please update policies to match deprecation of Diffie-Hellman
Running ssh-audit without any specific policy recommends dropping DH.
Running it with a policy still requires DH. At the very least, policies should drop diffie-hellman-group-exchange-sha256 and change the order for remaining DH to recommend diffie-hellman-group18-sha512, followed by diffie-hellman-group16-sha512.
Likewise, policies should recommend stronger MACs first.
ssh-audit now gives warnings for all non-post-quantum key exchanges. Moving forward, new hardening guides will disable them entirely. For existing policies, my plan is to leave things as-is.
Fair enough. Btw, I still don't get why curve25519-sha256 is marked with a warning.
On its own, that key exchange does not provide protection against a quantum computer.
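The following checker applies the ordering rules from the opening post (drop diffie-hellman-group-exchange-sha256, list group18 before group16, stronger MACs first) and the point from the maintainer's replies (every non-post-quantum key exchange, curve25519-sha256 included, is only a fallback) to the lists that `sshd -T` prints. It is an added example written for this thread, not ssh-audit's own code, and it does not read ssh-audit policy files. The set of post-quantum hybrid names is taken from what OpenSSH ships; the MAC ranking (encrypt-then-MAC ahead of encrypt-and-MAC, then longer digests first) is this example's reading of "stronger first"; and the two `sshd -T` dumps are constructed, not captured from a real host.

```python
"""Ordering check for the `sshd -T` kex and MAC lists, written as an added
example for this thread; it is not ssh-audit's code and does not read
ssh-audit policy files.  Input is the `sshd -T` dump format: one lowercase
keyword, a space, then a comma-separated list."""

# Key exchange the thread asks policies to drop.
DROP_KEX = {"diffie-hellman-group-exchange-sha256"}

# Post-quantum hybrid kex names OpenSSH ships (sntrup761 since 8.5,
# ML-KEM since 9.9).  Anything not in this set is treated as classical.
PQ_KEX = {"sntrup761x25519-sha512@openssh.com", "mlkem768x25519-sha256"}

# Relative order wanted for the finite-field DH groups that remain.
DH_ORDER = ("diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512")


def parse_sshd_t(dump: str) -> dict[str, list[str]]:
    """Map each `sshd -T` keyword to its list of values."""
    parsed: dict[str, list[str]] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        parsed[key] = value.split(",") if value else []
    return parsed


def check_kex(kex: list[str]) -> list[str]:
    """Findings for the KexAlgorithms list, in the order the thread raises them."""
    findings = []
    for algo in kex:
        if algo in DROP_KEX:
            findings.append(f"drop {algo}")
    pq_index = [i for i, a in enumerate(kex) if a in PQ_KEX]
    if not pq_index:
        findings.append("no post-quantum key exchange offered")
    else:
        # Every classical kex (curve25519-sha256 included) is only a
        # fallback; it must not be listed before the PQ hybrids.
        for algo in kex[: min(pq_index)]:
            findings.append(f"move {algo} after the post-quantum hybrids")
    pos = {a: i for i, a in enumerate(kex)}
    stronger, weaker = DH_ORDER
    if stronger in pos and weaker in pos and pos[weaker] < pos[stronger]:
        findings.append(f"list {stronger} before {weaker}")
    return findings


def mac_rank(mac: str) -> tuple[int, int]:
    """Lower sorts first.  This example's reading of "stronger first":
    encrypt-then-MAC ahead of encrypt-and-MAC, then longer digests first."""
    etm = 0 if mac.endswith("-etm@openssh.com") else 1
    if "sha2-512" in mac:
        digest = 0
    elif "sha2-256" in mac:
        digest = 1
    else:
        digest = 2
    return (etm, digest)


def check_macs(macs: list[str]) -> list[str]:
    """Flag each adjacent pair where a weaker MAC precedes a stronger one."""
    findings = []
    for first, second in zip(macs, macs[1:]):
        if mac_rank(first) > mac_rank(second):
            findings.append(f"move {second} ahead of {first}")
    return findings


def audit(dump: str) -> dict[str, list[str]]:
    """Run both checks over one `sshd -T` dump."""
    parsed = parse_sshd_t(dump)
    return {
        "kex": check_kex(parsed.get("kexalgorithms", [])),
        "macs": check_macs(parsed.get("macs", [])),
    }


# Constructed samples for this example, not captured from a real host.
WEAK_DUMP = """\
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
macs hmac-sha2-256,hmac-sha2-512-etm@openssh.com
"""

HARDENED_DUMP = """\
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit(dump))
```

On a real host, feed it `sshd -T` output (run as root so sshd can read its host keys); an empty findings list for both keys means the effective configuration already matches the ordering discussed above, while the weak sample shows all three kex findings and the MAC swap at once.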