Use hardened defaults for SSH connections
This commit is contained in:
parent
340b20f39e
commit
87c66ec157
GPG key ID:
34FDC68B51191A4D
2 changed files with 15 additions and 0 deletions
1
.ssh/config
Normal file
1
.ssh/config
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Include ~/.ssh/config.d/*.conf
|
||||||
14
.ssh/config.d/90-hardened-security.conf
Normal file
14
.ssh/config.d/90-hardened-security.conf
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
# SSH client algorithm hardening.
|
||||||
|
#
|
||||||
|
# Require PQ-hybrid KEX, AEAD ciphers, Ed25519 keys.
|
||||||
|
# Applied to all outgoing SSH connections from this machine.
|
||||||
|
#
|
||||||
|
# Requires OpenSSH 9.9+ for mlkem768x25519-sha256.
|
||||||
|
|
||||||
|
Host *
|
||||||
|
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com
|
||||||
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
|
||||||
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||||
|
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
|
||||||
|
PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
|
||||||
|
RekeyLimit 1G 1h
|
||||||
Loading…
Add table
Add a link
Reference in a new issue