From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mimir.eigenstate.org ([206.124.132.107]) by ewsd; Mon Apr 27 19:17:23 EDT 2020
Received: from abbatoir.fios-router.home (pool-162-83-132-245.nycmny.fios.verizon.net [162.83.132.245]) by mimir.eigenstate.org (OpenSMTPD) with ESMTPSA id d3d7d54e (TLSv1.2:ECDHE-RSA-AES256-SHA:256:NO); Mon, 27 Apr 2020 16:17:14 -0700 (PDT)
Message-ID: <0C39C1809DC1D57A53EE360E6670555B@eigenstate.org>
To: unobe@cpan.org, 9front@9front.org
Subject: Re: [9front] [patch] /sys/src/cmd/ssh.c notify user of unavailable cipher
Date: Mon, 27 Apr 2020 16:17:13 -0700
From: ori@eigenstate.org
In-Reply-To: <50B506EB-6D46-4FA6-9651-270B96942ABA@cpan.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: XMPP over WEB2.0 wrapper-scale base component

> As a follow-up: I started speaking with IT today. They're using the CIS CentOS Linux Benchmark v2.1.0, but the last check missed the fact that an entire section, section 5.2.11, was removed. That section restricts ciphers but even the audit looks wrong considering what it describes. The latest version of the document, v2.2.0, does not restrict ciphers more than the defaults shipped with openssh, and so IT looks like they're fine with updating.
>
> I'll still look into patching to provide better diagnostic info to the user when supported cipher/mac isn't available.

Ok -- If you don't get to it first, I'll probably take a look at doing proper negotiation and maybe adding some more ciphers a couple of weeks down the road. I'll let you know when I start thinking about it.