Joe Testa

Results: 212 comments by Joe Testa

I know I've been behind in this, but two things I should mention are: 1.) I'll be putting more time into it soon, and 2.) I plan on putting the...

> I will try and update and attempt to squash everything, and again if it turns into a mess - I'll close this one off and create a clean PR...

Merged. Thanks for putting the work into this!

Yep. I'm currently doing behind-the-scenes work in getting a new release completed. I haven't forgotten about this.

> https://www.ssh-audit.com/hardening_guides.html has perplexing recommendations for KexAlgorithms. It includes a bunch of entries there, such as gss-curve25519-sha256-, which sshd_config(5) does not document as being valid for KexAlgorithms, but only for...

@cjwatson : Ok, I suppose switching to a blacklist for Debian makes sense, then. Might you happen to know if Ubuntu also back-ports OpenSSH versions?

The custom policy support would be perfect for this scenario. Considering how few people run their own Gitlab server, it wouldn't make sense for me to support it long-term. (Supporting...

A Gitlab user on, say, Ubuntu 24, could use the Ubuntu 24-specific client hardening guide, which would help them in all outgoing connections (Gitlab included). That said, if anyone from...

ssh-audit now gives warnings for all non-post-quantum key exchanges. Moving forward, new hardening guides will disable them entirely. For existing policies, my plan is to leave things as-is.

On its own, that key exchange does not provide protection against a quantum computer.