-rw-r--r-- | factory-default/net-misc/openssh/etc/ssh/ssh_config | 41 | ||||
-rw-r--r-- | factory-default/net-misc/openssh/etc/ssh/sshd_config | 7 |
2 files changed, 43 insertions, 5 deletions
diff --git a/factory-default/net-misc/openssh/etc/ssh/ssh_config b/factory-default/net-misc/openssh/etc/ssh/ssh_config
index b3715be2..565f483a 100644
--- a/factory-default/net-misc/openssh/etc/ssh/ssh_config
+++ b/factory-default/net-misc/openssh/etc/ssh/ssh_config
@@ -16,10 +16,45 @@
 # ssh_config(5) man page.
 
 Host *
+ # Hash host names and addresses when they are added to
+ # ~/.ssh/known_hosts
+ HashKnownHosts yes
+
+ # Check the host IP address in the known_hosts file
+ CheckHostIP yes
+
+ # Key algorithms that the client wants to use in order of preference
+ HostKeyAlgorithms ssh-ed25519,ssh-rsa
+
+ # Ciphers allowed and their order of preference
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+
+ # Available KEX (Key Exchange) algorithms
+ KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+ # MAC (message authentication code) algorithms in order of preference
+ MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+ # ssh-rsa
+ PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
+
+ # Disable compression
+ Compression no
+
+ # Disable rhosts based authentication
+ HostbasedAuthentication no
+
+ # Order in which the client should try authentication methods
+ PreferredAuthentications publickey,keyboard-interactive,password
+
 # Do not forward authentication agent to the remote machine
 ForwardAgent no
+
 # Do not forward X11 connections over the secure channel
 ForwardX11 no
- # Hash host names and addresses when they are added to
- # ~/.ssh/known_hosts
- HashKnownHosts yes
+
+ # Automatically add new host keys to the user known hosts files
+ StrictHostKeyChecking accept-new
+
+ # Accept notifications of additional hostkeys
+ UpdateHostKeys yes
diff --git a/factory-default/net-misc/openssh/etc/ssh/sshd_config b/factory-default/net-misc/openssh/etc/ssh/sshd_config
index 59f5fad9..3f0d125a 100644
--- a/factory-default/net-misc/openssh/etc/ssh/sshd_config
+++ b/factory-default/net-misc/openssh/etc/ssh/sshd_config
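Review bot: In the ssh_config hunk, `ssh-rsa` in the new `HostKeyAlgorithms` and `PubkeyAcceptedKeyTypes` lines names the RSA signature scheme that uses SHA-1, so this client default still accepts SHA-1 signatures for host and user keys; `HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256` (and the same list for `PubkeyAcceptedKeyTypes`) keeps RSA keys usable with SHA-2, provided the packaged OpenSSH knows those names. The `# ssh-rsa` comment above `PubkeyAcceptedKeyTypes` does not say what the option controls; `# Public key signature algorithms offered for user authentication` would. `StrictHostKeyChecking accept-new` stores a first-seen host key without showing its fingerprint, so the comment should state that only changed keys are rejected and that first contact is trusted unverified.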
@@ -25,10 +25,10 @@ LoginGraceTime 5s
 PermitRootLogin no
 
 # Available KEX (Key Exchange) algorithms
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
+KexAlgorithms curve25519-sha256@libssh.org
 
 # Available ciphers
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+Ciphers chacha20-poly1305@openssh.com
 
 # Available MAC (message authentication code) algorithms
 MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
@@ -57,6 +57,9 @@ PermitEmptyPasswords no
 # Disable s/key passwords
 ChallengeResponseAuthentication no
 
+# Disallow keyboard-interactive authentication
+KbdInteractiveAuthentication no
+
 # Deny ssh-agent(1) forwarding
 AllowAgentForwarding no
 
|
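Review bot: In the `@@ -25,10` hunk of sshd_config, `Ciphers chacha20-poly1305@openssh.com` drops `aes256-gcm@openssh.com`, the AEAD cipher that is not affected by the Terrapin prefix-truncation attack, and leaves only the one that is affected unless both peers negotiate strict key exchange. Whether the packaged sshd supports strict key exchange is not visible here, so keeping `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com` looks like the safer default. With an AEAD-only cipher list the unchanged `MACs` line has no effect, because the cipher carries its own integrity tag. The single `KexAlgorithms` entry leaves no fallback for clients without `curve25519-sha256@libssh.org`; a comment such as `# Single KEX and cipher by design: clients must support curve25519 and chacha20-poly1305` would record that this is intentional.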
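Review bot: In the `@@ -57,6` hunk, the new `KbdInteractiveAuthentication no` sits directly under `ChallengeResponseAuthentication no`, and the comments do not explain why both lines are needed. In recent OpenSSH releases `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication`, and in older ones the latter defaults to the value of the former, so the pair probably sets the same behaviour twice; which release is packaged is not visible here. A comment above the pair such as `# Both keywords kept for compatibility; newer sshd treats ChallengeResponseAuthentication as an alias of KbdInteractiveAuthentication` would stop a later edit from changing one line and leaving the other.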