From patchwork Sat Sep 21 15:29:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8146 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVY1p5Xz3wyT for ; Sat, 21 Sep 2024 15:30:13 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVT1wkrz1fT; Sat, 21 Sep 2024 15:30:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9tVT1KQMz343G; Sat, 21 Sep 2024 15:30:09 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVN47Kyz344H for ; Sat, 21 Sep 2024 15:30:04 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVM4rCrztg; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9tVM3S4nz2xPM; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v2 1/4] OpenSSH :Update to 9.9p1 Date: Sat, 21 Sep 2024 15:29:57 +0000 Message-Id: <20240921153000.706916-1-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 Message-ID-Hash: 4VBEFGFVMDII72JTKQ5XTHQOYEFABHU7 X-Message-ID-Hash: 4VBEFGFVMDII72JTKQ5XTHQOYEFABHU7 X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Please refer to https://www.openssh.com/releasenotes.html#9.9p1 for the release announcement of this version. Signed-off-by: Peter Müller --- lfs/openssh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openssh b/lfs/openssh index 036d0bb8e..c14c8267c 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 9.8p1 +VER = 9.9p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 +$(DL_FILE)_BLAKE2 = 817d267e42b8be74a13e0cfd7999bdb4dab6355c7f62c1a4dd89adad310c5fb7fe3f17109ce1a36cd269a3639c1b8f1d18330c615ab3b419253ec027cfa20997 install : $(TARGET) From patchwork Sat Sep 21 15:29:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8144 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVW6Gglz3wyT for ; Sat, 21 Sep 2024 15:30:11 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVR11dxz5pr; Sat, 21 Sep 2024 15:30:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9tVQ5W6Dz2y10; Sat, 21 Sep 2024 15:30:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVN3l7qz3408 for ; Sat, 21 Sep 2024 15:30:04 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVM4xxzz1lq; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9tVM3YF6z2xLg; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v2 2/4] OpenSSH: Add ML-KEM x X25519 hybrid key exchange Date: Sat, 21 Sep 2024 15:29:58 +0000 Message-Id: <20240921153000.706916-2-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240921153000.706916-1-peter.mueller@ipfire.org> References: <20240921153000.706916-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: 5APDYJVSFGD7BFZU6RLTK6YUQOUCSSW5 X-Message-ID-Hash: 5APDYJVSFGD7BFZU6RLTK6YUQOUCSSW5 X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This was newly introduced in OpenSSH 9.9, hence our custom configurations for both SSH server and client need to be updated. Signed-off-by: Peter Müller --- config/ssh/ssh_config | 2 +- config/ssh/sshd_config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 85c069dda..5a9ad85c5 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -9,7 +9,7 @@ Host * UseRoaming no # Only use secure crypto algorithms - KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 76c9b3eb1..9229b6518 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -20,7 +20,7 @@ LoginGraceTime 30s MaxStartups 5 # Only allow safe crypto algorithms -KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com From patchwork Sat Sep 21 15:29:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8145 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVX3gpxz3wyW for ; Sat, 21 Sep 2024 15:30:12 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVR1yGxz6sZ; Sat, 21 Sep 2024 15:30:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9tVQ742cz344r; Sat, 21 Sep 2024 15:30:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVN3yPXz343j for ; Sat, 21 Sep 2024 15:30:04 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVM5Hdkz2ry; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9tVM3lNJz2yLJ; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v2 3/4] OpenSSH: Add alias name for sntrup761x25519-sha512 key exchange Date: Sat, 21 Sep 2024 15:29:59 +0000 Message-Id: <20240921153000.706916-3-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240921153000.706916-1-peter.mueller@ipfire.org> References: <20240921153000.706916-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: ILOC622XUP7OLHIKDMTCDTAVOPSJF3ZR X-Message-ID-Hash: ILOC622XUP7OLHIKDMTCDTAVOPSJF3ZR X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This makes sure OpenSSH connections make use of this post-quantum key exchange whenever possible, even if one peer still running OpenSSH 9.8 or older. Signed-off-by: Peter Müller --- config/ssh/ssh_config | 2 +- config/ssh/sshd_config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 5a9ad85c5..86f123e28 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -9,7 +9,7 @@ Host * UseRoaming no # Only use secure crypto algorithms - KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 9229b6518..421416705 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -20,7 +20,7 @@ LoginGraceTime 30s MaxStartups 5 # Only allow safe crypto algorithms -KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com From patchwork Sat Sep 21 15:30:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 8143 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVV3R0nz3wyT for ; Sat, 21 Sep 2024 15:30:10 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVQ5BpSz1lq; Sat, 21 Sep 2024 15:30:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4X9tVQ3SYMz344x; Sat, 21 Sep 2024 15:30:06 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4X9tVN3YZbz2y10 for ; Sat, 21 Sep 2024 15:30:04 +0000 (UTC) Received: from people01.haj.ipfire.org (people01.haj.ipfire.org [172.28.1.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "people01.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4X9tVM6gLHz5nb; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) Received: by people01.haj.ipfire.org (Postfix, from userid 1078) id 4X9tVM3vPqz2yPZ; Sat, 21 Sep 2024 15:30:03 +0000 (UTC) From: =?utf-8?q?Peter_M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH v2 4/4] OpenSSH: Order symmetric ciphers by strength Date: Sat, 21 Sep 2024 15:30:00 +0000 Message-Id: <20240921153000.706916-4-peter.mueller@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20240921153000.706916-1-peter.mueller@ipfire.org> References: <20240921153000.706916-1-peter.mueller@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: 5CXCPUPLIIHYYZDODMJ7FRLVYAO7ZD67 X-Message-ID-Hash: 5CXCPUPLIIHYYZDODMJ7FRLVYAO7ZD67 X-MailFrom: pmueller@people01.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: =?utf-8?q?Peter_M=C3=BCller?= X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: We also wish to prefer AES over Chacha/Poly, given the prevalence of hardware accelaration for the former. Signed-off-by: Peter Müller --- config/ssh/ssh_config | 2 +- config/ssh/sshd_config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 86f123e28..d5f63f315 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -10,7 +10,7 @@ Host * # Only use secure crypto algorithms KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com # Always visualise server host keys (helps to identify key based MITM attacks) diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config index 421416705..e338f8cef 100644 --- a/config/ssh/sshd_config +++ b/config/ssh/sshd_config @@ -21,7 +21,7 @@ MaxStartups 5 # Only allow safe crypto algorithms KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com # Only allow cryptographically safe SSH host keys (adjust paths if needed)