Hi,
after reading about the recent DH attack I was wondering if we should change the default key exchange methods for this module. I know that we could still use DH using parameters of at least 2048-bit but I'm worried that most of the sysadmins will not do it.
I also like the idea of this module that provides a hardened ssh config with a simple
include ::modulename
I don't think we should add: "...BUT in case you use DH kex methods this is not valid anymore if you use DH parameters < 2048bit"
Ref:
https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
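One way to check a host for the condition this issue is worried about, as an added example (not code from the module or from the issue author): it flags fixed-group DH kex methods with a group under 2048 bits and, when group-exchange is enabled, counts the undersized entries in a moduli(5)-format file. The function names and the sample moduli (constructed, not real primes) are assumptions.

```python
MIN_BITS = 2048  # threshold named in the issue

# Fixed-group kex methods and the size of their built-in prime.
FIXED_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group18-sha512": 8192,
}
GEX_PREFIX = "diffie-hellman-group-exchange-"

# Constructed sample in moduli(5) layout: time type tests tries size generator prime
SAMPLE_MODULI = "\n".join([
    "# constructed sample, values are not real primes",
    "20150101000000 2 6 100 1023 2 " + "F" * 256,
    "20150101000000 2 6 100 2047 5 " + "F" * 512,
])


def moduli_bits(moduli_text):
    """Return the bit length of every prime in moduli(5)-format text."""
    sizes = []
    for line in moduli_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0].startswith("#"):
            continue  # comment, blank line or malformed entry
        # Measure the hex prime itself instead of trusting the size field.
        sizes.append(int(fields[6], 16).bit_length())
    return sizes


def audit(kex_algorithms, moduli_text):
    """Return findings for a comma-separated KexAlgorithms value."""
    findings = []
    weak = sum(1 for bits in moduli_bits(moduli_text) if bits < MIN_BITS)
    for kex in (k.strip() for k in kex_algorithms.split(",") if k.strip()):
        fixed = FIXED_GROUP_BITS.get(kex)
        if fixed is not None and fixed < MIN_BITS:
            findings.append(f"{kex}: fixed {fixed}-bit group")
        elif kex.startswith(GEX_PREFIX) and weak:
            findings.append(f"{kex}: {weak} moduli below {MIN_BITS} bits")
    return findings


if __name__ == "__main__":
    kex = "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
    for finding in audit(kex, SAMPLE_MODULI):
        print(finding)
```

On a real host, pass the effective `KexAlgorithms` value and the contents of the server's moduli file in place of the sample.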