On Sun, Jan 26, 2025 at 09:01:35PM +0000, Colin Watson wrote:
> On Sun, Jan 26, 2025 at 08:20:56PM +0200, Martin-Éric Racine wrote:
> > No, I just directly e-mailed Damien asking him whether he agreed with
> > the recommendations 'ssh-audit' makes. He wasn't aware of the
> > existence of the tool or the hardening guide. His initial impression
> > was that some recommendations are perplexing. For instance, he doesn't
> > understand Joe's recommendation against ECDH kex being justified by
> > "heavy suspicion in the community that it is backdoored by a 3-letter
> > agency."
>
> Yeah, at this point I'm not inclined to treat ssh-audit as having any
> special authority. It's mostly just one person's recommendations, which
> may or may not be good on their own individual merits - but I don't
> intend to accept it as a target to work towards in general.
I'd also like to say that I think some of ssh-audit's recommendations are
harmful to some extent. In particular the first of the following issues
looks as though it'll cause me some problems in the forky cycle. This
makes me reluctant to give it any more prominence than it already has.

https://github.com/jtesta/ssh-audit/issues/324
https://github.com/jtesta/ssh-audit/issues/325

-- 
Colin Watson (he/him) [cjwat...@debian.org]