From owner-freebsd-security@FreeBSD.ORG Mon Jan 12 02:22:05 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1CD52F87 for ; Mon, 12 Jan 2015 02:22:05 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E4C98BF; Mon, 12 Jan 2015 02:22:04 +0000 (UTC) Received: from joe.local (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id t0C2M1ZQ026541; Mon, 12 Jan 2015 02:22:03 GMT (envelope-from jonathan@FreeBSD.org) Message-ID: <54B32FC8.1080000@FreeBSD.org> Date: Sun, 11 Jan 2015 22:52:00 -0330 From: Jonathan Anderson User-Agent: Postbox 3.0.11 (Macintosh/20140602) MIME-Version: 1.0 To: Greg Rivers Subject: Re: Securing SSH References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jan 2015 02:22:05 -0000 Hi, I can't comment much on the elliptic-curve stuff, but I think it's a bit of a stretch to say that SHA-1 isn't safe for use in a KDF. Just my two cents, Jon > Greg Rivers > 11 January 2015 at 21:52 > I came across an interesting article[1] about more secure SSH > configurations. What do our resident cryptographers think about this? > Would it make sense to adjust FreeBSD defaults accordingly? > > [1] https://stribika.github.io/2015/01/04/secure-secure-shell.html > -- Jonathan Anderson jonathan@FreeBSD.org