[pve-devel] applied: [RFC cluster] update SSH Ciphers for Debian Stretch
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Sep 14 09:03:45 CEST 2017
applied
On Wed, May 31, 2017 at 09:38:00AM +0200, Fabian Grünbichler wrote:
> blowfish, 3des and arcfour are not enabled by default on the
> server side anyway.
>
> on most hardware, AES is about 3 times faster than Chacha20
> because of hardware accelerated AES, hence the changed order
> of preference compared to the default.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> Alternatively, we could drop this altogether and leave it up to the admin to
> prefer AES if the hardware supports it? Chacha20 manages about 300MB/s in a VM
> here, which is enough to saturate a GBit link..
>
> data/PVE/Cluster.pm | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
> index 731acc5..4915cb3 100644
> --- a/data/PVE/Cluster.pm
> +++ b/data/PVE/Cluster.pm
> @@ -1132,8 +1132,9 @@ sub setup_rootsshconfig {
> if (! -f $rootsshconfig) {
> mkdir '/root/.ssh';
> if (my $fh = IO::File->new($rootsshconfig, O_CREAT|O_WRONLY|O_EXCL, 0640)) {
> - # this is the default ciphers list from debian openssl0.9.8 except blowfish is added as prefered
> - print $fh "Ciphers blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc\n";
> + # this is the default ciphers list from Debian's OpenSSH package (OpenSSH_7.4p1 Debian-10, OpenSSL 1.0.2k 26 Jan 2017)
> + # changed order to put AES before Chacha20 (most hardware has AESNI)
> + print $fh "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com\n";
> close($fh);
> }
> }
> --
> 2.1.4
More information about the pve-devel
mailing list