SSH Defence against APTs and Quantum Computers
| Layer | Control | Configuration |
|---|---|---|
| Network | IP whitelisting | Admin VPN and WireGuard clients only |
| Transport | Key exchange | mlkem768x25519-sha256, sntrup761x25519-sha512 (post-quantum hybrid) |
| Transport | Cipher | aes256-gcm@openssh.com (AEAD) |
| Transport | MACs | umac-128-etm, hmac-sha2-256-etm, hmac-sha2-512-etm |
| Authentication | Method | Public key only (Ed25519) |
| ZTZT | Fail2ban | Permanent ban after 1 failed attempt |
| Key Security | Private key protection | Argon2id (20 passes, 64MB), 24-char passphrase |
| Key Security | Key rotation | Monthly |
| Standards | Exceeds | CIS, STIG, ssh-audit, lynis |
Complementary Defensive Techniques
| Technique | Purpose | Maturity |
|---|---|---|
| DNSSEC + SSHFP Records | Cryptographically validates host keys to prevent spoofing/MITM | Meets Standards |
| Strong Privilege Escalation Controls | Memory-hard hashing for sudo | Exceeds Standards |
Threat Scenarios & Feasibility
| Scenario | Required Investment | Feasibility |
|---|---|---|
| Supply Chain / Public Key Theft | $2.5M – $8M+ | Very Low |
| ISP/CSP Man-in-the-Middle (MITM) | $3M – $20M+ | Very Low |
| Private Key Theft (no passphrase) | $4B+ (or centuries of compute) | Very Low |
All scenarios are independently protected by multiple distinct layers, making simultaneous compromise economically and technically infeasible for non-nation-state actors.