Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Vault Sovereign
115
node-hardening/references/ssh_cipher_recommendations.md
Normal file
115
node-hardening/references/ssh_cipher_recommendations.md
Normal file
@@ -0,0 +1,115 @@
|
||||
# SSH Cipher Recommendations
|
||||
|
||||
## Overview
|
||||
|
||||
This document explains the SSH cipher, MAC, and key exchange algorithm choices used in the node-hardening skill's sshd_config template.
|
||||
|
||||
## Current Recommendations (2024)
|
||||
|
||||
### Ciphers (Encryption)
|
||||
|
||||
| Cipher | Recommendation | Notes |
|
||||
|--------|----------------|-------|
|
||||
| chacha20-poly1305@openssh.com | **Recommended** | Modern, fast, constant-time |
|
||||
| aes256-gcm@openssh.com | **Recommended** | Strong, hardware-accelerated |
|
||||
| aes128-gcm@openssh.com | **Acceptable** | Fast, hardware-accelerated |
|
||||
| aes256-ctr | Acceptable | Legacy compatibility |
|
||||
| aes128-ctr | Acceptable | Legacy compatibility |
|
||||
| 3des-cbc | **Avoid** | Deprecated, slow |
|
||||
| arcfour | **Avoid** | Broken |
|
||||
|
||||
### MACs (Message Authentication)
|
||||
|
||||
| MAC | Recommendation | Notes |
|
||||
|-----|----------------|-------|
|
||||
| hmac-sha2-512-etm@openssh.com | **Recommended** | Encrypt-then-MAC, strongest |
|
||||
| hmac-sha2-256-etm@openssh.com | **Recommended** | Encrypt-then-MAC |
|
||||
| umac-128-etm@openssh.com | Acceptable | Fast, Encrypt-then-MAC |
|
||||
| hmac-sha2-512 | Acceptable | No ETM |
|
||||
| hmac-sha2-256 | Acceptable | No ETM |
|
||||
| hmac-sha1 | **Avoid** | Deprecated |
|
||||
| hmac-md5 | **Avoid** | Broken |
|
||||
|
||||
### Key Exchange (KEX)
|
||||
|
||||
| KEX Algorithm | Recommendation | Notes |
|
||||
|---------------|----------------|-------|
|
||||
| curve25519-sha256 | **Recommended** | Modern, safe curve |
|
||||
| curve25519-sha256@libssh.org | **Recommended** | Same, legacy name |
|
||||
| diffie-hellman-group16-sha512 | Acceptable | 4096-bit DH |
|
||||
| diffie-hellman-group18-sha512 | Acceptable | 8192-bit DH |
|
||||
| diffie-hellman-group14-sha256 | Acceptable | 2048-bit DH |
|
||||
| diffie-hellman-group1-sha1 | **Avoid** | Weak, deprecated |
|
||||
| diffie-hellman-group-exchange-sha1 | **Avoid** | SHA1 deprecated |
|
||||
|
||||
### Host Key Algorithms
|
||||
|
||||
| Algorithm | Recommendation | Notes |
|
||||
|-----------|----------------|-------|
|
||||
| ssh-ed25519 | **Recommended** | Modern, compact |
|
||||
| rsa-sha2-512 | **Recommended** | RSA with SHA2 |
|
||||
| rsa-sha2-256 | **Recommended** | RSA with SHA2 |
|
||||
| ecdsa-sha2-nistp256 | Acceptable | NIST curve concerns |
|
||||
| ssh-rsa | **Avoid** | SHA1 deprecated |
|
||||
| ssh-dss | **Avoid** | Weak |
|
||||
|
||||
## Template Configuration
|
||||
|
||||
The sshd_config template uses:
|
||||
|
||||
```
|
||||
# Strong ciphers only
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
|
||||
|
||||
# Encrypt-then-MAC only
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||
|
||||
# Modern key exchange
|
||||
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
|
||||
|
||||
# Preferred host key algorithms
|
||||
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
|
||||
```
|
||||
|
||||
## Compatibility Notes
|
||||
|
||||
### Minimum Client Versions
|
||||
|
||||
These settings require:
|
||||
- OpenSSH 7.3+ (released 2016)
|
||||
- PuTTY 0.68+ (released 2017)
|
||||
|
||||
### Legacy Client Support
|
||||
|
||||
If you need to support older clients, add fallback options:
|
||||
|
||||
```
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
|
||||
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
|
||||
```
|
||||
|
||||
## Testing Configuration
|
||||
|
||||
After applying changes, test with:
|
||||
|
||||
```bash
|
||||
# Check server offerings
|
||||
ssh -Q cipher
|
||||
ssh -Q mac
|
||||
ssh -Q kex
|
||||
|
||||
# Test connection with verbose output
|
||||
ssh -vvv user@server
|
||||
|
||||
# Audit with ssh-audit (recommended)
|
||||
pip install ssh-audit
|
||||
ssh-audit localhost
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
- [Mozilla SSH Guidelines](https://infosec.mozilla.org/guidelines/openssh)
|
||||
- [ssh-audit](https://github.com/jtesta/ssh-audit)
|
||||
- [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
|
||||
- [OpenSSH Manual](https://man.openbsd.org/sshd_config)
|
||||
Reference in New Issue
Block a user