[pve-devel] applied: [RFC cluster] update SSH Ciphers for Debian Stretch

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Sep 14 09:03:45 CEST 2017


applied

On Wed, May 31, 2017 at 09:38:00AM +0200, Fabian Grünbichler wrote:
> blowfish, 3des and arcfour are not enabled by default on the
> server side anyway.
> 
> on most hardware, AES is about 3 times faster than Chacha20
> because of hardware accelerated AES, hence the changed order
> of preference compared to the default.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> Alternatively, we could drop this altogether and leave it up to the admin to
> prefer AES if the hardware supports it? Chacha20 manages about 300MB/s in a VM
> here, which is enough to saturate a GBit link..
> 
>  data/PVE/Cluster.pm | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
> index 731acc5..4915cb3 100644
> --- a/data/PVE/Cluster.pm
> +++ b/data/PVE/Cluster.pm
> @@ -1132,8 +1132,9 @@ sub setup_rootsshconfig {
>      if (! -f $rootsshconfig) {
>          mkdir '/root/.ssh';
>          if (my $fh = IO::File->new($rootsshconfig, O_CREAT|O_WRONLY|O_EXCL, 0640)) {
> -            # this is the default ciphers list from debian openssl0.9.8 except blowfish is added as prefered
> -            print $fh "Ciphers blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc\n";
> +            # this is the default ciphers list from Debian's OpenSSH package (OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2k  26 Jan 2017)
> +	    # changed order to put AES before Chacha20 (most hardware has AESNI)
> +            print $fh "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com\n";
>              close($fh);
>          }
>      }
> -- 
> 2.1.4




More information about the pve-devel mailing list