Date: Sun, 11 Jan 2015 21:23:25 -0500 (EST)
From: Benjamin Kaduk
To: Jonathan Anderson
Cc: Greg Rivers, freebsd-security@freebsd.org
Subject: Re: Securing SSH
In-Reply-To: <54B32FC8.1080000@FreeBSD.org>

The author also appears to not understand the difference between
single-DES and triple-DES, so I would expect the value of that posting to
be only as a brainstormed list of ideas to consider for further analysis.

-Ben

On Sun, 11 Jan 2015, Jonathan Anderson wrote:

> Hi,
>
> I can't comment much on the elliptic-curve stuff, but I think it's a bit of a
> stretch to say that SHA-1 isn't safe for use in a KDF.
>
> Just my two cents,
>
>
> Jon
>
> > Greg Rivers
> > 11 January 2015 at 21:52
> > I came across an interesting article[1] about more secure SSH
> > configurations. What do our resident cryptographers think about this?
> > Would it make sense to adjust FreeBSD defaults accordingly?
> >
> > [1] https://stribika.github.io/2015/01/04/secure-secure-shell.html
> >
>
> -- Jonathan Anderson
> jonathan@FreeBSD.org