Closed agpt8 closed 1 month ago
Hi, thanks for the suggestion. I looked into it; this is the line I'm going to add to the SSH client config in the user directory (with proper checks to make sure it's not added if it already exists). It will be part of the Miscellaneous category.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
Excluding anything that falls under the FUD category mentioned on that website, that solves the issue with weak MACs (Message Authentication Codes).
By the way, post-quantum cipher suites are on the way from NIST for Windows, TLS, SSH etc.: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-s-quantum-resistant-cryptography-is-here/ba-p/4238780
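An added example of how such an idempotent edit can be made and then verified; it is not code from this thread or from the project's own script. It assumes the Windows OpenSSH client (ssh.exe) is on PATH and that the per-user config lives at %USERPROFILE%\.ssh\config:

```powershell
# Added example (not the project's code): idempotently add the MACs line to the
# per-user OpenSSH client config on Windows, then show the effective MAC list.
# Assumes the built-in Windows OpenSSH client (ssh.exe) is on PATH.
$MacsLine   = 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'
$SshDir     = Join-Path $env:USERPROFILE '.ssh'
$ConfigPath = Join-Path $SshDir 'config'

if (-not (Test-Path -LiteralPath $SshDir)) {
    New-Item -ItemType Directory -Path $SshDir | Out-Null
}

$Lines = @()
if (Test-Path -LiteralPath $ConfigPath) {
    $Lines = @(Get-Content -LiteralPath $ConfigPath)
}

# Look for an existing, uncommented MACs directive in the global section
# (everything before the first Host/Match block, which applies to every
# connection). ssh_config keywords are case-insensitive, and so is -match.
$Global   = $true
$Existing = $null
foreach ($Line in $Lines) {
    $Trimmed = $Line.Trim()
    if ($Trimmed -match '^(Host|Match)\b') { $Global = $false }
    if ($Global -and $Trimmed -match '^MACs\s') { $Existing = $Trimmed; break }
}

if ($Existing -eq $MacsLine) {
    Write-Host "MACs line already present, nothing to do."
} elseif ($Existing) {
    # Do not silently overwrite a user's own choice; surface it instead.
    Write-Warning "A different global MACs line exists; review it manually: $Existing"
} else {
    # Prepend so the directive precedes any Host block (first match wins in ssh_config).
    $NewContent = @($MacsLine) + $Lines
    Set-Content -LiteralPath $ConfigPath -Value $NewContent -Encoding ascii
    Write-Host "Added MACs line to $ConfigPath"
}

# Verify: 'ssh -G' prints the effective client configuration for a host
# without connecting, so the 'macs' line shows what will actually be offered.
ssh -G localhost | Select-String -Pattern '^macs '
```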
Are you sure the Security measure is not already implemented?
Please explain your new Security measure suggestion
The current Windows versions include OpenSSH v9.x, and the OpenSSH server is available as an optional feature in the Settings app. By default, SSH is secure but can be hardened much more, at least in terms of which ciphers, algorithms and CAs it uses. This is based on this repo: https://github.com/JuliusBairaktaris/Harden-Windows-SSH; the script there is simple and configures the user's and the system's SSH to use much stronger algorithms, ciphers and CAs. A beta installation of OpenSSH is not needed.
The above-mentioned repo is in turn inspired by SSH Audit's repo: https://github.com/jtesta/ssh-audit/wiki/Windows-11, which covers many more platforms that can be hardened in a similar way. The config given there varies slightly and is a little looser than the first repo mentioned above. We can decide which should be included (personally I use a combination of the two along with some of my own changes).
Another good read on this is this answer on Stack Exchange: https://security.stackexchange.com/questions/257670/ssh-server-configuration-best-practices/257678#257678
To check the default state of security for ssh: