fix smth

defines.h

@@ -982,8 +982,8 @@ struct winsize {
  * so only enable if the compiler supports them.
  */
 #if defined(VARIABLE_LENGTH_ARRAYS) && defined(VARIABLE_DECLARATION_AFTER_CODE)
-# define USE_SNTRUP761X25519	1
+/* Disabled for security - sntrup761 and mlkem768 are not considered secure */
-/* The ML-KEM768 implementation also uses C89 features */
+/* # define USE_SNTRUP761X25519	1 */
-# define USE_MLKEM768X25519	1
+/* # define USE_MLKEM768X25519	1 */
 #endif
 #endif /* _DEFINES_H */

generate_secure_hostkeys.sh

@@ -12,7 +12,7 @@ rm -f $SSH_DIR/ssh_host_*
 
 echo "[*] Generating new secure host keys..."
 
-# Generate Ed25519 key (preferred)
+# Generate Ed25519 key (256 bits)
 ssh-keygen -t ed25519 -f $SSH_DIR/ssh_host_ed25519_key -N "" -C ""
 
 # Generate RSA key with 4096 bits
@@ -29,5 +29,17 @@ if [ -f $SSH_DIR/moduli ]; then
     chmod 644 $SSH_DIR/moduli
 fi
 
-echo "[+] Secure host keys generated successfully"
+echo "[*] Verifying key sizes..."
-echo "[+] Keys are configured with hardened algorithms by default" 
+RSA_SIZE=$(ssh-keygen -l -f $SSH_DIR/ssh_host_rsa_key | awk '{print $1}')
+ED25519_SIZE=$(ssh-keygen -l -f $SSH_DIR/ssh_host_ed25519_key | awk '{print $1}')
+
+echo "[+] RSA key size: $RSA_SIZE bits"
+echo "[+] Ed25519 key size: $ED25519_SIZE bits"
+
+if [ "$RSA_SIZE" -ge 4096 ] && [ "$ED25519_SIZE" -ge 256 ]; then
+    echo "[+] Secure host keys generated successfully"
+    echo "[+] Keys meet security requirements"
+else
+    echo "[!] Warning: Key sizes may not meet security requirements"
+    exit 1
+fi 

myproposal.h

@@ -25,18 +25,12 @@
  */
 
 #define KEX_SERVER_KEX	\
-	"sntrup761x25519-sha512@openssh.com," \
 	"curve25519-sha256," \
 	"curve25519-sha256@libssh.org," \
 	"diffie-hellman-group18-sha512," \
-	"diffie-hellman-group-exchange-sha256," \
 	"diffie-hellman-group16-sha512" \
 
-#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
+#define KEX_CLIENT_KEX KEX_SERVER_KEX
-	"ecdh-sha2-nistp256," \
-	"ecdh-sha2-nistp384," \
-	"ecdh-sha2-nistp521," \
-	"diffie-hellman-group14-sha256"
 
 #define	KEX_DEFAULT_PK_ALG	\
 	"sk-ssh-ed25519-cert-v01@openssh.com," \
@@ -51,16 +45,13 @@
 #define	KEX_SERVER_ENCRYPT \
 	"chacha20-poly1305@openssh.com," \
 	"aes256-gcm@openssh.com," \
-	"aes256-ctr," \
+	"aes128-gcm@openssh.com"
-	"aes192-ctr," \
-	"aes128-gcm@openssh.com," \
-	"aes128-ctr"
 
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
 
 #define	KEX_SERVER_MAC \
-	"hmac-sha2-512-etm@openssh.com," \
 	"hmac-sha2-256-etm@openssh.com," \
+	"hmac-sha2-512-etm@openssh.com," \
 	"umac-128-etm@openssh.com"
 
 #define KEX_CLIENT_MAC KEX_SERVER_MAC

security_check.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+# Security check script for OpenSSH configuration
+
+set -e
+
+echo "[*] Checking SSH security configuration..."
+
+# Check if sshd_config has secure settings
+if grep -q "KexAlgorithms.*curve25519-sha256" /etc/ssh/sshd_config; then
+    echo "[+] KexAlgorithms: OK"
+else
+    echo "[!] KexAlgorithms: WARNING - insecure algorithms may be enabled"
+fi
+
+if grep -q "Ciphers.*chacha20-poly1305" /etc/ssh/sshd_config; then
+    echo "[+] Ciphers: OK"
+else
+    echo "[!] Ciphers: WARNING - weak ciphers may be enabled"
+fi
+
+if grep -q "MACs.*hmac-sha2-256-etm" /etc/ssh/sshd_config; then
+    echo "[+] MACs: OK"
+else
+    echo "[!] MACs: WARNING - weak MACs may be enabled"
+fi
+
+# Check host key sizes
+if [ -f /etc/ssh/ssh_host_rsa_key ]; then
+    RSA_SIZE=$(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '{print $1}')
+    if [ "$RSA_SIZE" -ge 4096 ]; then
+        echo "[+] RSA host key: $RSA_SIZE bits (OK)"
+    else
+        echo "[!] RSA host key: $RSA_SIZE bits (WEAK - should be >= 4096)"
+    fi
+fi
+
+if [ -f /etc/ssh/ssh_host_ed25519_key ]; then
+    ED25519_SIZE=$(ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key | awk '{print $1}')
+    if [ "$ED25519_SIZE" -ge 256 ]; then
+        echo "[+] Ed25519 host key: $ED25519_SIZE bits (OK)"
+    else
+        echo "[!] Ed25519 host key: $ED25519_SIZE bits (WEAK - should be >= 256)"
+    fi
+fi
+
+# Check for disabled weak algorithms
+if grep -q "USE_SNTRUP761X25519.*1" /etc/ssh/sshd_config 2>/dev/null; then
+    echo "[!] sntrup761: WARNING - weak algorithm enabled"
+else
+    echo "[+] sntrup761: Disabled (OK)"
+fi
+
+if grep -q "USE_MLKEM768X25519.*1" /etc/ssh/sshd_config 2>/dev/null; then
+    echo "[!] mlkem768: WARNING - weak algorithm enabled"
+else
+    echo "[+] mlkem768: Disabled (OK)"
+fi
+
+echo "[*] Security check completed" 

ssh_config

@@ -44,3 +44,10 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+
+# Security hardening - restrict algorithms to secure ones only
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

sshd_config

@@ -116,3 +116,10 @@ Subsystem	sftp	/usr/libexec/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+
+# Security hardening - restrict algorithms to secure ones only
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512