From 87e5b7f36a0c3f96eef11da53763f4e46eb0b853 Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Tue, 20 Aug 2019 23:15:45 +0100
Subject: factory-default: Harden net-misc/openssh config
---
 .../net-misc/openssh/etc/ssh/ssh_config | 41 ++++++++++++++++++++--
 .../net-misc/openssh/etc/ssh/sshd_config | 7 ++--
 2 files changed, 43 insertions(+), 5 deletions(-)
(limited to 'factory-default')
diff --git a/factory-default/net-misc/openssh/etc/ssh/ssh_config b/factory-default/net-misc/openssh/etc/ssh/ssh_config
index b3715be2..565f483a 100644
--- a/factory-default/net-misc/openssh/etc/ssh/ssh_config
+++ b/factory-default/net-misc/openssh/etc/ssh/ssh_config
@@ -16,10 +16,45 @@ # ssh_config(5) man page.
 Host *
+ # Hash host names and addresses when they are added to
+ # ~/.ssh/known_hosts
+ HashKnownHosts yes
+
+ # Check the host IP address in the known_hosts file
+ CheckHostIP yes
+
+ # Key algorithms that the client wants to use in order of preference
+ HostKeyAlgorithms ssh-ed25519,ssh-rsa
+
+ # Ciphers allowed and their order of preference
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+
+ # Available KEX (Key Exchange) algorithms
+ KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+
+ # MAC (message authentication code) algorithms in order of preference
+ MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+
+ # ssh-rsa
+ PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
+
+ # Disable compression
+ Compression no
+
+ # Disable rhosts based authentication
+ HostbasedAuthentication no
+
+ # Order in which the client should try authentication methods
+ PreferredAuthentications publickey,keyboard-interactive,password
+
 # Do not forward authentication agent to the remote machine
 ForwardAgent no
+
 # Do not forward X11 connections over the secure channel
 ForwardX11 no
- # Hash host names and addresses when they are added to
- # ~/.ssh/known_hosts
- HashKnownHosts yes
+
+ # Automatically add new host keys to the user known hosts files
+ StrictHostKeyChecking accept-new
+
+ # Accept notifications of additional hostkeys
+ UpdateHostKeys yes
diff --git a/factory-default/net-misc/openssh/etc/ssh/sshd_config b/factory-default/net-misc/openssh/etc/ssh/sshd_config
index 59f5fad9..3f0d125a 100644
--- a/factory-default/net-misc/openssh/etc/ssh/sshd_config
+++ b/factory-default/net-misc/openssh/etc/ssh/sshd_config
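Review bot: `HostKeyAlgorithms ssh-ed25519,ssh-rsa` and `PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa` in the added `Host *` block still admit `ssh-rsa`, which in these two lists names the RSA signature scheme over SHA-1 rather than RSA keys in general; the SHA-2 schemes `rsa-sha2-512` and `rsa-sha2-256` work with the same RSA keys and are what a hardening change should prefer. I would change the two lines to `HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256` and `PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256`, keeping `ssh-rsa` at the end only if this client must still reach servers that predate the SHA-2 schemes. The comment `# ssh-rsa` above `PubkeyAcceptedKeyTypes` does not describe the directive; `# Signature algorithms accepted for user public key authentication, in order of preference` would. Whether the `Host *` block continues beyond the end of the hunk is not visible here.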
@@ -25,10 +25,10 @@ LoginGraceTime 5s
 PermitRootLogin no
 # Available KEX (Key Exchange) algorithms
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
+KexAlgorithms curve25519-sha256@libssh.org
 # Available ciphers
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+Ciphers chacha20-poly1305@openssh.com
 # Available MAC (message authentication code) algorithms
 MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
@@ -57,6 +57,9 @@ PermitEmptyPasswords no
 # Disable s/key passwords
 ChallengeResponseAuthentication no
+# Disallow keyboard-interactive authentication
+KbdInteractiveAuthentication no
+
 # Deny ssh-agent(1) forwarding
 AllowAgentForwarding no
-- cgit v1.2.3
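Review bot: `KexAlgorithms curve25519-sha256@libssh.org` now leaves a single method under its pre-standardisation name; the IANA name `curve25519-sha256` (RFC 8731, accepted by OpenSSH since 7.4) is the same exchange, and a client that offers only the standard name would be refused with no fallback now that `ecdh-sha2-nistp521` is gone. I would write `KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org` so both spellings of the one remaining method are accepted. With `Ciphers chacha20-poly1305@openssh.com` as the only cipher, the `MACs` line two lines below is never consulted, since that cipher carries its own authentication; a comment above it such as `# Only used by non-AEAD ciphers; unused while Ciphers lists chacha20-poly1305 alone` would keep the next reader from tuning a dead setting.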
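Review bot: `KbdInteractiveAuthentication no` is added right after `ChallengeResponseAuthentication no`, but the comment `# Disable s/key passwords` above the pair is stale: both directives govern the same keyboard-interactive mechanism (including PAM prompts when PAM is in use), and later OpenSSH releases treat `ChallengeResponseAuthentication` as a deprecated alias of `KbdInteractiveAuthentication`. One comment over both, `# Disable keyboard-interactive / challenge-response authentication (incl. PAM prompts)`, would say why both are set. `PasswordAuthentication` is outside this hunk, so these two lines alone do not establish a key-only policy. The client `PreferredAuthentications` in this same commit still lists `keyboard-interactive`, which is harmless but inconsistent with this server default.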