SHA-1 practical recommendations?
Mark D. Baushke
mdb at juniper.net
Thu Mar 11 07:06:33 AEDT 2021
Daniel Pocock <daniel at pocock.pro> writes:
> What about KexAlgorithms - should people change this either on client,
> server or both to remove entries like
> diffie-hellman-group-exchange-sha1, and diffie-hellman-group14-sha1 ?
You may find interest in the IETF draft
https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
Any KeX with *sha1* in the name should be avoided or put last in the
list to be negotiated.
> Is there any SHA1 value cached in known_hosts or does that only
> contain full public keys?
The SSH host keys are just the public keys. The hash is determined by
the negotiation.
Be safe, stay healthy,
-- Mark
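As an added example (not code from this thread, from OpenSSH, or from either poster), the following Python script covers both points above: it turns a list of supported KEX names, as `ssh -Q kex` prints them, into a KexAlgorithms line that drops every *sha1* method (or, with `demote=True`, moves them to the end as Mark suggests), and it decodes a known_hosts entry to show that the third field is the complete public key blob in SSH wire format, not a digest of it. One caveat worth knowing: when HashKnownHosts is enabled the hostname field (the `|1|salt|hash` form) is an HMAC-SHA1 of the hostname, which is a privacy measure and has no bearing on how the key itself is verified. The sample KEX list, the preferred ordering, the 32-byte key material and the zero salt are all constructed for the example.

```python
# Added example, not from the openssh-unix-dev thread or from OpenSSH itself.
# 1) Build a KexAlgorithms line with every *sha1* KEX dropped or demoted.
# 2) Decode a known_hosts entry: it carries the full public key blob, and a
#    HashKnownHosts entry hides only the hostname behind HMAC-SHA1.
import base64
import hashlib
import hmac
import struct

# Constructed sample: what `ssh -Q kex` prints on a modern OpenSSH client.
# (-Q lists what the binary supports, not the negotiation preference order.)
SAMPLE_KEX = [
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group-exchange-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
]

# Assumed preference order for the non-SHA-1 methods (a reasonable choice
# for this example, not an OpenSSH default).
PREFERRED = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]


def is_sha1_kex(name):
    """True for any KEX method whose hash is SHA-1 (the name carries it)."""
    return "sha1" in name.lower()


def harden_kex(supported, demote=False):
    """Return the KEX list to configure: SHA-1 methods removed, or last if demote."""
    strong = [a for a in PREFERRED if a in supported]
    strong += sorted(a for a in supported if a not in PREFERRED and not is_sha1_kex(a))
    weak = [a for a in supported if is_sha1_kex(a)]  # keeps ssh -Q order
    return strong + weak if demote else strong


def kex_config_line(supported, demote=False):
    """The directive as it goes into ssh_config or sshd_config."""
    return "KexAlgorithms " + ",".join(harden_kex(supported, demote))


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_strings(blob):
    """Split a public key blob into its wire strings."""
    out, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        out.append(blob[off:off + n])
        off += n
    return out


def hash_hostname(hostname, salt):
    """HashKnownHosts form: '|1|' b64(salt) '|' b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_entry_matches(hosts_field, hostname):
    """Recompute the HMAC-SHA1 for a '|1|salt|hash' field and compare."""
    _, _, salt_b64, mac_b64 = hosts_field.split("|")
    salt = base64.b64decode(salt_b64)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


def parse_known_hosts_line(line):
    """Decode one known_hosts line; the key field is the whole public key."""
    fields = line.split()
    marker = fields.pop(0) if fields[0].startswith("@") else None  # @cert-authority / @revoked
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    parts = _read_strings(base64.b64decode(b64))
    if parts[0].decode() != keytype:
        raise ValueError("key type field does not match the blob")
    return {
        "marker": marker,
        "hashed": hosts.startswith("|1|"),
        "hosts": hosts,
        "key_type": keytype,
        # For ssh-ed25519 the second wire string is the raw 32-byte public key.
        "key_bytes": len(parts[1]) if keytype == "ssh-ed25519" else None,
    }


# Constructed ed25519 key material (bytes 0..31) and a zero salt: sample data only.
_SAMPLE_PK = bytes(range(32))
SAMPLE_BLOB_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(_SAMPLE_PK)).decode()
SAMPLE_PLAIN = "bastion.example.com,192.0.2.10 ssh-ed25519 " + SAMPLE_BLOB_B64
SAMPLE_HASHED = hash_hostname("bastion.example.com", bytes(20)) + " ssh-ed25519 " + SAMPLE_BLOB_B64

if __name__ == "__main__":
    print(kex_config_line(SAMPLE_KEX))
    print(kex_config_line(SAMPLE_KEX, demote=True))
    print(parse_known_hosts_line(SAMPLE_PLAIN))
    print(parse_known_hosts_line(SAMPLE_HASHED))
```

In practice the same result can be written more briefly in the config file as `KexAlgorithms -*sha1*`, which removes the SHA-1 methods from the default list rather than spelling out the full set; the explicit list above is useful when you want a fixed, auditable ordering on both client and server.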