
@jonasbardino (Contributor) commented Jul 4, 2025

Adjusted our SSH algorithm tuning to better fit the ssh-audit hardening recommendations for Rocky 9:
https://www.sshaudit.com/hardening_guides.html#rocky_9
The changes include added modern algos as well as small reordering to balance security and performance.

NOTE: this is a rather untested draft so far and possibly changes default negotiated security parameters. So it should neither be merged before we have verified correctness nor put in production before we have fully evaluated the performance improvements of upgrading paramiko to 3.5.x on our Rocky 9 systems.

@jonasbardino jonasbardino self-assigned this Jul 4, 2025
@jonasbardino jonasbardino added the enhancement New feature or request label Jul 4, 2025
@jonasbardino (Contributor, Author) commented:

We will likely want to further tweak the included key exchange algorithm choice on Rocky 10+ when the new post-quantum algorithm mlkem768x25519-sha256 enters the game through openssh-9.9+, and becomes the new default in openssh-10+.
Rocky 10 already comes with openssh-9.9:
https://rockylinux.pkgs.org/10/rockylinux-baseos-x86_64/openssh-9.9p1-7.el10_0.rocky.0.1.x86_64.rpm.html
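An added example, not code from this pull request, illustrating the two points above: how an SSH peer's preference lists are actually negotiated (so that a reorder on the server side changes what is offered, but the set is what decides), and how a kex list could be gated on the peer's OpenSSH version before `mlkem768x25519-sha256` is put first. The algorithm lists, banners and the `apply_kex` helper are constructed assumptions; they are neither the PR's actual tuning nor the ssh-audit recommendations.

```python
import re

# Constructed sample lists for this example only: neither the PR's actual
# tuning nor the ssh-audit recommendations are reproduced here.
OLD_KEX = ["diffie-hellman-group14-sha256", "curve25519-sha256",
           "diffie-hellman-group16-sha512"]
NEW_KEX = ["curve25519-sha256", "curve25519-sha256@libssh.org",
           "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"]
PQ_KEX = "mlkem768x25519-sha256"  # hybrid post-quantum kex, OpenSSH 9.9+


def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also offers wins. The server's ordering is advisory; its set counts."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None  # no common algorithm: the connection fails at KEXINIT


def openssh_version(banner):
    """Parse an 'SSH-2.0-OpenSSH_9.9p1'-style banner into (major, minor)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def kex_preference(base, peer_banner):
    """Put the post-quantum hybrid first only when the peer banner reports
    OpenSSH >= 9.9; any other peer gets the base list unchanged."""
    ver = openssh_version(peer_banner)
    if ver is not None and ver >= (9, 9):
        return [PQ_KEX] + [a for a in base if a != PQ_KEX]
    return list(base)


def apply_kex(transport, kex):
    """Assumed paramiko API: Transport.get_security_options().kex takes a
    tuple and raises ValueError for names paramiko itself does not implement,
    so a name like PQ_KEX must also be gated on the installed paramiko version,
    not only on the peer's OpenSSH version."""
    opts = transport.get_security_options()
    opts.kex = tuple(kex)
    return opts.kex
```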
