mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
0017b688e8
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
33 lines
1.2 KiB
Plaintext
33 lines
1.2 KiB
Plaintext
# OpenSSH client configuration file for IPFire
|
|
#
|
|
# The full documentation is available at: https://man.openbsd.org/ssh_config
|
|
#
|
|
|
|
# Set some basic hardening options for all connections
|
|
Host *
|
|
# Disable Roaming as it is known to be vulnerable
|
|
UseRoaming no
|
|
|
|
# Only use secure crypto algorithms
|
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# Always visualise server host keys (but helps to identify key based MITM attacks)
|
|
VisualHostKey yes
|
|
|
|
# Use SSHFP (might work on some up-to-date networks) to look up host keys
|
|
VerifyHostKeyDNS yes
|
|
|
|
# send keep-alive messages to connected server to avoid broken connections
|
|
ServerAliveInterval 10
|
|
ServerAliveCountMax 6
|
|
|
|
# Ensure only allowed authentication methods are used
|
|
PreferredAuthentications publickey,keyboard-interactive,password
|
|
|
|
# Prevent information leak by hashing ~/.ssh/known_hosts
|
|
HashKnownHosts yes
|
|
|
|
# EOF
|