configs/sshd_config: use secure crypto algos only#36
Merged
sayanchowdhury merged 1 commit intoflatcar-masterfrom Mar 2, 2021
Merged
configs/sshd_config: use secure crypto algos only#36sayanchowdhury merged 1 commit intoflatcar-masterfrom
sayanchowdhury merged 1 commit intoflatcar-masterfrom
Conversation
Limit ciphers used by the SSH service to "known secure" only:
- Limit Ciphers to chacha20-poly1305@openssh.com
aes128-ctr,aes192-ctr
aes256-ctr,aes128-gcm@openssh.com
aes256-gcm@openssh.com
- Limit Message Authentication Codes to hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha2-256,hmac-sha2-512
umac-128-etm@openssh.com
umac-128@openssh.com
- Limit Key Exchange Algorithms to curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
Member
|
there is some degree of awareness that there could be users carrying around old ssh keys. It's worth communicating to particularly test on the Alpha and Beta channels. |
Member
Author
|
I don't think keys are affected at all (since we don't force pubkey ciphers), but some ancient ssh clients might break. I've left a note in the coreos-base PR; we'll line this out in our release notes. |
jepio
pushed a commit
that referenced
this pull request
Feb 21, 2022
update-bootengine: fix containerised builds
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Limit ciphers used by the SSH service to "known secure" only:
Limit Ciphers to chacha20-poly1305@openssh.com
aes128-ctr,aes192-ctr
aes256-ctr,aes128-gcm@openssh.com
aes256-gcm@openssh.com
Limit Message Authentication Codes to hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha2-256,hmac-sha2-512
umac-128-etm@openssh.com
umac-128@openssh.com
Limit Key Exchange Algorithms to curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256