webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
580c249a5b8d5800d62c98ca50f8936e7a906452
bpfire/config/ssh/ssh_config
Peter Müller 7a981d94cb SSH: do not send spoofable TCP keep alive messages 
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).

Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.

This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-04-23 14:27:56 +00:00

37 lines
1.5 KiB
Plaintext
Raw Blame History

# OpenSSH client configuration file for IPFire
#
# The full documentation is available at: https://man.openbsd.org/ssh_config
#
# Set some basic hardening options for all connections
Host *
# Disable undocumented roaming feature as it is known to be vulnerable
UseRoaming no
# Only use secure crypto algorithms
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Always visualise server host keys (helps to identify key based MITM attacks)
VisualHostKey yes
# Use SSHFP (might work on some up-to-date networks) to look up host keys
VerifyHostKeyDNS yes
# Send SSH-based keep alive messages to connected server to avoid broken connections
ServerAliveInterval 10
ServerAliveCountMax 30
# Disable TCP keep alive messages since they can be spoofed and we have SSH-based
# keep alive messages enabled; there is no need to do things twice here
TCPKeepAlive no
# Ensure only allowed authentication methods are used
PreferredAuthentications publickey,keyboard-interactive,password
# Prevent information leak by hashing ~/.ssh/known_hosts
HashKnownHosts yes
# EOF
Reference in New Issue View Git Blame Copy Permalink