Last active
August 29, 2015 14:12
-
-
Save edef1c/f79988933598b83fae4a to your computer and use it in GitHub Desktop.
Sane security defaults for SSH clients. Disables everything old and nasty.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # vim: ft=sshconfig | |
| # Sane security defaults for SSH clients. Disables everything old and nasty. | |
| # Unfortunately, SSH appears to provide no way to *exclude* old protocols, | |
| # so we have a list of known-secure key exchange algorithms, symmetric ciphers, | |
| # and message authentication codes. | |
| # Config taken from [https://stribika.github.io/2015/01/04/secure-secure-shell.html] | |
| Host * | |
| KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com | |
| # Unfortunately, Github supports neither authenticated encryption, | |
| # nor encrypt-then-MAC. | |
| Host github.com | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It's just the bits of client config spread throughout the blog post, collected into one handy config file.