On Thu, 7 Apr 2022 at 09:11, Damien Miller <djm at mindrot.org>
wrote:> On Wed, 6 Apr 2022, Keine Eile wrote:
> > Hi list members,
> >
> > is there a best practice setting Ciphers, GSSAPIKexAlgorithms,
KexAlgorithms,
> > HostKeyAlgorithms, PubkeyAcceptedKeyTypes and CASignatureAlgorithms in
one
> > shot in a secure manner? If this would look pretty, like this
'modern' styles
> > you get from https://ssl-config.mozilla.org/, this would be the cherry
on top.
>
> If you run a current release of OpenSSH then you get secure defaults :)
And if for some reason that's not feasible, the defaults which are
documented in the current man pages
(https://man.openbsd.org/ssh_config,
https://man.openbsd.org/sshd_config) represent the developers' current
opinion of best practice, so you could use the intersection of those
and what you version supports.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.