Talk:Security/Guidelines/OpenSSH
Question from JanZerebecki
Shouldn't HostKeyAlgorithms 1) have ecdsa-sha2-nistp256-cert-v01@openssh.com after ecdsa-sha2-nistp384-cert-v01@openssh.com and 2) not list all openssh.com variants first but primarily order by algorithm?
New suggestion:
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256
-JanZerebecki (talk) 10:28, 2 March 2015 (PST)
Reply from kang
1) Fixed, thanks!
2) There's an argument to be had for cert keys vs. no cert keys. I linked the doc and we currently prefer cert keys, even though the negotiated algorithm may be weaker (e.g. ecdsa-sha2-nistp256 with cert keys preferred to ecdsa-sha2-nistp521 without cert).
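To make the trade-off in this thread concrete, here is an added example (not part of the guideline page, and not OpenSSH code) that models host key algorithm negotiation the way RFC 4253 section 7.1 specifies it: the chosen algorithm is the first entry in the client's HostKeyAlgorithms list that the server also supports. It compares JanZerebecki's suggested order, copied from above, with a "certificates first" order constructed for the example (the guideline's actual list is not reproduced on this talk page, so that order is an assumption), against a constructed server that has a CA-signed P-256 host key plus a plain P-521 host key.

```python
"""Model OpenSSH host key algorithm negotiation for two HostKeyAlgorithms orders.

Added example for the discussion above; not from the guideline or from OpenSSH.
Rule modelled (RFC 4253 section 7.1): pick the first algorithm on the client's
list that the server also offers.
"""

# JanZerebecki's suggested order, copied verbatim from the question above.
SUGGESTED_ORDER = (
    "ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,"
    "ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp521,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp384,"
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256"
)

# A "certificates first" order constructed for this example (assumption: the
# guideline's real list is not shown on the talk page). Same algorithms, but
# every -cert- variant precedes every plain key type.
CERTS_FIRST_ORDER = (
    "ssh-ed25519-cert-v01@openssh.com,"
    "ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256"
)

# Constructed server: one ECDSA P-256 host key that has a CA-signed certificate
# (so the server offers both the cert and the plain form of it) and one plain
# ECDSA P-521 host key with no certificate.
SERVER_OFFERS = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp521",
]

CERT_SUFFIXES = ("-cert-v01@openssh.com", "-cert-v00@openssh.com")


def parse_list(value):
    """Split a comma-separated ssh_config name-list into its entries."""
    return [name.strip() for name in value.split(",") if name.strip()]


def base_algorithm(name):
    """Strip the OpenSSH certificate suffix: 'x-cert-v01@openssh.com' -> 'x'."""
    for suffix in CERT_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def negotiate(client_prefs, server_offers):
    """First client preference the server also offers, or None if no overlap."""
    offered = set(server_offers)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None


def check_cert_before_plain(client_prefs):
    """Plain entries that appear ahead of their own certificate variant.

    An empty list means every plain key type is preceded by its -cert- form,
    so a certificate for that key type can never lose to the bare key.
    """
    misordered = []
    for index, alg in enumerate(client_prefs):
        if base_algorithm(alg) != alg:
            continue  # a certificate entry, nothing to check
        later = client_prefs[index + 1:]
        if any(x != alg and base_algorithm(x) == alg for x in later):
            misordered.append(alg)
    return misordered


if __name__ == "__main__":
    for label, order in (("suggested", SUGGESTED_ORDER), ("certs first", CERTS_FIRST_ORDER)):
        prefs = parse_list(order)
        print(f"{label:12s} -> {negotiate(prefs, SERVER_OFFERS)}"
              f" (plain-before-cert problems: {check_cert_before_plain(prefs)})")
```

With the suggested order the client ends up on the plain P-521 key (the stronger curve, but no certificate); with the certificates-first order it ends up on the P-256 certificate, which is the weaker curve that kang describes but keeps CA-based host authentication. Both orders pass the cert-before-plain check, so that check alone does not decide between them. To see which list a real client will actually send, `ssh -G hostname | grep hostkeyalgorithms` prints the effective value after config evaluation.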