roles/common: Tweak sshd_config to match NSA Suite B recommendations
NSA stopped recommending AES-128 in August, 2015... Before: https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml After: https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml I don't see why we shouldn't follow suit; maybe they know something we don't! Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
parent
5c0a7c2c72
commit
973b37be4e
@ -85,9 +85,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
||||
|
||||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
|
||||
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
||||
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# only allow shell access by provisioning user
|
||||
|
@ -85,9 +85,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
||||
|
||||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
|
||||
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
||||
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# only allow shell access by provisioning user
|
||||
|
@ -85,9 +85,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
||||
|
||||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
|
||||
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
||||
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# only allow shell access by provisioning user
|
||||
|
Loading…
Reference in New Issue
Block a user