libohad-dev/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use hardened defaults for SSH connections

Browse source
This commit is contained in:
Ohad Livne 2026-04-10 18:54:15 +03:00
parent d6b105d2ec
commit 6b27d7e5e2
Signed by: libohad-dev
GPG key ID: 34FDC68B51191A4D
2 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.ssh/config Normal file
View file

@ -0,0 +1 @@
Include ~/.ssh/config.d/*.conf

14
.ssh/config.d/90-hardened-security.conf Normal file
View file

@ -0,0 +1,14 @@
# SSH client algorithm hardening.
#
# Require PQ-hybrid KEX, AEAD ciphers, Ed25519 keys.
# Applied to all outgoing SSH connections from this machine.
#
# Requires OpenSSH 9.9+ for mlkem768x25519-sha256.
Host *
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
RekeyLimit 1G 1h