Remix.run Logo
lousken a day ago

Is hmac-sha1 and umac-64 still enabled by default?

throw0101a a day ago | parent [-]

Yes:

* https://man.openbsd.org/ssh_config.5#MACs

* https://man.openbsd.org/sshd_config.5#MACs

ETM, encrypt-than-mac, variants are at the front of the preference list.

* https://en.wikipedia.org/wiki/UMAC_(cryptography)

lousken 17 hours ago | parent [-]

That sucks, that means they will still appear in audits, they should remove them from the default.

16 hours ago | parent | next [-]
[deleted]
PunchyHamster 16 hours ago | parent | prev [-]

OpenSSH thankfully cares little for corporate security theathre

But I can sympathise, our stuff got flagged in audit because we foolishly assumed that some requirement was checked by just having OpenSSH "new enough",but it turned out that RedHat for that RHEL version patched back some old considered insecure primitives to keep their customers happy...

lousken 11 hours ago | parent | next [-]

It would be nice to have defaults that are following regulations because it sucks to have and maintain explicit list. If it would be a simple toggle - secureciphersonly=yes sure, but listing them is just creating tech debt.

ok123456 14 hours ago | parent | prev [-]

aka FIPS.