SSH security.

- Replace the RSA key for GitHub with an ed25519 one. - Refactor the security configuration in 99_default. Make them easier to maintain by sepcifying what *not* to use. - In the OpenSSH 8.5 release notes it is mentioned that the ssh-rsa signature scheme will be deperecated. Be proactive and disable it. - Replace the RSA key for *.shore.co.il with a ed25519 one (keep to the ecdsa so as not to just a single key). Keep it for ea6350, Dropbear in OpenWRT 19.07 doesn't support other key types.

SSH security.
64359e2e · nimrod · 7616adf6 · 64359e2e · 64359e2e · 64359e2e
Commit 64359e2e authored 4 years ago by nimrod
--- a/.ssh/config.d/20_github
+++ b/.ssh/config.d/20_github
@@ -4,4 +4,4 @@
 Host github.com
 User git
-IdentityFile ~/Documents/github_rsa
+IdentityFile ~/Documents/github_ed25519
--- a/.ssh/config.d/20_shore
+++ b/.ssh/config.d/20_shore
@@ -9,13 +9,14 @@ Host host01.shore.co.il ns4.shore.co.il
 LocalForward 9090 localhost:9090
 Host ea6350.shore.co.il
+IdentityFile ~/Documents/Shore/shore_rsa
 User root
 LocalForward 8080 localhost:80
 Host git.shore.co.il
+IdentityFile ~/Documents/Shore/gitlab_ed25519
 HostName host01.shore.co.il
 Port 2222
-IdentityFile ~/Documents/Shore/gitlab_ed25519
 Host cgit.shore.co.il
 HostName host01.shore.co.il
@@ -26,5 +27,5 @@ Port 2222
 Host *.shore.co.il 192.168.3.*
 IdentityFile ~/Documents/Shore/shore_ecdsa
-IdentityFile ~/Documents/Shore/shore_rsa
+IdentityFile ~/Documents/Shore/shore_ed25519
 User nimrod
--- a/.ssh/config.d/99_default
+++ b/.ssh/config.d/99_default
 # vim:ft=sshconfig
-# Copied from
+# Based on:
-# https://wiki.mozilla.org/Security/Guidelines/OpenSSH?source=techstories.org#Modern
+# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern
-HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
+# but instead of specifying what to use (more maintenance especially with
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+# different OSes and releases), specify what not to use. The baseline is
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+# ElementaryOS Hera, aka Ubuntu Bionic.
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+# http://manpages.ubuntu.com/manpages/bionic/en/man5/ssh_config.5.html
+Ciphers -aes128-cbc,aes192-cbc,aes256-cbc
+HostbasedKeyTypes -ssh-rsa,ssh-rsa-cert-v01@openssh.com
+HostKeyAlgorithms -ssh-rsa,ssh-rsa-cert-v01@openssh.com
+KexAlgorithms -diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
+MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1
+PubkeyAcceptedKeyTypes -ssh-rsa-cert-v01@openssh.com,ssh-rsa