projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 0017b688 | 1 | # OpenSSH client configuration file for IPFire |
| edea6ec5 | 2 | # |
| 0017b688 PM |
3 | # The full documentation is available at: https://man.openbsd.org/ssh_config |
| 4 | # | |
| 5 | ||
| 6 | # Set some basic hardening options for all connections | |
| edea6ec5 | 7 | Host * |
| 0017b688 | 8 | # Disable Roaming as it is known to be vulnerable |
| edea6ec5 PM |
9 | UseRoaming no |
| 10 | ||
| 0017b688 | 11 | # Only use secure crypto algorithms |
| edea6ec5 PM |
12 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 |
| 13 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| 14 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
| 15 | ||
| 0017b688 | 16 | # Always visualise server host keys (but helps to identify key based MITM attacks) |
| edea6ec5 PM |
17 | VisualHostKey yes |
| 18 | ||
| 0017b688 | 19 | # Use SSHFP (might work on some up-to-date networks) to look up host keys |
| edea6ec5 PM |
20 | VerifyHostKeyDNS yes |
| 21 | ||
| 22 | # send keep-alive messages to connected server to avoid broken connections | |
| 23 | ServerAliveInterval 10 | |
| 24 | ServerAliveCountMax 6 | |
| 25 | ||
| 0017b688 | 26 | # Ensure only allowed authentication methods are used |
| edea6ec5 PM |
27 | PreferredAuthentications publickey,keyboard-interactive,password |
| 28 | ||
| 0017b688 PM |
29 | # Prevent information leak by hashing ~/.ssh/known_hosts |
| 30 | HashKnownHosts yes | |
| 31 | ||
| edea6ec5 | 32 | # EOF |