Sane security defaults for SSH clients. Disables everything old and nasty.
# vim: ft=sshconfig
# Sane security defaults for SSH clients. Disables everything old and nasty.
# Unfortunately, SSH appears to provide no way to *exclude* old protocols,
# so we have a list of known-secure key exchange algorithms, symmetric ciphers,
# and message authentication codes.
# Config taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ssh uses the first value it obtains for each option, so host-specific
# blocks must come before the `Host *` defaults or they never take effect.
# Unfortunately, GitHub supports neither authenticated encryption,
# nor encrypt-then-MAC.
Host github.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512

Host *
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
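
To confirm which algorithms the client will actually offer to a given host, `ssh -G <host>` (OpenSSH 6.8 and later) prints the effective configuration after all `Host` blocks have been resolved. The shell function below is an added example, not part of the gist: it checks that output against the `Host *` lists above. The `sample_ssh_G` input and its `legacy.example` host are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): flag algorithms outside the gist's lists.
# Allowlists are copied from the gist's `Host *` block.
ALLOW_KEX="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
ALLOW_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
ALLOW_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"

# Reads `ssh -G`-style lines on stdin; prints "keyword: algorithm" for every
# algorithm not in the allowlist (or "<not set>" if a keyword is missing)
# and returns 1 if anything was printed.
audit_ssh_algos() {
    awk -v kex="$ALLOW_KEX" -v ciphers="$ALLOW_CIPHERS" -v macs="$ALLOW_MACS" '
        BEGIN {
            allow["kexalgorithms"] = kex
            allow["ciphers"] = ciphers
            allow["macs"] = macs
        }
        {
            key = tolower($1)
            if (!(key in allow)) next
            seen[key] = 1
            n = split($2, offered, ",")
            for (i = 1; i <= n; i++)
                if (index("," allow[key] ",", "," offered[i] ",") == 0) {
                    print key ": " offered[i]
                    bad = 1
                }
        }
        END {
            for (k in allow)
                if (!(k in seen)) { print k ": <not set>"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample in the shape of `ssh -G` output (not captured from a host).
sample_ssh_G() {
    cat <<'EOF'
hostname legacy.example
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
EOF
}

# Demo on the constructed sample. On a real system: ssh -G github.com | audit_ssh_algos
sample_ssh_G | audit_ssh_algos || echo "non-allowlisted algorithms offered" >&2
```

Running it against `github.com` is expected to report `hmac-sha2-512`, since that MAC is the gist's deliberate per-host exception and is not in the `Host *` list.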
edef1c commented Jan 6, 2015

It's just the bits of client config spread throughout the blog post, collected into one handy config file.