Netgate Discussion Forum

    Default sshd parameters

    General pfSense Questions
    3 Posts 3 Posters 1.3k Views
    alphazo

      Recent OpenSSH versions have brought a number of security improvements, including new ciphers and key exchange algorithms.
      Some guidelines can be found regarding optimized settings:
      https://stribika.github.io/2015/01/04/secure-secure-shell.html
      https://wiki.mozilla.org/Security/Guidelines/OpenSSH

      Since I'm deploying a more unified SSH config amongst my different servers, I wanted my pfSense box to behave the same.
      Apparently the sshd config comes from the bash file /etc/sshd, where I found only a line on ciphers.

      $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
      

      So all I had to do was to

      /etc/rc.conf_mount_rw
      

      and then add the following to /etc/sshd:

      
      /* $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"; */
      $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
      $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
      $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";
      
      

      And finally

      /etc/rc.conf_mount_ro
      

      So I'm assuming that this will not be persistent across system upgrades, so I'm wondering if there is a plan to have a user-programmable sshd config file at some point.

      PS: One nice side effect of adding more modern KexAlgorithms is that you will get far fewer connection attempts from rogue bots running old versions of OpenSSH. They will be knocked down right at the preauth phase and won't even get a chance to try a login, and thus won't even be seen by fail2ban, for example.

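      As an added example, not part of this thread or of pfSense: a small Python audit that parses sshd_config-style Ciphers/KexAlgorithms/MACs lines (the output of the `$sshconf` strings above), reports which of the three keywords are absent (so sshd's compiled-in defaults apply) and flags legacy algorithms. The legacy-marker list and the sample inputs are my own assumptions, taken from the before/after lines in the post.

```python
import re

# Constructed sample: the Ciphers line pfSense's /etc/sshd generated before the
# change, and the three hardened lines from the post (sshd_config syntax).
BEFORE = "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n"
AFTER = (
    "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
    "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n"
    "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n"
    "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n"
)

# Assumed legacy markers: RC4, CBC modes, 3DES, MD5/SHA-1 MACs and SHA-1 kex.
LEGACY_PATTERNS = (r"arcfour", r"-cbc$", r"^3des", r"^hmac-md5", r"sha1$", r"^hmac-sha1")
KEYWORDS = ("Ciphers", "KexAlgorithms", "MACs")


def parse_sshd_config(text):
    """Return {keyword: [algorithm, ...]} for the three algorithm keywords."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in KEYWORDS:
            found[parts[0]] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found


def weak_algorithms(algos):
    """Subset of algos that match one of the legacy markers."""
    return [a for a in algos if any(re.search(p, a) for p in LEGACY_PATTERNS)]


def audit(text):
    """Per keyword: whether it is absent (sshd defaults then apply) and which
    of the configured algorithms are legacy."""
    cfg = parse_sshd_config(text)
    return {
        kw: {"missing": kw not in cfg, "weak": weak_algorithms(cfg.get(kw, []))}
        for kw in KEYWORDS
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```

      A missing KexAlgorithms or MACs line is worth flagging on its own, since it means the box silently accepts whatever that OpenSSH build's defaults are.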
      jimp (Rebel Alliance Developer, Netgate)

        Probably won't be an option to include custom code there, but you can make a diff of that change, add it using the System Patches package and then set the patch to auto-apply to put your change back in.

        As long as the patch still applies cleanly on the new version it'll work fine.

        _igor_

          Here is a patch to use with the "System Patches" package:

          Add a new patch and name it.
          Put the following into "Patch contents":

          --- sshd.orig
          +++ sshd
          @@ -102,1 +102,3 @@
          -	$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
          +	$sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
          +	$sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
          +	$sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com\n";
          
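          Review bot: the hunk header `@@ -102,1 +102,3 @@` carries no context lines, so patch(1) can only locate the change by line number; if a pfSense upgrade shifts /etc/sshd by a few lines, auto-apply will either reject the hunk or, with fuzz, drop the new lines at the wrong place. Regenerate the diff with `diff -u sshd.orig sshd` so the hunk carries the standard three lines of context around the `$sshconf .= "Ciphers ...` line, and keep the `-` line byte-identical to the current file (cipher string included), since that is what the package matches before applying the `+` lines.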

          Base directory is /etc/
          Tick "Ignore whitespaces".
          Lastly, tick "auto apply".
          Save, test, and apply when there are no errors.

          Done.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.