Add node attributes to override KEX, MAC and cipher values #141
Comments and feedback on this approach, as well as around the default Kex, MAC and cipher choices are welcome - I note that there's a refactor of Kex and Cipher selections going on, plus there may be further discussions to be had on the default lists, so this is a quick hack to allow a complete override of several values.
Original commit message follows:
There's advice available on preferred choices of key exchange, message
At the time of committing, there is a refactor going on to simplify kex
Even in that refactor, hmac-ripemd160 MACs, which have been removed in
Likewise hmac-sha2-256 and hmac-sha2-512 are flagged by ssh-audit as
There is likely to be more complexity and balancing of features/security
@bazbremner Awesome! Thank you for bringing up the discussion. We are very close to merging #134. We should build this PR into two iterations: enabling customization as you showed in this PR, and updating the ciphers for newer versions. For that, let's also double-check https://bettercrypto.org, since we follow their recommendation.
@chris-rock thanks for the comment. Yes, I agree that updating the generated ciphers should be a separate PR, but I thought the additional complexity and discussion that entails is useful background and justification for allowing a blanket override, as provided by my changes.
Assuming the basic premise is OK, what other changes would you like me to make to bring this PR into a mergeable state?