Re: [CentOS] Notes on openssh configuration

2017-01-29 Thread Gordon Messmer
On 01/29/2017 02:35 PM, Leon Fauster wrote: The next EL6 release (6.9) will have them marked as deprecated algorithms (disabled by default). The client will no longer attempt to use hmac-md5. The server will continue to accept them. https://access.redhat.com/documentation/en-US/Red_Hat_E

Re: [CentOS] Notes on openssh configuration

2017-01-29 Thread Leon Fauster
> Am 27.01.2017 um 19:03 schrieb Leonard den Ottolander > : > > You might want to add > > MACs > hmac-sha2-512-...@openssh.com,hmac-sha2-512,hmac-sha2-256-...@openssh.com,hmac-sha2-256,hmac-sha1-...@openssh.com,hmac-sha1,hmac-ripemd160-...@openssh.com,hmac-ripemd...@openssh.com,hmac-ripemd160,u

Re: [CentOS] Notes on openssh configuration

2017-01-27 Thread Leonard den Ottolander
On Fri, 2017-01-27 at 13:56 -0800, Gordon Messmer wrote: > On 01/27/2017 10:59 AM, Leonard den Ottolander wrote: > > https://en.wikipedia.org/wiki/MD5 seems to disagree: > > > No, it doesn't. That page links to RFC 6151, which notes: > > "It is not urgent to stop using MD5 in other ways, such

Re: [CentOS] Notes on openssh configuration

2017-01-27 Thread Gordon Messmer
On 01/27/2017 10:59 AM, Leonard den Ottolander wrote: https://en.wikipedia.org/wiki/MD5 seems to disagree: No, it doesn't. That page links to RFC 6151, which notes: "It is not urgent to stop using MD5 in other ways, such as HMAC-MD5" There's nothing wrong with disabling hmac-md5 in your ow

Re: [CentOS] Notes on openssh configuration

2017-01-27 Thread Leonard den Ottolander
Hello Gordon, On Fri, 2017-01-27 at 10:26 -0800, Gordon Messmer wrote: > Cryptographers still consider MD5 secure for HMAC use. Wikipedia's > references (currently 6, 7, and 8) in this article are useful: > > https://en.wikipedia.org/wiki/Hash-based_message_authentication_code https://en.wikipe

Re: [CentOS] Notes on openssh configuration

2017-01-27 Thread Gordon Messmer
On 01/27/2017 10:03 AM, Leonard den Ottolander wrote: To my astonishment the openssh versions on both C6 and C7 will by default negotiate an MD5 HMAC. Cryptographers still consider MD5 secure for HMAC use. Wikipedia's references (currently 6, 7, and 8) in this article are useful: https://en

[CentOS] Notes on openssh configuration

2017-01-27 Thread Leonard den Ottolander
Hello list, To my astonishment the openssh versions on both C6 and C7 will by default negotiate an MD5 HMAC. C6 client, C7 server: debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-