1. 30

Could someone comment on this article points? I am not an crypto specialist (neither I am the author).


  2. 6

    Unfortunately, you can’t encrypt your server key and it must be always available, or else sshd won’t start. The only thing protecting it is OS access controls.

    Incorrect as of OpenSSH 6.3, see first item in http://www.openssh.com/txt/release-6.3.

    (Own-horn-tooting: I wrote most of the patch that implemented that.)

    1. 4

      I skimmed the article and am not a crypto expert. However, changes were recently made to OpenSSH in reaction to Snowden documents. Look for “The default set of ciphers and MACs has been altered to remove unsafe algorithms” in http://www.openbsd.org/56.html

      Theo de Raadt has done a great job keeping OpenSSH secure and I would trust him to continue doing so. All this said, I would welcome a crypto experts analysis of the OP.

      1. 3

        Not an expert either, just an interested onlooker.

        I’m not sure I’d prefer ChaCha20 over AES just because the latter has had much more cryptanalysis performed and you’re very likely to run into a hardware implementation of AES nowadays.

        Also, everything we’ve heard from Snowden says that the NSA has far more luck stealing keys and infiltrating standards bodies than attacking the math. So if I was a betting man, I’d bet:

        • the NIST curves were a clever side-channel attack that I need to stay far away from
        • my SSH sessions just aren’t interesting enough to warrant the significant supercomputer attention it’d take to mount an attack

        So I’d probably just turn off the NIST curves and call it a day. The recommendations are probably overkill for almost everyone - but hey, if you’re not rolling out a big deployment that means you have to support hundreds of clients, have fun breaking out the big guns.