Cipher Order in sshd_config
Damien Miller
djm at mindrot.org
Tue Aug 26 09:12:06 EST 2014
On Mon, 25 Aug 2014, Ron Frederick wrote:
> I noticed some time ago that OpenSSH still prefers aes128 over aes192/aes256
> ciphers in multiple cases (CTR, GCM, and CBC). Is this due to concerns about
> CPU usage? These days, I would think we'd want to have clients prefer AES256.
It's a tradeoff for performance/security. I don't think attacks on AES128
are particularly feasible.
> It also still prefers MD5 over everything else for hashing, and SHA1 over
> SHA2. While it still makes sense to support MD5 for backward compatibility
> (and indeed the SSH RFC requires it), I'm not sure it still makes sense to
> prefer either it or SHA1 at this point.
For OpenSSH 6.7, the default MAC ordering does indeed demote HMAC-MD5.
That being said, there are no practical attacks on HMAC-MD5 that I know
of. HMAC is pretty forgiving of problems with the underlying hash.
-d
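An added example, not from the thread or from OpenSSH itself: a small checker that reads the Ciphers/MACs preference lists from an sshd_config and flags the two orderings the thread discusses (an HMAC-MD5 variant ahead of HMAC-SHA2, aes128 ahead of aes256). The config text is constructed for the example; the algorithm names are OpenSSH's own.

```python
# Added example (not from the thread): inspect the cipher/MAC preference
# order declared in an sshd_config and report the demotion issues discussed.
import re

# Constructed sample config; the algorithm names are real OpenSSH names.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed for this example)
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com
MACs hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
"""

def parse_algorithm_lists(config_text):
    """Return {keyword: [algorithms in preference order]} for Ciphers/MACs.
    sshd_config keywords are case-insensitive and the first occurrence of a
    keyword wins, which is how sshd itself resolves duplicate keywords."""
    lists = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in ("ciphers", "macs") and key not in lists:
            lists[key] = [a.strip() for a in value.split(",") if a.strip()]
    return lists

def preference_findings(lists):
    """Flag a preference order that puts a weaker-looking algorithm first,
    mirroring the two concerns raised in the thread."""
    findings = []
    macs = lists.get("macs", [])
    sha2_positions = [i for i, m in enumerate(macs) if "sha2" in m]
    md5_positions = [i for i, m in enumerate(macs) if "md5" in m]
    if md5_positions and sha2_positions and md5_positions[0] < sha2_positions[0]:
        findings.append("MACs: an HMAC-MD5 variant is preferred over HMAC-SHA2")
    ciphers = lists.get("ciphers", [])
    a128 = [i for i, c in enumerate(ciphers) if c.startswith("aes128")]
    a256 = [i for i, c in enumerate(ciphers) if c.startswith("aes256")]
    if a128 and a256 and a128[0] < a256[0]:
        findings.append("Ciphers: aes128 is preferred over aes256")
    return findings

if __name__ == "__main__":
    for finding in preference_findings(parse_algorithm_lists(SAMPLE_SSHD_CONFIG)):
        print(finding)
```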