Dado que los algoritmos están en un estado de flujo, encuentro que estoy usando una herramienta ssh-audit (disponible en Github ) para ser extremadamente útil.
A continuación se muestra un ejemplo de salida de una configuración SSH actual pero segura:
# general
(gen) banner: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
(gen) software: OpenSSH 6.7p1
(gen) compatibility: OpenSSH 6.5+, Dropbear SSH 2013.62+
(gen) compression: enabled ([email protected])
# key exchange algorithms
(kex) [email protected] -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
'- [info] available since OpenSSH 4.4
# host-key algorithms
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
(key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
# encryption algorithms (ciphers)
(enc) [email protected] -- [info] available since OpenSSH 6.5
'- [info] default cipher since OpenSSH 6.9.
(enc) [email protected] -- [info] available since OpenSSH 6.2
(enc) [email protected] -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
'- [warn] using weak hashing algorithm
'- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
# algorithm recommendations (for OpenSSH 6.7)
(rec) -hmac-sha1 -- mac algorithm to remove
Configuración utilizada para /etc/ssh/sshd_config
:
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
# Following MACs does not work on Mac OSX 10.10 or older
MACs [email protected],[email protected],[email protected],hmac-sha1
Configuración utilizada para /etc/ssh/ssh_config
:
HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
MACs [email protected],[email protected],[email protected],hmac-sha1
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr