
If you like WireGuard's security, you can emulate it in your sshd_config:

    Ciphers chacha20-poly1305@openssh.com
    KexAlgorithms curve25519-sha256@libssh.org
    MACs hmac-sha2-512-etm@openssh.com

The MAC is irrelevant, as that function is built into the AEAD ciphers, which are to be preferred (the alternate is AES-GCM).

This will shut off a lot of legacy SSH clients. Android ConnectBot specifically needs the AES cipher; adding it causes problems for PuTTY.

Otherwise, this is the classic "best practice" site for SSH:

https://stribika.github.io/2015/01/04/secure-secure-shell.ht...



Exactly my finding too!

Except certain versions of the macOS (and Windows) ssh client would also be unable to connect.


I don't know about macOS, but Microsoft's native OpenSSH supports this configuration.

    C:\>ssh -vv me@myDJBserver.myco.com
    OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
    ...
    debug2: KEX algorithms: curve25519-sha256@libssh.org
    ...
    debug2: ciphers ctos: chacha20-poly1305@openssh.com
    debug2: ciphers stoc: chacha20-poly1305@openssh.com
    ...
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    ...
    $

Above you can also see that the MAC is implicit with the chosen AEAD cipher.
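
Added example (not part of the thread or any poster's code): a Python check that reads `ssh -vv` output in the `debug1: kex:` format shown above and confirms that both directions negotiated the allowed AEAD cipher with an implicit MAC. The function names and the second sample (a legacy negotiation) are constructed for illustration.

```python
import re

# OpenSSH AEAD ciphers: integrity is built in, so the MAC shows as <implicit>.
AEAD_CIPHERS = {"chacha20-poly1305@openssh.com",
                "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}

KEX_LINE = re.compile(
    r"debug1: kex: (?P<dir>server->client|client->server) "
    r"cipher: (?P<cipher>\S+) MAC: (?P<mac>\S+) compression: \S+")

# First sample mirrors the lines quoted in the thread; second is constructed.
SAMPLE_AEAD = """\
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
"""
SAMPLE_LEGACY = """\
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
"""

def negotiated(debug_output):
    """Return {direction: (cipher, mac)} parsed from `ssh -vv` debug text."""
    result = {}
    for line in debug_output.splitlines():
        m = KEX_LINE.search(line)
        if m:
            result[m["dir"]] = (m["cipher"], m["mac"])
    return result

def audit(debug_output, allowed=frozenset({"chacha20-poly1305@openssh.com"})):
    """List policy problems; an empty list means both directions comply."""
    found = negotiated(debug_output)
    problems = []
    for direction in ("server->client", "client->server"):
        if direction not in found:
            problems.append(f"{direction}: no kex line found")
            continue
        cipher, mac = found[direction]
        if cipher not in allowed:
            problems.append(f"{direction}: cipher {cipher} not in allowed set")
        if (cipher in AEAD_CIPHERS) != (mac == "<implicit>"):
            problems.append(f"{direction}: unexpected MAC {mac} for {cipher}")
    return problems

if __name__ == "__main__":
    for name, text in (("aead", SAMPLE_AEAD), ("legacy", SAMPLE_LEGACY)):
        print(name, audit(text) or "OK")
```

Feed it the captured stderr of `ssh -vv` against the server being checked; older OpenSSH releases print the `kex:` lines in a different layout that this pattern does not match.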


You can brew install openssh on macOS.



