]>
Commit | Line | Data |
---|---|---|
0017b688 | 1 | # OpenSSH client configuration file for IPFire |
edea6ec5 | 2 | # |
0017b688 PM |
3 | # The full documentation is available at: https://man.openbsd.org/ssh_config |
4 | # | |
5 | ||
6 | # Set some basic hardening options for all connections | |
edea6ec5 | 7 | Host * |
0017b688 | 8 | # Disable Roaming as it is known to be vulnerable |
edea6ec5 PM |
9 | UseRoaming no |
10 | ||
0017b688 | 11 | # Only use secure crypto algorithms |
edea6ec5 PM |
12 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 |
13 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
14 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
15 | ||
0017b688 | 16 | # Always visualise server host keys (but helps to identify key based MITM attacks) |
edea6ec5 PM |
17 | VisualHostKey yes |
18 | ||
0017b688 | 19 | # Use SSHFP (might work on some up-to-date networks) to look up host keys |
edea6ec5 PM |
20 | VerifyHostKeyDNS yes |
21 | ||
22 | # send keep-alive messages to connected server to avoid broken connections | |
23 | ServerAliveInterval 10 | |
24 | ServerAliveCountMax 6 | |
25 | ||
0017b688 | 26 | # Ensure only allowed authentication methods are used |
edea6ec5 PM |
27 | PreferredAuthentications publickey,keyboard-interactive,password |
28 | ||
0017b688 PM |
29 | # Prevent information leak by hashing ~/.ssh/known_hosts |
30 | HashKnownHosts yes | |
31 | ||
edea6ec5 | 32 | # EOF |