From a9274a80842ca5e1b533b85b6f0999de64f2e99b Mon Sep 17 00:00:00 2001 From: Jose Luis Duran Date: Wed, 23 Mar 2016 06:44:53 -0300 Subject: Harden sshd_config The changes are better explained in the following article: https://stribika.github.io/2015/01/04/secure-secure-shell.html (cherry picked from commit dca77360ffe868327d82c20834eceb1079d5823b) --- src/etc/sshd | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) (limited to 'src/etc/sshd') diff --git a/src/etc/sshd b/src/etc/sshd index b893c91..cd5c647 100755 --- a/src/etc/sshd +++ b/src/etc/sshd @@ -47,7 +47,6 @@ $keys = array( array('type' => 'rsa', 'suffix' => 'rsa_'), - array('type' => 'ecdsa', 'suffix' => 'ecdsa_'), array('type' => 'ed25519', 'suffix' => 'ed25519_') ); @@ -98,36 +97,40 @@ } /* Include default configuration for pfSense */ + /* Taken from https://stribika.github.io/2015/01/04/secure-secure-shell.html */ $sshconf = "# This file is automatically generated at startup\n"; - $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"; - $sshconf .= "PermitRootLogin yes\n"; - $sshconf .= "Compression yes\n"; - $sshconf .= "ClientAliveInterval 30\n"; - $sshconf .= "UseDNS no\n"; - $sshconf .= "X11Forwarding no\n"; + $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n"; + /* Run the server on another port if we have one defined */ + $sshconf .= "Port $sshport\n"; + /* Only allow protocol 2, because we say so */ + $sshconf .= "Protocol 2\n"; foreach ($keys as $key) { $sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n"; } + $sshconf .= "Compression yes\n"; + $sshconf .= "ClientAliveInterval 30\n"; + $sshconf .= "PermitRootLogin yes\n"; if (isset($config['system']['ssh']['sshdkeyonly'])) { $sshconf .= "# Login via Key only\n"; - $sshconf .= "PasswordAuthentication no\n"; $sshconf .= "ChallengeResponseAuthentication no\n"; + $sshconf .= "PasswordAuthentication no\n"; $sshconf .= "PubkeyAuthentication yes\n"; } else { $sshconf .= "# Login via Key and Password\n"; - $sshconf .= "PasswordAuthentication yes\n"; $sshconf .= "ChallengeResponseAuthentication yes\n"; + $sshconf .= "PasswordAuthentication yes\n"; $sshconf .= "PubkeyAuthentication yes\n"; } - $sshconf .= "# override default of no subsystems\n"; - $sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n"; - /* Only allow protocol 2, because we say so */ - $sshconf .= "Protocol 2\n"; - /* Run the server on another port if we have one defined */ - $sshconf .= "Port $sshport\n"; + $sshconf .= "UseDNS no\n"; + $sshconf .= "UsePAM no\n"; + $sshconf .= "LoginGraceTime 30s\n"; /* Hide FreeBSD version */ $sshconf .= "VersionAddendum none\n"; - $sshconf .= "LoginGraceTime 30s\n"; + $sshconf .= "X11Forwarding no\n"; + $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n"; + $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n"; + $sshconf .= "# override default of no subsystems\n"; + $sshconf .= "Subsystem\tsftp\t/usr/libexec/sftp-server\n"; /* Apply package SSHDCond settings if config file exists */ if (file_exists("/etc/sshd_extra")) { -- cgit v1.1