From 5caf64cc821fbf66541a708f85585d9fec15b337 Mon Sep 17 00:00:00 2001
From: Aaron Zauner <azet@azet.org>
Date: Fri, 6 Dec 2013 21:04:21 +0100
Subject: [PATCH] make this more sub :p

---
 src/practical_settings/ssh.tex | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 src/practical_settings/ssh.tex

diff --git a/src/practical_settings/ssh.tex b/src/practical_settings/ssh.tex
new file mode 100644
index 0000000..b127ffc
--- /dev/null
+++ b/src/practical_settings/ssh.tex
@@ -0,0 +1,21 @@
+\subsubsection{OpenSSH}
+\paragraph*{sshd_config}
+\begin{lstlisting}[breaklines]
+	# ...
+
+	Protocol 2
+	PermitEmptyPasswords no
+	PermitRootLogin no
+	StrictModes yes
+	HostKey /etc/ssh/ssh_host_rsa_key
+	ServerKeyBits 4096
+	Ciphers aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes128-ctr
+	MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
+\end{lstlisting}
+
+% XXX: curve25519-sha256@libssh.org only available upstream(!)
+Note: Older linux systems won't support SHA2. PuTTY (Windows) does not support RIPE-MD160. Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.1). DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit
+\footnote{\url{https://bugzilla.mindrot.org/show_bug.cgi?id=1647}} 
+which is far below current standards (see section \ref{section:keylengths}). Legacy systems can use this configuration and simply omit unsupported ciphers, key exchange algorithms and MACs.
+\\
-- 
2.20.1