mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-10 11:05:54 +02:00
1223078cde
Fixes #11887 The second version of this patch uses the correct path on IPFire systems and supersedes the first one. It also referrs to the correct issue ID. Thanks to Matthias Fischer for reporting this. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
82 lines
2.2 KiB
Plaintext
82 lines
2.2 KiB
Plaintext
# ultra-secure OpenSSH server configuration
|
|
|
|
# only allow version 2 of SSH protocol
|
|
Protocol 2
|
|
|
|
# listen on port 22 by default
|
|
Port 22
|
|
|
|
# listen on these interfaces and protocols
|
|
AddressFamily any
|
|
ListenAddress 0.0.0.0
|
|
|
|
# limit authentication thresholds
|
|
LoginGraceTime 30s
|
|
MaxAuthTries 6
|
|
|
|
# limit maximum instanctes to prevent DoS
|
|
MaxStartups 5
|
|
|
|
# ensure proper logging
|
|
SyslogFacility AUTH
|
|
LogLevel INFO
|
|
|
|
# enforce permission checks before a login is accepted
|
|
# (prevents damage because of hacked systems with world-writeable
|
|
# home directories or similar)
|
|
StrictModes yes
|
|
|
|
# only allow safe crypto algorithms (may break some _very_ outdated clients)
|
|
# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# enable data compression after successful login only
|
|
Compression delayed
|
|
|
|
# only allow cryptographically safe SSH host keys (adjust paths if needed)
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
|
|
# only allow login via public key by default
|
|
PubkeyAuthentication yes
|
|
PasswordAuthentication no
|
|
ChallengeResponseAuthentication no
|
|
PermitEmptyPasswords no
|
|
|
|
# permit root login as there is no other user in IPFire 2.x
|
|
PermitRootLogin yes
|
|
|
|
# ignore user ~/.rhost* files
|
|
IgnoreRhosts yes
|
|
|
|
# ignore user known hosts file
|
|
IgnoreUserKnownHosts yes
|
|
|
|
# ignore user environments
|
|
PermitUserEnvironment no
|
|
|
|
# do not allow any kind of forwarding (provides only low security)
|
|
# some of them might need to be re-enabled if SSH server is a jump platform
|
|
X11Forwarding no
|
|
AllowTcpForwarding no
|
|
AllowAgentForwarding no
|
|
PermitTunnel no
|
|
GatewayPorts no
|
|
PermitOpen none
|
|
|
|
# detect broken sessions by sending keep-alive messages to
|
|
# clients (both via TCP and SSH)
|
|
TCPKeepAlive yes
|
|
ClientAliveInterval 10
|
|
|
|
# close unresponsive SSH sessions which fail to answer keep-alive
|
|
ClientAliveCountMax 6
|
|
|
|
# add support for SFTP
|
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
|
|
# EOF
|