[Labs-l] sshd config: using newer ciphers and protocols
Platonides
platonides at gmail.com
Thu May 21 22:38:51 UTC 2015
On 21/05/15 21:31, Daniel Zahn wrote:
> Finding the right balance between security and supporting older
> clients can sometimes be tough, so sorry for any possible inconvenience
> caused and let us know of any other issues that can't be solved by
> upgrading clients.
>
> Best regards,
>
> Daniel

Thanks for your work into safe ciphers, Daniel.

Is the list of compatible ssh clients after all such cipher stripping
documented somewhere?

Also, I take the opportunity of warning everyone that there are
trojanized putty versions out there¹ that send out the user credentials
to the Bad Guys (not a risk for labs, but the same ssh client may be
used for other servers where passphrase authentication *is* enabled).

The official PuTTY web page is at
http://www.chiark.greenend.org.uk/~sgtatham/putty/ with putty.zip 0.64
sha256 being
ff7a0bde4008208a5e30097336c5a41a4ae99fb097839c01ca74cbff19cbe666

Needless to say, PuTTY users should be using the last version (0.64,
released 2015-02-28), there are several crashes prior to 0.63 and
although 0.64 does not really have big fixes (albeit the default of
allowing a SSH-1 downgrade is a bit scary), there's little reason for
not upgrading.

(I am assuming *nix users don't need to be reminded about using an
updated client… Mac OS users maybe?)

Have a safe ssh connection!

¹ http://blogs.cisco.com/security/trojanized-putty-software
http://www.symantec.com/connect/blogs/check-your-sources-trojanized-open-source-ssh-software-used-steal-information
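
The checksum comparison suggested in the message above, as an added example that is not part of the original post: a small Python script that hashes a downloaded file and compares it with the putty.zip 0.64 digest quoted in the message. The function names (`normalize_digest`, `sha256_file`, `verify_download`) and the script name in the usage comment are hypothetical.

```python
import hashlib
import hmac
import re
import sys

# Digest for putty.zip 0.64 as quoted in the message above.
PUTTY_064_ZIP_SHA256 = "ff7a0bde4008208a5e30097336c5a41a4ae99fb097839c01ca74cbff19cbe666"

_HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize_digest(text):
    """Accept 'HASH', 'HASH  filename' or upper-case hex; return 64 lower-case hex chars."""
    parts = text.split()
    token = parts[0].lower() if parts else ""
    if not _HEX64.fullmatch(token):
        # Truncated or mistyped digests are rejected instead of compared.
        raise ValueError("not a SHA-256 hex digest: %r" % text)
    return token


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large downloads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected):
    """Return (ok, actual_digest); ok is True only on an exact digest match."""
    want = normalize_digest(expected)
    actual = sha256_file(path)
    return hmac.compare_digest(actual, want), actual


if __name__ == "__main__":
    # Usage (hypothetical script name): python verify_download.py putty.zip [expected-digest]
    target = sys.argv[1]
    expected = sys.argv[2] if len(sys.argv) > 2 else PUTTY_064_ZIP_SHA256
    ok, actual = verify_download(target, expected)
    print("%s  %s  %s" % ("OK" if ok else "MISMATCH", actual, target))
    sys.exit(0 if ok else 1)
```

A match only shows that the file is the one the digest was published for, so the digest itself has to come from a source you trust.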