From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 2/2] ssh_config: Do not set defaults explicitly Date: Mon, 20 Jan 2020 20:05:00 +0000 Message-ID: <6a71a56c-7894-adf3-23db-c8ede6bd41eb@ipfire.org> In-Reply-To: <0026bf7c-a550-0df8-8ee9-ac181047055e@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6023214207738210047==" List-Id: --===============6023214207738210047== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Signed-off-by: Peter M=C3=BCller --- config/ssh/ssh_config | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 2abfae6d1..2e2ee60c3 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -1,33 +1,32 @@ -# OpenSSH client configuration +# OpenSSH client configuration file for IPFire # -# set some basic hardening options for all connections +# The full documentation is available at: https://man.openbsd.org/ssh_config +# + +# Set some basic hardening options for all connections Host * - # disable Roaming as it is known to be vulnerable + # Disable Roaming as it is known to be vulnerable UseRoaming no =20 - # only use secure crypto algorithm + # Only use secure crypto algorithms KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-ex= change-sha256 Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes= 128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com= ,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com =20 - # always visualise server host keys (has no technical - # effect, but helps to identify key based MITM attacks) + # Always visualise server host keys (but helps to identify key based= MITM attacks) VisualHostKey yes =20 - # use SSHFP (might work on some up-to-date networks) to look up host= keys + # Use SSHFP (might work on some up-to-date networks) to look up host= keys VerifyHostKeyDNS yes =20 # send keep-alive messages to connected server to avoid broken conne= ctions ServerAliveInterval 10 ServerAliveCountMax 6 =20 - # disable X11 forwarding (security risk) - ForwardX11 no - - # always check server IP address - CheckHostIP yes - - # ensure only allowed authentication methods are used + # Ensure only allowed authentication methods are used PreferredAuthentications publickey,keyboard-interactive,password =20 + # Prevent information leak by hashing ~/.ssh/known_hosts + HashKnownHosts yes + # EOF --=20 2.16.4 --===============6023214207738210047==--