diff options
| author | Mike Crute <mike@crute.us> | 2018-09-11 22:29:42 +0000 |
|---|---|---|
| committer | Mike Crute <mike@crute.us> | 2018-09-11 22:29:42 +0000 |
| commit | b3d11abb806d0eaecad3eb4af714c2e08cb63d50 (patch) | |
| tree | ac5c5a5ce47783c91d72510a24dcb8616d2a8f89 /ssh-bastion | |
| parent | 7ce53f21afe6aa07130f07e0d7a810b91c480180 (diff) | |
| download | dockerfiles-b3d11abb806d0eaecad3eb4af714c2e08cb63d50.tar.bz2 dockerfiles-b3d11abb806d0eaecad3eb4af714c2e08cb63d50.tar.xz dockerfiles-b3d11abb806d0eaecad3eb4af714c2e08cb63d50.zip | |
Harden SSH ciphers
Diffstat (limited to 'ssh-bastion')
| -rw-r--r-- | ssh-bastion/etc/ssh/sshd_config | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ssh-bastion/etc/ssh/sshd_config b/ssh-bastion/etc/ssh/sshd_config index e46b5c6..29594c7 100644 --- a/ssh-bastion/etc/ssh/sshd_config +++ b/ssh-bastion/etc/ssh/sshd_config | |||
| @@ -79,9 +79,11 @@ PrintMotd no | |||
| 79 | 79 | ||
| 80 | # Used hardened crypto algorithms | 80 | # Used hardened crypto algorithms |
| 81 | # Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html | 81 | # Based on: https://stribika.github.io/2015/01/04/secure-secure-shell.html |
| 82 | # And also: https://access.redhat.com/discussions/3121481 | ||
| 83 | # And also: https://infosec.mozilla.org/guidelines/openssh | ||
| 82 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | 84 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 |
| 83 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | 85 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
| 84 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com | 86 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
| 85 | 87 | ||
| 86 | # Enable gateway ports for phone-home bastions so that administrators can | 88 | # Enable gateway ports for phone-home bastions so that administrators can |
| 87 | # connect back to the forwarded ports without needing ssh access to the bastion | 89 | # connect back to the forwarded ports without needing ssh access to the bastion |