Description
Currently the Guidelines for OpenSSH configurations, i.e. guidelines/openssh.md, list settings for "Modern (OpenSSH 6.7+)". Given that OpenSSH 6.7 was released over 11 years ago (2014-10-06), it is perhaps time to do a bigger overhaul of these guidelines and move the "OpenSSH 6.7+" section to "Intermediate" and the current "Intermediate" to "Historical / Old".
I see a few reasons why such an overhaul may be needed and really would be the best solution going forward:
- Currently "best practice" for supported Ciphers, Key exchange etc. is not mentioned at all. For instance, neither the post-quantum recommended sntrup761x25519-sha512 algorithm (supported since OpenSSH 9.0, dated 2022) nor mlkem768x25519-sha256 (OpenSSH 9.9) is mentioned at all.
- If anyone is following the guide today (on an actual "modern" install) it would arguably make their install less secure.
- Actually modern OpenSSH (10.0) will display a lot of warnings to users if a PQ algorithm is not used, potentially causing a bit of confusion for less technically literate users.
- It's been over 11 years since 6.7 was actually considered "modern". In terms of IT security that is a long time...
There are currently a few issues here on GitHub about making small fixes here and there, such as #170, #176 and #192, just to mention a few. I would consider them more of a band-aid solution; it is time to properly fix the "Modern" configuration and move historically recommended configurations to "Historical".
Some refs:
- OpenSSH 6.7 release notes: https://www.openssh.org/txt/release-6.7
- OpenSSH PQ: https://www.openssh.org/pq.html
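As an added example (not from the wiki guidelines or the issue author), here is a candidate "Modern" KexAlgorithms line with the post-quantum hybrids placed first, together with a small POSIX shell check that reads `sshd -T` style output and reports whether the host's effective configuration actually prefers one of them. The algorithm names and version requirements follow https://www.openssh.org/pq.html; the exact ordering of the proposed line, the helper names, and the two sample `sshd -T` outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the wiki or the issue author. Proposes a KexAlgorithms
# line with PQ hybrids first and checks `sshd -T` output for it. Sample configs are
# constructed; the ordering below is this example's own choice, informed by pq.html.

# PQ hybrid KEX shipped by OpenSSH: mlkem768x25519-sha256 (9.9+, default-first in 10.0)
# and sntrup761x25519-sha512 (9.0+). Classical X25519 is kept last as a fallback.
PQ_KEX="mlkem768x25519-sha256,sntrup761x25519-sha512"
MODERN_KEX="$PQ_KEX,curve25519-sha256,curve25519-sha256@libssh.org"

# modern_kex_line: print the sshd_config line this example proposes for "Modern".
# On OpenSSH 9.0-9.8 drop the mlkem768 entry: sshd refuses KEX names it does not know.
modern_kex_line() {
    printf 'KexAlgorithms %s\n' "$MODERN_KEX"
}

# first_kex: read `sshd -T` style output on stdin and print the first KEX algorithm,
# i.e. the one the server will prefer. sshd -T prints keywords in lowercase.
first_kex() {
    awk '$1 == "kexalgorithms" { split($2, a, ","); print a[1]; exit }'
}

# is_pq_kex NAME: succeed if NAME is one of the PQ hybrids above.
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256|sntrup761x25519-sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# prefers_pq_kex: read `sshd -T` output on stdin; succeed if a PQ hybrid is preferred.
prefers_pq_kex() {
    k=$(first_kex)
    [ -n "$k" ] && is_pq_kex "$k"
}

# Constructed sample (assumption) of `sshd -T` output from a host still on a
# 6.7-era "Modern" style list: classical X25519 first, no PQ hybrid at all.
OLD_HOST='port 22
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'

# Constructed sample (assumption) from a host that applied the proposed line.
NEW_HOST="port 22
kexalgorithms $MODERN_KEX
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"

# report LABEL CONFIG: human-readable verdict for one config dump.
report() {
    if printf '%s\n' "$2" | prefers_pq_kex; then
        echo "$1: prefers PQ KEX ($(printf '%s\n' "$2" | first_kex))"
    else
        echo "$1: does not prefer PQ KEX ($(printf '%s\n' "$2" | first_kex))"
    fi
}

modern_kex_line
report OLD_HOST "$OLD_HOST"
report NEW_HOST "$NEW_HOST"

# Check the local sshd too, if present; `sshd -T` needs root and readable host keys.
if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    report local_sshd "$(sshd -T 2>/dev/null)"
fi
```

`ssh -Q kex` lists the KEX names the local OpenSSH build supports, which is the quick way to confirm whether a given server or client is new enough for the mlkem768 entry before deploying the line; `sshd -T` shows the effective merged configuration rather than the file on disk, so it also catches a Match block or an included file that silently overrides the KEX list.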