author | Jose Luis Duran <jlduran@users.noreply.github.com> | 2016-03-23 06:44:53 -0300 |
---|---|---|
committer | Stephen Beaver <sbeaver@netgate.com> | 2016-06-22 10:06:33 -0400 |
commit | a9274a80842ca5e1b533b85b6f0999de64f2e99b (patch) | |
tree | 42f2e578c86882fe5c97ae9463f258426393fe61 | |
parent | 384ffced2afdf11d1ef42ba6423f0776162f59c4 (diff) | |
download | pfsense-a9274a80842ca5e1b533b85b6f0999de64f2e99b.zip pfsense-a9274a80842ca5e1b533b85b6f0999de64f2e99b.tar.gz |
Harden sshd_config
The changes are better explained in the following article:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
(cherry picked from commit dca77360ffe868327d82c20834eceb1079d5823b)
-rwxr-xr-x | src/etc/sshd | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/src/etc/sshd b/src/etc/sshd
index b893c91..cd5c647 100755
--- a/src/etc/sshd
+++ b/src/etc/sshd
@@ -47,7 +47,6 @@
 $keys = array(
 array('type' => 'rsa', 'suffix' => 'rsa_'),
- array('type' => 'ecdsa', 'suffix' => 'ecdsa_'),
 array('type' => 'ed25519', 'suffix' => 'ed25519_')
 );
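Review bot: Dropping the ecdsa entry from `$keys` means sshd stops advertising the ECDSA host key, so any administrator or automation whose known_hosts pinned that key will be shown the host under a different key type on the next connection and must re-verify it; that operational effect is worth a line in the commit message. The array is consumed by the `HostKey` loop in the next hunk and presumably by key-generation code above this hunk, so confirm the generator no longer creates the ECDSA key and consider removing the now-unreferenced `ssh_host_ecdsa_key*` files from `$sshConfigDir` rather than leaving them on disk.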
@@ -98,36 +97,40 @@
 }
 /* Include default configuration for pfSense */
+ /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */
 $sshconf = "# This file is automatically generated at startup\n";
- $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
- $sshconf .= "PermitRootLogin yes\n";
- $sshconf .= "Compression yes\n";
- $sshconf .= "ClientAliveInterval 30\n";
- $sshconf .= "UseDNS no\n";
- $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
+ /* Run the server on another port if we have one defined */
+ $sshconf .= "Port $sshport\n";
+ /* Only allow protocol 2, because we say so */
+ $sshconf .= "Protocol 2\n";
 foreach ($keys as $key) {
 $sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n";
 }
+ $sshconf .= "Compression yes\n";
+ $sshconf .= "ClientAliveInterval 30\n";
+ $sshconf .= "PermitRootLogin yes\n";
 if (isset($config['system']['ssh']['sshdkeyonly'])) {
 $sshconf .= "# Login via Key only\n";
- $sshconf .= "PasswordAuthentication no\n";
 $sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PasswordAuthentication no\n";
 $sshconf .= "PubkeyAuthentication yes\n";
 } else {
 $sshconf .= "# Login via Key and Password\n";
- $sshconf .= "PasswordAuthentication yes\n";
 $sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PasswordAuthentication yes\n";
 $sshconf .= "PubkeyAuthentication yes\n";
 }
- $sshconf .= "# override default of no subsystems\n";
- $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
- /* Only allow protocol 2, because we say so */
- $sshconf .= "Protocol 2\n";
- /* Run the server on another port if we have one defined */
- $sshconf .= "Port $sshport\n";
+ $sshconf .= "UseDNS no\n";
+ $sshconf .= "UsePAM no\n";
+ $sshconf .= "LoginGraceTime 30s\n";
 /* Hide FreeBSD version */
 $sshconf .= "VersionAddendum none\n";
- $sshconf .= "LoginGraceTime 30s\n";
+ $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
+ $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n";
+ $sshconf .= "# override default of no subsystems\n";
+ $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";
 /* Apply package SSHDCond settings if config file exists */
 if (file_exists("/etc/sshd_extra")) { |
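Review bot: `UsePAM no` is a new authentication-behaviour change that the commit message does not mention and that, as far as I can tell, is not among the cited article's recommendations: with PAM disabled sshd skips PAM account and session processing, and on FreeBSD keyboard-interactive has no non-PAM backend, so the `ChallengeResponseAuthentication yes` line in the key-and-password branch is likely a no-op. If pfSense relies on PAM for its password checks or account restrictions this would either break password logins or silently drop those checks, so please confirm the intent and record it next to the line, e.g. `/* PAM deliberately disabled: sshd authenticates against the system password database directly */`, or keep the FreeBSD default by omitting the line. `diffie-hellman-group-exchange-sha256` is only as strong as the groups in `/etc/ssh/moduli`; the article pairs it with pruning moduli shorter than 2000 bits, which this commit does not do, so either add that step or limit `KexAlgorithms` to `curve25519-sha256@libssh.org`. `PermitRootLogin yes` survives this hardening pass unchanged; that is presumably deliberate for a firewall appliance administered as root, but a one-line comment saying so would stop the next reader from flagging it. The `}` on the hunk's first line closes a block that begins outside the hunk, so the surrounding control flow could not be reviewed here.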