Re: SHA-1 practical recommendations?

On 10/03/2021 20:05, Aaron Jones wrote:
> On 10/03/2021 15:55, Daniel Pocock wrote:
>> Does the command for checking ssh-rsa distinguish between SHA-1
>> (insecure) and SHA-2?
> 
> The older ssh-rsa algorithm *only* uses SHA-1. The SHA-2 versions are
> rsa-sha2-256 and rsa-sha2-512. If connecting to a server succeeds when
> the former is excluded, the server supports SHA-2. If it does not, it
> only supports SHA-1.
> 
> This also has nothing to do with the MACs setting; HMAC-SHA1 is still
> secure (as is HMAC-MD5).

Thanks for the fast reply.

This is one of the search results for hardening that suggests tweaking
MACs; this is the reason I wanted to seek clarification:

https://access.redhat.com/discussions/3121481

What about KexAlgorithms - should people change this either on client,
server or both to remove entries like
diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1?

Is there any SHA1 value cached in known_hosts or does that only contain
full public keys?

Regards,

Daniel
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
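
The following is an added example, not part of the original message or of OpenSSH: a small audit of `ssh -G <host>` style output that lists the SHA-1-based signature and key-exchange algorithms named in this thread. The function name `sha1_algos` and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report SHA-1-based signature and key-exchange algorithms
# found in `ssh -G <host>` style output ("keyword value,value,..." per line).

# Constructed sample shaped like `ssh -G` output; not captured from a real host.
SAMPLE_CONFIG='hostname example.invalid
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
macs hmac-sha2-256,hmac-sha1'

# sha1_algos (hypothetical helper): reads the configuration on stdin and
# prints one "keyword algorithm" line per SHA-1-based entry.
sha1_algos() {
    awk '
    # Only signature and key-exchange lists are inspected. The "macs" line
    # is deliberately skipped, following the quoted reply in this thread.
    $1 == "hostkeyalgorithms" || $1 == "kexalgorithms" ||
    $1 == "pubkeyacceptedalgorithms" || $1 == "pubkeyacceptedkeytypes" {
        n = split($2, algs, ",")
        for (i = 1; i <= n; i++) {
            a = algs[i]
            # ssh-rsa (and its certificate form) signs with SHA-1;
            # KEX names ending in -sha1 hash the exchange with SHA-1.
            if (a == "ssh-rsa" || a == "ssh-rsa-cert-v01@openssh.com" || a ~ /-sha1$/)
                print $1, a
        }
    }'
}

# Stand-alone demo on the constructed sample: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CONFIG" | sha1_algos
fi
```

Against a real client configuration the input would come from `ssh -G hostname | sha1_algos`; an empty result means none of the inspected lists offers a SHA-1-based algorithm.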