roles/common: Remove Encrypt-and-MAC modes from Ubuntu 20.04 sshd_config
Recommended by ssh-audit, but also generally the consensus for a few years that Encrypt-and-MAC is hard to get right. OpenSSH has several Encrypt-then-MAC schemes available so we can use those. See: https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
parent 9b7a31ebf9
commit 9ea14de6f5
@ -128,7 +128,7 @@ PasswordAuthentication yes
|
|||||||
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
||||||
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
|
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||||
|
|
||||||
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
||||||
|
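Review bot: the two comment lines at the top of this hunk still describe the policy only as removing ciphers and MACs with < 256 bits, so nothing in the file explains why `hmac-sha2-512` and `hmac-sha2-256` are gone from the `MACs` line even though both meet that size rule. Suggest extending the comment with a line such as `# ... and only Encrypt-then-MAC (-etm) MACs are kept` so the next editor does not add the plain variants back. It would also help to state the compatibility effect: of the three entries on the `Ciphers` line only `aes256-ctr` uses a negotiated MAC (the chacha20-poly1305 and aes256-gcm entries are AEAD modes that provide their own integrity), so after this change a client that selects `aes256-ctr` and offers no `-etm` MAC will fail to negotiate a connection.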