From: Peter Müller Date: Sun, 28 Sep 2025 21:06:00 +0000 (+0000) Subject: ssh_config: Fix indentation mangled by Vim X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df09a64b08d101f7036b37c27da7bb9b06d307cc;p=ipfire-2.x.git ssh_config: Fix indentation mangled by Vim Signed-off-by: Peter Müller Signed-off-by: Michael Tremer --- diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 2fc62e116..66cb0c2cc 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -5,30 +5,30 @@ # Set some basic hardening options for all connections Host * - # Disable undocumented roaming feature as it is known to be vulnerable - UseRoaming no + # Disable undocumented roaming feature as it is known to be vulnerable + UseRoaming no - # Only use secure crypto algorithms - KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 - Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + # Only use secure crypto algorithms + KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com - # Always visualise server host keys (helps to identify key based MITM attacks) - VisualHostKey yes + # Always visualise server host keys (helps to identify key based MITM attacks) + VisualHostKey yes - # Use SSHFP (might work on some up-to-date networks) to look up host keys - VerifyHostKeyDNS yes + # Use SSHFP (might work on some up-to-date networks) to look up host keys + VerifyHostKeyDNS yes - # Send SSH-based keep alive messages to connected server to avoid broken connections - ServerAliveInterval 10 - ServerAliveCountMax 30 + # Send SSH-based keep alive messages to connected server to avoid broken connections + ServerAliveInterval 10 + ServerAliveCountMax 30 # Disable TCP keep alive messages since they can be spoofed and we have SSH-based # keep alive messages enabled; there is no need to do things twice here TCPKeepAlive no - # Ensure only allowed authentication methods are used - PreferredAuthentications publickey,keyboard-interactive,password + # Ensure only allowed authentication methods are used + PreferredAuthentications publickey,keyboard-interactive,password # Prevent information leak by hashing ~/.ssh/known_hosts HashKnownHosts yes