-rwxr-xr-x | src/etc/sshd | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/src/etc/sshd b/src/etc/sshd
index b893c91..cd5c647 100755
--- a/src/etc/sshd
+++ b/src/etc/sshd
@@ -47,7 +47,6 @@
 $keys = array(
 array('type' => 'rsa', 'suffix' => 'rsa_'),
- array('type' => 'ecdsa', 'suffix' => 'ecdsa_'),
 array('type' => 'ed25519', 'suffix' => 'ed25519_')
 );
@@ -98,36 +97,40 @@
 }
 /* Include default configuration for pfSense */
+ /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */
 $sshconf = "# This file is automatically generated at startup\n";
- $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
- $sshconf .= "PermitRootLogin yes\n";
- $sshconf .= "Compression yes\n";
- $sshconf .= "ClientAliveInterval 30\n";
- $sshconf .= "UseDNS no\n";
- $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
+ /* Run the server on another port if we have one defined */
+ $sshconf .= "Port $sshport\n";
+ /* Only allow protocol 2, because we say so */
+ $sshconf .= "Protocol 2\n";
 foreach ($keys as $key) {
 $sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n";
 }
+ $sshconf .= "Compression yes\n";
+ $sshconf .= "ClientAliveInterval 30\n";
+ $sshconf .= "PermitRootLogin yes\n";
 if (isset($config['system']['ssh']['sshdkeyonly'])) {
 $sshconf .= "# Login via Key only\n";
- $sshconf .= "PasswordAuthentication no\n";
 $sshconf .= "ChallengeResponseAuthentication no\n";
+ $sshconf .= "PasswordAuthentication no\n";
 $sshconf .= "PubkeyAuthentication yes\n";
 } else {
 $sshconf .= "# Login via Key and Password\n";
- $sshconf .= "PasswordAuthentication yes\n";
 $sshconf .= "ChallengeResponseAuthentication yes\n";
+ $sshconf .= "PasswordAuthentication yes\n";
 $sshconf .= "PubkeyAuthentication yes\n";
 }
- $sshconf .= "# override default of no subsystems\n";
- $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
- /* Only allow protocol 2, because we say so */
- $sshconf .= "Protocol 2\n";
- /* Run the server on another port if we have one defined */
- $sshconf .= "Port $sshport\n";
+ $sshconf .= "UseDNS no\n";
+ $sshconf .= "UsePAM no\n";
+ $sshconf .= "LoginGraceTime 30s\n";
 /* Hide FreeBSD version */
 $sshconf .= "VersionAddendum none\n";
- $sshconf .= "LoginGraceTime 30s\n";
+ $sshconf .= "X11Forwarding no\n";
+ $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
+ $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n";
+ $sshconf .= "# override default of no subsystems\n";
+ $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n";
 /* Apply package SSHDCond settings if config file exists */
 if (file_exists("/etc/sshd_extra")) { |
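Review bot: `UsePAM no` is added on the new side without a comment explaining the intent, and it changes more than the cipher, MAC and KEX hardening the cited guide is about: on FreeBSD keyboard-interactive authentication is presumably served through PAM, so the `ChallengeResponseAuthentication yes` kept in the key-and-password branch would be left with no backend and PAM account/session checks would be skipped for password logins — worth confirming against the target OpenSSH build before this ships. A comment next to that line such as `/* UsePAM no: keyboard-interactive via PAM is disabled; password auth is verified by sshd directly */` would record the decision for the next reader. The new `KexAlgorithms` line keeps `diffie-hellman-group-exchange-sha256`, whose strength depends on the entries in the system moduli file, which this commit does not touch; the referenced guide also prunes the small moduli, so that step should either be tracked separately or the group-exchange method dropped. The surrounding script code continues on both sides of the hunk.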