[CentOS] sshd key exchange security

Fri Sep 11 21:55:06 UTC 2015
Alice Wonder <alice at domblogger.net>

On 09/11/2015 08:44 AM, Chris Adams wrote:
> Once upon a time, Alice Wonder <alice at domblogger.net> said:
>> They recommend setting the following:
>>
>> KexAlgorithms curve25519-sha256@libssh.org
>>
>> I don't even see that directive in my sshd config to set it, I
>> suppose it may be one that is manually added when needed but I want
>> to verify it actually means something in CentOS 7 ssh.
>>
>> Also I'm a little worried that maybe curve25519 is one of the curves
>> that Red Hat (and thus CentOS 7) doesn't support due to patent
>> concerns.
>
> That is supported in the CentOS 7 version of OpenSSH.  Look at the man
> page for sshd_config and you'll see the KexAlgorithms option listed and
> its valid values.  You can always see what your exact copy and config of
> OpenSSH are using by running "sshd -T".
>
> However, if you set it as above, you would _only_ be able to connect
> with that algorithm, and not all SSH clients support that (even for
> example OpenSSH on CentOS 6).
>

Thanks - what I ended up doing is:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Then I generated fresh 2048 and 4096 primes for the moduli file.

So far it seems all the ssh clients I have tried work.
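The two checks behind this thread (what kex algorithms the running sshd actually negotiates, per "sshd -T", and whether the moduli file still carries small group-exchange primes) can be scripted. The following is an added example, not code from the list posters: it works on constructed sample text embedded inline (an sshd -T excerpt and three moduli(5) lines), and the allowed list mirrors the KexAlgorithms setting chosen above. The ssh-keygen -G / -T commands in the comment are the standard OpenSSH prime-generation procedure of that era and are not executed by the script.

```shell
#!/bin/sh
# Constructed sample of "sshd -T" output (sshd -T prints keywords in lowercase).
SAMPLE_SSHD_T='port 22
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ciphers aes256-gcm@openssh.com,aes128-ctr'

# Constructed sample moduli(5) lines: Time Type Tests Tries Size Generator Modulus.
# OpenSSH records the size field as modulus length minus one (2047 for a 2048-bit prime),
# so a 1023 entry is a 1024-bit group. The hex moduli are placeholders, not real primes.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20150911211500 2 6 100 1023 2 DEADBEEF
20150911211600 2 6 100 2047 2 CAFEF00D
20150911211700 2 6 100 4095 5 FEEDFACE'

# The kex algorithms we expect the server to offer (same set as the sshd_config line above).
ALLOWED_KEX='curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256'

# kex_from_sshd_t: read sshd -T style text on stdin, print each effective kex algorithm on its own line.
kex_from_sshd_t() {
    awk '$1 == "kexalgorithms" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# check_kex TEXT: succeed (0) only when every kex algorithm in TEXT is in ALLOWED_KEX;
# names the offending algorithms on stderr otherwise.
check_kex() {
    bad=0
    for k in $(printf '%s\n' "$1" | kex_from_sshd_t); do
        case " $ALLOWED_KEX " in
            *" $k "*) ;;
            *) echo "unexpected kex algorithm: $k" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# count_weak_moduli TEXT MINBITS: print how many moduli entries in TEXT are shorter than MINBITS.
# Comment lines and malformed lines are skipped; size field + 1 is the nominal group size.
count_weak_moduli() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $1 !~ /^#/ && NF >= 7 && $5 + 1 < min { c++ }
        END { print c + 0 }'
}

# Regenerating group-exchange primes (CentOS 7 era ssh-keygen; shown for reference, not run here):
#   ssh-keygen -G /tmp/moduli-2048.candidates -b 2048
#   ssh-keygen -T /tmp/moduli-2048 -f /tmp/moduli-2048.candidates
# and then install the screened output as /etc/ssh/moduli.

# Demonstration on the constructed samples.
if check_kex "$SAMPLE_SSHD_T"; then
    echo "kex: only expected algorithms offered"
fi
echo "moduli entries below 2048 bits: $(count_weak_moduli "$SAMPLE_MODULI" 2048)"
```

On a live host the same functions take real input: `check_kex "$(sshd -T)"` (sshd -T must run as root so it can read the host keys) and `count_weak_moduli "$(cat /etc/ssh/moduli)" 2048`. A non-zero weak count means the server will still hand out small DH groups to clients that ask for them, regardless of what KexAlgorithms says.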