diff --git a/README.md b/README.md index 34245bf..8473e23 100755 --- a/README.md +++ b/README.md @@ -16,10 +16,11 @@ strongly inspired by awesome work by https://github.com/jessfraz - https://blog.g3rt.nl/upgrade-your-ssh-keys.html - https://stribika.github.io/2015/01/04/secure-secure-shell.html - https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client +- see `/etc/ssh/ssh_config` and `.ssh/config` add this to `~/.ssh/config`: -``` +```bash # Ensure KnownHosts are unreadable if leaked - it is otherwise easier to know which hosts your keys have access to. HashKnownHosts yes # Host keys the client accepts - order here is honored by OpenSSH @@ -58,6 +59,6 @@ keyid-format 0xlong ## TODO -- explain setup, ideas, practises -- add HOWTO -- seperate sources.list setup for server/desktop +- [ ] explain setup, ideas, practises +- [ ] add HOWTO +- [ ] seperate sources.list setup for server/desktop diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config new file mode 100644 index 0000000..e233f93 --- /dev/null +++ b/etc/ssh/ssh_config @@ -0,0 +1,70 @@ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# some resources on hardening SSH +# - https://blog.g3rt.nl/upgrade-your-ssh-keys.html +# - https://stribika.github.io/2015/01/04/secure-secure-shell.html +# - https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client + +Host * +# ForwardAgent no +# ForwardX11 no +# ForwardX11Trusted yes +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# GSSAPIKeyExchange no +# GSSAPITrustDNS no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# IdentityFile ~/.ssh/id_ecdsa +# IdentityFile ~/.ssh/id_ed25519 +# Port 22 +# Protocol 2 +# Cipher 3des +# Host keys the client accepts - order here is honored by OpenSSH +HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 + +# defaults: +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 + +# hardened: +KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + +# EscapeChar ~ +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes