Martin-Éric RACINE

Results 132 comments of Martin-Éric RACINE

I'm still wondering why or where dhcpcd disables this.

I think that venturing into iptables falls outside the scope of OpenSSH configuration hardening. What I was asking about (which the hardening guide should address) is how to achieve the...

The key question was how to achieve "less than 20.0 conns/sec" and with which setting. `PerSourceMaxStartups 1` would merely limit the number of connections per source to one. It would...

It doesn't make sense. Vulnerability to low bit number doesn't disappear just because we're also testing for something else. Which gets us back to why diffie-hellman-group-exchange-sha256 hasn't been deprecated yet.

> > Vulnerability to low bit number doesn't disappear just because we're also testing for something else.

That point wasn't addressed in your reply.

> You'll notice that the tests...

The logic for this is still broken. ssh-audit currently skips testing diffie-hellman-group-exchange-sha256's number of bits if any DHEat mitigation is in use.

@jtesta I have removed diffie-hellman-group-exchange-sha256 from my configuration since it's an insecure kex that should no longer be recommended anyhow.

> Is this the same as #202 ?

No, this one is a general request. Others are more specific.

I don't see why that aspect is so important. Btw, according to [this](https://www.openssh.com/specs.html), support for `ext-info-c` was also added. Do we test for this?

To me, the key point is to keep the explanation as concise as possible. Headlines rather than long sentences. Mentioning that a feature exists as mitigation against a CVE remains...