Liberating SSH from Logjam leftovers

A recent Request for Comment at the Internet Engineering Task Force calls for SSH developers to deprecate 1,024-bit moduli. RFC 8270 was authored by Mark Baushke (at Juniper Networks but working as an individual*) and Loganaden Velvindron (of Mauritian group Hackers.mu) in response to demand for a response to the 2015 Logjam …

  1. A Non e-mouse Silver badge

    Cisco

    Cisco need to step up to the plate here: Some of their IOS kit either only works with 1024 bit SSH keys and others have weird bugs if you don't use 2048 SSH keys.

  2. Alan J. Wylie

    Better still, use Elliptic Curve

    Some useful advice on hardening ssh, from 2 and a half years ago:

    https://stribika.github.io/2015/01/04/secure-secure-shell.html

    And a program to test an ssh server:

    https://github.com/arthepsy/ssh-audit

    djb rules, OK

    # key exchange algorithms
    (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62

    # host-key algorithms
    (key) ssh-ed25519 -- [info] available since OpenSSH 6.5

    # encryption algorithms (ciphers)
    (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
                                           `- [info] default cipher since OpenSSH 6.9.

  3. chasil

    detect, fix

    I wasn't expecting this, but 1024/1535 bit primes are in the latest CentOS.

    # fgrep ' 1023 ' /etc/ssh/moduli | wc -l
    29
    # fgrep ' 1535 ' /etc/ssh/moduli | wc -l
    49

    This "in-place" sed edit command will remove them (restart sshd after edit):

    sed -i.BAK 's/^.*[ ]1023[ ]/#&/;s/^.*[ ]1535[ ]/#&/' /etc/ssh/moduli
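The detect-and-fix procedure in the comment above, generalised a little, as an added example (my own script, not chasil's command and not part of OpenSSH): it audits a moduli file by the size column instead of grepping for fixed literals, so it also catches any other group below a chosen minimum, and writes a copy with the small groups commented out. It assumes the standard /etc/ssh/moduli layout (time, type, tests, trials, size, generator, modulus, with size being the bit length minus one, so 1023 is a 1024-bit group). The sample file is constructed here with placeholder hex values, not real safe primes.

```shell
#!/bin/sh
# Added example: audit and trim an OpenSSH moduli file by group size.
# Field layout of /etc/ssh/moduli (assumed, matches OpenSSH's moduli(5)):
#   time type tests trials size generator modulus
# Column 5 ("size") is bits minus one: 1023 -> 1024-bit, 1535 -> 1536-bit, 2047 -> 2048-bit.
set -eu

# count_small FILE MIN_BITS: number of active (uncommented) groups smaller than MIN_BITS.
count_small() {
    awk -v min="$2" '!/^#/ && NF >= 7 && ($5 + 1) < min { n++ } END { print n + 0 }' "$1"
}

# filter_moduli IN OUT MIN_BITS: copy IN to OUT, commenting out every group smaller
# than MIN_BITS. Same effect as the sed edit in the thread, but keyed on the size column.
filter_moduli() {
    awk -v min="$3" '!/^#/ && NF >= 7 && ($5 + 1) < min { print "#" $0; next } { print }' "$1" > "$2"
}

# Constructed sample moduli file: the modulus values are placeholders, not real primes.
SAMPLE="${TMPDIR:-/tmp}/moduli.sample.$$"
trap 'rm -f "$SAMPLE" "$SAMPLE.filtered"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, placeholder moduli
20150101000000 2 6 100 1023 2 F0F0F0F0F0F0F0F0
20150101000000 2 6 100 1535 2 F1F1F1F1F1F1F1F1
20150101000000 2 6 100 2047 2 F2F2F2F2F2F2F2F2
20150101000000 2 6 100 4095 2 F3F3F3F3F3F3F3F3
EOF

# Detect: how many groups fall below 2048 bits? (prints 2 for the sample)
echo "groups below 2048 bits: $(count_small "$SAMPLE" 2048)"

# Fix: write a trimmed copy and re-check it (prints 0 for the sample).
filter_moduli "$SAMPLE" "$SAMPLE.filtered" 2048
echo "groups below 2048 bits after filtering: $(count_small "$SAMPLE.filtered" 2048)"
```

To apply this to a real host, run `filter_moduli /etc/ssh/moduli /etc/ssh/moduli.new 2048`, inspect the result, move it into place and restart sshd, as the comment says. Note that sshd reads this file only for the diffie-hellman-group-exchange-* key exchange methods; curve25519-sha256, recommended in the comment above, does not use it at all. If you would rather regenerate groups than trim the shipped file, OpenSSH's own `ssh-keygen -G` and `ssh-keygen -T` produce and test fresh candidates at whatever size you choose.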

  4. bob, mon!
    Joke

    2048 bits????

    640 bits should be enough for anyone...

    oh wait. wrong thread.

  5. david 12 Silver badge

    HTTP internet is disappearing before my eyes

    6 months ago I could still connect from devices that only supported 256 bit encryption -- because I could still use HTTP. In the last 6 months that's shrunk down to a few pixels in the big picture -- large chunks of the internet no longer support HTTP.
