* [PATCH 1/3] OpenSSH: Prefer AES-GCM ciphers over AES-CTR
@ 2025-09-28 21:05 Peter Müller
2025-09-28 21:06 ` [PATCH 2/3] OpenSSH: Amend upstream default cipher changes Peter Müller
0 siblings, 1 reply; 3+ messages in thread
From: Peter Müller @ 2025-09-28 21:05 UTC (permalink / raw)
To: IPFire: Development
This reflects the following change made upstream in OpenSSH 9.9:
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
However, we keep preferring AES-GCM over Chacha/Poly, as hardware
acceleration often grants the former a better performance, while there
is no security advance of Chacha/Poly usage over 256 bit AES-GCM.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/ssh/ssh_config | 2 +-
config/ssh/sshd_config | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index d5f63f315..a248001ff 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -10,7 +10,7 @@ Host *
# Only use secure crypto algorithms
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
- Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+ Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Always visualise server host keys (helps to identify key based MITM attacks)
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index 7b687457c..25e5b1838 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -21,7 +21,7 @@ MaxStartups 5
# Only allow safe crypto algorithms
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Only allow cryptographically safe SSH host keys (adjust paths if needed)
--
2.51.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 2/3] OpenSSH: Amend upstream default cipher changes
2025-09-28 21:05 [PATCH 1/3] OpenSSH: Prefer AES-GCM ciphers over AES-CTR Peter Müller
@ 2025-09-28 21:06 ` Peter Müller
2025-09-28 21:06 ` [PATCH 3/3] ssh_config: Fix indentation mangled by Vim Peter Müller
0 siblings, 1 reply; 3+ messages in thread
From: Peter Müller @ 2025-09-28 21:06 UTC (permalink / raw)
To: IPFire: Development
This patch implements the following change made to OpenSSH server
upstream in version 10.0:
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the default
key exchange in OpenSSH for the last 14 years.
In addition, for both OpenSSH server and client, the following upstream
change made in version 9.9 is implemented:
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/ssh/ssh_config | 2 +-
config/ssh/sshd_config | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index a248001ff..2fc62e116 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -9,7 +9,7 @@ Host *
UseRoaming no
# Only use secure crypto algorithms
- KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
index 25e5b1838..3e25e74e8 100644
--- a/config/ssh/sshd_config
+++ b/config/ssh/sshd_config
@@ -20,7 +20,7 @@ LoginGraceTime 30s
MaxStartups 5
# Only allow safe crypto algorithms
-KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
--
2.51.0
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 3/3] ssh_config: Fix indentation mangled by Vim
2025-09-28 21:06 ` [PATCH 2/3] OpenSSH: Amend upstream default cipher changes Peter Müller
@ 2025-09-28 21:06 ` Peter Müller
0 siblings, 0 replies; 3+ messages in thread
From: Peter Müller @ 2025-09-28 21:06 UTC (permalink / raw)
To: IPFire: Development
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/ssh/ssh_config | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index 2fc62e116..66cb0c2cc 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -5,30 +5,30 @@
# Set some basic hardening options for all connections
Host *
- # Disable undocumented roaming feature as it is known to be vulnerable
- UseRoaming no
+ # Disable undocumented roaming feature as it is known to be vulnerable
+ UseRoaming no
- # Only use secure crypto algorithms
- KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
- Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+ # Only use secure crypto algorithms
+ KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
- # Always visualise server host keys (helps to identify key based MITM attacks)
- VisualHostKey yes
+ # Always visualise server host keys (helps to identify key based MITM attacks)
+ VisualHostKey yes
- # Use SSHFP (might work on some up-to-date networks) to look up host keys
- VerifyHostKeyDNS yes
+ # Use SSHFP (might work on some up-to-date networks) to look up host keys
+ VerifyHostKeyDNS yes
- # Send SSH-based keep alive messages to connected server to avoid broken connections
- ServerAliveInterval 10
- ServerAliveCountMax 30
+ # Send SSH-based keep alive messages to connected server to avoid broken connections
+ ServerAliveInterval 10
+ ServerAliveCountMax 30
# Disable TCP keep alive messages since they can be spoofed and we have SSH-based
# keep alive messages enabled; there is no need to do things twice here
TCPKeepAlive no
- # Ensure only allowed authentication methods are used
- PreferredAuthentications publickey,keyboard-interactive,password
+ # Ensure only allowed authentication methods are used
+ PreferredAuthentications publickey,keyboard-interactive,password
# Prevent information leak by hashing ~/.ssh/known_hosts
HashKnownHosts yes
--
2.51.0
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-09-28 21:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-09-28 21:05 [PATCH 1/3] OpenSSH: Prefer AES-GCM ciphers over AES-CTR Peter Müller
2025-09-28 21:06 ` [PATCH 2/3] OpenSSH: Amend upstream default cipher changes Peter Müller
2025-09-28 21:06 ` [PATCH 3/3] ssh_config: Fix indentation mangled by Vim Peter Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox