Talk:Security/Guidelines/OpenSSH: Difference between revisions

Revision as of 19:59, 2 March 2015

Question from JanZerebecki

Shouldn't HostKeyAlgorithms 1) have ecdsa-sha2-nistp256-cert-v01@openssh.com after ecdsa-sha2-nistp384-cert-v01@openssh.com and 2) not list all openssh.com variants first but primarily order by algorithm?

New suggestion:

HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256

-JanZerebecki (talk) 10:28, 2 March 2015 (PST)

Reply from kang

1) Fixed, thanks!

2) There's an argument to be add for cert keys vs no cert keys. I linked the doc and we currently prefer cert keys, even thus the negociated algorithm may be weaker (eg ecdsa sha2 nistp256 with cert keys prefered to ecdsa sha nistp521 without cert).

@@ Line 1: / Line 1: @@
+== Question from [[User:JanZerebecki|JanZerebecki]] ==
 Shouldn't HostKeyAlgorithms 1) have ecdsa-sha2-nistp256-cert-v01@openssh.com after ecdsa-sha2-nistp384-cert-v01@openssh.com and 2) not list all openssh.com variants first but primarily order by algorithm?
@@ Line 7: / Line 9: @@
 -[[User:JanZerebecki|JanZerebecki]] ([[User talk:JanZerebecki|talk]]) 10:28, 2 March 2015 (PST)
+=== Reply from kang ===
+) Fixed, thanks!
+) There's an argument to be add for cert keys vs no cert keys. I linked the [http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.9&content-type=text/plain doc] and we currently prefer cert keys, even thus the negociated algorithm may be weaker (eg ecdsa sha2 nistp256 with cert keys prefered to ecdsa sha nistp521 without cert).

Talk:Security/Guidelines/OpenSSH: Difference between revisions

Revision as of 19:59, 2 March 2015

Question from JanZerebecki

Reply from kang

Navigation menu

Search