]>
Commit | Line | Data |
---|---|---|
1 | # OpenSSH client configuration | |
2 | # | |
3 | # set some basic hardening options for all connections | |
4 | Host * | |
5 | # disable Roaming as it is known to be vulnerable | |
6 | UseRoaming no | |
7 | ||
8 | # only use secure crypto algorithm | |
9 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
10 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
11 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
12 | ||
13 | # always visualise server host keys (has no technical | |
14 | # effect, but helps to identify key based MITM attacks) | |
15 | VisualHostKey yes | |
16 | ||
17 | # use SSHFP (might work on some up-to-date networks) to look up host keys | |
18 | VerifyHostKeyDNS yes | |
19 | ||
20 | # send keep-alive messages to connected server to avoid broken connections | |
21 | ServerAliveInterval 10 | |
22 | ServerAliveCountMax 6 | |
23 | ||
24 | # disable X11 forwarding (security risk) | |
25 | ForwardX11 no | |
26 | ||
27 | # always check server IP address | |
28 | CheckHostIP yes | |
29 | ||
30 | # ensure only allowed authentication methods are used | |
31 | PreferredAuthentications publickey,keyboard-interactive,password | |
32 | ||
33 | # EOF |