Description
Our sshd_config ships with:
We should update this for noble.
I was reading through https://blog.stribik.technology/2015/01/04/secure-secure-shell.html because I was trying to understand the whole /etc/ssh/moduli and it seems like we could drop diffie-hellman-group-exchange-sha256 for diffie-hellman-group14-sha256/diffie-hellman-group16-sha512/diffie-hellman-group18-sha512 and not have to deal with the moduli file. But I guess the group exchange one is preferred?
Also instead of setting a fixed list, we could just subtract the ones we don't want, so we get the advantage of newer algos without needing to manually update our lists each time. It also supports wildcards so theoretically do something like KexAlgorithms -*sha1.
Per https://www.man7.org/linux/man-pages/man5/sshd_config.5.html the upstream default currently is:
Ciphers
[email protected],
aes128-ctr,aes192-ctr,aes256-ctr,
[email protected],[email protected]
KexAlgorithms
[email protected],
curve25519-sha256,[email protected],
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256
MACs
[email protected],[email protected],
[email protected],[email protected],
[email protected],
[email protected],[email protected],
hmac-sha2-256,hmac-sha2-512,hmac-sha1
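
Added example, not part of the issue or the project's code: a way to confirm what a subtractive list such as `KexAlgorithms -*sha1` leaves enabled, by filtering the effective configuration that `sshd -T` prints. The function name `flag_algos` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# flag_algos PATTERN...
# Reads `sshd -T` output on stdin and prints "keyword algorithm" for every
# entry of the ciphers, kexalgorithms and macs lists that matches one of the
# glob patterns. A pattern must match the whole algorithm name, so '*sha1'
# does not cover names that carry a suffix after "sha1".
flag_algos() {
    while read -r key list; do
        case "$key" in
            ciphers|kexalgorithms|macs) ;;
            *) continue ;;
        esac
        # The lists are comma-separated on a single line.
        for algo in $(printf '%s' "$list" | tr ',' ' '); do
            for pat in "$@"; do
                case "$algo" in
                    $pat) printf '%s %s\n' "$key" "$algo"; break ;;
                esac
            done
        done
    done
}

# Constructed sample of `sshd -T` output (shortened; algorithm names are
# taken from the default lists quoted in the issue).
SAMPLE_SSHD_T='port 22
ciphers aes128-ctr,aes192-ctr,aes256-ctr
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
macs hmac-sha2-256,hmac-sha2-512,hmac-sha1'

# Flag anything still ending in sha1 and anything that depends on
# /etc/ssh/moduli (the group-exchange key exchange).
printf '%s\n' "$SAMPLE_SSHD_T" |
    flag_algos '*sha1' 'diffie-hellman-group-exchange-*'

# On a real host (as root), after editing sshd_config:
#   sshd -T | flag_algos '*sha1' 'diffie-hellman-group-exchange-*'
```

In the sample, the only SHA-1 entry is in the MACs list, so a subtraction applied to KexAlgorithms alone would leave it in place; the check covers all three lists for that reason.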