New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
By using ssh-audit -p [PORT] [IP] you can see your settings on a lot of distributions.
Advanced testing : try LYNIS
If you care about store now and decrypt later attacks, you should use OpenSSH 10+ (released in April this year) with the quantum resistant
mlkem768x25519-sha256at both client and server side. Otherwise, just useed25519(the most popular variant ofEdDSA) for better UX.I use some of these because no one would suspect it
Ed25519
I dont trust any. Roll a dice, its the same. Someone has backdoored or cracked it.
Flat earther.
md5 of "12345" (binary) AND 0x11111111111111.
I'm thinking though about reversing it to "54321" and appending 2 more (binary) 1's to the AND.
Reason: While I think that not using a 4-char key but a 5-char key plus additionally ANDing it is verrry sakkure, it might (maybe, just a wild worst case guess) be even more sakkure to use "54321".
P.S. Please keep this info super-private!
Did you reply in the wrong thread?
but you posted it in public..
Ooopsie. Oh well, I guess I'll have to change it to "abcde" now ...
RSA 4096 (or 2048 for yubikeys). I don't completely trust ECDSA or EdDSA.
The kerfuffle with Dual_EC-DRBG probable backdoor and brittleness of ECDSA are disappointing. Even though most web pages (even mine) use ECDSA. EdDSA is better, but I'd still prefer RSA 4096 over it.
rsa
Well then better be sure to only use the fastest Ryzens or even a TLS accelerator ... or no, wait, because these don't actually do the hard part at all.
And (seriously) maybe look at PQ algos and pick a decent one. Because if quantum computers, and I mean actually usable ones, ever become available RSA 4096 vs 2048 won't save you (nor will EC crypto).
It's just about making the best choices with what's available. For ssh, I think that's still RSA. For web pages, ECDSA is probably worth the faster response time, if the content isn't sensitive.
I've been using ECDSA for all my ssh keys. My reason was that I thought it had shorter key lengths, and gpt told me it's slightly more secure than RSA. But I should probably migrate all my keys to RSA because of the comments here lol.
To be continued...
See click link : Has your VPS secured entropy ?
And gpt (in that case) is correct. Elliptic curve algos are slightly harder to crack with PQ. And I've yet to see a credible indication of RSA somehow magically being more secure.
Hint: consider any and all NIST approved algos as tainted by the NSA (NIST is known to bend over for NSA). Yet another avantage of elliptic curves because you actually can find good and trustworthy algos which are not NIST approved/tainted.
Just saying ...
says who?
NIST Internal Report - NIST IR 8547 ipd - Transition to Post-Quantum Cryptography Standards -ClickMe
Thanks, but I don't give a flying fuck about their recommendations. Btw. reasonable professionals would have started/did strat to look deeper into PQ alternatives already quite a while ago and will certainly not wait till 2030 to pick one and use it.
I hope at least people use ssh-audit or are crypto specialist.
Just fun with cryptocurrency with edDSA.
sshd_config adviced by ssh-audit
RSA 3072 is enough. 4096 is just showing e-penis.
And at high cost at that, not only in terms or processing but also in terms of environment, electrical power, etc.
Fact is that most of us do not have a need to keep their communication hidden from NSA & friends. And the 3 letter agencies do not even care about most people's communication or data or, in case they did, so what, nothing evil and/or super secret to find there.
And against script kiddies and low level hackers even RSA 1024 is more than plenty enough.
But - of course! - "https everywhere" is the mantra and the herd follows obediently (and stupidly), even when by far most website are public anyway. But of course we must protect ourselves from thinking we are on Joe Nobody's site when in fact we might be tricked by evil Eve and led to her faked Joe Nobody's site!
So to hell with reason, let's use RSA 8192!!!
md5 without salt is the best, because I prefer sweets.
It's a pity to see how a lot of VPS come with NOT hardened sshd_config
We run everything in clear text because we're not little bitches.
in which lang !?
Binary.