SSH Configuration

Overview

SSH is configured for:

  • YubiKey FIDO2 resident key authentication

  • Post-quantum key exchange algorithms

  • Host-specific key selection

Configuration File

Location: ~/.ssh/config

Global Settings

Host *
    # NOTE: ssh_config uses the first value it finds for each option (IdentityFile and
    # CertificateFile accumulate instead), so this defaults block must come after the
    # per-host blocks in the real file, or per-host overrides such as
    # PasswordAuthentication yes are ignored.

    # Post-quantum key exchange (hybrid PQ + classical)
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org

    # Modern host key algorithms
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com

    # Identity management
    IdentitiesOnly yes
    AddKeysToAgent yes

    # Security settings (ChallengeResponseAuthentication is a deprecated alias of
    # KbdInteractiveAuthentication since OpenSSH 8.7)
    PasswordAuthentication no
    ChallengeResponseAuthentication no

Infrastructure Hosts

Host nas-01
    HostName 10.50.1.70
    User adminerosado
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000_secondary
    IdentityFile ~/.ssh/id_ed25519_d000
    PasswordAuthentication yes

Host pfsense
    HostName 10.50.1.1
    User admin
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000_secondary
    IdentityFile ~/.ssh/id_ed25519_d000

Host certmgr-01
    HostName 10.50.1.60
    User ansible
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000_secondary
    IdentityFile ~/.ssh/id_ed25519_d000

Host ipsk-manager
    HostName 10.50.1.30
    User evanusmodestus
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000_secondary
    IdentityFile ~/.ssh/id_ed25519_d000
    PasswordAuthentication yes

Host kvm-host
    HostName 10.50.1.99
    User evanusmodestus
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000_secondary
    IdentityFile ~/.ssh/id_ed25519_d000

Git Services

Host github.com
    IdentityFile ~/.ssh/id_ed25519_github
    User git

Host gitlab.com
    IdentityFile ~/.ssh/id_ed25519_gitlab
    User git

Host codeberg.org
    IdentityFile ~/.ssh/id_ed25519_codeberg
    User git

Host bitbucket.org
    IdentityFile ~/.ssh/id_ed25519_bitbucket
    User git

Host gitea
    HostName 10.50.1.70
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_gitea
    User git
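The per-host blocks above rely on how ssh resolves options across matching Host blocks. As an added example (not part of these configuration notes and not OpenSSH's own parser), this Python resolver applies the first-value-wins rule and the cumulative IdentityFile rule to a constructed excerpt of the config, and shows the effect of moving the Host * block last as ssh_config(5) recommends.

```python
import fnmatch
# Constructed excerpt of the config above, in the order the page shows it
# (Host * defaults first, then a per-host block). Not the real file.
SSH_CONFIG = """
Host *
    IdentitiesOnly yes
    PasswordAuthentication no

Host nas-01
    HostName 10.50.1.70
    User adminerosado
    IdentityFile ~/.ssh/id_ed25519_sk_rk_d000
    IdentityFile ~/.ssh/id_ed25519_d000
    PasswordAuthentication yes
"""

# Options ssh accumulates across matching blocks instead of taking the first value.
CUMULATIVE = {"identityfile", "certificatefile"}


def parse_blocks(text):
    """Split ssh_config text into [(patterns, [(key, value), ...]), ...] blocks."""
    blocks = [(["*"], [])]  # options before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        if key.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key.lower(), value))
    return [b for b in blocks if b[1]]  # drop empty blocks


def effective_options(blocks, host):
    """Resolve what ssh uses for host: first value wins, CUMULATIVE keys append ('!' not handled)."""
    resolved = {}
    for patterns, opts in blocks:
        if not any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns):
            continue
        for key, value in opts:
            if key in CUMULATIVE:
                resolved.setdefault(key, []).append(value)
            else:
                resolved.setdefault(key, value)  # earlier blocks shadow later ones
    return resolved


def defaults_last(blocks):
    """Reorder so 'Host *' blocks come after specific ones, as ssh_config(5) recommends."""
    return [b for b in blocks if b[0] != ["*"]] + [b for b in blocks if b[0] == ["*"]]
```

With the order shown, effective_options(parse_blocks(SSH_CONFIG), "nas-01") resolves PasswordAuthentication to "no" despite the per-host "yes"; defaults_last() reorders the blocks so the per-host value wins while the Host * defaults still fill in the rest.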

Post-Quantum SSH

Key Exchange Algorithms

KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256

  • sntrup761: Streamlined NTRU Prime (lattice-based, NIST candidate)

  • x25519: Classical elliptic-curve Diffie-Hellman

  • Hybrid: Both must be broken to compromise the key exchange

Verification

# Check which KEX is used
ssh -v hostname 2>&1 | grep "kex:"

# Expected output:
# debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com