While there is a pretty decent choice of FTPS ciphers available, up to and including TLS 1.3, SFTP seems to be a bit behind the times.
The only host key algorithms currently supported are DSA and RSA. DSA is already almost unusable in practice, and RSA has also been disabled by default in recent OpenSSH versions, for example.
It would be helpful to support:
- Multiple host keys using different algorithms, so that migrating to modern algorithms is not a "big bang" operation.
- ED25519, ED448, ECDSA, EDDSA would be great to support.
- The variants that employ certificates would also be great, since PKI support is a feature SSH lacked for a long time. (host key fingerprint vs. public CA)
Key exchange algorithms could also use some love, even though that is the part that currently has the most options:
- Curve25519, Curve448, DH groups 15, 17, 18 maybe?
Good ciphers are also just a few currently, because CBC is not a good choice for this application, leaving only options that use either a counter-mode (CTR, GCM) or are not CBC-based:
- ChaCha20-Poly1305, AEAD-AES-GCM (built-in MAC), AES-GCM, Blowfish-CTR, TwoFish-CTR, CAST128-CTR, Serpent-CTR
I'm uncertain about which MAC algorithms to suggest. Even HMAC-SHA1 is currently still considered OK, because the issues with SHA1 don't affect HMAC much.
Maybe looking at what the most recent OpenSSH version uses as defaults would also be good guidance.
I realize that there's about a million SFTP clients out there, and most of them are terrible, but soon we'll even run out of good options on the server side of things.
Our server is already down to just 1 cipher (AES CTR), 2 host key algorithms (RSA+SHA1 / RSA+SHA2), 2 MAC algorithms (HMAC-SHA1, HMAC-SHA2).
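A quick way to see where a server stands against the algorithms discussed in this request is to read the KEXINIT proposal that `ssh -vv` prints and compare it with what current OpenSSH clients still enable by default. The script below is an added example, not code from the original post or from the project it is filed against; the `debug2: ...` line format is assumed from OpenSSH's debug output, and the sample log is constructed to match the server described above (AES-CTR only, RSA host keys, HMAC-SHA1/SHA2).

```python
"""Audit the algorithm lists an SSH/SFTP server advertises.

Added example, not part of the original post. It parses the KEXINIT
proposal lines that `ssh -vv` prints (the "debug2: <category>: a,b,c"
line format is assumed from OpenSSH's debug output) and reports
algorithms that recent OpenSSH clients no longer enable by default,
plus modern ones the server does not offer yet.
"""
import re

# Constructed sample log: a server that only offers AES-CTR, RSA host
# keys (SHA-1 and SHA-2 signatures) and HMAC-SHA1/SHA2, like the one in the post.
SAMPLE_DEBUG = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
debug2: host key algorithms: ssh-rsa,rsa-sha2-256
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
"""

# Algorithms a recent OpenSSH client rejects unless explicitly re-enabled:
# ssh-dss left the defaults in OpenSSH 7.0, ssh-rsa (RSA with SHA-1
# signatures) in 8.8; CBC ciphers, RC4 and MD5 MACs have been out for years.
# hmac-sha1 is deliberately NOT listed here: it is still in the defaults.
LEGACY = {
    "host key algorithms": {"ssh-dss", "ssh-rsa"},
    "KEX algorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                       "diffie-hellman-group-exchange-sha1"},
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "blowfish-cbc",
                "cast128-cbc", "arcfour", "arcfour128", "arcfour256"},
    "MACs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}

# Modern algorithms the post asks for, in SSH wire-name form.
RECOMMENDED = {
    "host key algorithms": {"ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"},
    "KEX algorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                       "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr"},
    "MACs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}

# "ctos"/"stoc" suffixes mark per-direction lists; they are folded into one category.
LINE_RE = re.compile(r"^debug2: (KEX algorithms|host key algorithms|ciphers|MACs)(?: [cs]to[cs])?: (.*)$")


def parse_proposal(debug_output):
    """Return {category: set(algorithm names)} parsed from ssh -vv style lines."""
    offered = {}
    for line in debug_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            offered.setdefault(m.group(1), set()).update(
                a for a in m.group(2).split(",") if a)
    return offered


def audit(debug_output):
    """Return {category: {"legacy": [...], "missing": [...]}} for the proposal."""
    offered = parse_proposal(debug_output)
    report = {}
    for category, algs in offered.items():
        report[category] = {
            "legacy": sorted(algs & LEGACY.get(category, set())),
            "missing": sorted(RECOMMENDED.get(category, set()) - algs),
        }
    return report


if __name__ == "__main__":
    for category, result in audit(SAMPLE_DEBUG).items():
        print(f"{category}: legacy={result['legacy']} missing={result['missing']}")
```

Run it against a real capture with `ssh -vv user@host 2>&1 | python3 audit.py`-style piping by replacing `SAMPLE_DEBUG` with `sys.stdin.read()`; the report makes the "big bang" problem concrete, since `ssh-rsa` shows up as legacy while no modern host key algorithm is offered alongside it.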