![]() The warning is useful when the user (on the client side) can, at some point, alter the configuration of the server. Does it really make sense to have a warning popup under these conditions ? If the user does nothing else about the warning than deciding whether to keep connecting or abort, then the warning is meaningless it would be simpler and safer to simply omit from the list all algorithms that the user is not ready to use. ![]() So what will the human user actually do if he gets the warning ? Will he click on "OK, I got it" and proceed with the connection ? Or will he bail out ? In the first case, the algorithms are thus functionally supported, while in the second they are not. It means that there are some algorithms that the human user would really prefer not to use - but, for some reason, he included them in its list of supported algorithms. I recall that point because it highlights what this "warn below here" option really means. In SSH, for all algorithm classes (encryption, MAC, key exchange and public-key authentication), the client and the server send to each other their lists of supported algorithms the client lists are ordered by preference, and that preference is honoured: the protocol is such defined that the chosen algorithms will be the first in each client list that also appears in the corresponding server list. And we could also date each answer to ensure they give an hint as to their relevance one could then update them when things change, to keep the info as current as possible] Pointers welcomed!Ī simple search was not enough for me. Putty allows one to move a "warn below here" setting, but I wonder where to place it at nowadays. ![]() (and any other relevant config you may want to add)Ĭommon choices for "SSH" "Encryption cipher selection policy" : AES (SSH-2 only)Īnd for SSH - Kex (Key Exchange) Diffie-Hellman group exchange ![]() What are the algorithm (as of March 2016) that one needs to be warned about (ie, those that no longer are considered safe enough) when logging on a ssh server.įor Putty, I want to talk about the "SSH" and "SSH-Kex" sections of the config, ie the Encryption Cipher and the Key exchange algorithms. I specify "Putty" as otherwise I feel the question would be too broad.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |