mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
68545eb2d1
We also wish to prefer AES over Chacha/Poly, given the prevalence of hardware accelaration for the former. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
37 lines
1.5 KiB
Plaintext
37 lines
1.5 KiB
Plaintext
# OpenSSH client configuration file for IPFire
|
|
#
|
|
# The full documentation is available at: https://man.openbsd.org/ssh_config
|
|
#
|
|
|
|
# Set some basic hardening options for all connections
|
|
Host *
|
|
# Disable undocumented roaming feature as it is known to be vulnerable
|
|
UseRoaming no
|
|
|
|
# Only use secure crypto algorithms
|
|
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers aes256-gcm@openssh.com,aes256-ctr,chacha20-poly1305@openssh.com,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# Always visualise server host keys (helps to identify key based MITM attacks)
|
|
VisualHostKey yes
|
|
|
|
# Use SSHFP (might work on some up-to-date networks) to look up host keys
|
|
VerifyHostKeyDNS yes
|
|
|
|
# Send SSH-based keep alive messages to connected server to avoid broken connections
|
|
ServerAliveInterval 10
|
|
ServerAliveCountMax 30
|
|
|
|
# Disable TCP keep alive messages since they can be spoofed and we have SSH-based
|
|
# keep alive messages enabled; there is no need to do things twice here
|
|
TCPKeepAlive no
|
|
|
|
# Ensure only allowed authentication methods are used
|
|
PreferredAuthentications publickey,keyboard-interactive,password
|
|
|
|
# Prevent information leak by hashing ~/.ssh/known_hosts
|
|
HashKnownHosts yes
|
|
|
|
# EOF
|