From 1cbd2703457a7a145533cfc2ca8bb140859da524 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Fri, 17 Apr 2026 10:54:13 +0100 Subject: fix: modernize SSH config algorithms - Remove deprecated ssh-rsa and ssh-rsa-cert from HostKeyAlgorithms (SHA-1 based, disabled by default in OpenSSH 8.8+) - Add curve25519-sha256 (standardized name) before @libssh.org variant - Remove commented-out MACs line (dead code) --- home/.ssh/config | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/home/.ssh/config b/home/.ssh/config index baf34ea..a2e75b3 100644 --- a/home/.ssh/config +++ b/home/.ssh/config @@ -1,10 +1,9 @@ # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. HashKnownHosts yes # Host keys the client accepts - order here is honored by OpenSSH -HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 +HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -# MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Compression no -- cgit v1.2.3-70-g09d2