\subsubsection{OpenSSH}
\item[Tested with Version:] OpenSSH 6.1
\item[Settings:] \mbox{}
\paragraph*{sshd\_config}
\begin{lstlisting}[breaklines]
PermitEmptyPasswords no
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
% XXX: curve25519-sha256@libssh.org only available upstream(!)
Note: Older Linux systems won't support SHA2. PuTTY (Windows) does not support
RIPE-MD160. Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH
6.1). DSA host keys have been removed on purpose, as the DSS standard does not
support DSA keys stronger than 1024 bit\footnote{\url{https://bugzilla.mindrot.org/show_bug.cgi?id=1647}}, which is far
below current standards (see section \ref{section:keylengths}). Legacy systems
can use this configuration and simply omit unsupported ciphers, key exchange
\item[Additional settings:] \mbox{}
Note that the setting \texttt{ServerKeyBits 4096} has no effect until you generate new ssh host keys. There might be issues if you have users who rely on the fingerprint of the old ssh host key stored in their clients' \texttt{.ssh/known\_hosts} file.
\item[References:] The OpenSSH sshd\_config man page is the best reference: \url{http://www.openssh.org/cgi-bin/man.cgi?query=sshd_config}
% describe here or point the admin to tools (can be a simple footnote or \ref{} to the tools section) which help the admin to test his settings.
Connect with a client to an ssh server like this: \\
\begin{lstlisting}[breaklines]
$ ssh -vvv myserver.com
and check in the verbose output which key exchange algorithm, cipher and MAC were actually negotiated.
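Besides watching one client session, an administrator usually wants to verify the configuration file itself. The following script is an added example, not part of this guide or of OpenSSH: it parses an \texttt{sshd\_config} and reports every cipher, MAC or key exchange algorithm that is not in the lists recommended above, any DSA host key, and \texttt{PermitEmptyPasswords} not set to \texttt{no}. Algorithms that are merely omitted are not flagged, because legacy systems are expected to drop what they cannot support. The sample configurations at the end are constructed for the example; the assumption that sshd honours the first occurrence of a keyword is marked in the code.

```python
import re

# Recommended algorithm lists, copied from the sshd_config block in this section.
RECOMMENDED = {
    "ciphers": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                "aes256-ctr", "aes128-ctr"],
    "macs": ["umac-128-etm@openssh.com", "hmac-sha2-512",
             "hmac-sha2-256", "hmac-ripemd160"],
    "kexalgorithms": ["curve25519-sha256@libssh.org",
                      "diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"],
}


def parse_sshd_config(text):
    """Parse sshd_config text into {keyword_lowercase: [values in file order]}.

    Keywords are case-insensitive; both 'Keyword value' and 'Keyword=value'
    are accepted; blank lines and lines starting with '#' are comments.
    Keywords such as HostKey may legitimately repeat, hence the list.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        cfg.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return cfg


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the file matches the recommendations."""
    cfg = parse_sshd_config(text)
    findings = []

    for key, allowed in RECOMMENDED.items():
        if key not in cfg:
            findings.append(f"{key}: not set, sshd falls back to its compiled-in default list")
            continue
        # Assumption: sshd uses the first occurrence of a keyword; later ones are ignored.
        configured = [a for a in cfg[key][0].split(",") if a]
        extra = [a for a in configured if a not in allowed]
        if extra:
            findings.append(f"{key}: not in recommended list: {', '.join(extra)}")
        # Omitting recommended algorithms is acceptable on legacy systems, so it is not flagged.

    # This section drops DSA host keys on purpose (DSS caps DSA keys at 1024 bit).
    for path in cfg.get("hostkey", []):
        if "dsa" in path.lower():
            findings.append(f"hostkey: DSA host key configured: {path}")

    # PermitEmptyPasswords defaults to "no" when absent.
    if cfg.get("permitemptypasswords", ["no"])[0].lower() != "no":
        findings.append("permitemptypasswords: must be 'no'")

    return findings


# Constructed sample: the recommended configuration from this section.
GOOD_CONFIG = """\
PermitEmptyPasswords no
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
"""

# Constructed sample: a configuration that deviates from the recommendations in several places.
LEGACY_CONFIG = """\
# distribution default, left mostly untouched
PermitEmptyPasswords yes
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Ciphers = aes128-ctr,aes128-cbc
MACs hmac-sha2-256
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONFIG), ("legacy", LEGACY_CONFIG)):
        print(name + ":", audit_sshd_config(conf) or ["OK"])
```

Run it against \texttt{/etc/ssh/sshd\_config} by reading the file into \texttt{audit\_sshd\_config}; the recommended configuration yields no findings, while the legacy sample reports the CBC cipher, the missing \texttt{KexAlgorithms} line, the DSA host key and the empty-password setting.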