| field | value |
|---|---|
| author | 2026-04-17 10:54:15 +0100 |
| committer | 2026-04-17 10:54:15 +0100 |
| commit | be49079efa54e90e34e244af8336be00bc48ff3c (patch) |
| tree | cab4df1ef9a8bebd3dfb80af1448d5ea2e5731c3 |
| parent | daa9dc343a409f613312a32f28ecd839e0a3dcb8 (diff) |
refactor: fully modernize SSH config
Remove all explicit HostKeyAlgorithms, KexAlgorithms, and Ciphers lists.
OpenSSH 9.x+ has excellent defaults: Ed25519 preferred, ssh-rsa disabled,
strong cipher and kex ordering out of the box. Explicit lists become a
liability — they prevent picking up improved defaults on upgrade.
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | home/.ssh/config | 7 |

1 file changed, 1 insertion, 6 deletions
diff --git a/home/.ssh/config b/home/.ssh/config index a2e75b3..1671625 100644 --- a/home/.ssh/config +++ b/home/.ssh/config @@ -1,10 +1,5 @@ -# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. +# Ensure KnownHosts are unreadable if leaked HashKnownHosts yes -# Host keys the client accepts - order here is honored by OpenSSH -HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 - -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Compression no ControlMaster auto |
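Review bot: removing the `HostKeyAlgorithms`, `KexAlgorithms` and `Ciphers` lines makes the hardening depend entirely on the client's OpenSSH version, but nothing left in the file records that requirement, and a dotfiles repo is typically checked out on older distribution releases as well. On such a client the removed ordering is silently lost and that version's stock defaults apply (ssh-rsa with SHA-1 signatures, for instance, was only disabled by default in OpenSSH 8.8). Suggest keeping a one-line comment stating the minimum version the config now relies on, e.g. `# Algorithm selection relies on OpenSSH >= 9 defaults`, and, if older hosts must stay supported, an `Include` of a legacy fragment for them rather than re-adding the lists globally. Separately, the `HashKnownHosts` comment is trimmed to `# Ensure KnownHosts are unreadable if leaked`, which drops the rationale the old comment carried ("it is otherwise easier to know which hosts your keys have access to"); a short form such as `# Hash known_hosts so a leaked file does not list reachable hosts` keeps the why without the long line.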
