
What portion of .ssh/config is safe to share?

Open · jasonkarns opened this issue 8 years ago · 1 comment

This may be a dumb question, but as a person who loves to share (and peek at others') dotfiles, I've long desired to include my ~/.ssh/config file in my dotfiles. Mostly for backup/restore and version history, but also for pointing others to it for guidance.

However, as a veritable security newb, I don't feel comfortable sharing the whole file, for by its nature it contains sensitive data.

Having posted your recommendations for a "secure" SSH configuration, what portions of one's SSH configuration would you consider safe to publish in a dotfiles repo?

Assuming it's safe to publish:

  • KexAlgorithms
  • UseRoaming
  • PasswordAuthentication
  • ChallengeResponseAuthentication
  • PubkeyAuthentication
  • HostKeyAlgorithms
  • Ciphers
  • MACs

What about HostName aliases?

Probably not a good idea to share User? Or IdentityFile? (Though I suppose if one's machine were compromised in order to have access to the IdentityFile, you're screwed anyway, so merely publishing the filename is not really significant?)

What about any RemoteForward settings?

jasonkarns · Oct 13 '17 20:10

Don't publish user names. Although disabling password login makes brute forcing passwords infeasible even with known user names, they can be useful in other contexts. They could be used to guess valid email addresses for phishing, logging in to something else less secure, or whatever.

I wouldn't publish internal hostnames either. It's not that they are particularly hard to find once an attacker is in, it's that you might want to alert on too many reverse lookups and zone transfer attempts. But never rely on these staying secret.

As for forwarding, there are multiple kinds. X11 and agent forwarding settings are kind of hard to hide. TCP and domain socket forwarding are like firewall rules. Don't publish but assume they are known.

stribika · Nov 13 '17 03:11
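One way to act on the rule of thumb from this thread (the policy options in the question are fine to publish; user names, internal host names, identity files and forwards from the reply are not) is to split `~/.ssh/config` into a publishable file and a private file before committing dotfiles. The script below is an added example written for this page; it is not code from jasonkarns, stribika or the stribika SSH guide. The `SHAREABLE` set is the list from the question; the `PRIVATE` set extends the reply's categories with a few options I assume a reader would also want kept out of a public repo (`LocalForward`, `DynamicForward`, `ProxyCommand`, `ProxyJump`, `Port`); the sample config is constructed. Unknown options go to the private file by default, and any named `Host`/`Match` block goes there wholesale because the alias itself is a host name.

```python
"""Split an OpenSSH client config into a publishable part and a private part.

Added example for this thread, not from the original page. The option sets
below are assumptions beyond the thread's own lists, and SAMPLE is constructed.
"""
import re

# Policy options the question proposes as safe to publish (crypto/auth settings).
SHAREABLE = {
    "kexalgorithms", "useroaming", "passwordauthentication",
    "challengeresponseauthentication", "pubkeyauthentication",
    "hostkeyalgorithms", "ciphers", "macs",
}
# Options that name people, machines or tunnels. User, HostName, IdentityFile
# and RemoteForward come from the thread; the rest are assumed additions.
PRIVATE = {
    "user", "hostname", "identityfile", "remoteforward", "localforward",
    "dynamicforward", "proxycommand", "proxyjump", "port",
}
# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def _is_wildcard_only(pattern: str) -> bool:
    """True when a Host pattern names no concrete machine, e.g. '*' or '* ?'."""
    return all(set(tok.lstrip("!")) <= set("*?") for tok in pattern.split())


def split_config(text: str) -> dict:
    """Return {'public': [lines], 'private': [lines]}.

    Global options and 'Host *' blocks are split option by option: SHAREABLE
    keys go public, everything else (PRIVATE and unclassified alike) goes
    private, so an option that was never classified is not leaked by accident.
    Named Host/Match blocks go to private as a whole, header included.
    """
    public, private = [], []
    in_private_block = False
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped:                      # blank line: keep layout in both
            private.append(line)
            if not in_private_block:
                public.append(line)
            continue
        if stripped.startswith("#"):          # comments often describe the machine
            private.append(line)
            continue
        m = _KV.match(line)
        if not m:                             # unparsable line: never publish it
            private.append(line)
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            in_private_block = not (key == "host" and _is_wildcard_only(value))
            private.append(line)              # private file keeps every block header
            if not in_private_block:
                public.append(line)
            continue
        if not in_private_block and key in SHAREABLE:
            public.append(line)
        else:
            private.append(line)
    return {"public": public, "private": private}


def sensitive_keys(lines: list) -> set:
    """Pre-commit check: the PRIVATE keywords present in a list of config lines."""
    found = set()
    for line in lines:
        m = _KV.match(line)
        if m and m.group(1).lower() in PRIVATE:
            found.add(m.group(1).lower())
    return found


# Constructed sample config (no real hosts, users or keys).
SAMPLE = """\
# global policy
KexAlgorithms curve25519-sha256@libssh.org
PasswordAuthentication no
PubkeyAuthentication yes
User alice
IdentityFile ~/.ssh/id_ed25519

Host *
    Ciphers chacha20-poly1305@openssh.com
    UseRoaming no
    RemoteForward 52698 localhost:52698

Host bastion
    HostName bastion.corp.internal
    User admin
"""

if __name__ == "__main__":
    parts = split_config(SAMPLE)
    print("# --- publishable (config.public) ---")
    print("\n".join(parts["public"]))
    print("# --- keep private (config.private) ---")
    print("\n".join(parts["private"]))
    print("# private keywords in public part:", sensitive_keys(parts["public"]) or "none")
```

Run it against a real config with `split_config(open(path).read())` and write the two lists to separate files; `sensitive_keys(public_lines)` returning a non-empty set is a useful pre-commit failure condition. The default-deny choice matters more than the exact lists: a config option you forgot to classify ends up in the private file, which is the safe direction to fail.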