Am 19.10.2016 um 00:58 schrieb Gordon Messmer <gordon.mess...@gmail.com>:
> On 10/18/2016 03:28 PM, Clint Dilks wrote:
>> So first
>> question is are people generally modifying the list of ciphers supported by
>> the ssh client and sshd?
>
> I suspect that "generally" people are not. I do, because I can, and so that
> I can offer at least some advice to people who aim to do so.
>
>> On CentOS 6 currently it looks like if I remove all the ciphers they are
>> concerned about then I am left with Ciphers
>> aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and
>> /etc/ssh/ssh_config.
>
> If you're going to go down this road, you should probably look at key
> exchanges and HMACs as well. On CentOS 7, I use:
>
> KexAlgorithms
> curve25519-sha...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
> Ciphers
> chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs
> hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-...@openssh.com
>
> On CentOS 6, I believe you'd have to drop all of the @openssh.com items.
Is there any command to find the supported list of KeyAlgos, MACs and Ciphers
for
the particular system (e.g. EL{5,6,7})? Similar to $ openssl ciphers -v ...
>> Is just using these three ciphers like to cause me
>> any problems? Could having so few ciphers be creating a security concern
>> itself?
>
> I don't think it'd be a security concern, just compatibility issues. So far,
> I've had minimal problems with restricted algorithms. I do have to make an
> exception for a slightly old WD MyBook World edition.
--
LF
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
