0

I am learning OpenSSH and I found that the fundamentals of OpenSSH have 3 components.

  1. Cipher - to encrypt the data
  2. Message Authentication Code (MAC) - to ensure data integrity, that is, that the data is not changed while on its journey to the end user.
  3. Key exchange - It is used for session key exchange.

Questions:

  1. Is there any other important part for configuration in openssh?
  2. While generating the OpenSSH key, how do I tell it what cipher, MAC and key exchange it should use?
fpmurphy
tannoy connect
  • Why do you think those components are set while generating an OpenSSH key? – muru Apr 27 '20 at 02:35
  • If I want higher security then I might disable weak ciphers that means I can even make it custom to choose only the highest security - Cipher, MAC and key exchange. – tannoy connect Apr 27 '20 at 02:43
  • 4
    Does this answer your question? [SSH: How to disable weak ciphers?](https://unix.stackexchange.com/questions/333728/ssh-how-to-disable-weak-ciphers) (https://unix.stackexchange.com/a/410252/70524, https://unix.stackexchange.com/a/511260/70524) – muru Apr 27 '20 at 02:47

1 Answer

4

Is there any other important part for configuration in openssh?

Yes. There is a fourth major part of the SSH protocol: authentication.

The keys you manually generate with ssh-keygen (or equivalent) are used for authentication only, and have no effect at all on the three protocol elements you listed. And while those three elements are functionally symmetric, authentication can be different for each direction.

Thus, on a client, you optionally generate one or more key(s) each using a particular algorithm aka 'type' -t (RSA, DSA -- formerly, ECDSA, Ed25519), while you configure or default the algorithm(s) you will accept from the server. And depending on the server, the client (only!) may use other authentication methods like password (often) or GSS (rarely) instead of (any of) the publickey algorithms.

Conversely, on a server, you can generate key(s) for particular algorithms, but in practice most servers automatically generate all key types, and provide whichever one(s) the client(s) request. And you configure or default the algorithms the client's key can use, as well as any non-publickey methods.

While generating the OpenSSH key, how do I tell it what cipher, MAC and key exchange it should use?

You don't. You configure the program, not the key, for those elements. On the client, server, or both, as described in the Q linked in a comment. Although that Q doesn't note that on client side, in /etc/ssh/ssh_config or ~/.ssh/ssh_config, you can configure either a global setting for all 'hosts' (servers), or different settings for different hosts and/or userids using the Host or Match syntax. See the man page on your system or on the web, and search for existing Qs here or maybe superuser; I know I've seen several.

Although it should be noted this won't improve security. The OpenSSH developers are pretty cautious -- some would say overly so -- and the defaults they set are already more than 'strong' enough. Obsessing over using the right magic words in your crypto config is at best a waste of time, and risks either making a mistake that reduces security, or more often distracting you from taking care of the things that actually do matter, like managing your key(s) and verifying the host authenticity.

dave_thompson_085
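The answer's point is that Ciphers, MACs and KexAlgorithms are properties of the client (or server) configuration, not of a key, and that on the client they can be set globally or per host. A detail that bites people in practice: ssh_config keeps the first value it obtains for each keyword, so a host-specific block only wins if it appears before the catch-all `Host *` block. The following Python script is an added example, not code from the question, the answer, or the OpenSSH project. It parses a constructed client config (the hostnames and algorithm lists are made up for illustration), resolves the effective algorithm settings for a given host the way ssh's first-match rule does, and shows what happens when the block order is wrong. It only handles `Host` blocks; `Match` blocks are skipped.

```python
import fnmatch
import re

# Constructed sample client config (not from the page). The per-host block
# comes BEFORE the global "Host *" block on purpose: ssh keeps the first
# value it obtains for each keyword, so later blocks cannot override it.
SAMPLE_CONFIG = """\
# per-host override: a hypothetical older box that needs specific algorithms
Host legacy-box
    HostName 192.0.2.10
    Ciphers aes256-ctr
    MACs hmac-sha2-256

Host *.example.net !staging.example.net
    KexAlgorithms curve25519-sha256

# global defaults for every host
Host *
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""

# Same content with the global block first: a common mistake that silently
# makes the per-host settings for legacy-box dead configuration.
WRONG_ORDER_CONFIG = """\
Host *
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

Host legacy-box
    Ciphers aes256-ctr
    MACs hmac-sha2-256
"""

# ssh_config accepts "Keyword value" as well as "Keyword=value"
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def parse_ssh_config(text):
    """Return blocks of (host_patterns, [(keyword, value), ...]) in file order.
    Directives before the first Host line belong to an implicit match-all block.
    Match blocks are not evaluated here: they get an empty pattern list and never apply."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        keyword = m.group(1).lower() if m else line.lower()
        value = m.group(2).strip() if m else ""
        if keyword == "host":
            blocks.append((value.split(), []))
        elif keyword == "match":
            blocks.append(([], []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks


def host_matches(patterns, host):
    """Host-line semantics: the block applies if at least one positive pattern
    matches and no negated ("!") pattern matches. fnmatch's * and ? behave like
    ssh's wildcards for ordinary hostnames."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def effective_config(text, host, keywords=("ciphers", "macs", "kexalgorithms")):
    """Resolve what ssh would use for `host`: walk blocks in file order and keep
    the FIRST value seen for each keyword, as ssh_config does."""
    result = {}
    for patterns, directives in parse_ssh_config(text):
        if not host_matches(patterns, host):
            continue
        for keyword, value in directives:
            if keyword in keywords and keyword not in result:
                result[keyword] = value.split(",")
    return result


if __name__ == "__main__":
    for host in ("legacy-box", "web.example.net", "staging.example.net"):
        print(host, effective_config(SAMPLE_CONFIG, host))
    # legacy-box now gets the global ciphers, not the per-host ones
    print("wrong order:", effective_config(WRONG_ORDER_CONFIG, "legacy-box"))
```

On a real system the same check is `ssh -G hostname`, which prints the configuration ssh has resolved for that host after evaluating all Host and Match blocks, and `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` list the algorithm names the installed client supports, which is the list to pick from when writing those directives.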