From 0d4b9cb5415afc52acfd1c13560010f46a741a5a Mon Sep 17 00:00:00 2001 From: Kyle Marek Date: Sat, 20 Jun 2015 20:26:34 -0400 Subject: [PATCH 1/2] Added hardened SSH client preferences --- configs/ssh/ssh_config | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 configs/ssh/ssh_config diff --git a/configs/ssh/ssh_config b/configs/ssh/ssh_config new file mode 100644 index 0000000..5df26b3 --- /dev/null +++ b/configs/ssh/ssh_config 
@@ -0,0 +1,12 @@ +# ssh_config — OpenSSH SSH client configuration files + +# Version 2 cipher preference list +# (Only reordered from default, no ciphers dropped) +# Defaule value from manual: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour +# Note: AES-GCM may be more efficient than AES-CTR+HMAC, without losing security +Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes256-cbc,aes192-cbc,arcfour + +# Version 2 MAC preference list +# (Only reordered from default, no MACs dropped) +# Default value from manual: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 +MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 From d3c5c0c25b455b0f064cdda8be0dc4b713eb2651 Mon Sep 17 00:00:00 2001 From: Kyle Marek Date: Sun, 21 Jun 2015 15:38:57 -0400 Subject: [PATCH 2/2] Additional configuration from https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern --- configs/ssh/ssh_config | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/configs/ssh/ssh_config b/configs/ssh/ssh_config index 5df26b3..8ce9be9 100644 --- a/configs/ssh/ssh_config 
+++ b/configs/ssh/ssh_config @@ -1,5 +1,12 @@ # ssh_config — OpenSSH SSH client configuration files +# Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. +HashKnownHosts yes +# Host keys the client accepts - order here is honored by OpenSSH +HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 + +KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256 + # Version 2 cipher preference list # (Only reordered from default, no ciphers dropped) # Defaule value from manual: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
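Review bot: in the first patch, the Ciphers and MACs lists only reorder the defaults and keep every weak algorithm (arcfour, arcfour128/256, 3des-cbc, blowfish-cbc, cast128-cbc, the aes-cbc modes; hmac-md5, hmac-md5-96, hmac-sha1-96, hmac-ripemd160) at the tail, so a server that offers nothing better still negotiates them and the file is not yet "hardened" in the sense of the commit subject; consider dropping those entries, e.g. `Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr`. The comment "AES-GCM may be more efficient than AES-CTR+HMAC, without losing security" is contradicted by the list itself, which ranks the three CTR modes ahead of GCM and chacha20-poly1305; either move the AEAD ciphers first or reword the comment, and note in the MACs comment that the MAC list is not used when an AEAD cipher is negotiated. Also fix the typo "Defaule" in the Ciphers comment (it is carried into the second patch as context).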
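Review bot: in the second patch, the KexAlgorithms line orders the ECDH groups nistp521, nistp256, nistp384, which is inconsistent with the HostKeyAlgorithms line above it (521, 384, 256); since the order is the client's preference, either use 521,384,256 or document why nistp256 is preferred, and give the line a comment like the other options have (a pointer to the Mozilla "Modern" guideline named in the commit subject would do). The HashKnownHosts comment "Ensure KnownHosts are unreadable if leaked" overstates what hashing provides: hashing only hides hostnames from casual reading, candidate names can still be checked against the hashes, and entries already present in ~/.ssh/known_hosts stay in clear text until rehashed with `ssh-keygen -H`; reword the comment so readers do not mistake it for encryption.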