
Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.
Christoph Anton Mitterer <calestyo@scientia.net> writes:

> On Tue, 2015-01-06 at 18:52 +0200, Vasil Kolev wrote: 
> > - get openssh to generate 4096-bit RSA keys by default;
> ... and disable DSA and RSA1 keys, which is possible if you name all
> other "default" key explicitly in the config, like:
> sshd_config: 
> HostKey                 /etc/ssh/ssh_host_ed25519_key
> HostKey                 /etc/ssh/ssh_host_ecdsa_key
> HostKey                 /etc/ssh/ssh_host_rsa_key
> #Note: SSH Version 2 DSA host keys are implicitly disabled.
> ##HostKey               /etc/ssh/ssh_host_dsa_key
> #Note: SSH Version 1 RSA host keys are implicitly disabled.
> ##HostKey               /etc/ssh/ssh_host_key

The problem with this approach is that you won't get any new keys onto
your system in future OpenSSH versions that support them. So if we did
this in Debian, then everyone would have to remember to update that
list themselves on subsequent upgrades.

And, we'd rather use upstream config where possible, I think.

Regards,

Matthew 

-- 
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org
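The trade-off discussed above, as an added example that is not part of the bug report or of Debian's openssh packaging: a small POSIX shell audit that reads an sshd_config, works out which HostKey files sshd would actually load (the explicit HostKey lines if any are present, otherwise sshd's compiled-in default list), flags the legacy DSA and SSH-1 RSA key files, and lists which default keys an explicit list leaves out. The default list, the function names and the two sample configs are assumptions made for the example; the default set shown is the one OpenSSH 6.x shipped with around the time of the report, and the authoritative list on a real host comes from `sshd -T | grep -i hostkey`.

```shell
#!/bin/sh
# Added example (not from the bug report or from Debian's openssh package):
# audit which host keys an sshd_config would load.  Explicit HostKey lines
# replace sshd's compiled-in default list; with none present sshd falls back
# to that default, so the two cases are handled separately.
# Assumption: the default list below matches OpenSSH 6.x of early 2015
# (rsa, dsa, ecdsa, ed25519).  Verify on a live host with:
#   sshd -T | grep -i hostkey

DEFAULT_HOSTKEYS="/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key"

# Print the HostKey paths sshd would load from the config given on stdin:
# the uncommented HostKey lines if there are any, otherwise the default list.
effective_hostkeys() {
    keys=$(awk 'tolower($1) == "hostkey" { print $2 }')
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys"
    else
        printf '%s\n' "$DEFAULT_HOSTKEYS"
    fi
}

# Classify a host key path by its file name: ssh_host_key is the SSH-1 RSA
# key, ssh_host_<type>_key the SSH-2 key of that type.
hostkey_type() {
    b=$(basename "$1")
    case "$b" in
        ssh_host_key)    echo rsa1 ;;
        ssh_host_*_key)  t=${b#ssh_host_}; echo "${t%_key}" ;;
        *)               echo unknown ;;
    esac
}

# Print one line per effective host key, marking dsa and rsa1 as LEGACY.
# Returns 0 when no legacy key would be loaded, 1 otherwise.
# Usage: audit_hostkeys < /etc/ssh/sshd_config
audit_hostkeys() {
    legacy=0
    for path in $(effective_hostkeys); do
        t=$(hostkey_type "$path")
        case "$t" in
            dsa|rsa1) echo "LEGACY  $t  $path"; legacy=1 ;;
            *)        echo "ok      $t  $path" ;;
        esac
    done
    return $legacy
}

# Print the default key files that the config's explicit HostKey list omits.
# This is the maintenance cost the reply describes: an explicit list has to
# be updated by hand whenever a newer sshd adds a type to its default set.
# Usage: unlisted_defaults < /etc/ssh/sshd_config
unlisted_defaults() {
    listed=$(effective_hostkeys)
    for d in $DEFAULT_HOSTKEYS; do
        case "$listed" in
            *"$d"*) ;;
            *)      echo "$d" ;;
        esac
    done
}

# Constructed sample configs for the demo (not from the report).
EXPLICIT_CONF='HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_key'

DEFAULT_CONF='Port 22
# no HostKey lines: sshd uses its compiled-in default list'

# Demo: the explicit list passes; the default list (on the assumed OpenSSH
# version) trips over the DSA key, and the explicit list is one key short
# of the defaults.
printf '%s\n' "$EXPLICIT_CONF" | audit_hostkeys
printf '%s\n' "$DEFAULT_CONF" | audit_hostkeys || echo "legacy host key in default set"
printf '%s\n' "$EXPLICIT_CONF" | unlisted_defaults
```

Feed it a real file with `audit_hostkeys < /etc/ssh/sshd_config`; the exit status makes it usable from a configuration-management check, and `unlisted_defaults` is the list to review after each OpenSSH upgrade if the explicit HostKey approach is kept.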