On Thu, 7 Apr 2022 at 09:11, Damien Miller <djm@xxxxxxxxxxx> wrote: > On Wed, 6 Apr 2022, Keine Eile wrote: > > Hi list members, > > > > is there a best practice setting Ciphers, GSSAPIKexAlgorithms, KexAlgorithms, > > HostKeyAlgorithms, PubkeyAcceptedKeyTypes and CASignatureAlgorithms in one > > shot in a secure manner? If this would look pretty, like this 'modern' styles > > you get from https://ssl-config.mozilla.org/, this would be the cherry on top. > > If you run a current release of OpenSSH then you get secure defaults :) And if for some reason that's not feasible, the defaults which are documented in the current man pages (https://man.openbsd.org/ssh_config, https://man.openbsd.org/sshd_config) represent the developers' current opinion of best practice, so you could use the intersection of those and what you version supports. -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
