mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-10 19:15:54 +02:00
edea6ec5a4
Introduce a custom OpenSSH client configuration file for IPFire. Some people use it as a jumping host, so applying hardening options system-wide improves security. Cryptography setup is the same as for OpenSSH server configuration. The second version of this patch re-adds some non-AEAD cipher suites which are needed for connecting to older RHEL systems. Partially fixes #11751 Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
34 lines
1.2 KiB
Plaintext
34 lines
1.2 KiB
Plaintext
# OpenSSH client configuration
|
|
#
|
|
# set some basic hardening options for all connections
|
|
Host *
|
|
# disable Roaming as it is known to be vulnerable
|
|
UseRoaming no
|
|
|
|
# only use secure crypto algorithm
|
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# always visualise server host keys (has no technical
|
|
# effect, but helps to identify key based MITM attacks)
|
|
VisualHostKey yes
|
|
|
|
# use SSHFP (might work on some up-to-date networks) to look up host keys
|
|
VerifyHostKeyDNS yes
|
|
|
|
# send keep-alive messages to connected server to avoid broken connections
|
|
ServerAliveInterval 10
|
|
ServerAliveCountMax 6
|
|
|
|
# disable X11 forwarding (security risk)
|
|
ForwardX11 no
|
|
|
|
# always check server IP address
|
|
CheckHostIP yes
|
|
|
|
# ensure only allowed authentication methods are used
|
|
PreferredAuthentications publickey,keyboard-interactive,password
|
|
|
|
# EOF
|