vaultsovereign/vm-skills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vm-skills/node-hardening/references/ssh_cipher_recommendations.md
Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection 
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

116 lines
3.5 KiB
Markdown
Raw Permalink Blame History

# SSH Cipher Recommendations
## Overview
This document explains the SSH cipher, MAC, and key exchange algorithm choices used in the node-hardening skill's sshd_config template.
## Current Recommendations (2024)
### Ciphers (Encryption)
| Cipher | Recommendation | Notes |
|--------|----------------|-------|
| chacha20-poly1305@openssh.com | **Recommended** | Modern, fast, constant-time |
| aes256-gcm@openssh.com | **Recommended** | Strong, hardware-accelerated |
| aes128-gcm@openssh.com | **Acceptable** | Fast, hardware-accelerated |
| aes256-ctr | Acceptable | Legacy compatibility |
| aes128-ctr | Acceptable | Legacy compatibility |
| 3des-cbc | **Avoid** | Deprecated, slow |
| arcfour | **Avoid** | Broken |
### MACs (Message Authentication)
| MAC | Recommendation | Notes |
|-----|----------------|-------|
| hmac-sha2-512-etm@openssh.com | **Recommended** | Encrypt-then-MAC, strongest |
| hmac-sha2-256-etm@openssh.com | **Recommended** | Encrypt-then-MAC |
| umac-128-etm@openssh.com | Acceptable | Fast, Encrypt-then-MAC |
| hmac-sha2-512 | Acceptable | No ETM |
| hmac-sha2-256 | Acceptable | No ETM |
| hmac-sha1 | **Avoid** | Deprecated |
| hmac-md5 | **Avoid** | Broken |
### Key Exchange (KEX)
| KEX Algorithm | Recommendation | Notes |
|---------------|----------------|-------|
| curve25519-sha256 | **Recommended** | Modern, safe curve |
| curve25519-sha256@libssh.org | **Recommended** | Same, legacy name |
| diffie-hellman-group16-sha512 | Acceptable | 4096-bit DH |
| diffie-hellman-group18-sha512 | Acceptable | 8192-bit DH |
| diffie-hellman-group14-sha256 | Acceptable | 2048-bit DH |
| diffie-hellman-group1-sha1 | **Avoid** | Weak, deprecated |
| diffie-hellman-group-exchange-sha1 | **Avoid** | SHA1 deprecated |
### Host Key Algorithms
| Algorithm | Recommendation | Notes |
|-----------|----------------|-------|
| ssh-ed25519 | **Recommended** | Modern, compact |
| rsa-sha2-512 | **Recommended** | RSA with SHA2 |
| rsa-sha2-256 | **Recommended** | RSA with SHA2 |
| ecdsa-sha2-nistp256 | Acceptable | NIST curve concerns |
| ssh-rsa | **Avoid** | SHA1 deprecated |
| ssh-dss | **Avoid** | Weak |
## Template Configuration
The sshd_config template uses:
```
# Strong ciphers only
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
# Encrypt-then-MAC only
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Modern key exchange
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Preferred host key algorithms
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
```
## Compatibility Notes
### Minimum Client Versions
These settings require:
- OpenSSH 7.3+ (released 2016)
- PuTTY 0.68+ (released 2017)
### Legacy Client Support
If you need to support older clients, add fallback options:
```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
```
## Testing Configuration
After applying changes, test with:
```bash
# Check server offerings
ssh -Q cipher
ssh -Q mac
ssh -Q kex
# Test connection with verbose output
ssh -vvv user@server
# Audit with ssh-audit (recommended)
pip install ssh-audit
ssh-audit localhost
```
## References
- [Mozilla SSH Guidelines](https://infosec.mozilla.org/guidelines/openssh)
- [ssh-audit](https://github.com/jtesta/ssh-audit)
- [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
- [OpenSSH Manual](https://man.openbsd.org/sshd_config)
Reference in New Issue View Git Blame Copy Permalink