From 54abdb2740c2cdba3d8309380ee87c9bb871a058 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Tue, 15 Dec 2020 16:35:43 -0500
Subject: [PATCH] Use ditribution-default host key algorithms

ECDSA will be used by defaut for the client to authenticate the host. Tor Onion Services will also provide another layer of authentication, when using ssh over Tor.
---
 .../roles/restrict-direct-access/templates/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
index c4904c27fd..01822a00fe 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
+++ b/install_files/ansible-base/roles/restrict-direct-access/templates/sshd_config
@@ -2,6 +2,7 @@ Port 22
 ListenAddress {{ ssh_listening_address }}:22
 Protocol 2
 HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Enforce privilege separation by creating unprivileged child process
@@ -39,7 +40,6 @@ UseDNS no
 # Cipher selection
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
-HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
 # Don't use SHA1 for kex
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 # Don't use SHA1 for hashing, don't use encrypt-and-MAC mode
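Review bot: The added `HostKey /etc/ssh/ssh_host_ecdsa_key` line assumes the key file exists on the target, and sshd only logs a warning and skips a missing host key file, so if the role's key-generation step (not visible in this patch) does not produce an ECDSA key this line silently has no effect and the client-side behaviour the commit message promises never materialises. Consider having the role run `ssh-keygen -A` (or at least validate with `sshd -t`) before restarting sshd, and adding a comment above the new line such as `# ECDSA (NIST P-256) key offered alongside ed25519 so clients on distribution-default HostKeyAlgorithms negotiate it; ed25519 kept for clients that already pinned it`. Note also that once the explicit `HostKeyAlgorithms` allowlist is dropped in the following hunk, the server falls back to OpenSSH's default signature list, which on releases before 8.8 appears to still include the SHA-1 `ssh-rsa` signature for the RSA key this template keeps configured; if that is not intended, extending the previous allowlist, e.g. `HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256,rsa-sha2-512`, achieves the ECDSA goal without re-enabling SHA-1 host signatures.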