• Recent OpenSSH versiosn has brought a number of security improvements including new ciphers and key exchange algorithms.
    Some guidelines can be found regarding optimized settings:
    https://stribika.github.io/2015/01/04/secure-secure-shell.html
    https://wiki.mozilla.org/Security/Guidelines/OpenSSH

    Since I'm deploying a more unified SSH config amongst my different severs I wanted my pfSense box to behave the same.
    Apparently the sshd config comes from the bash file /etc/sshd where I found only a line on ciphers.

    $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
    

    So all I had to do was to

    /etc/rc.conf_mount_rw
    

    and then add the following to /etc/sshd:

    
    /* $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"; */
    $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
    $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
    $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";
    
    

    And finally

    /etc/rc.conf_mount_ro
    

    So I'm assuming that this will not be persistent across system upgrades so I'm wondering if there is a plan to have a user programmable sshd config file at some point.

    PS: One a nice side effect of adding more modern KexAlgorithms is that you will get much less connection attempts from rogue bots running old version of OpenSSH. They will be knocked down right at the preauth phase and won't even get a chance to try a login and thus even won't get seen by fail2ban for example.

  • Rebel Alliance Developer Netgate

    Probably won't be an option to include custom code there – but -- you can make a diff of that change, add it using the system patches package and then set the patch to auto-apply to put your change back in.

    As long as the patch still applies cleanly on the new version it'll work fine.


  • here a patch to use with "system patches"-package:

    add a new patch, name it.
    Put the following into "Patch contents:

    --- sshd.orig
    +++ sshd
    @@ -102,1 +102,3 @@
    -	$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
    +	$sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
    +	$sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
    +	$sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";
    

    Base directory is /etc/
    Tick "Ignore whitespaces"
    At last tick "auto apply".
    save, test, apply when no errors.

    done