Michael Leone on 12 Sep 2017 08:09:35 -0700



Re: [PLUG] Removing ciphers from an old Open-SSH server


On Tue, Sep 12, 2017 at 10:14 AM, Charlie Li <ml+PLUG@vishwin.info> wrote:
>

> Refer to the sshd_config man page from OpenBSD 3.9, which contained
> OpenSSH 4.3, where it details the Ciphers keyword-argument pair,
> specifically the last part:
> > The default is:
> >
> >                 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
> >                 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
> >                 aes192-ctr,aes256-ctr
>
> These are OpenBSD's defaults, obviously. I'm not sure if Red Hat changed
> them for their portable version they compile and distribute (because,
> Red Hat). But the first sentence of the man page's description of
> Ciphers does say
> > Specifies the ciphers allowed for protocol version 2.
> meaning, opt-in.

AH. OK, that made it click into place. I need to explicitly list what I
want to opt into.

I explicitly listed my ciphers and MACs (per
http://www.accella.net/knowledgebase/ask-the-sysadmin-fixing-cipher-and-mac-ssh-security-problems/)
and did the test shown at the bottom of that page, and it showed the
allowed and disallowed ciphers.

Thanks. Like a lot of things, once a part falls into place, the rest
becomes obvious and connected.
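The opt-in behaviour discussed above, as an added example that is not part of this thread: a constructed sshd_config fragment with an explicit Ciphers and MACs allow-list, plus a small POSIX shell check that walks the legacy OpenSSH 4.3 default cipher list quoted from the man page and reports which of those names the explicit list still allows. The config contents, the function names and the choice of aes-ctr ciphers and hmac-sha2 MACs are assumptions for illustration, not anything the poster or the linked page supplies.

```shell
#!/bin/sh
# Constructed sshd_config fragment (not from the thread). Once Ciphers/MACs
# are set, only the listed names are negotiable; anything omitted is refused.
SSHD_CONFIG_SAMPLE='Port 22
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
'

# The compiled-in default list from the OpenSSH 4.3 sshd_config man page
# quoted in the thread; it applies only when Ciphers is NOT set.
LEGACY_DEFAULTS='aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'

# config_list KEY CONFIG_TEXT -> comma-separated value of the first KEY line
# (sshd keywords are case-insensitive, so the comparison is lower-cased).
config_list() {
    printf '%s\n' "$2" | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# cipher_allowed NAME CONFIG_TEXT -> exit 0 if NAME is in the Ciphers list.
# An absent Ciphers line yields an empty list here, i.e. "not explicitly
# allowed"; on a real server it would mean the compiled-in default applies.
cipher_allowed() {
    printf '%s\n' "$(config_list Ciphers "$2")" | tr ',' '\n' | grep -qx -- "$1"
}

# cipher_report CONFIG_TEXT -> one "<name> allowed|disallowed" line per
# legacy default cipher, like the allowed/disallowed listing the poster saw.
cipher_report() {
    for c in $(printf '%s' "$LEGACY_DEFAULTS" | tr ',' ' '); do
        if cipher_allowed "$c" "$1"; then
            echo "$c allowed"
        else
            echo "$c disallowed"
        fi
    done
}

# count_allowed CONFIG_TEXT -> number of legacy default ciphers still allowed
count_allowed() {
    cipher_report "$1" | grep -c ' allowed$'
}

# Stand-alone usage: print the report for the sample config.
cipher_report "$SSHD_CONFIG_SAMPLE"
```

Against the sample config only the three aes-ctr names come back as allowed and the nine cbc/arcfour names as disallowed. On a live server the authoritative check is the daemon itself: `sshd -t` validates the file, and on OpenSSH 5.1 and later `sshd -T` prints the effective value of every keyword, including ciphers and macs, so you can confirm the allow-list took effect before restarting.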
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug