Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add OpenSSH 8 recommendations

See original GitHub issue

Hi Joe,

The tool currently suggests recommended settings for OpenSSH 7.6 but I currently have OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019, so it would be great to have up-to-date kex/mac/etc recommendations what to enable, disable, and so on. There might be such in the official docs but the tool should make it easy to find them via its output.

# algorithm recommendations (for OpenSSH 7.6)

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:11 (5 by maintainers)

github_iconTop GitHub Comments

jtestacommented, Aug 23, 2019

I followed this guide since published:

That’s funny, because that exact same guide is what got me into this SSH hardening topic years ago! It hasn’t been updated in a while, though, so I made my own based on it here:

The Encrypt-and-MAC design introduced much more attack surface (see DJM’s blog post about it here; he’s the OpenSSH maintainer: Encrypt-then-MAC (ETM) doesn’t have these problems, but they introduce another issue: the plaintext packet lengths are exposed. So the question is: is it better to use the EAM algorithms with their problems, or ETM and get a higher risk of traffic analysis? Generally, it seems people are leaning towards ETM being a little bit better.

(rec) -hmac-sha2-256                        -- mac algorithm to remove         
(rec) -hmac-sha2-512                        -- mac algorithm to remove         
(rec)                 -- mac algorithm to remove

The above algorithms are flagged as warnings (not failures), because they use the EAM method instead of ETM. The tool recommends that all algorithms that have at least warnings be removed. I didn’t change this behavior; that’s how it worked before.

immanuelfodorcommented, Aug 27, 2019

Wow, bookmarked it!

Read more comments on GitHub >

github_iconTop Results From Across the Web

How to Install OpenSSH 8.0 Server from Source in Linux
In this article, we will explain how to install and configure the latest version of OpenSSH 8.0 server and client on a Linux...
Read more >
How to Install OpenSSH 8 Server from Source in Linux?
First of all, we will install all the dependencies, before installing OpenSSH (make to build and install the source code, wget to download...
Read more >
Release Notes - OpenSSH
sftp-server(8): add a "" extension request that allows the client ... OpenSSH recommends the use of libfido2 1.5.0 or greater.
Read more >
Building and configuring OpenSSH - Steve Friedl
Post-Install Configuration · Insure that sshd gets launched properly at system startup. In our installation, the daemon is located in /usr/local/sbin instead of ......
Read more >
Install openssh-server 8.0p1 on Ubuntu 18.04.3 LTS
To upgrade openssh from 7.6 to 8.0 on Ubuntu 18.04 (bionic), I followed the instructions given here. The version I started with:
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found