author | Stephen Beaver <sbeaver@netgate.com> | 2016-06-22 10:05:40 -0400 |
---|---|---|
committer | Stephen Beaver <sbeaver@netgate.com> | 2016-06-22 10:05:40 -0400 |
commit | 90913bc71020950289c1502fac4286f0633d6dff (patch) | |
tree | d11b0913cca12cad82c4ae39df520aaa8242f300 /src | |
parent | 55f67b5abd9b809807e328477779d97120908273 (diff) | |
parent | 971257cbdf687c79943237b6c2f5e37c596318af (diff) | |
download | pfsense-90913bc71020950289c1502fac4286f0633d6dff.zip pfsense-90913bc71020950289c1502fac4286f0633d6dff.tar.gz |
Merge pull request #2783 from jlduran/harden-sshd_config
Diffstat (limited to 'src')
-rwxr-xr-x | src/etc/sshd | 37 |
1 files changed, 20 insertions, 17 deletions
diff --git a/src/etc/sshd b/src/etc/sshd
index b893c91..eebd601 100755
--- a/src/etc/sshd
+++ b/src/etc/sshd
@@ -47,7 +47,6 @@
 $keys = array(
 array('type' => 'rsa', 'suffix' => 'rsa_'),
- array('type' => 'ecdsa', 'suffix' => 'ecdsa_'),
 array('type' => 'ed25519', 'suffix' => 'ed25519_')
 );
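Review bot: Existing `ssh_host_ecdsa_key` files on already-deployed systems are left on disk by this change: removing the ecdsa entry from `$keys` only stops the HostKey line from being emitted, and nothing in this diff deletes the now-unreferenced ECDSA key pair under `$sshConfigDir`. Consider removing the stale key files when the type is dropped from the list, or add a comment next to the array stating that they are intentionally left in place. Clients whose known_hosts entry for this host only holds the ECDSA key will most likely be prompted to accept the RSA or ed25519 key after the upgrade, which is worth a release note. The `$keys` array is complete within this hunk; its surrounding code is not shown.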
@@ -98,36 +97,40 @@
 }
 /* Include default configuration for pfSense */
+ /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */
 $sshconf = "# This file is automatically generated at startup\n";
- $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
- $sshconf .= "PermitRootLogin yes\n";
- $sshconf .= "Compression yes\n";
- $sshconf .= "ClientAliveInterval 30\n";
- $sshconf .= "UseDNS no\n";
- $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
+ /* Run the server on another port if we have one defined */
+ $sshconf .= "Port $sshport\n";
+ /* Only allow protocol 2, because we say so */
+ $sshconf .= "Protocol 2\n";
 foreach ($keys as $key) {
 $sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n";
 }
+ $sshconf .= "Compression yes\n";
+ $sshconf .= "ClientAliveInterval 30\n";
+ $sshconf .= "PermitRootLogin yes\n";
 if (isset($config['system']['ssh']['sshdkeyonly'])) {
 $sshconf .= "# Login via Key only\n";
- $sshconf .= "PasswordAuthentication no\n";
 $sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PasswordAuthentication no\n";
 $sshconf .= "PubkeyAuthentication yes\n";
 } else {
 $sshconf .= "# Login via Key and Password\n";
- $sshconf .= "PasswordAuthentication yes\n";
 $sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PasswordAuthentication yes\n";
 $sshconf .= "PubkeyAuthentication yes\n";
 }
- $sshconf .= "# override default of no subsystems\n";
- $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
- /* Only allow protocol 2, because we say so */
- $sshconf .= "Protocol 2\n";
- /* Run the server on another port if we have one defined */
- $sshconf .= "Port $sshport\n";
+ $sshconf .= "UseDNS no\n";
+ $sshconf .= "UsePAM no\n";
+ $sshconf .= "LoginGraceTime 30s\n";
 /* Hide FreeBSD version */
 $sshconf .= "VersionAddendum none\n";
- $sshconf .= "LoginGraceTime 30s\n";
+ $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
+ $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n";
+ $sshconf .= "# override default of no subsystems\n";
+ $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";
 /* Apply package SSHDCond settings if config file exists */
 if (file_exists("/etc/sshd_extra")) {
@@ -175,7 +178,7 @@
 mark_subsystem_dirty('sshdkeys');
 echo " Generating Keys:\n";
 foreach ($generate_keys as $key) {
- $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$key['type']} -N '' -f {$sshConfigDir}/ssh_host_{$key['suffix']}key");
+ $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$key['type']} -b 4096 -N '' -f {$sshConfigDir}/ssh_host_{$key['suffix']}key");
 }
 clear_subsystem_dirty('sshdkeys');
 file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys. SSH is now started.", "SSH Startup", ""); |
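Review bot: The hard-coded `Ciphers`, `MACs` and `KexAlgorithms` lists added here make sshd's startup depend on every listed algorithm being known to the installed OpenSSH; sshd treats an unknown name in these directives as a fatal configuration error rather than skipping it, so a later base-system upgrade that drops one (the `hmac-ripemd160` MACs are the likeliest candidates) would leave the firewall without SSH access. Wherever the generated `$sshconf` is written out and the daemon started (outside this hunk), it would be safer to validate it first with `sshd -t -f <generated-config-path>` and keep the previous file on failure, or at least record the dependency: `/* NOTE: sshd refuses to start if any listed cipher/MAC/kex name is unknown to the installed OpenSSH; revisit these lists on base-system upgrades */`. Separately, `UsePAM no` disables PAM account and session handling for SSH logins while `ChallengeResponseAuthentication yes` is still emitted in the password branch; confirm that local-user password authentication on this platform does not go through PAM, otherwise keyboard-interactive logins would stop working without an obvious error. The function that builds and applies this configuration starts before and ends after this hunk.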
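Review bot: `-b 4096` is now passed to ssh-keygen for every entry in `$keys`, but ed25519 keys have a fixed length and ssh-keygen ignores `-b` for that type, so the flag only affects the rsa key while reading as if it applied to both. Restricting it to rsa makes the intent explicit: `$bits = ($key['type'] == 'rsa') ? ' -b 4096' : '';` followed by `$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$key['type']}{$bits} -N '' -f {$sshConfigDir}/ssh_host_{$key['suffix']}key");`. Note that this only changes keys generated through `$generate_keys`; RSA host keys already present on upgraded systems keep the size they were created with, which is worth stating in the release notes. The exit status of `exec()` is still not examined, so a failed keygen is only visible through the later file_notice reporting success; the enclosing block starts before this hunk.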