With an ever-expanding number of scripts on my NAS, I noticed that pretty much every one used similar, but not quite the same, SSH parameters. For example, my automatic replication would use one set of encryption parameters, my Mikrotik router backup script another, and my website backup script a third variant.
So I decided to see whether I could consolidate all of them into a single set while still keeping reasonable security.
For key exchange, I had a choice of diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1. Unfortunately, curve25519-sha256@libssh.org and similar algorithms that are considered more secure were not an option.
For a while I considered using diffie-hellman-group14-sha1, as it uses a fixed 2048-bit prime, but its deprecation in modern SSH versions (SHA-1 based key exchange is being phased out) made me go with diffie-hellman-group-exchange-sha256. As this method lets the server choose the group, it should be theoretically better, but it also allows a server to set up the connection with known weak parameters; with OpenSSH the candidate groups come from the server's moduli file, so that file is where the group size is actually enforced. As the servers are under my control, that should not pose a huge issue here.
For the cipher my hands were extremely tied - Mikrotik, my router of choice, supports only aes256-ctr and aes192-ctr. Both are of acceptable security, so I went with the faster one: aes192-ctr.
For message authentication (the MAC) Mikrotik was again extremely limited - only hmac-sha2-256 and hmac-sha1 were supported. While I was tempted to go with hmac-sha1, which is still secure enough despite SHA-1 being broken (HMAC does not rely on collision resistance, so the HMAC construction really does make a difference), I went with hmac-sha2-256, as the former might get obsoleted soon.
My final set of "standard" parameters is as follows:
-2 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -c aes192-ctr -o MACs=hmac-sha2-256
The additional -2 parameter is not strictly encryption related, but I find it very reasonable to enforce SSH protocol version 2. Newer OpenSSH releases have removed protocol 1 entirely and simply ignore the flag, so it does no harm there.
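To make the consolidation stick, the parameter set above is worth keeping in exactly one place and checking against what a connection really negotiates. The script below is an added example, not code from the original post: it holds the post's parameters in one sourced file, prints the equivalent ssh_config block, queries the local client's algorithm support with `ssh -Q`, and parses `ssh -v` output to confirm the negotiated kex, cipher and MAC. It assumes a POSIX sh and OpenSSH 6.7 or later for the `debug1: kex:` line format (older clients report the same facts with different wording); the host name and the sample debug lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): keep the "standard" SSH
# parameters in one place and verify what a connection actually negotiated.
# Assumptions: POSIX sh, OpenSSH 6.7+ for the `ssh -v` line format and
# `ssh -Q`; host names and the sample log below are placeholders.

SSH_STD_KEX="diffie-hellman-group-exchange-sha256"
SSH_STD_CIPHER="aes192-ctr"
SSH_STD_MAC="hmac-sha2-256"

# Command-line form, as in the post. Scripts do: ssh $SSH_STD_OPTS host ...
SSH_STD_OPTS="-2 -o KexAlgorithms=$SSH_STD_KEX -c $SSH_STD_CIPHER -o MACs=$SSH_STD_MAC"

# ssh_config form of the same set; append the output to ~/.ssh/config and a
# plain `ssh nas` picks it up without every script repeating the flags.
std_ssh_config() {
    printf 'Host %s\n    KexAlgorithms %s\n    Ciphers %s\n    MACs %s\n' \
        "$1" "$SSH_STD_KEX" "$SSH_STD_CIPHER" "$SSH_STD_MAC"
}

# Returns 0 if the local OpenSSH client lists every algorithm in the set
# (`ssh -Q kex|cipher|mac` prints the supported names one per line).
std_ssh_client_supports() {
    for pair in "kex $SSH_STD_KEX" "cipher $SSH_STD_CIPHER" "mac $SSH_STD_MAC"; do
        set -- $pair
        ssh -Q "$1" | grep -qx "$2" || { echo "client lacks $1 $2" >&2; return 1; }
    done
}

# Reads `ssh -v` output on stdin and returns 0 only if the negotiated kex,
# cipher and MAC (in both directions) equal the standard set. Restricting the
# client's lists already forces this; the check catches a script that forgot
# the options or a server that only offers something else.
check_negotiated() {
    log=$(cat)
    kex=$(printf '%s\n' "$log" | sed -n 's/^debug1: kex: algorithm: \(.*\)$/\1/p' | head -n 1)
    # One line per direction, e.g.
    # "debug1: kex: server->client cipher: aes192-ctr MAC: hmac-sha2-256 compression: none"
    dirs=$(printf '%s\n' "$log" \
        | grep -c "^debug1: kex: [a-z]*->[a-z]* cipher: $SSH_STD_CIPHER MAC: $SSH_STD_MAC " || true)
    status=0
    [ "$kex" = "$SSH_STD_KEX" ] || { echo "kex: expected $SSH_STD_KEX, got '$kex'" >&2; status=1; }
    [ "$dirs" -eq 2 ] || { echo "cipher/MAC: only $dirs of 2 directions use $SSH_STD_CIPHER/$SSH_STD_MAC" >&2; status=1; }
    return $status
}

# Constructed sample of the relevant debug1 lines from a connection made with
# $SSH_STD_OPTS (a real log has many more lines; these are the ones that matter).
SAMPLE_LOG='debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes192-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes192-ctr MAC: hmac-sha2-256 compression: none'

# Against a live host the same check would be:
#   ssh -v $SSH_STD_OPTS user@nas true 2>&1 | check_negotiated
printf '%s\n' "$SAMPLE_LOG" | check_negotiated && echo "negotiated parameters match the standard set"
```

Source this file from each backup or replication script and use `$SSH_STD_OPTS` (or the ssh_config block) instead of hand-typed flags; then a single edit changes the parameters everywhere, and `check_negotiated` run against a verbose connection tells you whether a given server actually honoured them.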