Martin-Éric RACINE
Debian has apparently migrated to `ntpsec` as its preferred standalone NTP daemon for cases when `timesyncd` won't be used. Debian ships the config file as `/etc/ntpsec/ntp.conf` which might require some adaptation...
Reporting against what's in Git up to commit 8124c8e4430c2d570cdff3773f1d9ead0ef2bb67: If connection throttling is enabled as a mitigation against CVE-2002-20001, all warnings about diffie-hellman-group-exchange-sha256's risks disappear. What's expected: (kex) diffie-hellman-group-exchange-sha256 (3072-bit)...
One aspect mentioned in #262 was connection throttling as a mitigation against CVE-2002-20001. However, the hardening guide that accompanies ssh-audit doesn't specify what the settings should be. As a result,...
What we currently have: ``` (kex) ext-info-s -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions ``` What I recommend instead: ``` (kex) ext-info-s -- [info] supports RFC8308 extensions...
We currently have e.g. ``` -- [info] available since OpenSSH 6.5 `- [info] default cipher since OpenSSH 6.9 ``` or ``` -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76...
What we currently have: ``` (kex) [email protected] -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795) ``` What...
It's been 5 months since the last release. Given the plethora of commits sitting in Git, it would be desirable to immediately release what we have as 10.0.7, in concordance...
There are inconsistencies between policies when it comes to the order in which options should appear. Hardened Debian 12 (version 1) wants "[email protected], [email protected], [email protected], aes256-ctr, aes192-ctr, aes128-ctr" while Hardened...
In its current form (10.0.6), dhcpcd ignores kernel settings and creates pseudo-private IPv6 addresses. If `net.ipv6.conf.*.addr_gen_mode=3` or `net.ipv6.conf.*.use_tempaddr=2` (Linux) are set by procps during bootup, dhcpcd ignores them. This is...
Gitlab offers its own optional SSH daemon written in Go: https://gitlab.com/gitlab-org/gitlab-shell/-/tree/main/internal/sshd A basic test against `ssh.gitlab.freedesktop.org` shows that it supports a number of outdated algorithms. It might be a good...