From 61fa3c3464ca6d200f5766729266f65fab83e0f0 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 31 May 2017 09:38:00 +0200 Subject: [PATCH] update SSH Ciphers for Debian Stretch MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit blowfish, 3des and arcfour are not enabled by default on the server side anyway. on most hardware, AES is about 3 times faster than Chacha20 because of hardware accelerated AES, hence the changed order of preference compared to the default. Signed-off-by: Fabian Grünbichler --- data/PVE/Cluster.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm index c845298..600e664 100644 --- a/data/PVE/Cluster.pm +++ b/data/PVE/Cluster.pm @@ -1141,8 +1141,9 @@ sub setup_rootsshconfig { if (! -f $rootsshconfig) { mkdir '/root/.ssh'; if (my $fh = IO::File->new($rootsshconfig, O_CREAT|O_WRONLY|O_EXCL, 0640)) { - # this is the default ciphers list from debian openssl0.9.8 except blowfish is added as prefered - print $fh "Ciphers blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc\n"; + # this is the default ciphers list from Debian's OpenSSH package (OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2k 26 Jan 2017) + # changed order to put AES before Chacha20 (most hardware has AESNI) + print $fh "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com\n"; close($fh); } } -- 2.39.2