Added policy for hardened OpenSSH v8.4.

jtesta · Sep 27, 2020 · b7d698d · b7d698d
1 parent b0c0074
commit b7d698d
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/policies/openssh_8_4.txt b/policies/openssh_8_4.txt
@@ -0,0 +1,28 @@
+#
+# Official policy for hardened OpenSSH v8.4.
+#
+
+name = "Hardened OpenSSH v8.4"
+version = 1
+
+# RSA host key sizes.
+hostkey_size_rsa-sha2-256 = 4096
+hostkey_size_rsa-sha2-512 = 4096
+
+# Group exchange DH modulus sizes.
+dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
+
+# The host key types that must match exactly (order matters).
+host keys = rsa-sha2-512, rsa-sha2-256, ssh-ed25519
+
+# Host key types that may optionally appear.
+optional host keys = [email protected], [email protected], [email protected], [email protected], [email protected]
+
+# The key exchange algorithms that must match exactly (order matters).
+key exchanges = curve25519-sha256, [email protected], diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
+
+# The ciphers that must match exactly (order matters).
+ciphers = [email protected], [email protected], [email protected], aes256-ctr, aes192-ctr, aes128-ctr
+
+# The MACs that must match exactly (order matters).
+macs = [email protected], [email protected], [email protected]