authorStephen Beaver <sbeaver@netgate.com>2016-06-22 10:05:40 -0400
committerStephen Beaver <sbeaver@netgate.com>2016-06-22 10:05:40 -0400
commit90913bc71020950289c1502fac4286f0633d6dff (patch)
treed11b0913cca12cad82c4ae39df520aaa8242f300 /src
parent55f67b5abd9b809807e328477779d97120908273 (diff)
parent971257cbdf687c79943237b6c2f5e37c596318af (diff)
downloadpfsense-90913bc71020950289c1502fac4286f0633d6dff.zip
pfsense-90913bc71020950289c1502fac4286f0633d6dff.tar.gz
Merge pull request #2783 from jlduran/harden-sshd_config
Diffstat (limited to 'src')
-rwxr-xr-xsrc/etc/sshd37
1 files changed, 20 insertions, 17 deletions
diff --git a/src/etc/sshd b/src/etc/sshd
index b893c91..eebd601 100755
--- a/src/etc/sshd
+++ b/src/etc/sshd
@@ -47,7 +47,6 @@
$keys = array(
array('type' => 'rsa', 'suffix' => 'rsa_'),
- array('type' => 'ecdsa', 'suffix' => 'ecdsa_'),
array('type' => 'ed25519', 'suffix' => 'ed25519_')
);
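Review bot: Dropping the ecdsa entry from `$keys` is presumably deliberate hardening (the next hunk cites the stribika guide), but nothing in the file records why, so a maintainer could re-add it later — and the unconditional `-b 4096` this same commit passes to ssh-keygen would presumably be rejected for an ecdsa key, which only accepts 256/384/521. A one-line comment above the array, such as `/* ecdsa deliberately omitted: NIST P-curve host keys are not offered */`, would preserve the rationale. Note that an ecdsa host key file already present on upgraded systems is simply left on disk unreferenced; that seems harmless but is worth knowing.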
@@ -98,36 +97,40 @@
}
/* Include default configuration for pfSense */
+ /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */
$sshconf = "# This file is automatically generated at startup\n";
- $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
- $sshconf .= "PermitRootLogin yes\n";
- $sshconf .= "Compression yes\n";
- $sshconf .= "ClientAliveInterval 30\n";
- $sshconf .= "UseDNS no\n";
- $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
+ /* Run the server on another port if we have one defined */
+ $sshconf .= "Port $sshport\n";
+ /* Only allow protocol 2, because we say so */
+ $sshconf .= "Protocol 2\n";
foreach ($keys as $key) {
$sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n";
}
+ $sshconf .= "Compression yes\n";
+ $sshconf .= "ClientAliveInterval 30\n";
+ $sshconf .= "PermitRootLogin yes\n";
if (isset($config['system']['ssh']['sshdkeyonly'])) {
$sshconf .= "# Login via Key only\n";
- $sshconf .= "PasswordAuthentication no\n";
$sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PasswordAuthentication no\n";
$sshconf .= "PubkeyAuthentication yes\n";
} else {
$sshconf .= "# Login via Key and Password\n";
- $sshconf .= "PasswordAuthentication yes\n";
$sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PasswordAuthentication yes\n";
$sshconf .= "PubkeyAuthentication yes\n";
}
- $sshconf .= "# override default of no subsystems\n";
- $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
- /* Only allow protocol 2, because we say so */
- $sshconf .= "Protocol 2\n";
- /* Run the server on another port if we have one defined */
- $sshconf .= "Port $sshport\n";
+ $sshconf .= "UseDNS no\n";
+ $sshconf .= "UsePAM no\n";
+ $sshconf .= "LoginGraceTime 30s\n";
/* Hide FreeBSD version */
$sshconf .= "VersionAddendum none\n";
- $sshconf .= "LoginGraceTime 30s\n";
+ $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
+ $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n";
+ $sshconf .= "# override default of no subsystems\n";
+ $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";
/* Apply package SSHDCond settings if config file exists */
if (file_exists("/etc/sshd_extra")) {
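Review bot: The new `Ciphers`, `MACs` and `KexAlgorithms` lines hard-code algorithm names, and sshd rejects the entire config if any single name is unknown to the installed OpenSSH (the ripemd160 MACs on the `MACs` line, for example, were dropped from later OpenSSH releases), so an OpenSSH upgrade could leave the firewall without SSH access rather than with a slightly weaker list. Validating the generated file with `sshd -t -f <generated path>` before starting the daemon, or at least a comment stating which OpenSSH version these lists were checked against, would make that failure mode visible. `UsePAM no` also does more than harden: it bypasses PAM account and session checks for SSH logins, and on FreeBSD it presumably leaves the `ChallengeResponseAuthentication yes` branch without a keyboard-interactive backend, so password logins would fall back to direct passwd-file authentication — worth confirming that is intended. The enclosing function starts and ends outside the hunk.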
@@ -175,7 +178,7 @@
mark_subsystem_dirty('sshdkeys');
echo " Generating Keys:\n";
foreach ($generate_keys as $key) {
- $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$key['type']} -N '' -f {$sshConfigDir}/ssh_host_{$key['suffix']}key");
+ $_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t {$key['type']} -b 4096 -N '' -f {$sshConfigDir}/ssh_host_{$key['suffix']}key");
}
clear_subsystem_dirty('sshdkeys');
file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys. SSH is now started.", "SSH Startup", "");
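Review bot: The ssh-keygen call now passes `-b 4096` for every entry in `$generate_keys`, but its exit status is still discarded (only the last output line lands in `$_gb`), so a key type that rejects that size fails silently and the `file_notice` below still reports that key creation completed. Capturing the status and reporting it, e.g. `$_gb = exec("...same command...", $output, $retval);` followed by `if ($retval !== 0) { file_notice("SSH", "ssh-keygen failed for the {$key['type']} host key", "SSH Startup", ""); }`, would surface the problem at boot. For ed25519 the `-b` flag is ignored by ssh-keygen, so the size effectively applies to rsa only; a comment saying so on the exec line would avoid confusion. The enclosing block starts outside the hunk.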