bottlerocket-os / bottlerocket-admin-container

A container for admin access to Bottlerocket

Evaluate disabling certain default cipher suites and key-ex algos #63

Open etungsten opened 2 years ago

etungsten commented 2 years ago

We should evaluate disabling some default SSH cipher suites and key algorithms that might trigger vulnerability scanning tools.

etungsten commented 2 years ago

The EKS-optimized AMI's sshd_config limits the cipher suites to the following by default:

Ciphers aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

We should consider doing the same. Users can still override with the admin container userdata if they wish.
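The restriction discussed in the comment above, as an added example that is not code from the Bottlerocket project or from the issue author: a small POSIX shell audit that reads an sshd configuration (or the output of `sshd -T`) and reports every cipher and key-exchange algorithm outside an allowlist. The cipher allowlist is the EKS-optimized AMI line quoted above; the `KexAlgorithms` allowlist, the `audit_sshd` / `directive` / `disallowed` helper names, and both sample configurations are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Bottlerocket's or the EKS AMI's code.
# Audit an sshd configuration for Ciphers / KexAlgorithms entries outside an
# allowlist. On a live host feed it the effective configuration, which is
# what a scanner actually negotiates against:
#   sshd -T | audit_sshd

# Cipher allowlist: the EKS-optimized AMI Ciphers line quoted in the issue.
ALLOWED_CIPHERS="aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
# Kex allowlist: an assumption for this example, not taken from the page.
ALLOWED_KEX="curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"

# directive NAME: read sshd config on stdin and print the value of NAME.
# Comment lines are skipped; keyword matching is case-insensitive because
# `sshd -T` prints keywords in lowercase. sshd uses the first value obtained
# for a keyword, so the first match wins here too.
directive() {
  awk -v key="$1" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# in_list ITEM CSV: succeed if ITEM is one of the comma-separated CSV entries.
in_list() {
  case ",$2," in
    *",$1,"*) return 0 ;;
  esac
  return 1
}

# disallowed CSV ALLOWED: print each entry of CSV that is absent from ALLOWED.
disallowed() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r alg; do
    if [ -n "$alg" ] && ! in_list "$alg" "$2"; then
      printf '%s\n' "$alg"
    fi
  done
}

# audit_sshd: read config on stdin. Print one line per problem and return 1
# if any algorithm is outside the allowlist or if a directive is missing
# (an unset directive means the compiled-in default list applies, which is
# exactly the case the issue wants to avoid relying on).
audit_sshd() {
  cfg=$(cat)
  status=0
  for pair in "ciphers:$ALLOWED_CIPHERS" "kexalgorithms:$ALLOWED_KEX"; do
    name=${pair%%:*}
    allowed=${pair#*:}
    value=$(printf '%s\n' "$cfg" | directive "$name")
    if [ -z "$value" ]; then
      printf '%s: not set, compiled-in default applies; pin it explicitly\n' "$name"
      status=1
      continue
    fi
    extra=$(disallowed "$value" "$allowed")
    if [ -n "$extra" ]; then
      printf '%s: not in allowlist: %s\n' "$name" "$(printf '%s' "$extra" | tr '\n' ' ')"
      status=1
    fi
  done
  return $status
}

# Constructed sample: the shape that makes scanners complain (CBC ciphers,
# SHA-1 group1 kex). Not a real Bottlerocket or EKS configuration.
weak_config() {
  cat <<'EOF'
Port 22
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
EOF
}

# Constructed sample: the pinned form. The Ciphers line is the one quoted in
# the issue; the KexAlgorithms line is this example's assumption.
hardened_config() {
  cat <<'EOF'
Port 22
Ciphers aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
EOF
}
```

Two practical caveats when pinning these lists: the names a given OpenSSH build supports can be listed with `ssh -Q cipher` and `ssh -Q kex`, and a name the build does not recognise prevents sshd from starting, so run `sshd -t` against the new file before restarting the daemon. `sshd -T` is the right input for the audit because it resolves includes and defaults, whereas a hand-written sshd_config may simply omit the directive.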