[pve-devel] [RFC cluster] update SSH Ciphers for Debian Stretch
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed May 31 09:38:00 CEST 2017
blowfish, 3des and arcfour are not enabled by default on the
server side anyway.
on most hardware, AES is about 3 times faster than Chacha20
because of hardware accelerated AES, hence the changed order
of preference compared to the default.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Alternatively, we could drop this altogether and leave it up to the admin to
prefer AES if the hardware supports it? Chacha20 manages about 300MB/s in a VM
here, which is enough to saturate a GBit link..
data/PVE/Cluster.pm | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 731acc5..4915cb3 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -1132,8 +1132,9 @@ sub setup_rootsshconfig {
if (! -f $rootsshconfig) {
mkdir '/root/.ssh';
if (my $fh = IO::File->new($rootsshconfig, O_CREAT|O_WRONLY|O_EXCL, 0640)) {
- # this is the default ciphers list from debian openssl0.9.8 except blowfish is added as prefered
- print $fh "Ciphers blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc\n";
+ # this is the default ciphers list from Debian's OpenSSH package (OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2k 26 Jan 2017)
+ # changed order to put AES before Chacha20 (most hardware has AESNI)
+ print $fh "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com\n";
close($fh);
}
}
--
2.1.4
More information about the pve-devel
mailing list