We also wish to prefer AES over Chacha/Poly, given the
prevalence of hardware accelaration for the former.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This makes sure OpenSSH connections make use of this post-quantum
key exchange whenever possible, even if one peer still running
OpenSSH 9.8 or older.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This was newly introduced in OpenSSH 9.9, hence our custom
configurations for both SSH server and client need to be updated.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This algorithm was introduced in OpenSSH 9.0p1; also, align the
curve25519-sha256* key exchanges to keep things tidy.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Introduce a custom OpenSSH client configuration file for IPFire.
Some people use it as a jumping host, so applying hardening options
system-wide improves security.
Cryptography setup is the same as for OpenSSH server configuration.
The second version of this patch re-adds some non-AEAD cipher suites
which are needed for connecting to older RHEL systems.
Partially fixes#11751
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
