On Mon, 25 Aug 2014, Ron Frederick wrote:

> I noticed some time ago that OpenSSH still prefers aes128 over aes192/aes256
> ciphers in multiple cases (CTR, GCM, and CBC). Is this due to concerns about
> CPU usage? These days, I would think we'd want to have clients prefer AES256.

It's a tradeoff for performance/security. I don't think attacks on AES128 are
particularly feasible.

> It also still prefers MD5 over everything else for hashing, and SHA1 over
> SHA2. While it still makes sense to support MD5 for backward compatibility
> (and indeed the SSH RFC requires it), I'm not sure it still makes sense to
> prefer either it or SHA1 at this point.

For OpenSSH 6.7, the default MAC ordering does indeed demote HMAC-MD5. That
being said, there are no practical attacks on HMAC-MD5 that I know of. HMAC
is pretty forgiving of problems with the underlying hash.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
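The thread is about the order in which OpenSSH lists ciphers and MACs, since the first mutually supported entry wins during key exchange. Below is an added example, not code from the thread or from OpenSSH, showing how an administrator who shares Ron's preference can take a comma-separated preference list (the form used by the `Ciphers` and `MACs` keywords in ssh_config/sshd_config) and emit a reordered line: larger AES key sizes first, AEAD/CTR modes ahead of CBC, and MAC algorithms ranked by underlying hash with HMAC-MD5 kept for compatibility but moved to the end rather than removed. The sample lists, the scoring scheme and the function names are all constructed for this example and are not OpenSSH's real defaults for any version.

```python
"""Reorder an OpenSSH-style cipher/MAC preference list so stronger algorithms
come first.  Example code for illustration; the scoring is the author's choice,
not anything OpenSSH itself does."""
import re

# Constructed sample preference lists (illustrative only; NOT the actual
# OpenSSH defaults for 6.7 or any other release).
SAMPLE_CIPHERS = ("aes128-ctr,aes192-ctr,aes256-ctr,"
                  "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
                  "aes128-cbc,3des-cbc")
SAMPLE_MACS = ("hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,"
               "hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-md5-96")

_AES = re.compile(r"^aes(\d+)-(gcm|ctr|cbc)(@openssh\.com)?$")
_MODE_RANK = {"gcm": 3, "ctr": 2, "cbc": 1}   # AEAD > CTR > CBC as a tie-breaker


def cipher_score(name: str) -> int:
    """Higher is preferred. Key size is the primary key, mode the secondary.
    Anything not recognised (3des-cbc, arcfour, ...) scores 0 and sorts last."""
    if name == "chacha20-poly1305@openssh.com":
        return 256 * 10 + _MODE_RANK["gcm"]     # 256-bit AEAD, rank it with AES-256-GCM
    m = _AES.match(name)
    if m:
        return int(m.group(1)) * 10 + _MODE_RANK[m.group(2)]
    return 0


# Rank of the underlying hash/MAC construction; MD5 is kept (nonzero) so it is
# demoted rather than dropped, matching the "support but don't prefer" point.
_HASH_RANK = {"md5": 1, "sha1": 10, "umac-64": 20, "umac-128": 30,
              "sha2-256": 40, "sha2-512": 50}


def mac_score(name: str) -> int:
    """Score by underlying hash; encrypt-then-MAC (-etm) variants get a small
    bonus and truncated tags (-96) a small penalty within the same hash."""
    base = name.replace("@openssh.com", "")
    etm = base.endswith("-etm")
    if etm:
        base = base[:-len("-etm")]
    truncated = base.endswith("-96")            # e.g. hmac-md5-96, hmac-sha1-96
    if truncated:
        base = base[:-len("-96")]
    base = base.replace("hmac-", "", 1)         # "hmac-sha2-256" -> "sha2-256"
    score = _HASH_RANK.get(base, 0) * 10
    if score == 0:
        return 0                                # unknown construction: sorts last
    if etm:
        score += 5
    if truncated:
        score -= 5
    return score


def reorder(pref_list: str, score) -> list:
    """Split a comma-separated list and sort by descending score.
    sorted() is stable, so equally scored entries keep their original order."""
    names = [n.strip() for n in pref_list.split(",") if n.strip()]
    return sorted(names, key=score, reverse=True)


def config_line(keyword: str, names) -> str:
    """Render a ssh_config/sshd_config line such as 'Ciphers a,b,c'."""
    return f"{keyword} {','.join(names)}"


if __name__ == "__main__":
    print(config_line("Ciphers", reorder(SAMPLE_CIPHERS, cipher_score)))
    print(config_line("MACs", reorder(SAMPLE_MACS, mac_score)))
```

Feeding the lists actually in use on a given build (the output of `ssh -Q cipher` and `ssh -Q mac` on OpenSSH versions that support `-Q`) into `reorder` gives a `Ciphers`/`MACs` line that reflects the preference Ron argues for; whether the performance cost of AES-256 over AES-128 is worth it is exactly the tradeoff Damien describes, so the ranking is a policy choice, not a fix for a known weakness. Ranking by hash before the -etm bonus is likewise a choice; a site that wants encrypt-then-MAC variants strictly first would raise that bonus above the gap between hash ranks.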