danwin1210/hosting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disabled RSA host key type (because small keys are generated by default), as well as ECDSA (due to suspicions of NSA-compromised P-curves). Enabled only strong key exchange, cipher, and MAC algorithms. See https://www.sshaudit.com/ and https://github.com/arthepsy/ssh-audit.

Browse Source
This commit is contained in:
Joe Testa
2018-11-19 15:01:11 -05:00
parent 41b33f2c51
commit e4e59782ca
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
etc/ssh/sshd_config
View File

@ -17,7 +17,7 @@ ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying # Ciphers and keying
#RekeyLimit default none #RekeyLimit default none
@ -115,6 +115,11 @@ AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server #Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp Subsystem sftp internal-sftp
# Hardened set of key exchange, cipher, and MAC algorithms, as per <https://www.sshaudit.com/hardening_guides.html>.
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
Match User root Match User root
AuthenticationMethods publickey AuthenticationMethods publickey