Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New algorithms for SSH. #54

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 32 additions & 9 deletions configs/sshd/sshd-pfs_config
Original file line number Diff line number Diff line change
@@ -1,11 +1,34 @@
# Specifies the ciphers allowed for protocol version 2.
# The default is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,
# arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
# aes256-cbc,arcfour
Ciphers aes256-ctr
# Protocol v1 is broken.
Protocol 2

# Specifies the available key exchange algorithms.
# 1. ECDH over Curve25519 with SHA256
# 2. Custom DH with SHA256 - generate primes using
# ssh-keygen -G /tmp/moduli -b 4096
# ssh-keygen -T /etc/ssh/moduli -f /tmp/moduli
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256

# Server authentication
# 1. Ed25519 - generate key using
# ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
# 2. RSA - generate key using
# ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Client authentication
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes

# Specifies the allowed ciphers
# 1. Chacha20-Poly1305 - Authenticated encryption, message length encrypted
# 2. AES-GCM - Authenticated encryption, message length is Additional Data
# 3. AES-CTR - Confidentiality only, works better with flawed Encrypt-and-MAC
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

# Specifies the available MAC (message authentication code) algorithms.
# The default is: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,
# hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha256-96,hmac-sha2-512,
# hmac-sha2-512-96
MACs hmac-sha2-512
# 1. Encrypt-then-MAC with at least 128 bit tags and keys - provable security
# 2. Encrypt-and-MAC with at least 128 bit tags and keys - no security proof
# probably fine with a CTR cipher, don't use them with CBC
MACs hmac-sha2-512[email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128