author | Markus Friedl <markus@cvs.openbsd.org> | 2014-03-25 09:40:04 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2014-03-25 09:40:04 +0000 |
commit | 15ab5937178e86d1ff6b575988ef7bffa5835dba (patch) | |
tree | c917eec69d1e785e97a1659fc9e9967679a60171 | |
parent | 5c181eeea0a1cc2a07897e7eec1d6af7654edc37 (diff) |
trimm default proposals.
This commit removes the weaker pre-SHA2 hashes, the broken ciphers
(arcfour), and the broken modes (CBC) from the default configuration
(the patch only changes the default, all the modes are still available
for the config files).
ok djm@, reminded by tedu@ & naddy@ and discussed with many
-rw-r--r-- | usr.bin/ssh/myproposal.h | 25 |
1 files changed, 5 insertions, 20 deletions
diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h
index 30061aea0ed..c1093eafb3d 100644
--- a/usr.bin/ssh/myproposal.h
+++ b/usr.bin/ssh/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: myproposal.h,v 1.36 2014/03/25 09:40:03 markus Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -30,9 +30,7 @@
 "ecdh-sha2-nistp384," \
 "ecdh-sha2-nistp521," \
 "diffie-hellman-group-exchange-sha256," \
- "diffie-hellman-group-exchange-sha1," \
- "diffie-hellman-group14-sha1," \
- "diffie-hellman-group1-sha1"
+ "diffie-hellman-group14-sha1" \
 #define KEX_DEFAULT_PK_ALG \
 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
@@ -52,31 +50,18 @@
 #define KEX_DEFAULT_ENCRYPT \
 "aes128-ctr,aes192-ctr,aes256-ctr," \
- "arcfour256,arcfour128," \
 "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
- "chacha20-poly1305@openssh.com," \
- "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
- "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
+ "chacha20-poly1305@openssh.com"
+
 #define KEX_DEFAULT_MAC \
- "hmac-md5-etm@openssh.com," \
- "hmac-sha1-etm@openssh.com," \
 "umac-64-etm@openssh.com," \
 "umac-128-etm@openssh.com," \
 "hmac-sha2-256-etm@openssh.com," \
 "hmac-sha2-512-etm@openssh.com," \
- "hmac-ripemd160-etm@openssh.com," \
- "hmac-sha1-96-etm@openssh.com," \
- "hmac-md5-96-etm@openssh.com," \
- "hmac-md5," \
- "hmac-sha1," \
 "umac-64@openssh.com," \
 "umac-128@openssh.com," \
 "hmac-sha2-256," \
- "hmac-sha2-512," \
- "hmac-ripemd160," \
- "hmac-ripemd160@openssh.com," \
- "hmac-sha1-96," \
- "hmac-md5-96"
+ "hmac-sha2-512" \
 #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
 #define KEX_DEFAULT_LANG "" |
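Review bot: The new last key-exchange entry, `"diffie-hellman-group14-sha1" \`, ends in a line-continuation backslash even though it closes the macro, and `"hmac-sha2-512" \` at the end of KEX_DEFAULT_MAC in the third hunk does the same; the entries they replace had none. The hunk line counts suggest a blank line follows each one, which keeps the expansion correct today, but removing that blank line later would pull the next `#define` line into this macro's body. I would drop the backslash on both, as the new KEX_DEFAULT_ENCRYPT tail `"chacha20-poly1305@openssh.com"` already does. The macro this list belongs to starts above the hunk, so its opening `#define` is not visible here.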
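Review bot: Nothing visible in this hunk tells a reader of the header that KEX_DEFAULT_ENCRYPT and KEX_DEFAULT_MAC are only the default offer and that the dropped names remain selectable from the config files; that is stated only in the commit log. A short comment above the two macros would record it, for example `/* Default proposal only, in preference order; algorithms not listed here stay available via the config files. */`. The same comment could say why `umac-64-etm@openssh.com`, with its 64-bit tag, still leads the MAC list ahead of the 128-bit and SHA-2 entries, if that ordering is intentional. The file continues on both sides of the hunk, so such a comment may already exist outside the lines shown.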