Netgate Discussion Forum

Default sshd parameters

General pfSense Questions

alphazo (Aug 19, 2015, 8:27 AM):

    Recent OpenSSH versions have brought a number of security improvements, including new ciphers and key exchange algorithms.
    Some guidelines can be found regarding optimized settings:
    https://stribika.github.io/2015/01/04/secure-secure-shell.html
    https://wiki.mozilla.org/Security/Guidelines/OpenSSH

    Since I'm deploying a more unified SSH config amongst my different servers, I wanted my pfSense box to behave the same.
    Apparently the sshd config comes from the bash file /etc/sshd, where I found only a line on ciphers.

    $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";

    So all I had to do was run

    /etc/rc.conf_mount_rw

    and then add the following to /etc/sshd:

    /* $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"; */
    $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
    $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
    $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";

    And finally

    /etc/rc.conf_mount_ro

    So I'm assuming that this will not be persistent across system upgrades, so I'm wondering if there is a plan to have a user-programmable sshd config file at some point.

    PS: One nice side effect of adding more modern KexAlgorithms is that you will get far fewer connection attempts from rogue bots running old versions of OpenSSH. They will be knocked down right at the preauth phase and won't even get a chance to try a login, and thus won't even get seen by fail2ban, for example.
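    A small audit of the rendered sshd_config lines, added here as an example (it is not part of the original post or of pfSense): it parses the Ciphers/KexAlgorithms/MACs keywords the way sshd reads them (first occurrence wins) and reports which legacy algorithms are still enabled or which keyword is unset so sshd's built-in default applies. The before/after inputs are constructed from the lines quoted in this thread; the weak-algorithm sets are real OpenSSH names chosen for this example.

```python
import re

# Legacy algorithm names (all real OpenSSH identifiers) that a hardening
# pass like the one in this thread is meant to remove from the server.
WEAK = {
    "ciphers": {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com"},
}

def parse_sshd_config(text):
    """Flat parse of sshd_config: {keyword.lower(): [values]}.
    Comments and blank lines are skipped; as in sshd, the first
    occurrence of a keyword wins. Match blocks are not modelled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].split(","))
    return conf

def audit(text):
    """Return {keyword: findings}. A finding is either the sorted list of
    legacy algorithms still enabled, or a note that the keyword is unset
    (so sshd's compiled-in default list, not the admin's, applies)."""
    conf = parse_sshd_config(text)
    findings = {}
    for key, weak in WEAK.items():
        if key not in conf:
            findings[key] = ["<not set: sshd built-in default applies>"]
            continue
        bad = sorted(a for a in conf[key] if a.lower() in weak)
        if bad:
            findings[key] = bad
    return findings

# Constructed inputs: the config lines the PHP in this thread renders,
# before and after the edit.
BEFORE = "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"
AFTER = (
    "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
    "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n"
    "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n"
    "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n"
)

if __name__ == "__main__":
    print("before:", audit(BEFORE))  # flags CBC/arcfour plus two unset keywords
    print("after: ", audit(AFTER))   # {}
```

    Run it against the output of `sshd -T` on the box after the patch to confirm the running daemon, not just the file, carries the intended lists.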

    jimp (Rebel Alliance Developer, Netgate), Aug 19, 2015, 4:58 PM:

      Probably won't be an option to include custom code there, but you can make a diff of that change, add it using the System Patches package and then set the patch to auto-apply to put your change back in.

      As long as the patch still applies cleanly on the new version it'll work fine.

      _igor_ (Aug 25, 2015, 5:21 PM):

        Here is a patch to use with the "System Patches" package:

        Add a new patch and name it.
        Put the following into "Patch contents":

        --- sshd.orig
        +++ sshd
        @@ -102,1 +102,3 @@
        -	$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
        +	$sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
        +	$sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
        +	$sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";
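        Review bot: the hunk carries no context lines (`@@ -102,1 +102,3 @@` removes one line and adds three with nothing around them), so the only thing that anchors it is the exact text of the old Ciphers line; once a pfSense upgrade moves or rewrites that line in /etc/sshd, the auto-apply will fail silently and the box will fall back to the stock cipher list without any visible change in the GUI. Regenerate the patch with `diff -u` against a copy of /etc/sshd so a few unchanged lines surround the change, which lets the patch tool relocate it after line numbers shift, and keep the leading tab on the four `$sshconf` lines as in the original file so "Ignore whitespaces" is a safety net rather than a requirement. After each upgrade, check the System Patches page for a patch that no longer reports as applied before trusting the hardened cipher set.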
        

        Base directory is /etc/
        Tick "Ignore whitespaces".
        Finally, tick "auto apply".
        Save, test, and apply when there are no errors.

        Done.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.