Hi
Ciphers applies to the symmetric cipher for the communication channel,
MACs applies to the message authentication method for the communication
channel. The key establishment and host authentication methods are not
configurable, and do use sound cryptographic methods. I don't believe
it is possible to force openssh's sshd to accept unencrypted
communications, no matter how hard you try.
The key establishment methods, ciphers, and MACs used in both protocol
versions are described in the first paragraphs of the openssh sshd man
page (http://www.openbsd.org/cgi-bin/man.cgi?query=sshd).
Ciphers and MACs options in the config file apply to protocol version 2
only - protocol version 1 uses 3DES or Blowfish only for the cipher, and
CRC only for the MAC. CRC is not a cryptographically sound MAC, and
this is one of the major reasons to disable all use of version 1 if you
can possibly get away with it in your organization.
Regards
Mark
-----Original Message-----
From: Florin Andrei [mailto:florin@andrei.myip.org]
Sent: September 15, 2005 17:06
To: secureshell@securityfocus.com
Subject: audit perspective: proof that all connections are encrypted
I have what's perhaps a slightly unusual question.
Suppose company X is going through an audit (think: SOX).
Suppose one of the questions that the auditors ask is: "we
want proof that all your remote access devices only allow
encrypted connections, not plaintext".
With a VPN concentrator, that's easy: you show them the
encryption algorithms that are enabled, show them that
plaintext is a disabled option and they're happy.
But how about openssh? Which is the config item in
sshd_config that says "if the client does not agree with all
these encryption schemes, all of which are not plaintext,
terminate the connection"?
Essentially, we have to prove that plaintext is rejected by
the server.
Any connection with the Ciphers and MACs options in sshd_config?
Hopefully I'm making myself understood. This is not a
strictly technical question, it's somewhere on the border
between technical issues and legal issues. I need an answer
that will satisfy people who are not geeks - if I'm being
sent in the right direction I can build a coherent response
myself (hopefully) but I need a starting point.
I believe that this kind of issue will become more common in
the near future, as the practice of auditing will extend to
more and more companies.
Thanks,
--
Florin Andrei
http://florin.myip.org/
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed. If
you have received this email in error please notify the system manager. This
message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail.
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed. If
you have received this email in error please notify the system manager. This
message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail.
