mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
7a981d94cb
By default, both SSH server and client rely on TCP-based keep alive messages to detect broken sessions, which can be spoofed rather easily in order to keep a broken session opened (and vice versa). Since we rely on SSH-based keep alive messages, which are not vulnerable to this kind of tampering, there is no need to double-check connections via TCP keep alive as well. This patch thereof disables using TCP keep alive for both SSH client and server scenario. For usability reasons, a timeout of 5 minutes (10 seconds * 30 keep alive messages = 300 seconds) will be used for both client and server configuration, as 60 seconds were found to be too short for unstable connectivity scenarios. Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
61 lines
1.8 KiB
Plaintext
61 lines
1.8 KiB
Plaintext
# OpenSSH server configuration file for IPFire
|
|
#
|
|
# The full documentation is available at: https://man.openbsd.org/sshd_config
|
|
#
|
|
|
|
# Only allow version 2 of SSH protocol
|
|
Protocol 2
|
|
|
|
# Listen on port 22 by default
|
|
Port 22
|
|
|
|
# Listen on every interface and IPv4 only
|
|
AddressFamily inet
|
|
ListenAddress 0.0.0.0
|
|
|
|
# Limit authentication timeout to 30 seconds
|
|
LoginGraceTime 30s
|
|
|
|
# Limit maximum instanctes to prevent DoS
|
|
MaxStartups 5
|
|
|
|
# Only allow safe crypto algorithms
|
|
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
|
|
|
# Only allow cryptographically safe SSH host keys (adjust paths if needed)
|
|
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
HostKey /etc/ssh/ssh_host_rsa_key
|
|
|
|
# Only allow login via public key by default
|
|
PubkeyAuthentication yes
|
|
PasswordAuthentication no
|
|
ChallengeResponseAuthentication no
|
|
|
|
# Permit root login as there is no other user in IPFire 2.x
|
|
PermitRootLogin yes
|
|
|
|
# Ignore user ~/.ssh/known_hosts file
|
|
IgnoreUserKnownHosts yes
|
|
|
|
# Do not allow any kind of forwarding (provides only low security);
|
|
# some of them might need to be re-enabled if SSH server is a jump platform
|
|
AllowTcpForwarding no
|
|
AllowAgentForwarding no
|
|
PermitOpen none
|
|
|
|
# Send SSH-based keep alive messages to connected clients to avoid broken connections
|
|
ClientAliveInterval 10
|
|
ClientAliveCountMax 30
|
|
|
|
# Since TCP keep alive messages can be spoofed and we have the SSH-based already,
|
|
# there is no need for this to be enabled as well
|
|
TCPKeepAlive no
|
|
|
|
# Add support for SFTP
|
|
Subsystem sftp /usr/lib/openssh/sftp-server
|
|
|
|
# EOF
|