]>
Commit | Line | Data |
---|---|---|
0017b688 | 1 | # OpenSSH client configuration file for IPFire |
edea6ec5 | 2 | # |
0017b688 PM |
3 | # The full documentation is available at: https://man.openbsd.org/ssh_config |
4 | # | |
5 | ||
6 | # Set some basic hardening options for all connections | |
edea6ec5 | 7 | Host * |
7a981d94 | 8 | # Disable undocumented roaming feature as it is known to be vulnerable |
edea6ec5 PM |
9 | UseRoaming no |
10 | ||
0017b688 | 11 | # Only use secure crypto algorithms |
018f80c6 | 12 | KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 |
edea6ec5 PM |
13 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
14 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
15 | ||
7a981d94 | 16 | # Always visualise server host keys (helps to identify key based MITM attacks) |
edea6ec5 PM |
17 | VisualHostKey yes |
18 | ||
0017b688 | 19 | # Use SSHFP (might work on some up-to-date networks) to look up host keys |
edea6ec5 PM |
20 | VerifyHostKeyDNS yes |
21 | ||
7a981d94 | 22 | # Send SSH-based keep alive messages to connected server to avoid broken connections |
edea6ec5 | 23 | ServerAliveInterval 10 |
7a981d94 PM |
24 | ServerAliveCountMax 30 |
25 | ||
26 | # Disable TCP keep alive messages since they can be spoofed and we have SSH-based | |
27 | # keep alive messages enabled; there is no need to do things twice here | |
28 | TCPKeepAlive no | |
edea6ec5 | 29 | |
0017b688 | 30 | # Ensure only allowed authentication methods are used |
edea6ec5 PM |
31 | PreferredAuthentications publickey,keyboard-interactive,password |
32 | ||
0017b688 PM |
33 | # Prevent information leak by hashing ~/.ssh/known_hosts |
34 | HashKnownHosts yes | |
35 | ||
edea6ec5 | 36 | # EOF |