SSH audit reports unsafe or weak algorithms

[drakkan]

I periodically receive private emails like this one:

I wanted to raise the awareness about the algorithms being used by OpenSSH 6.5 that's being utilized by SFTPGo.
I ran an audit with ssh_audit, and found that some of the algorithms used by SFTPGo are considered weak or unsafe, please find attached the audit log.

[drakkan]

You are using the default configuration.

If you don't mind to be compatible with slightly older clients you can easily configure SFTPGo to pass the audit performed using ssh_audit.

Here is a sample config diff:

-    "host_keys": [],
-    "kex_algorithms": [],
+    "host_keys": ["id_ed25519"],
+    "kex_algorithms": ["[email protected]"],
     "ciphers": [],
-    "macs": [],
+    "macs": ["[email protected]"],

Please note that SFTPGo is not related to OpenSSH in any way, it doesn't use OpenSSH 6.5 or any other version. It is based on the Go crypto/ssh stack.