Don't manage SSH ciphers on bullseye #151
base: develop
Conversation
Is it erring out somehow?
No, it is not erroring out, but it is also just pinning the current (openssh 7.9) default cipher list and therefore provides no added value. From the
Ideally one would manage acceptable ciphers, as well as MACs and KexAlgorithms, in an sshd_config using Mozilla's recommendations, but that is probably out of scope for this role.
I guess there was another reason - from: https://git.proxmox.com/?p=pve-cluster.git;a=blob;f=data/PVE/Cluster/Setup.pm;h=1f064775af3cc4b2ac12a59d7d8abb7283f4b998;hb=HEAD#l162
I'm not sure if making something that's hardcoded in PVE itself optional has any effect on support (this role is meant to mimic PVE tooling wherever it can't use them directly), but this seems like a relatively harmless thing to change in the first place. I'll wait to see if anyone else has any thoughts.
Pretty sure that we should prefer chacha20-poly1305 these days, in spite of AES-NI support in hardware. I trust the OpenSSH upstream a lot more to make good decisions. I feel we as sysadmins are in a good position to make better choices that don't break any compatibility.
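To make the "pins the defaults, so no added value" point concrete, here is a small checker (an added example, not code from this role or from Proxmox) that applies the sshd_config `Ciphers` directive semantics to a default list and reports whether a pinned line is identical to the defaults, merely reorders the same algorithms (a preference change such as putting AES ahead of chacha20), restricts the set, or re-enables legacy algorithms. The OpenSSH 7.9 default list is reproduced from memory of sshd_config(5) and is an assumption, and the sample pinned lines are constructed for illustration, not taken from PVE's Setup.pm.

```python
"""Evaluate an sshd_config ``Ciphers`` directive against the daemon's defaults.

sshd_config(5) gives the directive these forms:
  Ciphers a,b,c     replace the default list with a,b,c
  Ciphers +a,b      append a,b to the default list
  Ciphers -a,b      remove a,b (wildcards allowed) from the default list
  Ciphers ^a,b      move a,b to the head of the default list ('^' is a later
                    addition than '+' and '-'; check the man page for your release)
"""
from fnmatch import fnmatch

# ASSUMPTION: sshd default Ciphers for OpenSSH 7.9 (Debian buster), as remembered
# from sshd_config(5) for that release. Verify on a real host with `sshd -T`.
OPENSSH_79_DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

# Algorithms that should never appear in an effective list (CBC modes, 3DES, RC4, ...).
LEGACY_PATTERNS = ("*-cbc", "3des-*", "arcfour*", "blowfish-*", "cast128-*")


def cipher_value(line):
    """Return the value part of a 'Ciphers ...' config line (keyword optional)."""
    parts = line.strip().split(None, 1)
    if parts and parts[0].lower() == "ciphers":
        return parts[1] if len(parts) > 1 else ""
    return line.strip()


def effective_ciphers(directive, default):
    """Return the list sshd would actually use for a given Ciphers value."""
    spec = cipher_value(directive)
    if spec.startswith("+"):
        extra = [c for c in spec[1:].split(",") if c and c not in default]
        return list(default) + extra
    if spec.startswith("-"):
        removed = [p for p in spec[1:].split(",") if p]
        return [c for c in default if not any(fnmatch(c, p) for p in removed)]
    if spec.startswith("^"):
        head = [c for c in spec[1:].split(",") if c]
        return head + [c for c in default if c not in head]
    return [c for c in spec.split(",") if c]


def assess(directive, default=OPENSSH_79_DEFAULT_CIPHERS):
    """Classify what a pinned Ciphers line changes relative to the default list."""
    eff = effective_ciphers(directive, default)
    legacy = sorted(c for c in eff if any(fnmatch(c, p) for p in LEGACY_PATTERNS))
    if legacy:
        verdict = "weakens"        # re-enables algorithms upstream dropped
    elif eff == list(default):
        verdict = "identical"      # pins the defaults verbatim: no added value
    elif set(eff) == set(default):
        verdict = "reorders"       # same set, different preference order
    elif set(eff) < set(default):
        verdict = "restricts"      # strict subset of the defaults
    else:
        verdict = "changes"        # adds non-default, non-legacy algorithms
    return {"effective": eff, "verdict": verdict, "legacy": legacy,
            "first_choice": eff[0] if eff else None}


if __name__ == "__main__":
    # Constructed sample lines, not taken from PVE or from this role.
    samples = [
        "Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
        "aes128-gcm@openssh.com,aes256-gcm@openssh.com",
        "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
        "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
        "Ciphers -aes128-*",
        "Ciphers +aes256-cbc",
    ]
    for line in samples:
        r = assess(line)
        print(f"{r['verdict']:>9}  first={r['first_choice']}  legacy={r['legacy']}  {line}")
```

On a live host, `sshd -T | grep -i '^ciphers'` prints the list the daemon actually uses after applying any directive, and `ssh -Q cipher` lists what the binary supports at all, so the two together are the ground truth to compare a role's pinned list against before deciding it adds anything.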
97db517 to 5a6a626
Some further research: https://lists.proxmox.com/pipermail/pve-devel/2017-August/028157.html (discussion behind the change to the ordering of ciphers).
I vote that we keep the behaviour PVE imposes by default on both distributions. I'm fine with converting the
Putting it on my todo list.
0610942 to 290e00c
Rebased against develop to at least clean up the unrelated/unmerged commits from the old pve7 branch.
The OpenSSH daemon comes with reasonable defaults these days, so don't
try to manage that by copying the same cipher list from release to
release.
Between Debian releases there is usually a large overlap over compatible
ciphers, so there shouldn't be any fear of breaking compatibility
between Proxmox VE releases either.
It might be reasonable to do the same on buster, but since I'm starting
a 7.0 cluster right now and I don't know the entire reasoning behind this
setting, I'm erring on the conservative side.