Re: Strange crypto choices

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



https://man.openbsd.org/ssh_config
If hostkeys are known for the destination host then this default is
modified to prefer their algorithms.

On Sat, May 26, 2018 at 5:54 PM, Stuart Henderson <stu@xxxxxxxxxxxxxxx> wrote:
> Answering the first part of your mail:
>
> On 2018-05-25, Yegor Ievlev <koops1997@xxxxxxxxx> wrote:
>> The defaults for HostKeyAlgorithms option are:
>>
>> ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
>> ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,
>> ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,
>> ssh-ed25519-cert-v01@xxxxxxxxxxx,
>> ssh-rsa-cert-v01@xxxxxxxxxxx,
>> ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
>> ssh-ed25519,ssh-rsa
>>
>> Why does OpenSSH prefer older and less secure
>> (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519?
>
> Changing HostKeyAlgorithms means that the existing entries in known_hosts
> don't match, so the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED"
> message is triggered.
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux