

Thanks,

-- 
Matt Taggart
taggart@debian.org

