Message-ID: <945df863-320b-45d6-9e7d-9aeacb901af4@ipfire.org>
Date: Sun, 28 Sep 2025 21:06:00 +0000
Subject: [PATCH 3/3] ssh_config: Fix indentation mangled by Vim
From: Peter Müller
To: "IPFire: Development"
References: <5d3b4fdd-fe49-4997-b00c-c2fd723f0e4a@ipfire.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Peter Müller
---
 config/ssh/ssh_config | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config
index 2fc62e116..66cb0c2cc 100644
--- a/config/ssh/ssh_config
+++ b/config/ssh/ssh_config
@@ -5,30 +5,30 @@ # Set some basic hardening options for all connections Host * - # Disable undocumented roaming feature as it is known to be vulnerable - UseRoaming no + # Disable undocumented roaming feature as it is known to be vulnerable + UseRoaming no - # Only use secure crypto algorithms - KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + # Only use secure crypto algorithms + KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com - # Always visualise server host keys (helps to identify key based MITM attacks) - VisualHostKey yes + # Always visualise server host keys (helps to identify key based MITM attacks) + VisualHostKey yes - # Use SSHFP (might work on some up-to-date networks) to look up host keys - VerifyHostKeyDNS yes + # Use SSHFP (might work on some up-to-date networks) to look up host keys + VerifyHostKeyDNS yes - # Send SSH-based keep alive messages to connected server to avoid broken connections - ServerAliveInterval 10 - ServerAliveCountMax 30 + # Send SSH-based keep alive messages to connected server to avoid broken connections + ServerAliveInterval 10 + ServerAliveCountMax 30 # Disable TCP keep alive messages since they can be spoofed and we have SSH-based # keep alive messages 
enabled; there is no need to do things twice here TCPKeepAlive no - # Ensure only allowed authentication methods are used - PreferredAuthentications publickey,keyboard-interactive,password + # Ensure only allowed authentication methods are used + PreferredAuthentications publickey,keyboard-interactive,password # Prevent information leak by hashing ~/.ssh/known_hosts HashKnownHosts yes -- 2.51.0
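Review bot: the commit has no body, and the subject says only that Vim mangled the indentation without stating what the intended indentation is (tabs or spaces, and at what depth), so a reader of the log cannot tell which side of the hunk is the "correct" one; please add a short body naming the target indentation. In the hunk every removed line is re-added with identical text, so this should be a pure whitespace change; it is worth confirming that with `git show -w` producing an empty diff before merging, so that no accidental edit to the `KexAlgorithms`, `Ciphers` or `MACs` lists rides along with the reformat. The lines kept as unchanged context (the TCP keep-alive comment, `TCPKeepAlive no` and `HashKnownHosts yes`) evidently already carry the intended indentation and are the natural reference for the rest of the `Host *` block; saying so in the body would make the intent reviewable from the log alone.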