From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 3/3] SSH client configuration: Prefer server host keys in different order Date: Wed, 12 Sep 2018 19:50:45 +0200 Message-ID: <20180912175045.7636-3-peter.mueller@link38.eu> In-Reply-To: <20180912175045.7636-1-peter.mueller@link38.eu> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4899818119092557861==" List-Id: --===============4899818119092557861== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable SSH clients can set a preference for server host keys. To achive best security and performance, ED25519 is preferred over ECDSA (also secure, but a bit bigger and some of them use ECC curves from non-trustworthy sources) which is preferred over RSA. Since ED25519 keys are smaller and need less CPU time on both client and server, this also achives a better performance. Signed-off-by: Peter M=C3=BCller --- config/ssh/ssh_config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 9f7121c76..462f2f1a0 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -36,4 +36,7 @@ Host * # hash entries in ~/.ssh/known_hosts file to avoid permission disclosure HashKnownHosts yes =20 + # prefer server host keys in different order (ED25519, ECDSA, RSA) + HostKeyAlgorithms ssh-ed25519-cert-v01(a)openssh.com,ssh-ed25519,ecdsa-sha2= -nistp256-cert-v01(a)openssh.com,ecdsa-sha2-nistp384-cert-v01(a)openssh.com,e= cdsa-sha2-nistp521-cert-v01(a)openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nist= p384,ecdsa-sha2-nistp521,rsa-sha2-512-cert-v01(a)openssh.com,rsa-sha2-256-cer= t-v01(a)openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa-cert-v01(a)openssh.com,= ssh-rsa + # EOF --=20 2.16.4 --===============4899818119092557861==--