authorBertrand Jacquin <bertrand@jacquin.bzh>2019-08-20 23:15:45 +0100
committerBertrand Jacquin <bertrand@jacquin.bzh>2019-08-21 01:05:32 +0100
commit87e5b7f36a0c3f96eef11da53763f4e46eb0b853 (patch)
tree6bc607d54231bd62fe780d59c07d0e9c3365aee9 /factory-default
parentprofiles/raspberry-pi: move nginx keywords (diff)
factory-default: Harden net-misc/openssh config
Diffstat (limited to 'factory-default')
-rw-r--r--factory-default/net-misc/openssh/etc/ssh/ssh_config41
-rw-r--r--factory-default/net-misc/openssh/etc/ssh/sshd_config7
2 files changed, 43 insertions, 5 deletions
diff --git a/factory-default/net-misc/openssh/etc/ssh/ssh_config b/factory-default/net-misc/openssh/etc/ssh/ssh_config
index b3715be2..565f483a 100644
--- a/factory-default/net-misc/openssh/etc/ssh/ssh_config
+++ b/factory-default/net-misc/openssh/etc/ssh/ssh_config
@@ -16,10 +16,45 @@
# ssh_config(5) man page.
Host *
+ # Hash host names and addresses when they are added to
+ # ~/.ssh/known_hosts
+ HashKnownHosts yes
+
+ # Check the host IP address in the known_hosts file
+ CheckHostIP yes
+
+ # Key algorithms that the client wants to use in order of preference
+ HostKeyAlgorithms ssh-ed25519,ssh-rsa
+
+ # Ciphers allowed and their order of preference
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+
+ # Available KEX (Key Exchange) algorithms
+ KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+ # MAC (message authentication code) algorithms in order of preference
+ MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+ # ssh-rsa
+ PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
+
+ # Disable compression
+ Compression no
+
+ # Disable rhosts based authentication
+ HostbasedAuthentication no
+
+ # Order in which the client should try authentication methods
+ PreferredAuthentications publickey,keyboard-interactive,password
+
# Do not forward authentication agent to the remote machine
ForwardAgent no
+
# Do not forward X11 connections over the secure channel
ForwardX11 no
- # Hash host names and addresses when they are added to
- # ~/.ssh/known_hosts
- HashKnownHosts yes
+
+ # Automatically add new host keys to the user known hosts files
+ StrictHostKeyChecking accept-new
+
+ # Accept notifications of additional hostkeys
+ UpdateHostKeys yes
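Review bot: In the `HostKeyAlgorithms` and `PubkeyAcceptedKeyTypes` lines, `ssh-rsa` names the RSA signature scheme over SHA-1, so RSA keys are limited to SHA-1 signatures even where the peer supports the SHA-2 variants; for a hardening change the lists would better read `HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256` and `PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256`, keeping `ssh-rsa` only if a legacy peer is known to need it. The comment `# ssh-rsa` above `PubkeyAcceptedKeyTypes` does not describe the option; `# Public key signature algorithms accepted for user authentication` would. The comment above `StrictHostKeyChecking accept-new` could also record the trade-off relative to `yes`: an unknown host is trusted on first contact, while a host whose key has changed is still refused.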
diff --git a/factory-default/net-misc/openssh/etc/ssh/sshd_config b/factory-default/net-misc/openssh/etc/ssh/sshd_config
index 59f5fad9..3f0d125a 100644
--- a/factory-default/net-misc/openssh/etc/ssh/sshd_config
+++ b/factory-default/net-misc/openssh/etc/ssh/sshd_config
@@ -25,10 +25,10 @@ LoginGraceTime 5s
PermitRootLogin no
# Available KEX (Key Exchange) algorithms
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
+KexAlgorithms curve25519-sha256@libssh.org
# Available ciphers
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+Ciphers chacha20-poly1305@openssh.com
# Available MAC (message authentication code) algorithms
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
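Review bot: `KexAlgorithms` on the new side keeps only the `@libssh.org` spelling of curve25519-sha256; OpenSSH also recognises the standardised `curve25519-sha256` name, which is the same algorithm but negotiated as a distinct identifier, so a client that offers only that spelling cannot complete key exchange with this server. If that interoperability matters, `KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org` keeps the single algorithm while accepting both names. The client list in ssh_config has the same single spelling, though it retains a DH group-exchange fallback.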
@@ -57,6 +57,9 @@ PermitEmptyPasswords no
# Disable s/key passwords
ChallengeResponseAuthentication no
+# Disallow keyboard-interactive authentication
+KbdInteractiveAuthentication no
+
# Deny ssh-agent(1) forwarding
AllowAgentForwarding no