authorJose Luis Duran <jlduran@users.noreply.github.com>2016-03-23 06:44:53 -0300
committerStephen Beaver <sbeaver@netgate.com>2016-06-22 10:06:33 -0400
commita9274a80842ca5e1b533b85b6f0999de64f2e99b (patch)
tree42f2e578c86882fe5c97ae9463f258426393fe61
parent384ffced2afdf11d1ef42ba6423f0776162f59c4 (diff)
downloadpfsense-a9274a80842ca5e1b533b85b6f0999de64f2e99b.zip
pfsense-a9274a80842ca5e1b533b85b6f0999de64f2e99b.tar.gz
Harden sshd_config
The changes are better explained in the following article: https://stribika.github.io/2015/01/04/secure-secure-shell.html (cherry picked from commit dca77360ffe868327d82c20834eceb1079d5823b)
-rwxr-xr-xsrc/etc/sshd35
1 files changed, 19 insertions, 16 deletions
diff --git a/src/etc/sshd b/src/etc/sshd
index b893c91..cd5c647 100755
--- a/src/etc/sshd
+++ b/src/etc/sshd
@@ -47,7 +47,6 @@
$keys = array(
array('type' => 'rsa', 'suffix' => 'rsa_'),
- array('type' => 'ecdsa', 'suffix' => 'ecdsa_'),
array('type' => 'ed25519', 'suffix' => 'ed25519_')
);
@@ -98,36 +97,40 @@
}
/* Include default configuration for pfSense */
+ /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */
$sshconf = "# This file is automatically generated at startup\n";
- $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
- $sshconf .= "PermitRootLogin yes\n";
- $sshconf .= "Compression yes\n";
- $sshconf .= "ClientAliveInterval 30\n";
- $sshconf .= "UseDNS no\n";
- $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
+ /* Run the server on another port if we have one defined */
+ $sshconf .= "Port $sshport\n";
+ /* Only allow protocol 2, because we say so */
+ $sshconf .= "Protocol 2\n";
foreach ($keys as $key) {
$sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n";
}
+ $sshconf .= "Compression yes\n";
+ $sshconf .= "ClientAliveInterval 30\n";
+ $sshconf .= "PermitRootLogin yes\n";
if (isset($config['system']['ssh']['sshdkeyonly'])) {
$sshconf .= "# Login via Key only\n";
- $sshconf .= "PasswordAuthentication no\n";
$sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PasswordAuthentication no\n";
$sshconf .= "PubkeyAuthentication yes\n";
} else {
$sshconf .= "# Login via Key and Password\n";
- $sshconf .= "PasswordAuthentication yes\n";
$sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PasswordAuthentication yes\n";
$sshconf .= "PubkeyAuthentication yes\n";
}
- $sshconf .= "# override default of no subsystems\n";
- $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
- /* Only allow protocol 2, because we say so */
- $sshconf .= "Protocol 2\n";
- /* Run the server on another port if we have one defined */
- $sshconf .= "Port $sshport\n";
+ $sshconf .= "UseDNS no\n";
+ $sshconf .= "UsePAM no\n";
+ $sshconf .= "LoginGraceTime 30s\n";
/* Hide FreeBSD version */
$sshconf .= "VersionAddendum none\n";
- $sshconf .= "LoginGraceTime 30s\n";
+ $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
+ $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n";
+ $sshconf .= "# override default of no subsystems\n";
+ $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";
/* Apply package SSHDCond settings if config file exists */
if (file_exists("/etc/sshd_extra")) {
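Review bot: The added `MACs` line hard-codes `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, and sshd treats an algorithm name its build does not recognise as a fatal `Bad SSH2 mac spec` error while parsing sshd_config, so on a base system whose OpenSSH has dropped RIPEMD-160 (removed upstream in 7.2) this generated file would keep sshd from starting at all and lock administrators out of remote management. The diff does not show which OpenSSH version the target ships, so please confirm it, and either drop the two names — `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com` — or build the `Ciphers`/`MACs`/`KexAlgorithms` lists from `ssh -Q` output at generation time, since a static list has no fallback when the binary changes. Separately, the new `UsePAM no` is emitted while the "Key and Password" branch still writes `ChallengeResponseAuthentication yes`; on FreeBSD challenge-response authentication is normally PAM-backed, so that option presumably becomes a no-op and any PAM account/session policy is skipped for password logins — at minimum add a comment such as `/* UsePAM no: passwords are checked directly against the local user database, PAM policy is not applied */` or reconsider the setting. Note also that `diffie-hellman-group-exchange-sha256` is only as strong as the groups left in the moduli file, which the referenced article recommends pruning and this change does not do.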