

{"id":73,"date":"2020-03-18T17:45:00","date_gmt":"2020-03-18T16:45:00","guid":{"rendered":"http:\/\/blog.fresel.at\/?p=73"},"modified":"2020-03-18T10:13:47","modified_gmt":"2020-03-18T09:13:47","slug":"openssh","status":"publish","type":"post","link":"https:\/\/blog.koeckeis-fresel.net\/?p=73","title":{"rendered":"openssh"},"content":{"rendered":"\n<pre class=\"wp-block-preformatted\"># see <a href=\"https:\/\/infosec.mozilla.org\/guidelines\/openssh.html\">https:\/\/infosec.mozilla.org\/guidelines\/openssh.html<\/a> \n \n##########\n<strong>cp \/etc\/ssh\/moduli \/etc\/ssh\/moduli.orig\nawk '$5 >= 3071' \/etc\/ssh\/moduli > \/etc\/ssh\/moduli.tmp &amp;&amp; mv \/etc\/ssh\/moduli.tmp \/etc\/ssh\/moduli\nsed -i -e 's\/#HostKey\/HostKey\/g' \/etc\/ssh\/sshd_config\nsed -i -e 's\/#PubkeyAuthentication\/PubkeyAuthentication\/g' \/etc\/ssh\/sshd_config\nsed -i -e 's\/#LogLevel INFO\/LogLevel VERBOSE\/g' \/etc\/ssh\/sshd_config\nsed -i -e 's\/#PrintLastLog yes\/PrintLastLog yes\/g' \/etc\/ssh\/sshd_config\necho KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 >> \/etc\/ssh\/sshd_config\necho Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >> \/etc\/ssh\/sshd_config\necho MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com >> \/etc\/ssh\/sshd_config\nsystemctl restart sshd.service<\/strong>\n#########\n \n# Supported HostKey algorithms by order of preference.\u00a0\n HostKey \/etc\/ssh\/ssh_host_ed25519_key\u00a0\n HostKey \/etc\/ssh\/ssh_host_rsa_key\u00a0\n HostKey \/etc\/ssh\/ssh_host_ecdsa_key\u00a0\n\nKexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256\u00a0 \n\nCiphers 
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\u00a0\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\u00a0\n \n# Password based logins are disabled - only public key based logins are allowed.\u00a0\n AuthenticationMethods publickey\u00a0\n PubkeyAuthentication yes\n AuthorizedKeysFile .ssh\/authorized_keys\n #PasswordAuthentication yes\n UsePAM yes\n \n # LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a clear audit trail of which key was used to log in.\u00a0\n LogLevel VERBOSE\u00a0\n \n # Log sftp level file access (read\/write\/etc.) that would not be easily logged otherwise.\u00a0\n Subsystem sftp\u00a0 \/usr\/lib\/ssh\/sftp-server -f AUTHPRIV -l INFO\u00a0\n\n # Root login IS allowed\u00a0\n PermitRootLogin Yes\u00a0\n \n # Use kernel sandbox mechanisms where possible in unprivileged processes\u00a0\n # Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX\/Darwin, rlimit elsewhere.\u00a0\n UsePrivilegeSeparation sandbox\n<strong>EOF<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>awk '$5 &gt;= 3071' \/etc\/ssh\/moduli &gt; \/etc\/ssh\/moduli.tmp &amp;&amp; mv \/etc\/ssh\/moduli.tmp \/etc\/ssh\/moduli<\/strong><\/pre>\n","protected":false},"excerpt":{"rendered":"<p># see https:\/\/infosec.mozilla.org\/guidelines\/openssh.html ########## cp \/etc\/ssh\/moduli \/etc\/ssh\/moduli.orig awk &#8216;$5 >= 3071&#8217; \/etc\/ssh\/moduli > \/etc\/ssh\/moduli.tmp &amp;&amp; mv \/etc\/ssh\/moduli.tmp \/etc\/ssh\/moduli sed -i -e &#8216;s\/#HostKey\/HostKey\/g&#8217; \/etc\/ssh\/sshd_config sed -i -e &#8216;s\/#PubkeyAuthentication\/PubkeyAuthentication\/g&#8217; \/etc\/ssh\/sshd_config sed -i -e &#8216;s\/#LogLevel INFO\/LogLevel VERBOSE\/g&#8217; \/etc\/ssh\/sshd_config sed -i -e &#8216;s\/#PrintLastLog yes\/PrintLastLog yes\/g&#8217; \/etc\/ssh\/sshd_config echo 
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 >> \/etc\/ssh\/sshd_config echo Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr >> \/etc\/ssh\/sshd_config echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,6],"tags":[],"class_list":["post-73","post","type-post","status-publish","format-standard","hentry","category-general","category-os"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=\/wp\/v2\/posts\/73","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=73"}],"version-history":[{"count":0,"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=\/wp\/v2\/posts\/73\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=73"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=%2Fw
p%2Fv2%2Fcategories&post=73"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.koeckeis-fresel.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=73"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}