--- /dev/null
+Debian/OpenSSH6 man page shows the following:
+ Ciphers
+ Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be
+ comma-separated. The supported ciphers are “3des-cbc”, “aes128-cbc”, “aes192-cbc”,
+ “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”,
+ “arcfour”, “blowfish-cbc”, and “cast128-cbc”. The default is:
+
+ aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+ aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
+ aes256-cbc,arcfour
+
+TODO: which of those should be used?
+
+ MACs Specifies the available MAC (message authentication code) algorithms. The MAC algo‐
+ rithm is used in protocol version 2 for data integrity protection. Multiple algo‐
+ rithms must be comma-separated. The default is:
+
+ hmac-md5,hmac-sha1,umac-64@openssh.com,
+ hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
+ hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
+ hmac-sha2-512-96
+
+TODO: which of those should be used?
+
+Regarding compression: the default for compression is "delayed" which means, that compression
+will only kick in after successful authentication (possibilities: yes, no, delayed).
+
+TODO: does this put users at risk? shall compression be disabled alltogether?
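Review bot: The two "TODO: which of those should be used?" lines after the Ciphers and MACs excerpts leave the reader with only the quoted defaults, which still include arcfour, 3des-cbc, the other CBC ciphers, hmac-md5 and the truncated -96 MACs. Resolve them before merging with explicit Ciphers and MACs lines built from the names quoted here, for example the aes*-ctr ciphers with hmac-sha2-512 and hmac-sha2-256, and give a short reason for each group that is dropped. Please also say whether the excerpt comes from ssh_config or sshd_config and from which package version, since "Debian/OpenSSH6" is ambiguous. The compression TODO needs an answer too: the text already notes that "delayed" keeps compression out of the pre-authentication phase, so state whether that is considered sufficient. Minor: "alltogether" should be "altogether".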
+
+
--- /dev/null
+in Debian/Ubuntu add the following to your /etc/ssh/sshd_config:
+# disable displaying of Debian version
+DebianBanner no
+
+# this disables version strings SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 and uses
+# the default: SSH-2.0-OpenSSH_5.8p1
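Review bot: The comment on the last two lines says DebianBanner no "disables version strings", but going by its own example only the "Debian-7ubuntu1" suffix is dropped and the banner still reports SSH-2.0-OpenSSH_5.8p1. Reword it to say that the distribution suffix is removed while the OpenSSH version remains visible, and move it above the directive it describes. The first line ("in Debian/Ubuntu add the following ...") is prose without a leading "#", so the snippet cannot be pasted into sshd_config as it stands.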
--- /dev/null
+PermitRootLogin shall be disabled (aka 'no') or at least reasonably restricted
+('without-password', 'forced-commands-only').
+
+Possible options:
+ChrootDirectory jails the user into a separate environment
+
+ForceCommand might help (especially with internal-sftp) to further limit possibilities of
+a remote use. rssh might be used as a shell to achieve similar behaviour.
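Review bot: "Possible options:" reads as if ChrootDirectory and ForceCommand were values of PermitRootLogin; they are separate sshd_config directives and should be introduced as such, ideally under their own heading. In the first sentence, spell out what 'without-password' and 'forced-commands-only' actually permit, since both still allow root to log in with a key and "reasonably restricted" does not tell the reader that. Typo in the last line: "a remote use" should be "a remote user".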
--- /dev/null
+taken from http://auntitled.blogspot.co.at/2010/07/identified-ubuntu-version-from-ssh.html and extended:
+
+Debian:
+Debian 4: SSH-2.0-OpenSSH_4.3p2 Debian-9
+Debian 5: SSH-2.0-OpenSSH_5.1p1 Debian-5
+Debian 6: SSH-2.0-OpenSSH_5.5p1 Debian-6
+Debian 7: SSH-2.0-OpenSSH_6.0p1 Debian-4
+
+Ubuntu:
+Ubuntu 5.10: SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4
+Ubuntu 6.04: SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3[.x]
+Ubuntu 7.04: SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1[.x]
+Ubuntu 7.10: SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0[.x]
+Ubuntu 8.04: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1[.x]
+Ubuntu 8.10: SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
+Ubuntu 9.04: SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
+Ubuntu 9.10: SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
+Ubuntu 10.04: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu3
+Ubuntu 10.04.1: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
+Ubuntu 10.04.2: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu{5,6}
+Ubuntu 10.04.3: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
+Ubuntu 10.10: SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu{4,5}
+Ubuntu 11.04: SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
+Ubuntu 11.10: SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
+Ubuntu 12.04: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
+
+FreeBSD
+FreeBSD 7.0: SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
+FreeBSD 7.2: SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
+FreeBSD 8.0: SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522
+FreeBSD 8.1: SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
+FreeBSD 9.0: SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
+
+OpenSUSE
+openSUSE 10.0: SSH-2.0-OpenSSH_5.0
+openSUSE 10.1: SSH-2.0-OpenSSH_5.1
+openSUSE 10.2: SSH-2.0-OpenSSH_5.2
+
+CentOS
+CentOS 4.x: SSH-2.0-OpenSSH_3.9
+CentOS 5.x: SSH-2.0-OpenSSH_4.3
+CentOS 6.x: SSH-2.0-OpenSSH_5.3
+
+Fedora
+Fedora 12: SSH-2.0-OpenSSH_5.2
+Fedora 13: SSH-2.0-OpenSSH_5.4
+Fedora 14: SSH-2.0-OpenSSH_5.5
+Fedora 15: SSH-2.0-OpenSSH_5.6
+Fedora 16: SSH-2.0-OpenSSH_5.8
+
+complete removal of version string seems to be not desireable: http://www.snailbook.com/faq/version-string.auto.html
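Review bot: Several rows in the table look wrong and should be checked against the source before merging: "Ubuntu 6.04" is not a release (Dapper was 6.06), and the openSUSE 10.0 to 10.2 rows are paired with OpenSSH 5.0 to 5.2, which look too new for those releases. The group headings are also inconsistent ("Debian:" and "Ubuntu:" carry a colon, the others do not, and "OpenSUSE" differs from the "openSUSE" used in its rows). For the closing line, summarise in one sentence why removing the version string is not advisable instead of leaving only the link, and fix "desireable" to "desirable".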