From f63c9457acf7118952f1550c36ad6ac5684ef2bb Mon Sep 17 00:00:00 2001 From: Mathieu Simon Date: Mon, 4 Sep 2023 17:23:49 +0200 Subject: [PATCH] Added sntrup761x25519-sha512@openssh.com as KEX since it is recommended by ssh-audit now. --- OPNsense-20.7-and-newer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OPNsense-20.7-and-newer.md b/OPNsense-20.7-and-newer.md index eab0e6e..0fb3dee 100644 --- a/OPNsense-20.7-and-newer.md +++ b/OPNsense-20.7-and-newer.md @@ -42,7 +42,7 @@ To find out what algorithms your `ssh` client supports, you can run these comman A good starting point is to select the following options for maximum compatibility with the probability that your client won't use the strongest/fastest option. As the algorithms may differ in computation speed or in the provided level of security, and their applied order in the OPNsense SSH server's config is nondeterministic (limitation of the current UI kit, it can't take into account the order of the selection), what you'd preferably want is to choose the strongest algorithms that are supported on both ends of the connection, otherwise, you won't be able to SSH into OPNsense until you find the middle ground. -- KexAlgorithms: `curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256` +- Key exchange algorithms: `curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,sntrup761x25519-sha512@openssh.com` - Ciphers: `chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr` - MACs: `hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com` - HostKeyAlgorithms: `ssh-ed25519,ssh-ed25519-cert-v01@openssh.com`
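Review bot: the relabel from `KexAlgorithms:` to `Key exchange algorithms:` in this hunk breaks the list's convention, because the unchanged context lines below it still use the sshd_config directive names `Ciphers:`, `MACs:` and `HostKeyAlgorithms:`; either keep `- KexAlgorithms:` so each bullet maps directly onto the keyword an admin would paste into the server config, or rename the other three bullets in the same commit. The added `sntrup761x25519-sha512@openssh.com` entry is fine alongside the existing `curve25519-sha256` and `diffie-hellman-group*` options, since a client that does not offer it will negotiate one of the others, but the paragraph above stresses picking algorithms supported on both ends and warns that OPNsense applies the selection in nondeterministic order, so a one-line note stating which OpenSSH release first offers this hybrid post-quantum exchange, with a pointer to the client-capability check the page describes at the top of the hunk, would keep the "maximum compatibility" framing honest.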