Enforce "Secure Secure Shell" recommendations

author: Pacien TRAN-GIRARD 2016-11-08 17:03:03 +0100
committer: Pacien TRAN-GIRARD 2016-11-08 17:03:03 +0100
commit: 3ff8396faddc994b180e7836764728cb03d4dc79 (patch)
tree: b2aa84e7a83cbfaacfdd6111a147da04dd2ae174 /ssh_config
parent: 037b59eb7fe8d3f90b577f3397b6018d83e66e7b (diff)
download: ssh-hardened-3ff8396faddc994b180e7836764728cb03d4dc79.tar.gz
1 files changed, 13 insertions, 1 deletions
diff --git a/ssh_config b/ssh_config
index 5cdc3eb..fc3a628 100644
--- a/ssh_config
+++ b/ssh_config
@@ -20,7 +20,19 @@
 # Minimum accepted size of the DH parameter p. By default this is set to 1024
 # to maintain compatibility with RFC4419, but should be set higher.
 # Upstream default is identical to setting this to 2048.
-#KexDHMin 1024
+#KexDHMin 4096
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+PubkeyAuthentication yes
+UseRoaming no
+ForwardX11Trusted no
 Host *
 #   ForwardAgent no
author	Pacien TRAN-GIRARD	2016-11-08 17:03:03 +0100
committer	Pacien TRAN-GIRARD	2016-11-08 17:03:03 +0100
commit	3ff8396faddc994b180e7836764728cb03d4dc79 (patch)
tree	b2aa84e7a83cbfaacfdd6111a147da04dd2ae174 /ssh_config
parent	037b59eb7fe8d3f90b577f3397b6018d83e66e7b (diff)
download	ssh-hardened-3ff8396faddc994b180e7836764728cb03d4dc79.tar.gz

diff --git a/ssh_config b/ssh_config index 5cdc3eb..fc3a628 100644 --- a/ssh_config +++ b/ssh_config
@@ -20,7 +20,19 @@
20	# Minimum accepted size of the DH parameter p. By default this is set to 1024	20	# Minimum accepted size of the DH parameter p. By default this is set to 1024
21	# to maintain compatibility with RFC4419, but should be set higher.	21	# to maintain compatibility with RFC4419, but should be set higher.
22	# Upstream default is identical to setting this to 2048.	22	# Upstream default is identical to setting this to 2048.
23	#KexDHMin 1024	23	#KexDHMin 4096
		24
		25	KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
		26	HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
		27	Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
		28	MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
		29
		30	ChallengeResponseAuthentication no
		31	PasswordAuthentication no
		32	PubkeyAuthentication yes
		33
		34	UseRoaming no
		35	ForwardX11Trusted no
24		36
25	Host *	37	Host *
26	# ForwardAgent no	38	# ForwardAgent no