From ab13c1c8089dbb11166f2426ae0c05bdf119f79d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 26 Jun 2023 14:20:14 +0200
Subject: [PATCH] testing: Configure curve25519-sha256 as key exchange for SSH

With Debian bookworm, the PQC KE sntrup761x25519-sha512 is negotiated, by default. This increases the overhead significantly, in particular, the size of the KE message, which wouldn't get through IPsec tunnels without MSS clamping.
---
 testing/hosts/default/etc/ssh/sshd_config | 1 +
 1 file changed, 1 insertion(+)

diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index f4ced3e374..700c7caaf7 100644
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -1,6 +1,7 @@
 Port 22
 Protocol 2
 Ciphers aes128-gcm@openssh.com
+KexAlgorithms curve25519-sha256
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 PermitRootLogin yes
--
2.47.2
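Review bot: The added `KexAlgorithms curve25519-sha256` line has no comment in the config itself, so a reader of sshd_config cannot tell that it deliberately overrides the bookworm default (sntrup761x25519-sha512) for packet-size reasons rather than by oversight; that rationale currently lives only in the commit message. Suggest preceding it with `# Pin a classical KEX: the bookworm default sntrup761x25519-sha512 makes the KE message too large to traverse the test IPsec tunnels without MSS clamping`. It is also worth stating in that comment that this intentionally gives up the hybrid post-quantum exchange and is acceptable only for these test hosts, so the default host config is not copied into anything production-facing. Restricting to one algorithm matches the existing single-entry `Ciphers` line, so the style is consistent.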