On 10/18/2016 03:28 PM, Clint Dilks wrote:
So first question is are people generally modifying the list of ciphers supported by the ssh client and sshd?
I suspect that "generally" people are not. I do, because I can, and so that I can offer at least some advice to people who aim to do so.
On CentOS 6 currently it looks like if I remove all the ciphers they are concerned about then I am left with Ciphers aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and /etc/ssh/ssh_config.
If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use:
KexAlgorithms curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-512,hmac-sha2-256,umac-128@xxxxxxxxxxx
On CentOS 6, I believe you'd have to drop all of the @openssh.com items.
Is just using these three ciphers like to cause me any problems? Could having so few ciphers be creating a security concern itself?
I don't think it'd be a security concern, just compatibility issues. So far, I've had minimal problems with restricted algorithms. I do have to make an exception for a slightly old WD MyBook World edition.
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos
