mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-12 04:05:53 +02:00
0a5823db02
This is entirely not practicable and should have been changed before. I missed this when I tested the configuration. It is common that multiple SSH keys exist and three is common number (RSA, ECDSA & Ed25519). A key passed with ssh -i and password authentication are not even tried. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
79 lines
2.1 KiB
Plaintext
79 lines
2.1 KiB
Plaintext
# ultra-secure OpenSSH server configuration
|
|
|
|
# only allow version 2 of SSH protocol
|
|
Protocol 2
|
|
|
|
# listen on port 22 by default
|
|
Port 22
|
|
|
|
# listen on these interfaces and protocols
|
|
AddressFamily any
|
|
ListenAddress 0.0.0.0
|
|
|
|
# limit authentication thresholds
|
|
LoginGraceTime 30s
|
|
MaxAuthTries 6
|
|
|
|
# limit maximum instanctes to prevent DoS
|
|
MaxStartups 5
|
|
|
|
# ensure proper logging
|
|
SyslogFacility AUTH
|
|
LogLevel INFO
|
|
|
|
# enforce permission checks before a login is accepted
|
|
# (prevents damage because of hacked systems with world-writeable
|
|
# home directories or similar)
|
|
StrictModes yes
|
|
|
|
# only allow safe crypto algorithms (may break some _very_ outdated clients)
|
|
# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# enable data compression after successful login only
|
|
Compression delayed
|
|
|
|
# only allow cryptographically safe SSH host keys (adjust paths if needed)
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
|
|
# only allow login via public key by default
|
|
PubkeyAuthentication yes
|
|
PasswordAuthentication no
|
|
ChallengeResponseAuthentication no
|
|
PermitEmptyPasswords no
|
|
|
|
# permit root login as there is no other user in IPFire 2.x
|
|
PermitRootLogin yes
|
|
|
|
# ignore user ~/.rhost* files
|
|
IgnoreRhosts yes
|
|
|
|
# ignore user known hosts file
|
|
IgnoreUserKnownHosts yes
|
|
|
|
# ignore user environments
|
|
PermitUserEnvironment no
|
|
|
|
# do not allow any kind of forwarding (provides only low security)
|
|
# some of them might need to be re-enabled if SSH server is a jump platform
|
|
X11Forwarding no
|
|
AllowTcpForwarding no
|
|
AllowAgentForwarding no
|
|
PermitTunnel no
|
|
GatewayPorts no
|
|
PermitOpen none
|
|
|
|
# detect broken sessions by sending keep-alive messages to
|
|
# clients (both via TCP and SSH)
|
|
TCPKeepAlive yes
|
|
ClientAliveInterval 10
|
|
|
|
# close unresponsive SSH sessions which fail to answer keep-alive
|
|
ClientAliveCountMax 6
|
|
|
|
# EOF
|