Jens Thiele writes: > Hi, > > thanks for your great work I should make it clear, I was only applying the advice I found in
https://stribika.github.io/2015/01/04/secure-secure-shell.html to what versions exist in Debian, stribika and others get credit for that work. Also I realized I had some mistakes in my charts/recommendations: * I forgot to fill in the Kex stretch column (but it's the same as sid) * I said "aes*-gcm: since squeeze" but it's only existed since jessie * I said to keep aes*-cbc, but the above page doesn't list them in the recommended Ciphers list (I guess they aren't AE?), so drop them. So for current openssh communicating with squeeze, that leaves only Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 in common but it will still work. I haven't looked at lenny. > > * diffie-hellman-group-exchange-sha256: has existed since squeeze at least > > Afair I have seen small default primes with this one. Did you inspect this? I didn't. -- Matt Taggart tagg...@debian.org