From patchwork Fri Sep 20 14:20:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8134 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0j15sBz3wxp for ; Fri, 20 Sep 2024 14:20:37 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0c3YQWz2DC; Fri, 20 Sep 2024 14:20:32 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9F0c22gpz33wr; Fri, 20 Sep 2024 14:20:32 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9F0Y3M3dz2yTm for ; Fri, 20 Sep 2024 14:20:29 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9F0X4Bnjz60t; Fri, 20 Sep 2024 14:20:28 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9F0T0L8Wz2y9M; Fri, 20 Sep 2024 14:20:25 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 3/5] sshd_config: Drop RSA key Date: Fri, 20 Sep 2024 14:20:20 +0000 Message-Id: <20240920142022.589371-3-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240920142022.589371-1-peter.mueller@ipfire.org> References: <20240920142022.589371-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: E3LR5AROCQE6OSCF2DGF6D3LSNNMFR3Z X-Message-ID-Hash: E3LR5AROCQE6OSCF2DGF6D3LSNNMFR3Z X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Peter Müller --- config/ssh/sshd_config | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 76c9b3eb1..630370411 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -24,10 +24,9 @@ KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sh Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com -# Only allow cryptographically safe SSH host keys (adjust paths if needed) +# Only allow cryptographically safe SSH host keys HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_rsa_key # Only allow login via public key by default PubkeyAuthentication yes