From patchwork Thu Sep 13 03:50:45 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1931
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.ipfire.org
 [IPv6:2001:470:7183:25::1])
	by web02.i.ipfire.org (Postfix) with ESMTP id C7D9A61A14
	for <patchwork@web02.i.ipfire.org>; Wed, 12 Sep 2018 19:51:03 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 867DD11340B1;
	Wed, 12 Sep 2018 18:51:03 +0100 (BST)
Received: from mx-nbg.link38.eu (mx-nbg.link38.eu
 [IPv6:2a03:4000:6:432c:1f9e:48:ac3:199])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx-nbg.link38.eu",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail01.ipfire.org (Postfix) with ESMTPS id D8A26109612F
 for <development@lists.ipfire.org>; Wed, 12 Sep 2018 18:50:49 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803;
 t=1536774647; h=from:from:sender:reply-to:subject:subject:date:date:
 message-id:message-id:to:to:cc:mime-version:mime-version:
 content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=I/TgaM1zCjXoS/1Y3SDmpYzJ082fKDAxqNme2xZ39ms=;
 b=dal7n0hD/uapYqGArYjjDbkmE2nTs7sd1ViXsS45r5ScFWjeX66s8usyoyx4lPvZTOO1uO
 3G3KpIO0GoJXLzuM3EL8ri2bCoD+77AEDPbar/FRLzSwlXAsMBM4EkcS7xs3p6XblJgL2k
 FWo6WkmkLD2qmWYN8QkTf3I9SP5JddI8P8mAeTD5Cdp1gIumxtzD8mprrZX6F3sJg1ERVB
 8ABk2nd8e5I2lV2s+mH7jIiGFZ0wOAfpEKKEaqNXk1e7OGSB5qnBIqv/lfsKp/kC4T6F41
 InkIsf5m/coltPO/qk4XQodslGrpZdL5uBBtUBh3YU77k25ytj/ipMaYpDpwOg==
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH 3/3] SSH client configuration: Prefer server host keys in
 different order
Date: Wed, 12 Sep 2018 19:50:45 +0200
Message-Id: <20180912175045.7636-3-peter.mueller@link38.eu>
In-Reply-To: <20180912175045.7636-1-peter.mueller@link38.eu>
References: <20180912175045.7636-1-peter.mueller@link38.eu>
MIME-Version: 1.0
Authentication-Results: mail01.ipfire.org; dkim=pass header.d=link38.eu;
 dmarc=pass (policy=none) header.from=link38.eu;
 spf=pass smtp.mailfrom=peter.mueller@link38.eu
X-Spamd-Result: default: False [-11.54 / 11.00]; ARC_NA(0.00)[];
 R_DKIM_ALLOW(-0.20)[link38.eu]; FROM_HAS_DN(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip6:2a03:4000:6:432c:1f9e:48:ac3:199];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 TO_DN_NONE(0.00)[]; RCPT_COUNT_ONE(0.00)[1];
 DKIM_TRACE(0.00)[link38.eu:+];
 RCVD_IN_DNSWL_MED(-2.00)[9.9.1.0.3.c.a.0.8.4.0.0.e.9.f.1.c.2.3.4.6.0.0.0.0.0.0.4.3.0.a.2.list.dnswl.org
 : 127.0.6.2]; MID_CONTAINS_FROM(1.00)[];
 MX_GOOD(-0.01)[cached: mx-nbg.link38.eu];
 DMARC_POLICY_ALLOW(-0.25)[link38.eu,none];
 NEURAL_HAM(-3.00)[-0.999,0]; RCVD_COUNT_ZERO(0.00)[0];
 FROM_EQ_ENVFROM(0.00)[];
 IP_SCORE(-3.78)[ip: (-9.91), ipnet: 2a03:4000::/32(-4.95),
 asn: 197540(-3.96),
 country: DE(-0.09)];
 ASN(0.00)[asn:197540, ipnet:2a03:4000::/32, country:DE];
 RCVD_TLS_ALL(0.00)[]; BAYES_HAM(-3.00)[100.00%]
X-Spam-Status: No, score=-11.54
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

SSH clients can set a preference for server host keys. To achive best
security and performance, ED25519 is preferred over ECDSA (also secure,
but a bit bigger and some of them use ECC curves from non-trustworthy
sources) which is preferred over RSA.

Since ED25519 keys are smaller and need less CPU time on both client and
server, this also achives a better performance.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/ssh/ssh_config | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index 9f7121c76..462f2f1a0 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -36,4 +36,7 @@ Host *
 	# hash entries in ~/.ssh/known_hosts file to avoid permission disclosure
 	HashKnownHosts yes
 
+	# prefer server host keys in different order (ED25519, ECDSA, RSA)
+	HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01@openssh.com,ssh-rsa
+
 # EOF