[CentOS] Notes on openssh configuration

Sat Jan 28 00:17:58 UTC 2017
Leonard den Ottolander <leonard at den.ottolander.nl>

On Fri, 2017-01-27 at 13:56 -0800, Gordon Messmer wrote:
> On 01/27/2017 10:59 AM, Leonard den Ottolander wrote:
> > https://en.wikipedia.org/wiki/MD5  seems to disagree:
> 
> 
> No, it doesn't.  That page links to RFC 6151, which notes:
> 
> "It is not urgent to stop using MD5 in other ways, such as HMAC-MD5"
> 
> There's nothing wrong with disabling hmac-md5 in your own 
> configurations.  I do it.  But having it enabled is not considered by 
> experts to be a flaw, and it should not be alarming.

Six years have gone since md5 is considered broken. I find the fact that
MD5 is still configured as the default HMAC alarming in itself as it
indicates a lack of proactiveness that we so bitterly need in this day
and age of heartbleeds and the like. I consider it a faulty default.
This is a broken primitive. It needs to be phased out so it should not
be the default configuration. That's just common sense. No RFC can beat
that ;-) .

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research