Mailing List Archive

Best practice setting Ciphers & Algorithms?
Hi list members,

is there a best practice setting Ciphers, GSSAPIKexAlgorithms, KexAlgorithms, HostKeyAlgorithms, PubkeyAcceptedKeyTypes and CASignatureAlgorithms in one shot in a secure manner? If this would look pretty, like this 'modern' styles you get from https://ssl-config.mozilla.org/, this would be the cherry on top.

Thanks!
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Best practice setting Ciphers & Algorithms? [ In reply to ]
On Wed, 6 Apr 2022, Keine Eile wrote:

> Hi list members,
>
> is there a best practice setting Ciphers, GSSAPIKexAlgorithms, KexAlgorithms,
> HostKeyAlgorithms, PubkeyAcceptedKeyTypes and CASignatureAlgorithms in one
> shot in a secure manner? If this would look pretty, like this 'modern' styles
> you get from https://ssl-config.mozilla.org/, this would be the cherry on top.

If you run a current release of OpenSSH then you get secure defaults :)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Best practice setting Ciphers & Algorithms? [ In reply to ]
On Thu, 7 Apr 2022 at 09:11, Damien Miller <djm@mindrot.org> wrote:
> On Wed, 6 Apr 2022, Keine Eile wrote:
> > Hi list members,
> >
> > is there a best practice setting Ciphers, GSSAPIKexAlgorithms, KexAlgorithms,
> > HostKeyAlgorithms, PubkeyAcceptedKeyTypes and CASignatureAlgorithms in one
> > shot in a secure manner? If this would look pretty, like this 'modern' styles
> > you get from https://ssl-config.mozilla.org/, this would be the cherry on top.
>
> If you run a current release of OpenSSH then you get secure defaults :)

And if for some reason that's not feasible, the defaults which are
documented in the current man pages
(https://man.openbsd.org/ssh_config,
https://man.openbsd.org/sshd_config) represent the developers' current
opinion of best practice, so you could use the intersection of those
and what you version supports.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Best practice setting Ciphers & Algorithms? [ In reply to ]
Thanks for your response!
In the meantime I have learned, I want to use crypto-policies(7). Which is very convenient, as I do not have to argue with anyone, why things are as, they are.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev