Date: Thu, 4 Oct 2001 08:09:01 -0700 (PDT)
From: Caitlen <caitlen888@yahoo.com>
To: security@FreeBSD.ORG
Subject: Re: default cipher types in openssh
Message-ID: <20011004150901.93436.qmail@web13904.mail.yahoo.com>

Great... it's good to know that AES is the default now.

I'm running FreeBSD 4.4-STABLE #0: Thu Sep 27 17:50:26 ADT 2001 root@pain.nb.vibe.net:/usr/src/sys/compile/PAIN i386 and it looks like the upgrade to openssh 2.9 was just committed. So I'll have to make world today while I'm working on something else.

I'm glad it's defaulting to aes 128, but we should ask ourselves about the rest of the allowable cipher types. Is arcfour something we want to leave in there? Is it really needed? Also, we should think about the order of preference... I realize that most people who know anything about cipher types are going to alter this ciphers parameter based on personal preferences, but we should get something that's reasonably fast/secure for most people who can't be bothered.

As for AES at 256 or 128 bit... which do you think we should issue as the default? Certainly AES256bit is a more secure cipher.... however it probably comes at a much higher cpu cost. So maybe it's best not to make it the default.

Is there any reason we need to keep cast128 and arcfour in the default ciphers string for the client or the server? I can understand keeping it in the client configuration in case of connecting to legacy hosts, but isn't almost everyone with protocol 2 ssh capable of doing 3des or blowfish at least?

I still think changing the default logging facility to "security" might be a good idea.. or at least logging "auth" by default :)

Anyways, I'm personally setting Ciphers AES256 in my sshd_config files and ssh client configuration files (including securecrt from vandyke on my windoze box). Yeah it may waste more horsepower, but I feel safer... Though I seriously doubt anyone can crack AES128 at the moment. Or 3des for that matter....
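As an added example (not part of the original message or of OpenSSH): a small Python check that reads the `Ciphers` line from an sshd_config-style file and reports where the ciphers the message questions, arcfour and cast128, sit in the preference order. The sample configuration text is constructed, and `aes256-cbc` is assumed to be the OpenSSH cipher name behind the AES256 setting the message mentions.

```python
import re

# Ciphers the message questions keeping in the default list.
QUESTIONED = ("arcfour", "cast128-cbc")

# Constructed sample input, not taken from a real system.
SAMPLE_BROAD = """\
# sshd_config (constructed sample)
Protocol 2
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour
SyslogFacility AUTH
"""
SAMPLE_STRICT = "Ciphers aes256-cbc\n"


def parse_ciphers(config_text):
    """Return the ordered cipher list from the first Ciphers directive, or None.

    OpenSSH uses the first value obtained for a keyword, so later Ciphers
    lines are ignored here as well.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "ciphers" and len(parts) == 2:
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return None


def audit(ciphers):
    """Report questioned ciphers with their preference rank, plus AES ordering."""
    findings = []
    for rank, name in enumerate(ciphers, start=1):
        if name in QUESTIONED:
            findings.append(f"{name} offered at preference {rank} of {len(ciphers)}")
    aes = [c for c in ciphers if c.startswith("aes")]
    if not aes:
        findings.append("no AES cipher offered")
    elif aes[0].startswith("aes128") and any(c.startswith("aes256") for c in aes):
        findings.append("aes128 preferred over aes256")
    return findings


if __name__ == "__main__":
    for label, text in (("broad", SAMPLE_BROAD), ("strict", SAMPLE_STRICT)):
        print(label, audit(parse_ciphers(text)) or "nothing flagged")
```

A file with no `Ciphers` line returns `None` from `parse_ciphers`, meaning the built-in default list applies and has to be checked against the installed OpenSSH version instead.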