OpenSSH: Current Cipher Suites for the Configuration
From time to time, the cipher suites, i.e. the encryption algorithms that an OpenSSH server offers, should be brought up to date. Here is my current configuration for a server on Debian GNU/Linux (Stretch), in /etc/ssh/sshd_config:
    ## Ciphers (Sep 2019)

    # Key exchange algorithms
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

    # Host-key algorithms
    HostKeyAlgorithms ssh-ed25519,ssh-rsa

    # Encryption algorithms (ciphers)
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

    # Message authentication code (MAC) algorithms
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
You can check which cipher suites your OpenSSH server currently offers with nmap:
    nmap -p22 -n -sV --script ssh2-enum-algos IP-Address
ssh-audit is also suitable:
    # general
    (gen) banner: SSH-2.0-OpenSSH_7.4p1
    (gen) software: OpenSSH 7.4p1
    (gen) compatibility: OpenSSH 6.5+, Dropbear SSH 2013.62+
    (gen) compression: enabled (zlib@openssh.com)

    # key exchange algorithms
    (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    (kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4

    # host-key algorithms
    (key) ssh-rsa (4096-bit) -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
    (key) rsa-sha2-512 (4096-bit) -- [info] available since OpenSSH 7.2
    (key) rsa-sha2-256 (4096-bit) -- [info] available since OpenSSH 7.2
    (key) ssh-ed25519 -- [info] available since OpenSSH 6.5

    # encryption algorithms (ciphers)
    (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5
                                        `- [info] default cipher since OpenSSH 6.9.
    (enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
    (enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2

    # message authentication code algorithms
    (mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
    (mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2

    # fingerprints
    (fin) ssh-ed25519: SHA256:+1OShEIUfyQz3k0WNfrUDSLuZ46X1V331UNcQHOg0yA
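A local counterpart to the remote scans above, as an added example that is not part of the original post: the function compares the four algorithm lists in the effective configuration printed by `sshd -T` against the allowlist from the sshd_config shown earlier and reports anything else. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads "keyword value" lines as printed by `sshd -T` on stdin and
# prints every offered algorithm that is not in the allowlist from this page.
# Exit status: 0 = only allowlisted algorithms, 1 = deviations, 2 = keyword missing.
audit_sshd_algos() {
    awk '
    BEGIN {
        allow["kexalgorithms"] = "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
        allow["hostkeyalgorithms"] = "ssh-ed25519,ssh-rsa"
        allow["ciphers"] = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"
        allow["macs"] = "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
        for (k in allow) {
            n = split(allow[k], a, ",")
            for (i = 1; i <= n; i++) ok[k, a[i]] = 1
        }
    }
    {
        key = tolower($1)
        if (!(key in allow)) next          # ignore unrelated keywords
        seen[key] = 1
        n = split($2, offered, ",")
        for (i = 1; i <= n; i++)
            if (!((key, offered[i]) in ok)) { print key ": " offered[i]; bad = 1 }
    }
    END {
        for (k in allow)
            if (!(k in seen)) { print k ": not present in input"; missing = 1 }
        exit (missing ? 2 : (bad ? 1 : 0))
    }'
}

# Constructed sample: effective configuration of a host that drifted.
sample_drifted() {
    cat <<'EOF'
port 22
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-ed25519,ssh-rsa
ciphers chacha20-poly1305@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
EOF
}

# Demo on the constructed sample; on a real host: sshd -T | audit_sshd_algos
sample_drifted | audit_sshd_algos || echo "exit status: $?"
```

On a real server, run `sshd -T | audit_sshd_algos` as root after each package upgrade or configuration change; a non-zero exit status makes it usable in a cron job or CI check.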