Michael Leone on 12 Sep 2017 08:09:35 -0700
Re: [PLUG] Removing ciphers from an old Open-SSH server
On Tue, Sep 12, 2017 at 10:14 AM, Charlie Li <ml+PLUG@vishwin.info> wrote:
>
> Refer to the sshd_config man page from OpenBSD 3.9, which contained
> OpenSSH 4.3, where it details the Ciphers keyword-argument pair,
> specifically the last part:
> > The default is:
> >
> > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
> > arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
> > aes192-ctr,aes256-ctr
> These are OpenBSD's defaults, obviously. I'm not sure if Red Hat
> changed them for their portable version they compile and distribute
> (because, Red Hat). But the first sentence of the man page's
> description of Ciphers does say
> > Specifies the ciphers allowed for protocol version 2.
> meaning, opt-in.

AH. OK, that made it click into place. I need to explicitly list what I want to opt into.

I explicitly listed my ciphers and MACs (per http://www.accella.net/knowledgebase/ask-the-sysadmin-fixing-cipher-and-mac-ssh-security-problems/) and did the test shown at the bottom of that page, and it showed the allowed and disallowed ciphers.

Thanks. Like a lot of things, once a part falls into place, the rest becomes obvious and connected.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
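
The opt-in behaviour discussed in this message, as an added example that is not part of the original email or of OpenSSH: a small Python check that reads sshd_config text and splits the default list quoted above into allowed and disallowed ciphers. The sample config and the function names are constructed for illustration, and the code assumes the first Ciphers line is the one sshd uses.

```python
import re

# Default Ciphers value quoted in the thread (sshd_config man page, OpenSSH 4.3).
DEFAULT_CIPHERS = (
    "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,"
    "arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,"
    "aes192-ctr,aes256-ctr"
).split(",")


def explicit_ciphers(config_text):
    """Return the list from the first Ciphers line, or None if there is none."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no setting
        # Keyword is case-insensitive; whitespace or '=' separates it from the value.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "ciphers" and len(parts) == 2:
            # Assumption: the first occurrence wins (sshd keeps the first value read).
            return [c for c in parts[1].strip().split(",") if c]
    return None


def cipher_report(config_text):
    """Split the quoted defaults into allowed / disallowed for this config."""
    listed = explicit_ciphers(config_text)
    # Ciphers is an allow-list: an explicit value replaces the default entirely.
    allowed = DEFAULT_CIPHERS if listed is None else listed
    return {
        "explicit": listed is not None,
        "allowed": list(allowed),
        "disallowed": [c for c in DEFAULT_CIPHERS if c not in allowed],
        "not_in_quoted_defaults": [c for c in allowed if c not in DEFAULT_CIPHERS],
    }


SAMPLE_CONFIG = """\
# constructed sample, not from the thread
Protocol 2
#Ciphers aes128-cbc,3des-cbc
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ciphers aes128-cbc
"""

if __name__ == "__main__":
    for key, value in cipher_report(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
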