From be49079efa54e90e34e244af8336be00bc48ff3c Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Fri, 17 Apr 2026 10:54:15 +0100 Subject: refactor: fully modernize SSH config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove all explicit HostKeyAlgorithms, KexAlgorithms, and Ciphers lists. OpenSSH 9.x+ has excellent defaults: Ed25519 preferred, ssh-rsa disabled, strong cipher and kex ordering out of the box. Explicit lists become a liability — they prevent picking up improved defaults on upgrade. --- home/.ssh/config | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/home/.ssh/config b/home/.ssh/config index a2e75b3..1671625 100644 --- a/home/.ssh/config +++ b/home/.ssh/config @@ -1,10 +1,5 @@ -# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. +# Ensure KnownHosts are unreadable if leaked HashKnownHosts yes -# Host keys the client accepts - order here is honored by OpenSSH -HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 - -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Compression no ControlMaster auto -- cgit v1.2.3-70-g09d2
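Review bot: the removal of the `HostKeyAlgorithms`, `KexAlgorithms` and `Ciphers` lines is only safe on the OpenSSH 9.x+ clients the commit message names, and nothing in `home/.ssh/config` records that requirement. If this file is ever deployed to a machine with an older client, that client silently falls back to its own, weaker defaults. Please add a comment near the top stating the minimum client version this config assumes, and check the effective algorithm lists with `ssh -G <host>` on each machine that uses the file. Separately, the shortened comment above `HashKnownHosts yes` drops the rationale that a leaked file otherwise reveals which hosts the keys can reach. That clause was the useful part, so consider keeping it.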