From: Caitlen (caitlen888yahoo.com)
Date: Thu Oct 04 2001 - 10:09:01 CDT

    Great... it's good to know that AES is the default
    now.

    I'm running
    FreeBSD 4.4-STABLE #0: Thu Sep 27 17:50:26 ADT 2001
     rootpain.nb.vibe.net:/usr/src/sys/compile/PAIN i386

    and it looks like the upgrade to openssh 2.9 was just
    committed. So I'll have to make world today while I'm
    working on something else.

    I'm glad it's defaulting to aes 128, but we should ask
    ourselves about the rest of the allowable cipher
    types. Is arcfour something we want to leave in
    there? Is it really needed? Also, we should think
    about the order of preference... I realize that most
    people who know anything about cipher types are going
    to alter this ciphers parameter based on personal
    preferences, but we should get something that's
    reasonably fast/secure for most people who can't be
    bothered.

    As for AES at 256 or 128 bit... which do you think we
    should issue as the default? Certainly AES256bit is a
    more secure cipher.... however it probably comes at a
    much higher cpu cost. So maybe it's best not to make
    it the default.

    Is there any reason we need to keep cast128 and
    arcfour in the default ciphers string for the client
    or the server? I can understand keeping it in the
    client configuration in case of connecting to legacy
    hosts, but isn't almost everyone with protocol 2 ssh
    capable of doing 3des or blowfish at least?

    I still think changing the default logging facility to
    "security" might be a good idea.. or at least logging
    "auth" by default :)

    Anyways, I'm personally setting Ciphers AES256 in my
    sshd_config files and ssh client configuration files
    (including securecrt from vandyke on my windoze box).
    Yeah it may waste more horse power, but I feel
    safer... Though I seriously doubt anyone can crack
    AES128 at the moment. Or 3des for that matter....

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message
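
The questions above about which ciphers stay in the list and in what order come down to the SSH-2 negotiation rule: the cipher used is the first one on the client's list that the server also offers. The following is an added example, not part of the original message or of OpenSSH; the helper names are hypothetical, the config snippets are constructed, and the cipher names are assumed to be the OpenSSH spellings (aes128-cbc, aes256-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour).

```python
# Added example; helper names are hypothetical, sample configs are constructed.
QUESTIONED = ("arcfour", "cast128")  # ciphers the post asks about dropping

SERVER_CFG = "Protocol 2\nCiphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour\n"
CLIENT_MIXED = "Ciphers aes256-cbc,aes128-cbc,3des-cbc\n"
CLIENT_LEGACY = "# client that lists arcfour first\nCiphers arcfour,3des-cbc\n"
CLIENT_AES256_ONLY = "Ciphers aes256-cbc\n"

def parse_ciphers(config_text):
    """Cipher list from the first 'Ciphers' line (first value wins), or None."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config also allows the 'keyword=value' form
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            return [c.strip() for c in parts[1].split(",") if c.strip()]
    return None

def negotiate(client_ciphers, server_ciphers):
    """SSH-2 rule: first cipher on the client's list that the server also offers."""
    offered = set(server_ciphers)
    for cipher in client_ciphers:
        if cipher in offered:
            return cipher
    return None  # no common cipher: the connection fails

def audit(client_cfg, server_cfg):
    """Report what a client/server pair would negotiate and what the server still offers."""
    client = parse_ciphers(client_cfg)
    server = parse_ciphers(server_cfg)
    if client is None or server is None:
        raise ValueError("no explicit Ciphers line; the compiled-in default applies")
    chosen = negotiate(client, server)
    return {
        "chosen": chosen,
        "chosen_is_questioned": bool(chosen) and chosen.startswith(QUESTIONED),
        "server_still_offers": [c for c in server if c.startswith(QUESTIONED)],
    }

if __name__ == "__main__":
    for name, cfg in [("mixed", CLIENT_MIXED), ("legacy", CLIENT_LEGACY),
                      ("aes256-only", CLIENT_AES256_ONLY)]:
        print(name, audit(cfg, SERVER_CFG))
```

The server's ordering never changes the outcome; only removing a cipher from the server list prevents a client that prefers it from getting it, and a client pinned to a single cipher fails outright against a server that does not list it.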