Date: Wed, 3 Oct 2001 18:18:40 -0700 (PDT) From: Caitlen <caitlen888@yahoo.com> To: security@freebsd.org Subject: default cipher types in openssh Message-ID: <20011004011840.74747.qmail@web13904.mail.yahoo.com>
I've noticed that openssh, even when connecting with protocol 2, seems to default to 3des. While that's a pretty conservative stance, isn't AES256 a little more secure? The order of preference seems to be a little off. For example:

    3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se

I believe these are the default cipher types. Why is arcfour even in the list? I removed it many months ago on my production servers (with no ill effect). In fact, right now I'm running with:

    Host *
        Ciphers rijndael256-cbc

in my ~/.ssh/config, and

    Ciphers rijndael256-cbc

in my /etc/ssh/sshd_config, with no ill effect. SecureCRT from vandyke seems to support AES 256 with no difficulty either.

Now I'm not suggesting we remove all of the other cipher types except for AES; that would certainly break backwards compatibility. I am, however, suggesting that we should have some open discussion on the order of preference here. Certainly arcfour should not be listed as being more preferable than AES. Personally I think it should be something along the lines of:

    Ciphers AES256, AES192, AES128, blowfish, 3des

As I stated back in January, it'd sure be nice if failed ssh logins showed up in the logs (at all) by default.... auth.info really should be in the default syslog.conf; most people don't know to add it in themselves. Sparing that, in sshd_config move the logging facility to security.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011004011840.74747.qmail>
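The two points in the message, the cipher preference order and the missing auth.info selector, can both be checked mechanically. The script below is an added example; it is not code from the thread or from OpenSSH. It takes the default cipher list quoted in the message, drops arcfour and reorders the rest by the preference the message proposes (names are matched by prefix, so aes256-cbc and rijndael256-cbc are both treated as the 256-bit entry, an assumption of this example), then evaluates a constructed syslog.conf resembling a FreeBSD-style default to see whether anything routes auth.info, and whether pointing sshd at the security facility instead would land in a log. The syslog selector evaluation is simplified (no `!` negation, no program or hostname blocks).

```python
"""Cipher-order and syslog.conf checks for the points raised in the message.

Added example, not code from the thread or from OpenSSH. DEFAULT_CIPHERS is the
list quoted in the message; SYSLOG_CONF is constructed here and is not a real file.
"""

# Most preferred first. Assumption: prefix match, so aes256-cbc and
# rijndael256-cbc are both treated as the 256-bit entry.
PREFERENCE = ["aes256", "rijndael256", "aes192", "rijndael192",
              "aes128", "rijndael128", "blowfish", "3des"]
DENY = {"arcfour"}  # removed outright, as the message reports doing

DEFAULT_CIPHERS = ("3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,"
                   "aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,"
                   "rijndael-cbc@lysator.liu.se")


def reorder_ciphers(directive, preference=PREFERENCE, deny=DENY):
    """Return (ordered, dropped) for a 'Ciphers a,b,c' line or a bare a,b,c list."""
    value = directive.strip()
    if value.lower().startswith("ciphers"):
        value = value[len("ciphers"):]
    names = [n.strip() for n in value.split(",") if n.strip()]
    dropped = [n for n in names if n in deny]
    kept = [n for n in names if n not in deny]

    def rank(name):
        for i, prefix in enumerate(preference):
            if name.startswith(prefix):
                return i
        return len(preference)  # unranked names go last, original order kept

    return sorted(kept, key=rank), dropped  # sorted() is stable


def ciphers_directive(directive):
    """Render the reordered list as a line for ssh_config or sshd_config."""
    ordered, _ = reorder_ciphers(directive)
    return "Ciphers " + ",".join(ordered)


PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _priority_selected(spec, priority):
    """'info' selects info and more severe, '=info' exactly info, '*' everything."""
    if spec == "*":
        return True
    exact = spec.startswith("=")
    name = spec.lstrip("=")
    if name not in PRIORITIES or priority not in PRIORITIES:
        return False
    have, want = PRIORITIES.index(priority), PRIORITIES.index(name)
    return have == want if exact else have <= want


def line_routes(selectors, facility, priority):
    """Simplified evaluation of one syslog.conf selector field ('fac1,fac2.prio;...').

    A later selector naming the facility overrides an earlier one; 'none' drops it.
    The '!' negation and program/hostname blocks of FreeBSD syslogd are not handled.
    """
    routed = False
    for selector in selectors.split(";"):
        facs, dot, spec = selector.strip().rpartition(".")
        if not dot:
            continue
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue
        routed = False if spec == "none" else _priority_selected(spec, priority)
    return routed


def syslog_logs(conf_text, facility="auth", priority="info"):
    """True if some syslog.conf line sends facility.priority to an action."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!+-":
            continue
        parts = line.split(None, 1)  # selectors, action
        if len(parts) == 2 and line_routes(parts[0], facility, priority):
            return True
    return False


# Constructed sample resembling a FreeBSD-style default; not a real file.
SYSLOG_CONF = """\
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit    /var/log/messages
security.*                                              /var/log/security
mail.info                                               /var/log/maillog
"""
# The fix the message asks for: an explicit auth.info selector.
SYSLOG_CONF_FIXED = SYSLOG_CONF + "auth.info    /var/log/auth.log\n"

if __name__ == "__main__":
    print(ciphers_directive(DEFAULT_CIPHERS), "dropped:", reorder_ciphers(DEFAULT_CIPHERS)[1])
    print("auth.info logged by sample conf:", syslog_logs(SYSLOG_CONF))
    print("auth.info logged after adding auth.info:", syslog_logs(SYSLOG_CONF_FIXED))
    # The message's alternative: move sshd's SyslogFacility to security instead.
    print("security.info logged by sample conf:", syslog_logs(SYSLOG_CONF, "security"))
```

With the sample conf, auth.notice and above reach the console but auth.info is routed nowhere, which is exactly the silent-failed-login case the message describes; adding an auth.info line, or logging sshd to the security facility that the sample already captures with security.*, both make the check pass.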