Last active
September 27, 2024 11:02
-
-
Save edef1c/f79988933598b83fae4a to your computer and use it in GitHub Desktop.
Sane security defaults for SSH clients. Disables everything old and nasty.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # vim: ft=sshconfig | |
| # Sane security defaults for SSH clients. Disables everything old and nasty. | |
| # Unfortunately, SSH appears to provide no way to *exclude* old protocols, | |
| # so we have a list of known-secure key exchange algorithms, symmetric ciphers, | |
| # and message authentication codes. | |
| # Config taken from [https://stribika.github.io/2015/01/04/secure-secure-shell.html] | |
| Host * | |
| KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256 | |
| Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr | |
| MACs [email protected],[email protected] | |
| # Unfortunately, Github supports neither authenticated encryption, | |
| # nor encrypt-then-MAC. | |
| Host github.com | |
| MACs [email protected],[email protected],hmac-sha2-512 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It's just the bits of client config spread throughout the blog post, collected into one handy config file.