author | Pacien TRAN-GIRARD | 2016-11-08 21:47:26 +0100 |
---|---|---|
committer | Pacien TRAN-GIRARD | 2016-11-08 21:47:26 +0100 |
commit | fdca899aa9b44c6aa16000d1273f301c891131d4 (patch) | |
tree | 6baae0720fcf26de698ed96b65b993279ce5f299 | |
parent | 2d6955720c1857f81d20f982e6bded7e40de6c89 (diff) | |
download | ssh-hardened-fdca899aa9b44c6aa16000d1273f301c891131d4.tar.gz |
Add Debian-specific install steps
-rw-r--r-- | README.md | 7 | ||||
-rw-r--r-- | ssh_config | 2 | ||||
-rw-r--r-- | sshd_config | 2 |
3 files changed, 8 insertions, 3 deletions
@@ -13,10 +13,15 @@ Installation | |||
13 | - `groupadd ssh-user` and `usermod -a -G ssh-user <username>` for each user allowed to use SSH. | 13 | - `groupadd ssh-user` and `usermod -a -G ssh-user <username>` for each user allowed to use SSH. |
14 | - Deploy user public keys before continuing | 14 | - Deploy user public keys before continuing |
15 | - Clone this repo into `/etc/ssh/` | 15 | - Clone this repo into `/etc/ssh/` |
16 | - Uncomment `KexDHMin 4096` in `ssh{,d}_config` if supported by the installed OpenSSH | ||
17 | - Regenerate `ssh_host_rsa_key{,.pub}` of length 4096 if lower (`ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null`) | 16 | - Regenerate `ssh_host_rsa_key{,.pub}` of length 4096 if lower (`ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null`) |
18 | 17 | ||
19 | 18 | ||
19 | ### Debian specific | ||
20 | |||
21 | - Comment unsupported parameter `KexDHMin 4096` in `ssh{,d}_config` | ||
22 | - `ln -s /usr/lib/openssh /usr/lib/ssh` | ||
23 | |||
24 | |||
20 | References | 25 | References |
21 | ---------- | 26 | ---------- |
22 | 27 | ||
@@ -20,7 +20,7 @@ | |||
20 | # Minimum accepted size of the DH parameter p. By default this is set to 1024 | 20 | # Minimum accepted size of the DH parameter p. By default this is set to 1024 |
21 | # to maintain compatibility with RFC4419, but should be set higher. | 21 | # to maintain compatibility with RFC4419, but should be set higher. |
22 | # Upstream default is identical to setting this to 2048. | 22 | # Upstream default is identical to setting this to 2048. |
23 | #KexDHMin 4096 | 23 | KexDHMin 4096 |
24 | 24 | ||
25 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | 25 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 |
26 | HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa | 26 | HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa |
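Review bot: Enabling `KexDHMin 4096` by default here (and at the same line of sshd_config in the next hunk) makes the shipped files fail to parse on an OpenSSH build that does not know the directive, which the README in this same commit already describes as unsupported on Debian; configuration errors are fail-closed, so for the server file this can leave sshd unable to start and the host unreachable over SSH. For the client file an `IgnoreUnknown KexDHMin` line placed before it lets unpatched builds skip the directive instead of aborting; sshd_config has no equivalent, so the README's Debian step would be safer if it told the operator to run `sshd -t` before restarting the service. The commit message does not say why the default flipped from commented-out to enabled, so a short comment above the line, e.g. `# KexDHMin appears to be a distribution-patch option; comment it out on builds that reject it`, would spare the next reader that guess.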
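diff --git a/sshd_config b/sshd_config
index cb6a645..2b2b54e 100644
--- a/sshd_config
+++ b/sshd_config
@@ -29,7 +29,7 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 # Minimum accepted size of the DH parameter p. By default this is set to 1024
 # to maintain compatibility with RFC4419, but should be set higher.
 # Upstream default is identical to setting this to 2048.
-#KexDHMin 4096
+KexDHMin 4096
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 
 # Lifetime and size of ephemeral version 1 server key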