Skip to content

Commit 35388e3

Browse files
GigabyteProductionsGigabyteProductions
committed
Merge pull request ioerror#54 on upstream
2 parents 06fd3a6 + 9fa64b2 commit 35388e3

1 file changed

Lines changed: 32 additions & 9 deletions

File tree

configs/sshd/sshd-pfs_config

Lines changed: 32 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,34 @@
1-
# Specifies the ciphers allowed for protocol version 2.
2-
# The default is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,
3-
# arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
4-
# aes256-cbc,arcfour
5-
Ciphers aes256-ctr
1+
# Protocol v1 is broken.
2+
Protocol 2
3+
4+
# Specifies the available key exchange algorithms.
5+
# 1. ECDH over Curve25519 with SHA256
6+
# 2. Custom DH with SHA256 - generate primes using
7+
# ssh-keygen -G /tmp/moduli -b 4096
8+
# ssh-keygen -T /etc/ssh/moduli -f /tmp/moduli
9+
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
10+
11+
# Server authentication
12+
# 1. Ed25519 - generate key using
13+
# ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
14+
# 2. RSA - generate key using
15+
# ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null
16+
HostKey /etc/ssh/ssh_host_ed25519_key
17+
HostKey /etc/ssh/ssh_host_rsa_key
18+
19+
# Client authentication
20+
ChallengeResponseAuthentication no
21+
PasswordAuthentication no
22+
PubkeyAuthentication yes
23+
24+
# Specifies the allowed ciphers
25+
# 1. Chacha20-Poly1305 - Authenticated encryption, message length encrypted
26+
# 2. AES-GCM - Authenticated encryption, message length is Additional Data
27+
# 3. AES-CTR - Confidentiality only, works better with flawed Encrypt-and-MAC
28+
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
629

730
# Specifies the available MAC (message authentication code) algorithms.
8-
# The default is: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,
9-
# hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
10-
# hmac-sha2-512-96
11-
MACs hmac-sha2-512
31+
# 1. Encrypt-then-MAC with at least 128 bit tags and keys - provable security
32+
# 2. Encrypt-and-MAC with at least 128 bit tags and keys - no security proof
33+
# probably fine with a CTR cipher, don't use them with CBC
34+
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128

0 commit comments

Comments
 (0)