author    Pacien TRAN-GIRARD  2016-11-08 21:47:26 +0100
committer Pacien TRAN-GIRARD  2016-11-08 21:47:26 +0100
commit    fdca899aa9b44c6aa16000d1273f301c891131d4 (patch)
tree      6baae0720fcf26de698ed96b65b993279ce5f299
parent    2d6955720c1857f81d20f982e6bded7e40de6c89 (diff)
download  ssh-hardened-fdca899aa9b44c6aa16000d1273f301c891131d4.tar.gz
Add Debian-specific install steps
-rw-r--r--  README.md    | 7
-rw-r--r--  ssh_config   | 2
-rw-r--r--  sshd_config  | 2
3 files changed, 8 insertions, 3 deletions
diff --git a/README.md b/README.md
index 9ff8deb..bed809a 100644
--- a/README.md
+++ b/README.md
@@ -13,10 +13,15 @@ Installation
13- `groupadd ssh-user` and `usermod -a -G ssh-user <username>` for each user allowed to use SSH. 13- `groupadd ssh-user` and `usermod -a -G ssh-user <username>` for each user allowed to use SSH.
14- Deploy user public keys before continuing 14- Deploy user public keys before continuing
15- Clone this repo into `/etc/ssh/` 15- Clone this repo into `/etc/ssh/`
16- Uncomment `KexDHMin 4096` in `ssh{,d}_config` if supported by the installed OpenSSH
17- Regenerate `ssh_host_rsa_key{,.pub}` of length 4096 if lower (`ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null`) 16- Regenerate `ssh_host_rsa_key{,.pub}` of length 4096 if lower (`ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null`)
18 17
19 18
19### Debian specific
20
21- Comment unsupported parameter `KexDHMin 4096` in `ssh{,d}_config`
22- `ln -s /usr/lib/openssh /usr/lib/ssh`
23
24
20References 25References
21---------- 26----------
22 27
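Review bot: removing step 16 ("Uncomment `KexDHMin 4096` ... if supported by the installed OpenSSH") while both configs now ship with the line enabled inverts the default for every platform, not just Debian. `KexDHMin` is not an upstream OpenSSH keyword (the configs' own comment compares it to an "upstream default", i.e. it only exists in patched builds), and OpenSSH treats an unknown keyword as fatal (`Bad configuration option: kexdhmin`), yet only readers who reach the new "Debian specific" subsection are told to comment it out. Either keep the line commented and leave the conditional step in the general list, or promote the Debian step to the general rule ("comment out `KexDHMin 4096` unless your OpenSSH accepts it") and add a `sshd -t` check before the first restart. The `ln -s /usr/lib/openssh /usr/lib/ssh` step also needs one line naming the `sshd_config` directive whose path depends on it, otherwise a reader cannot tell whether the symlink is still required after editing that directive.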
diff --git a/ssh_config b/ssh_config
index fc3a628..79ca5e1 100644
--- a/ssh_config
+++ b/ssh_config
@@ -20,7 +20,7 @@
20# Minimum accepted size of the DH parameter p. By default this is set to 1024 20# Minimum accepted size of the DH parameter p. By default this is set to 1024
21# to maintain compatibility with RFC4419, but should be set higher. 21# to maintain compatibility with RFC4419, but should be set higher.
22# Upstream default is identical to setting this to 2048. 22# Upstream default is identical to setting this to 2048.
23#KexDHMin 4096 23KexDHMin 4096
24 24
25KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 25KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
26HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa 26HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
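Review bot: turning `KexDHMin 4096` on in the system-wide client config is the riskier half of this commit: an `ssh` binary that does not recognise the keyword aborts every invocation for every user on the host, and there is no `-t` dry run for the client, so `ssh -G localhost` (which parses the config before printing anything) should be the documented way to confirm the file loads. A second caveat deserves a comment next to the line: with `curve25519-sha256@libssh.org` first in `KexAlgorithms`, the minimum only applies when the peer lacks curve25519 and falls back to `diffie-hellman-group-exchange-sha256`, and those older servers are exactly the ones likely to offer a 2048-bit group, so a 4096-bit floor turns the fallback into a hard failure. If that is intended, state it; if not, 2048 (the upstream-equivalent value the comment already gives) keeps the fallback usable while still rejecting 1024-bit groups.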
diff --git a/sshd_config b/sshd_config
index cb6a645..2b2b54e 100644
--- a/sshd_config
+++ b/sshd_config
@@ -29,7 +29,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
29# Minimum accepted size of the DH parameter p. By default this is set to 1024 29# Minimum accepted size of the DH parameter p. By default this is set to 1024
30# to maintain compatibility with RFC4419, but should be set higher. 30# to maintain compatibility with RFC4419, but should be set higher.
31# Upstream default is identical to setting this to 2048. 31# Upstream default is identical to setting this to 2048.
32#KexDHMin 4096 32KexDHMin 4096
33KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 33KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
34 34
35# Lifetime and size of ephemeral version 1 server key 35# Lifetime and size of ephemeral version 1 server key
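Review bot: the same uncommenting in `sshd_config` has a lockout failure mode: on a build without the option sshd refuses to start, so a remote `systemctl restart sshd` after deploying this file removes the only way in. Pair the change with an explicit `sshd -t -f /etc/ssh/sshd_config` (and `sshd -T` to inspect the effective values) run from the existing session before any restart, and put that check in the README installation steps. Also, in this hunk's context, the "ephemeral version 1 server key" block that follows configures protocol 1, which the protocol-2-only `KexAlgorithms` and `HostKeyAlgorithms` in this file never use; consider dropping it in a follow-up so the hardened config does not carry settings that current OpenSSH only accepts as deprecated.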